ghostinthepowershell

NDH 2018 - RE.

NDH 2018 : Wargame

Challenge details

Event Challenge Category Points Solves
NDH 16 Wargame ghostinthepowershell Reverse ? ??

Download: ghostinthepowershell.ps1

TL;DR

Deobfuscate a PowerShell script to get a Base64 string containing the flag.

Methodology

I started in Sublime Text by removing all the comments with a simple regex.

Image1

Then I split the script at each semicolon with another regex.

Image2

# Obfuscated challenge script. Every string in it is built from base64-encoded
# UTF-16LE fragments ([Text.Encoding]::Unicode.GetString / [Convert]::FromBase64String)
# and shuffled `-f` format templates; only the `&`/`.` call operators actually
# execute anything, so each string-building expression can be evaluated on its own
# (in an isolated session) without running the prompt loop.
# The decoded values quoted below come from hand-decoding the literals in this
# listing; they are not present in the script itself - confirm by evaluating the
# corresponding expression.
#
# Decoy #1 - assigned here and never read again in this listing. Outer template
# decodes to '{11}{12}{6}{9}{10}{8}{0}{2}{4}{7}{5}{3}{1}' over 13 fragments and
# assembles to "https://www.youtube.com/watch?v=dQw4w9WgXcQ".
${DONTREv`ERs`E`ME1}=($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAxADEAfQB7ADEAMgB9AHsANgB9AHsAOQB9AHsAMQAwAH0AewA4AH0AewAwAH0AewAyAH0AewA0AH0AewA3AH0AewA1AH0AewAzAH0AewAxAH0A'))) -f($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A')))-f $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwB3AGEA'))),'tc'),($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A')))-f 'gX','cQ'),'h','9W',($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A'))) -f '?v','=d'),'4w',($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAxAH0AewAyAH0AewAwAH0A')))-f 'o',$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwB3AHcAdwA='))),'.y'),'Qw','m',$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dQB0AHUA'))),($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A')))-f $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YgBlAC4AYwA='))),'o'),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQA'))),($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A'))) -f'p',$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwA6AC8A'))))) ;

# Decoy #2 - same URL, different cut: template '{5}{6}{4}{0}{2}{9}{1}{3}{8}{7}'
# over 10 fragments. Also never read again in this listing.
 ${D`oNt`ReVErSEm`e2}=($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewA1AH0AewA2AH0AewA0AH0AewAwAH0AewAyAH0AewA5AH0AewAxAH0AewAzAH0AewA4AH0AewA3AH0A')))-f ($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A'))) -f 'ww','w.'),'a',($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAxAH0AewAyAH0AewAwAH0A')))-f $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAB1AGIAZQA='))),'y','ou'),($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A')))-f $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABjAGgA'))),'?v'),'/',($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0AewAxAH0A'))) -f $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA='))),'s'),':/',($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAzAH0AewAyAH0AewAwAH0AewAxAH0A')))-f'g',$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WABjAFEA'))),'9W',$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZABRAHcANAB3AA==')))),'=',($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAyAH0AewAwAH0AewAxAH0A'))) -f$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bwBtAC8A'))),'w','.c')) ;

# `seT r2QF [TExT.ENCoDiNG]` - `set` is the Set-Variable alias, so $r2QF now holds
# the type object [Text.Encoding]. Command and type names are reassembled from
# fragments so that neither "Set-Variable" nor "Encoding" appears literally.
 .("{0}{1}" -f 'se','T')  ('r2Q'+'F') (  [tYpe]("{3}{0}{2}{1}" -F'xT.',("{0}{1}{2}"-f'N','Co','DiNG'),'E','TE') ) ;

# `set-VaRiAbLe mXKN [CoNVert]` - $mXKN now holds the type object [Convert].
# Together with $r2QF these are the only two helpers the decoding lines below use.
.("{0}{1}{2}"-f 'se',("{0}{1}"-f't-V','aR'),("{0}{1}"-f 'iAbL','e'))  ("{1}{0}" -f 'N','mXK') ( [TYpe]("{2}{1}{0}" -F ("{0}{1}"-f 'Ve','rt'),'N','Co') );

# $X1..$X6: six base64 strings, each stitched together from shuffled fragments.
# Hand-decoded (UTF-16LE) values, to be confirmed by evaluating each expression:
#   x1 -> "nok"                 (initial loop sentinel, see the do-while below)
#   x2 -> "Enter password:"     (prompt)
#   x3 -> the anchored regex the input is matched against
#         ("^ObFU5C4t3D-fl4G-i5-0BfU5c4T3d$" by my reading - TODO confirm)
#   x4 -> "Wrong password !"    (failure message, printed in red)
#   x5 -> "nok"                 (sentinel re-armed on failure)
#   x6 -> "Good boy !"          (success message, printed in blue)
${X1}=("{2}{1}{0}"-f("{0}{1}" -f ("{1}{0}"-f'AGs','v'),'A'),'gB','b');

${x2}=("{7}{9}{4}{0}{3}{8}{5}{2}{6}{1}"-f'Z','oA','AB','Q','A',("{1}{0}"-f'AAc','yAC'),("{0}{2}{3}{1}"-f ("{0}{1}" -f 'h','AHM'),'kAD',("{1}{0}{2}" -f 'cw','A','B3AG8A'),'cgB'),("{1}{0}" -f 'u','RQB'),'B','AHQ');

${x3}=("{13}{2}{5}{14}{8}{4}{0}{24}{23}{10}{17}{18}{21}{7}{20}{3}{12}{22}{6}{1}{15}{9}{16}{11}{19}" -f '0AZ',("{1}{0}"-f 'FUA','A'),("{1}{0}{2}" -f 'VAD',("{0}{1}"-f'IARg','B'),'U'),'t','EAC','AQ','m','Gk',("{2}{1}{0}"-f'wB','AM','AHQ'),'DQ','A',("{0}{1}{2}" -f'A','GQA','JA'),("{1}{0}" -f'AA','AD'),("{0}{2}{1}"-f'Xg','PAG','B'),'wA0',("{0}{1}"-f ("{1}{0}" -f'QBj','N'),'A'),("{0}{1}" -f 'AV','AAz'),'DQA','Rw','A=',("{0}{1}" -f'A','NQA'),'AtA','QgB','s','gB');

${x`4}=("{11}{8}{6}{3}{4}{7}{9}{0}{10}{1}{2}{5}"-f'cgB','AC','AAI','CA',("{0}{1}" -f ("{0}{1}"-f 'A','cAB'),'h'),'QA=',("{1}{0}{2}" -f 'gB','8Ab','nA'),("{2}{0}{1}" -f("{1}{0}"-f'3','cwB'),'A',("{0}{1}" -f 'AH','MA')),'yAG','G8A','k','VwB');

${x5}=("{0}{1}" -f ("{1}{0}"-f ("{2}{1}{0}"-f's','vAG','gB'),'b'),'A');

${X6}=("{3}{0}{1}{2}{4}"-f 'Z',("{0}{1}{2}" -f 'A',("{0}{1}"-f'AgAG','I'),'A'),("{2}{1}{0}"-f ("{1}{0}" -f 'I','5ACAA'),'B','bw'),("{1}{2}{0}"-f ("{1}{0}" -f '8A','vAG'),'R','wB'),'QA=');

# $Z1..$Z6 = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xN)).
# Each line is the same operation, but reaches the two type objects stored in
# $r2QF / $mXKN through a different route so that no two lines look alike, and the
# method name "FromBase64String" is always rebuilt from a template and called
# through .Invoke(). Routes:
#   L48: $r2QF directly; `vArIaBlE MxKN` (bare noun -> Get-Variable)
${Z1}=$(${r`2QF}::"u`NI`cODE"."G`ETStRI`NG"(( &("{1}{0}"-f'E',("{1}{0}"-f 'ArIaBl','v')) ("M"+"xKN"))."vA`lUE"::("{0}{2}{3}{4}{1}"-f 'Fr',("{0}{1}" -f'St','ring'),'om',("{1}{0}" -f'e','Bas'),'64')."invo`KE"(${x1})));

#   L50: $R2qf directly; `ls VARiabLe:MXKn` (Get-ChildItem on the variable: drive)
${Z`2}=$( ${R`2qf}::"U`NiCOde"."GE`TsT`R`Ing"((&('ls')(("{1}{2}{0}"-f 'b','VARi','a')+("{0}{1}" -f 'Le:','MX')+'Kn'))."vA`LuE"::("{2}{0}{1}" -f ("{1}{0}" -f 'Str','4'),'ing',("{1}{2}{0}"-f'ase6','F','romB'))."I`NVoke"(${X`2})));

#   L52: `gEt-cHilDITEm varIaBLe:R2Qf`; $MXKN directly
${z`3}=$( (  .("{3}{0}{2}{1}"-f("{1}{0}{2}"-f 't-c','E','Hi'),'m',("{0}{1}" -f'lDIT','E'),'g') ("{1}{0}{2}"-f ("{1}{2}{0}"-f'BL','ar','Ia'),'v',("{0}{1}" -f'e',':R2Qf')))."VAL`UE"::"uNic`O`dE"."G`et`strinG"(${MX`KN}::("{2}{0}{1}{4}{3}" -f ("{0}{1}" -f'omB','as'),("{1}{0}"-f'4S','e6'),'Fr','ng','tri')."I`NV`oKE"(${x`3})));

#   L54: `iTem vaRiAblE:r2QF` (bare noun -> Get-Item); `dir variAbLe:MXKn`
${z4}=$((.("{0}{1}" -f 'iTe','m') (("{1}{0}"-f 'aRiAb','v')+'l'+'E'+':'+("{0}{1}" -f 'r2','QF')) )."val`UE"::"uNIC`ode"."GEt`S`TriNg"((&("{1}{0}" -f'ir','d') (("{1}{0}" -f 'i','var')+"Ab"+("{1}{0}{2}"-f 'MX','Le:','K')+"n"))."VaL`Ue"::("{2}{4}{1}{0}{3}" -f ("{2}{1}{0}"-f'in','tr','4S'),'e6',("{1}{0}" -f 'B','From'),'g','as')."inVO`Ke"(${x`4})));

#   L56: `Gci vARiAble:R2QF`; `GeT-chiLDITem vArIABlE:mXkN`
${z`5}=$((&("{0}{1}"-f'G','ci') ("{1}{4}{0}{2}{3}"-f'le',("{0}{1}"-f 'v','ARiA'),':R','2QF','b'))."VAL`UE"::"Un`I`COdE"."Gets`Tri`Ng"(  (  &("{0}{1}{2}" -f("{0}{1}"-f'G','eT-ch'),("{0}{1}"-f'i','LDITe'),'m') ('vAr'+'I'+'A'+("{2}{1}{0}"-f'k','X','BlE:m')+'N'))."v`ALUE"::("{3}{1}{2}{0}{4}"-f 'S',("{0}{1}"-f 'romB','a'),("{1}{0}" -f'64','se'),'F',("{1}{0}"-f 'ring','t'))."INVO`kE"(${X5})));

#   L58: `GEt-varIABlE r2QF -vaLUEonLy`; `VAriAbLE Mxkn` (bare noun -> Get-Variable)
${z`6}=$((&("{0}{1}{3}{2}"-f 'GE','t',("{1}{2}{0}" -f'BlE','a','rIA'),'-v')  ('r2Q'+'F') -vaLUEonLy  )::"UNiCo`dE"."gETS`T`RI`NG"( (&("{2}{0}{1}" -f'iAb','LE','VAr')("{1}{0}"-f'n','Mxk'))."Va`lUe"::("{3}{0}{4}{1}{2}" -f("{2}{1}{0}"-f 'ase64','B','om'),("{0}{1}" -f'tr','in'),'g','Fr','S')."I`Nv`oKE"(${x`6})));

# Password loop. $input starts as $z1 ("nok") so the loop runs at least once and only
# exits once it has been set to the literal "ok" in the else-branch below.
# NOTE(review): `$input` is also a PowerShell automatic variable; assigning it here
# appears to work in script scope, but shadowing it is fragile - confirm if reusing.
do{ ${in`Put}=${z`1};

# `Write-Host $z2` - shows the prompt.
.("{0}{1}{2}"-f ("{0}{1}"-f("{0}{1}" -f 'W','rit'),'e'),'-H','ost') ${z2};

# `Read-Host` - the binary-looking name is just an ordinary variable name.
${01100101010000101} = .("{0}{1}{2}"-f 'Re','a',("{0}{1}"-f("{1}{0}"-f 's','d-Ho'),'t'));

# $z3 is used as a regex: `-notmatch` is a case-insensitive regex test, so the
# anchored pattern decides whether the typed line is accepted.
# Failure branch: `Write-Host ""`, then $z4 in red, then another blank line.
 if (${01100101010000101} -notmatch ${z3}) { &("{3}{1}{2}{0}"-f 'ost','t','e-H','Wri') "";

 &("{0}{2}{3}{1}" -f 'Wri','t','te',("{1}{0}" -f 'Hos','-')) ${z`4} -ForegroundColor ("{1}{0}" -f 'ed','R');

.("{2}{1}{0}" -f ("{1}{0}" -f'ost',("{0}{1}"-f'te','-H')),'i','Wr') "";

# On failure $input is re-armed with $z5 ("nok") so the loop repeats; on success it
# becomes "ok" and `Write-Host $Z6 -ForegroundColor Blue` prints the success message.
${iNP`UT}=${z5}}else{ ${I`NpUT}="ok";

.("{2}{1}{0}" -f("{0}{1}" -f ("{0}{1}"-f 'e','-Ho'),'st'),'it','Wr') ${Z6} -ForegroundColor ("{0}{1}" -f'Blu','e')}} while(${I`NpUT} -ne "ok")

Here we can see where the variables are defined (the variable notation is ${variable_name}), after displaying them one by one in PowerShell ISE:

Image3

@Areizen