Category: Forensics
In this challenge, an attacker gained access to a Windows machine and used a legitimate Windows binary to execute a malicious PowerShell payload. The script was heavily obfuscated to evade detection and complicate forensic analysis.
The objective was to analyze the suspicious files, understand the obfuscation techniques used, safely deobfuscate the script, and recover the hidden flag without executing the malicious code.
While manually browsing the file system, a suspicious directory stood out:
\Iced\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
This directory is commonly abused by malware to store staged payloads. Inside it, a suspicious file contained a long obfuscated PowerShell command.
To analyze it safely, the following command was used:
strings *
-f formatting operatorCvxInvoke-Expression (IEX)Although the script looked extremely complex, it was simply multiple layers of obfuscation hiding a Base64-encoded command.
Instead of executing the entire script (which could be dangerous), only the safe reconstruction parts were evaluated.
First, all junk tokens such as Cvx were removed.
Then the formatted string was reconstructed.
This revealed the real inner command:
Invoke-Expression(
[System.Text.Encoding]::Unicode.GetString(
[System.Convert]::FromBase64String("...")
)
)
The Base64 string had been intentionally split and modified to make analysis harder. After cleaning and decoding it safely, the hidden payload was revealed.
FlagY{d41d8cd98f00b204e9800998ecf8427e}
This challenge demonstrates how attackers use legitimate Windows binaries and layered PowerShell obfuscation techniques to evade detection. It highlights the importance of static analysis and understanding common obfuscation patterns during forensic investigations.