【CISCN2023初赛】PwSh

[CISCN 2023 初赛]PwSh | NSSCTF

看了下，全混淆了，用一个反混淆器

denisugarte/PowerDrive: A tool for de-obfuscating PowerShell scripts (github.com)

提示可能包含恶意代码，用虚拟机拍快照、把网卡禁了

用管理员权限运行pwsh

Set-Executionpolicy Unrestricted
Import-Module ./PowerDrive.psm1

卡死了，换一个

Malandrone/PowerDecode: PowerDecode is a PowerShell-based tool that allows to deobfuscate PowerShell scripts obfuscated across multiple layers. The tool performs code dynamic analysis, extracting malware hosting URLs and checking http response.It can also detect if the malware attempts to inject shellcode into memory. (github.com)

失败，再换

赛博厨子#

看了一些文章，突然发现这玩意贼强

参考：

• Deobfuscate PowerShell using subtract - CyberChef Recipe 0x4 - Securityinbits
• Deobfuscate Script using CyberChef – Recipe 0x3 - Securityinbits

From_Base64('A-Za-z0-9+/=',true,false)
Raw_Inflate(0,0,'Adaptive',false,false)

上面这段代码可以解压

From Base64, Raw Inflate - CyberChef