# Forensics - Artifacts of Dangerous Sightings

This challenge starts with a disk image, delivered as a VHDX file. VHDX happens to be essentially unsupported by Autopsy, the tool I really wanted to use, which caused a quick headache. The workaround was to mount the image on my machine with FTK Imager and then add the mounted disk to Autopsy as a data source.

With it mounted I could let Autopsy analyze the disk and poke around more easily. After about 10 minutes I came across the ConsoleHost\_history.txt file (the PSReadLine history, kept per user under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine). In here was the PowerShell command history... Very spicy.

It was indeed very spicy: the history showed something called "finpayload" being hidden inside ActiveSyncProvider.dll.

<figure><img src="/files/LEdzEdXmCvFdVIrIRyUR" alt=""><figcaption><p>In the bottom right you can see the text in the file (Powershell history)</p></figcaption></figure>

Because we have the whole disk, we can go grab that ActiveSyncProvider.dll file and extract what's in there. Easy peasy.

<figure><img src="/files/8wClmMoTwqRRC1e2dDt7" alt=""><figcaption><p>LOTS of encoded powershell</p></figcaption></figure>

After extracting it we are left with a lot of encoded PowerShell. Yuck. Let's get it back into plaintext...

<figure><img src="/files/7ttVbP7JUoqkzHothxtJ" alt=""><figcaption><p>The decoded powershell</p></figcaption></figure>

<figure><img src="/files/YSgMlTsQenXlt9wQcPwI" alt=""><figcaption><p>My honest reaction</p></figcaption></figure>

Ew. This is even grosser than the encoded powershell.

Where do I even start?

I didn't know, but after some googling I figured out what it was doing. It starts by creating variables holding the values 0, 1, 2, 3, and so on, then builds a couple of short strings the same way. This is the section that does it (the trailing comments give the value each statement ends up with):

```powershell
${[~@} = $();                                             # $null
${!!@!!]} = ++${[~@};                                     # 1
${[[!} = --${[~@} + ${!!@!!]} + ${!!@!!]};                # 2
${~~~]} = ${[[!} + ${!!@!!]};                             # 3
${[!![!} = ${[[!} + ${[[!};                               # 4
${(~(!} = ${~~~]} + ${[[!};                               # 5
${!~!))} = ${[!![!} + ${[[!};                             # 6
${((!} = ${!!@!!]} + ${[!![!} + ${[[!};                   # 7
${=!!@!!}  = ${~~~]} - ${!!@!!]} + ${!~!))};              # 8
${!=} =  ${((!} - ${~~~]} + ${!~!))} - ${!!@!!]};         # 9
${=@!~!} = "".("$(@{})"[14]+"$(@{})"[16]+"$(@{})"[21]+"$(@{})"[27]+"$?"[1]+"$(@{})"[3]);   # the method "".Insert
${=@!~!} = "$(@{})"[14]+"$?"[3]+"${=@!~!}"[27];           # "iex"
${@!=} = "["+"$(@{})"[7]+"$(@{})"[22]+"$(@{})"[20]+"$?"[1]+"]";   # "[Char]"
```

I didn't know it, but `++${[~@}` is equal to 1 in PowerShell: `$()` is `$null`, `$null` counts as 0 in arithmetic, and the pre-increment both stores and returns 1. The next statement decrements that variable back to 0 and adds the 1 twice to get 2, and each further integer is built by adding and subtracting the ones already defined. The last three statements build strings the same way: `"$(@{})"` is the string "System.Collections.Hashtable" and `"$?"` is "True", so picking single characters out of them by index spells "insert" (used to grab the `"".Insert` method, whose definition string supplies the 'x'), then "iex", and finally "[Char]".

I got to this by opening the script in PowerShell ISE, putting a breakpoint at the end of that section, and hovering over each variable to read its value. I then went back to the saved text and did a find-and-replace of every variable with the appropriate character or integer. Hitting the breakpoint means that part of the attacker's script has actually executed, so do this on an isolated analysis VM and keep the breakpoint before anything that invokes the decoded payload.

At the end of that I had this file:

{% file src="/files/HUJfHlYYae2OPw1eWRAe" %}
Almost done...
{% endfile %}

With this I could just change the iex at the end of the file to an echo and run it to get the contents. And that's what I did. Everything before that iex still executes, so this too belongs in a throwaway VM with no network.
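The same two steps (resolve the integer and string variables, then substitute them into the rest of the script and swap the recovered `iex` for an echo) can be done statically, without letting any of the script run. The following is an added example written for this write-up, not the author's tooling and not part of the challenge files. It feeds the prologue shown above through a tiny evaluator that knows only the tricks that section uses: `$()`, `++`, `--`, `+`, `-`, indexing into `"$(@{})"` and `"$?"`, and the `"".(...)` method lookup. The `METHOD_DEFS` table is an assumption (the ToString() of the `"".Insert` method reference, from which the script reads index 27), and `EXAMPLE_BODY` is a constructed stand-in for the rest of the script, since the real body is only shown in screenshots.

```python
"""Static resolver for the variable prologue of obfuscated PowerShell.

Added example for this write-up (not the author's tooling). It replays the
arithmetic and string-indexing tricks on paper instead of executing the
script, then substitutes the resolved values into the rest of the script,
replacing the recovered "iex" so the next stage is printed rather than run.
"""
import re

# What the obfuscator indexes into: "$(@{})" stringifies an empty hashtable to
# its type name, and "$?" is "True" right after a successful statement.
STRING_SOURCES = {"$(@{})": "System.Collections.Hashtable", "$?": "True"}

# Assumption: ToString() of the method reference "".Insert (single overload of
# String.Insert). The script reads "${=@!~!}"[27] out of it, which is 'x'.
METHOD_DEFS = {"insert": "string Insert(int startIndex, string value)"}

TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<incdec>\+\+|--)?\$\{(?P<var>[^}]*)\}          # ${name}, ++${name}, --${name}
  | "\$\{(?P<qvar>[^}]*)\}"\[(?P<qidx>\d+)\]            # "${name}"[n]
  | "(?P<src>\$\(@\{\}\)|\$\?)"\[(?P<sidx>\d+)\]        # "$(@{})"[n] or "$?"[n]
  | (?P<null>\$\(\))                                    # $() is $null
  | (?P<mopen>""\.\()                                   # "".(<expr>) method lookup
  | (?P<rparen>\))
  | "(?P<lit>[^"]*)"                                    # plain string literal
  | (?P<op>[+-])
""", re.VERBOSE)
STMT_RE = re.compile(r"^\s*\$\{([^}]*)\}\s*=\s*(.+?)\s*$")   # ${lhs} = rhs

# Prologue copied verbatim from the write-up above.
PAGE_PROLOGUE = r'''${[~@} = $(); ${!!@!!]} = ++${[~@}; ${[[!} = --${[~@} + ${!!@!!]} + ${!!@!!]}; ${~~~]} = ${[[!} + ${!!@!!]}; ${[!![!} = ${[[!} + ${[[!}; ${(~(!} = ${~~~]} + ${[[!}; ${!~!))} = ${[!![!} + ${[[!}; ${((!} = ${!!@!!]} + ${[!![!} + ${[[!}; ${=!!@!!}  = ${~~~]} - ${!!@!!]} + ${!~!))}; ${!=} =  ${((!} - ${~~~]} + ${!~!))} - ${!!@!!]}; ${=@!~!} = "".("$(@{})"[14]+"$(@{})"[16]+"$(@{})"[21]+"$(@{})"[27]+"$?"[1]+"$(@{})"[3]); ${=@!~!} = "$(@{})"[14]+"$?"[3]+"${=@!~!}"[27]; ${@!=} = "["+"$(@{})"[7]+"$(@{})"[22]+"$(@{})"[20]+"$?"[1]+"]";'''

# Constructed stand-in for the rest of the script (the real body is not on the page).
EXAMPLE_BODY = '& ${=@!~!} ("${@!=}${[!![!}${[[!} + ${@!=}${~~~]}${[[!}")'


def tokenize(expr):
    """Split one right-hand side into tokens; anything unknown is an error,
    so unexpected syntax is never silently evaluated."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unrecognised syntax at {expr[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("ws") is None:
            tokens.append(m)
    return tokens


def _combine(a, op, b):
    """PowerShell-style + and -: concatenation if either side is a string,
    otherwise integer arithmetic with $null treated as 0."""
    if op == "+" and (isinstance(a, str) or isinstance(b, str)):
        return ("" if a is None else str(a)) + ("" if b is None else str(b))
    a = 0 if a is None else a
    b = 0 if b is None else b
    return a + b if op == "+" else a - b


def evaluate(tokens, env, pos=0):
    """Fold + and - left to right over resolved operands, updating env for
    ++/-- side effects. Returns (value, index after the expression)."""
    acc, op, first = None, None, True
    while pos < len(tokens):
        m = tokens[pos]
        pos += 1
        if m.group("rparen"):
            break                                   # end of a "".( ... ) argument
        if m.group("op"):
            op = m.group("op")
            continue
        if m.group("var") is not None:
            name = m.group("var")
            if m.group("incdec"):                   # ++/-- on $null starts from 0
                env[name] = (env.get(name) or 0) + (1 if m.group("incdec") == "++" else -1)
            val = env.get(name)                     # an unset variable is $null
        elif m.group("qvar") is not None:           # "${name}"[n]
            val = str(env[m.group("qvar")])[int(m.group("qidx"))]
        elif m.group("src"):                        # "$(@{})"[n] / "$?"[n]
            val = STRING_SOURCES[m.group("src")][int(m.group("sidx"))]
        elif m.group("null"):
            val = None
        elif m.group("mopen"):                      # "".(<expr>) -> method definition string
            name, pos = evaluate(tokens, env, pos)
            val = METHOD_DEFS[name.lower()]
        else:
            val = m.group("lit")
        acc = val if first else _combine(acc, op, val)
        first = False
    return acc, pos


def resolve_prologue(prologue):
    """Evaluate every `${lhs} = rhs;` statement and return {name: value}."""
    env = {}
    for stmt in prologue.split(";"):
        if not stmt.strip():
            continue
        m = STMT_RE.match(stmt)
        if not m:
            raise ValueError(f"not an assignment: {stmt.strip()!r}")
        env[m.group(1)], _ = evaluate(tokenize(m.group(2)), env)
    return env


def substitute(body, env, invoke_replacement="Write-Output"):
    """Replace each resolved ${name} in the body with its literal value, the
    same find-and-replace the write-up does by hand. A variable holding "iex"
    becomes the replacement command so the rewritten script only prints."""
    def repl(m):
        name = m.group(1)
        if name not in env:
            return m.group(0)                       # leave unknown variables untouched
        val = env[name]
        if isinstance(val, str) and val.lower() == "iex":
            return invoke_replacement
        return "$null" if val is None else str(val)
    return re.sub(r"\$\{([^}]*)\}", repl, body)


if __name__ == "__main__":
    resolved = resolve_prologue(PAGE_PROLOGUE)
    for name, value in resolved.items():
        print(f"${{{name}}} = {value!r}")
    print(substitute(EXAMPLE_BODY, resolved))
```

Running it prints the variable table (0 through 9, then "iex" and "[Char]") and rewrites the constructed body to `& Write-Output ("[Char]42 + [Char]32")`, which is the state the write-up reaches before running the script to dump the next stage. The evaluator deliberately raises on any token it does not recognise rather than guessing, so a script using a trick outside this set fails loudly instead of producing a wrong substitution.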

<figure><img src="/files/5VmKDMPvcv18e2uKH20v" alt=""><figcaption><p>The Flag!</p></figcaption></figure>

There's the flag! And here's the fully translated file:

{% file src="/files/t7JkYuDSc7lGSw07c9qI" %}

PWNED!!


