
# Forensics - Relic Maps

We started off with a file download. The file is a Microsoft OneNote attachment, all the rage for phishing a few months ago (and still a bit today). I immediately dropped it into CyberChef so I could mess with it.

The first thing I ran on it was `strings`, and tada! We got the commands that would execute if you enabled the embedded content.

<figure><img src="/files/dktnSelpBNzDMCaiWMPq" alt=""><figcaption><p>relicmaps.one strings</p></figcaption></figure>

The commands that run have two main parts. Both are similar: each uses PowerShell to download a file and then run it. The one of interest here is the windows.bat file, which gets renamed to system32.bat.

If we download the file from the link we get this:

<figure><img src="/files/SMNugkmJORdg48IZOnVW" alt=""><figcaption><p>window.bat contents</p></figcaption></figure>

In the contents we can see it declaring a ton of variables and then concatenating them to build the commands that actually run. To make this readable I used Sublime to strip out the junk, turned it into a Python version, and had it print the assembled commands.

```python
eFlP="set "
ualBOGvshk="ws"
...
fLycQgNMii="oin "
KsuJogdoiJ=" -no"
djeIEnPaCg="tsWi"
brwOvSubJT="e =\" "
TOqZKQRZli="uZOc"
test1 = CJnGNBkyYp + UBndSzFkbH + ujJtlzSIGW + nwIWiBzpbz + cHFmSnCqnE + kTEDvsZUvn + JBRccySrUq + ZqjBENExAX + XBucLtReBQ + BFTOQBPCju + vlwWETKcZH + NCtxqhhPqI + GOPdPuwuLd + YcnfCLfyyS + JPfTcZlwxJ + ualBOGvshk + xprVJLooVF + cIqyYRJWbQ + jaXcJXQMrV + pMrovuxjjq + KXASGLJNCX + XzrrbwrpmM + VCWZpprcdE + tzMKflzfvX + ndjtYQuanY + chXxviaBCr + tHJYExMHlP + WmUoySsDby + UrPeBlCopW + lYCdEGtlPA + eNOycQnIZD + PxzdwcSExs + VxroDYJQKR + zhNAugCrcK + XUpMhOyyHB + OOOxFGwzUd
# cls  (batch command from the original script, kept here as a comment)
test2 = dzPrbmmccE + xQseEVnPet
test3 = (eDhTebXJLa + vShQyqnqqU + KsuJogdoiJ + uVLEiIUjzw + SJsEzuInUY + gNELMMjyFY + XIAbFAgCIP + weRTbbZPjT + yQujDHraSv + zwDBykiqZZ + nfEeCcWKKK + MtoMzhoqyY + igJmqZApvQ + SIQjFslpHA + KHqiJghRbq + WSRbQhwrOC + BGoTReCegg + WYJXnBQBDj + SIneUaQPty + WTAeYdswqF + EdLUuXiTNo + rVOFKTskYR + nMLIkcyFZj + jtkYEPXtKX + RWcegafVtf + KhyyrSrcKr + zDUDeXKPaV + VZAbZqJHBk + XClTzcVMGM + xVIsxobyZi + qpUykKHwzb + iKAAuWsbec + cYinxarhDL + olHsTHINJO + uynFENuiYB + WauWfrgGak + tzSNMWchGN + oFspIELDJK + FijcPoQLnC + AbMyvUGzSH + LmCknrHfoB + GDXqElqPYy + gqUdnmSTUN + YlKbYsFYPy + GLwLVWewUj + EQAuBusyXb + yOkBDuSVrl + FraARuTjiq + hwZKiiLqAE + ahbOZSBViB + djeIEnPaCg + AiqHTcPzsv + JCuNlxqlBZ + TYbHmXrqgV + sLNudRRtUX + dbDMRBPrxg + XEyDmChJvW + KytxcYPZKt + GWrDWSvoPL + haSZYOmkiA + JhYYmEHfJT + LPGeAanVGt + hTTJOKGuzo + MFRjJyYsrs + kpEWZrtOzX + BrDOtQoojB + YnGvhgYxvb + cUDojRpXKx + rSVBNvbdPT + kJjQuXIjOT + tVtxVGNpFB + BqEMjgsfHM + fVHBRsLNUl + jgiQdwyxFg + HLynrUfwGo + FCBcNynRGD + VavtsuhNIN + HUAAetwukX + nogFGGEgdF + iHRclHpeVX + MrNTGKcbYu + bTHJpHTPMM + QbKdEZdxpx + drymkVAnZW + DDiJEpaiME + OAsjgKHKoH + HFLAqJuuyu + gFQQimTbzp + YULKJDZpgz + oQYrpYRHsU + VGKsxiJBaT + RGlZIMTaRM + JenYfqHzBk + vmIEtsktnA + TypmIIEYJC + eQPFkQsLmh + AkaPyEXHFq + BANrSlObpx + LIQYgFxctD + ZygfZJxAOd + KXttaDcyMZ + brwOvSubJT + hVncqdtHrj + OonlMOpxYC + CZpuCIcrKh + owRVWPJqcX + jugDlMdkcG + DXdgqiFTAH + acXjUrxrpX + eYuashSMjP + ESpdErsKEO + kQQvXhxXIT + pLUeCEDcNj + pTKKchMUFD + ZMNBNnhYdl + KVdpASYkBZ + OpWuyrggtP + uDsfTCYsro + wEZCzuPukj + jCsFOJQsdv + hbFnQgCXwX + UFSmCjquVd + BMVjGSkNrk + MFpVhvZMMs + SRYmoDJgcF + svwZUufvHX + WPGlloqWfh + kEHDlJOIVc + jdKMRqipbM + pEeOvclMbZ + nMbUuONTOk + GwAFOSfUtV + gbVsRGzTij + ybHVOwcPrc + CpAQgSdzaC + XqtgTmRIdO + pUKFMEPFQs + QpDqsQAemY + CZTFliIBbC + EuMCNHEVeC + dyJHMHMcNc + LNwemqbftD + VnDoNvCbDL + mFZJVdqlTD + vGOYQQYIpx + GzBAHPVuTq + fLycQgNMii + ZPlPiozEyW + xULgeMdzcg + iVrCyJhMiJ + dlzhxQnMss + pqWXTkasXe + doKcadyJqy +
    hNwOTmvEJo + yqhJQSZuJo + JPOdGPAwht + rEvTlCThdH + PwJJFMgamh + eeacPrYshd + LYxpWUVnyn + YRqcyngfyU + IAkZpnEseT + DAaZVQYtML + QTBYjmNXEB + lSUnvlNyZI + pCjFJxRqgH + oMsMdPYmPd + AGOCIKFMEK + dAuevoJWoL + uwRWnyAikF + mBIWiJNHWZ + RfMwENsorP + gbXeIdPSoj + kxCYxBSxVM + AbZpTpKurz + glRvzlEEoe + TVsNOuCNZd + VUsEoebHks + tuAPcYGhzl + WojQSFImBz + NXvoEmTmgu + jWtWLzuDKP + NvnNgHLBLJ + vPgKEvZmlQ + ftaecaUnft + lfCLMrJHhW + ArAxZuPIrp + zhsTKtujLg + MxwsyqmvYm + MsfoqNTDfI + klVPUdMJas + XzWakcViZI + htJeDhbeDW + ARecVABHyu + EDuGpmwedn + SKEwAQBRlN + bIgeRgvTeJ + AnKEeEZdOq + KXapePmHCe + YKwLsVwqOj + QCZuMFaZsV + RycUceHQZc + TOqZKQRZli + hIpFAiXGDz + PmpGnAHBIo + nGqMpclaJV + NbOjNijxuU + hbnAmGyJMk + jpqWVBsCpx + WXWHLOygSe + rjhOhltPzI + DCnzMxKRnm + QGiWXkfFPy + isQISZiBPJ + iCcGUuJxVn + dGSGnKbkQW + gNabAkLFGN + pibEdoDBbD + AHKCuBAkui + YYKSCuCbgJ + IeRiYUFnCZ + hzjnwzdyGY + KAlyOryibJ + MBvrUwPCDz + WmHvayPxwd + reviZiSttH + wwmTmFdRsZ + JBUgbyTPxp + BaMYsIgnsM + DwiWdAaOiv + vXewtPjogB + odWdfvJnBE + yPzFwnsYdA + xfHbUEWpFC + ySgQyAAfQH + QMmDXFyyag + xllGdjvUjB + zuIYfGJIhV + MmhvJKSdep + fxpyemHAMo + eFWpiweoyr + WQqetkePWs + qsPTvcejTS + YiVTQhqRnm + GEFNspgkfU + iREuYMPcTg + rVuFsOUxnm + UmCJMMMcBg + VUeZKgDBUe + roXhULjavE + uIWSZVpUHl + ZNBNkxQuUl + ktDjVGpvOa + CMHWMmXlZO + RITIeDNkWx + UPfjubfNXt + GTgGJngEbX + zFvgtBzUer + TfyrgNGxBL + hknFiXCnZQ + xijYXotZPT + BlIFABuPAW + GJcpQprPXv + YmUoUKWAtR + tHHIjVCHeH + DNNdkNfTiI + XEcuUpquLQ + EUwICZcugV + MJKqSlzRdg + FcrKUOEnOU + EiWocIreAk + LLNnWnTLBJ + QzqEkBCLON + uOGlqENvnk + TuqTvTpeOG + USLedfRsdA + fFqNPWfBWr + AyyrPvjwjr + mxXhSCdBil + MusMeoeDey + OOiwgwuupI + WvjMoIIiUn + TEtLFfgLmA + rFsKCxpAbv + hImzprlFyw + GVIREkvxRa + qIhOqqdyjR + shhyfkrTvn + UAnQUvXBfs + bSIafzAxiZ + oNvGdyNkLt + SCbDgQuqTU + tBsRPAyhtG + KUKwZheGNw + INPLAzQfUo + ekEoGMuERC + aGQeJYSFDZ + LODxmGMGqq + KtmeCApwQn + MAPkvbWKbC + HlBVDpGgba + ZNnASGtLCj + IwOqmlYsbl + JbFOJyRrBm + TiuQnZmosP + HkiSTlwlIs + rofQqYizRu
    + OckpqzbYcn + YJZmDySMUy + cGJiVEdEzp + QNxYaFZSBu + jxjvtHoTnR + fvEtritbuM + wxzMwkmbmY + yZlAoExoOn + pjrIjvjdGR + mYyPXMYwYi + vnHosfjdeN + LfngwmfRCb + bivuMABwCB + GapFScCcpe + lfYSggLrsL + GhTXhmRnCR + ENADhKPHot + KdByPVjCnF + PjdRUyhsyG + kpzxAxFvLw + rddZbDFvhl)
# exit /b  (batch command from the original script, kept here as a comment)
print(test1)
print("Second: \n")
print(test2)
print("Third: \n")
print(test3)
```
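As an added example (not the author's script above), here is a general version of the same idea: a small Python deobfuscator that parses the `set "name=value"` lines of a batch file and resolves the `%name%` references, so the assembled command lines can be read without copying the fragments by hand. The batch text it runs on is a constructed sample in the style of windows.bat, not the challenge file.

```python
import re

# Constructed sample in the style of the challenge's windows.bat (not the real
# file): every variable holds a tiny fragment, and the real command line only
# exists after %var% expansion.
SAMPLE_BAT = r'''@echo off
set "qW=cop"
set "eR=y /y "
set "tY=powersh"
set "uI=ell.exe"
set "zX=%tY%%uI%"
set "aB=pow"
set "cD=ersh"
set "eF=ell "
set "gH=-no"
set "iJ=p -c"
%qW%%eR%%SystemRoot%\System32\WindowsPowerShell\v1.0\%zX% %TEMP%\stage.exe
cls
%aB%%cD%%eF%%gH%%iJ% "Write-Host demo"
exit /b
'''

SET_QUOTED = re.compile(r'^set\s+"([^=]+)=(.*)"$', re.IGNORECASE)  # set "NAME=VALUE"
SET_PLAIN = re.compile(r'^set\s+([^=\s]+)=(.*)$', re.IGNORECASE)    # set NAME=VALUE
VAR_REF = re.compile(r'%([^%\s]+)%')                               # %NAME%

def expand(line, env):
    """Single-pass %var% expansion. cmd.exe variable names are case-insensitive;
    unknown references (e.g. %TEMP%) are left untouched so they stay visible."""
    return VAR_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)

def deobfuscate(bat_text):
    """Return every non-set line with its variables resolved, in script order."""
    env = {}
    commands = []
    for raw in bat_text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(('rem ', '::')):
            continue
        m = SET_QUOTED.match(line) or SET_PLAIN.match(line)
        if m:
            # cmd.exe expands %var% inside a value when the set runs, so a
            # variable built from earlier fragments is resolved here as well.
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        commands.append(expand(line, env))
    return commands

if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_BAT):
        print(cmd)
```

Because expansion happens once per line, a variable that is itself assembled from other variables (zX above) is resolved at its `set`, exactly as cmd.exe does it.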

Using this I got the commands being run on the system. From that I gathered it was trying to hide that it was running PowerShell commands by copying the PowerShell executable and using the copy instead. With PowerShell it was then decrypting an AES-encrypted payload, decompressing it from GZip, and running it. I modified the PowerShell to print this out so I could see what the payload was, but it kept breaking.

To fix this I had it write the decrypted contents to an output.gz file instead, like this:

<figure><img src="/files/y1W40ayS6334BXYizVXR" alt=""><figcaption><p>Decrypting the payload</p></figcaption></figure>

Once I had it saved I threw it into CyberChef and got the flag!

<figure><img src="/files/EXRlGVMq8lYLBGee4csI" alt=""><figcaption><p>Flag in CyberChef</p></figcaption></figure>

PWNED!!
