# Silent Breach Lab

## Challenge: [Silent Breach Lab](https://cyberdefenders.org/blueteam-ctf-challenges/silent-breach/)

After a long period of inactivity, I’m back with a new post. I'm excited to present a new challenge, freely released for the community. As of now, no public write-ups have been published on **Featured Writeups**, so I'm glad to share my insights to support those seeking guidance.

## Q1: What is the MD5 hash of the potentially malicious EXE file the user downloaded?

The challenge provides an *ad1* file, an AccessData logical image, which I loaded into FTK Imager for analysis. Inspecting the ***Downloads*** folder, we find a suspicious file: it looks like a PDF, but it is actually an executable disguised with a *.pdf* extension, an evident case of file masquerading commonly used in malware delivery. The extension alone proves nothing; the file's first bytes settle it, since a PE executable starts with the `MZ` header while a genuine PDF starts with `%PDF`.

<figure><img src="/files/qU4bKmKBe8sccTXIyuF0" alt=""><figcaption><p>Image 1</p></figcaption></figure>

By uploading the file to VirusTotal, we can read off its hash values, MD5 included. Keep in mind that uploading shares the sample with VirusTotal and its users; in a real incident, compute the hash locally (FTK Imager's *Export File Hash List*, or `Get-FileHash -Algorithm MD5` in PowerShell) and look the hash up instead of submitting the file.

<figure><img src="/files/4dTF1SJTt99lOqLDPyq1" alt=""><figcaption><p>Image 2</p></figcaption></figure>

## Q2: What is the URL from which the file was downloaded?

To determine the URL the file was downloaded from, we examine the browsers' history databases. For Chromium-based browsers such as Google Chrome and Microsoft Edge this is the `History` SQLite file in the profile directory (`%LocalAppData%\Google\Chrome\User Data\Default\History` and `%LocalAppData%\Microsoft\Edge\User Data\Default\History`); its `downloads` table records the saved path and timestamps, and `downloads_url_chains` records the URL (and any redirects) each download came from. For detailed steps on locating this evidence, refer to my blog post on [Browser Forensics](https://walterdrake.gitbook.io/mysite/browser-forensics/).

In this case, we observe that the victim system contains two web browsers: Google Chrome and Microsoft Edge.

<figure><img src="/files/07PO4Bfe5adgBMAZ8AOo" alt=""><figcaption><p>Image 3</p></figcaption></figure>

I began by examining the Google Chrome history database. However, it only shows a download for TeamViewer software, which is not the file we are investigating.

<figure><img src="/files/7IibDVYK4Q9Tu8fkcHLm" alt=""><figcaption><p>Image 4</p></figcaption></figure>

Turning to the Microsoft Edge history database, we find the download records we are after, including the one of interest.

<figure><img src="/files/hbd7BYkfz8Kr4H2KFC51" alt=""><figcaption><p>Image 5</p></figcaption></figure>
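The query behind the screenshots above, as an added example that is not part of the original write-up: it joins the Chromium `downloads` table with `downloads_url_chains`, converts the WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC, and flags downloads whose server-reported MIME type is an executable while the saved name is not. The sample database is a constructed, reduced copy of the two tables with made-up rows and `example.test` URLs; the MIME/extension heuristic is my own, not a Chromium field. Pointing the script at a copied `History` file from Chrome or Edge works the same way.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores timestamps as microseconds since 1601-01-01 00:00 UTC
# (the WebKit / Windows FILETIME epoch), not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# MIME types servers hand out for Windows executables. A download saved under a
# non-executable name but served with one of these deserves a look
# (heuristic constructed for this example, not a Chromium field).
EXECUTABLE_MIMES = {"application/x-msdownload", "application/x-dosexec",
                    "application/vnd.microsoft.portable-executable"}
EXECUTABLE_EXTS = (".exe", ".dll", ".msi", ".scr", ".com")


def webkit_to_utc(us):
    """Chromium microsecond timestamp -> aware UTC datetime (None when unset/0)."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def list_downloads(conn):
    """Every download with its full URL chain, oldest first, plus a masquerade flag."""
    rows = []
    for did, target, start, mime, referrer, tab_url in conn.execute(
        "SELECT id, target_path, start_time, mime_type, referrer, tab_url "
        "FROM downloads ORDER BY start_time"
    ):
        # chain_index 0 is the URL the user requested; the last entry served the bytes.
        urls = [u for (u,) in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (did,))]
        started = webkit_to_utc(start)
        rows.append({
            "id": did,
            "target_path": target,
            "started": started.isoformat() if started else None,
            "mime_type": mime,
            "referrer": referrer,
            "tab_url": tab_url,
            "urls": urls,
            "final_url": urls[-1] if urls else None,
            "masquerade": mime in EXECUTABLE_MIMES
                          and not (target or "").lower().endswith(EXECUTABLE_EXTS),
        })
    return rows


def build_sample_history():
    """Constructed, reduced copy of the two Chromium History tables used above,
    filled with made-up rows. Real History files carry many more columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, state INTEGER,
            mime_type TEXT, referrer TEXT, tab_url TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER, chain_index INTEGER, url TEXT, PRIMARY KEY (id, chain_index));
    """)
    t1 = utc_to_webkit(datetime(2025, 3, 1, 9, 2, 0, tzinfo=timezone.utc))
    t2 = utc_to_webkit(datetime(2025, 3, 1, 9, 15, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, r"C:\Users\victim\Downloads\TeamViewer_Setup_x64.exe", t1, 50_000, 50_000, 1,
         "application/x-msdownload", "https://vendor.example.test/download/",
         "https://vendor.example.test/download/"),
        (2, r"C:\Users\victim\Downloads\Report.pdf", t2, 4_096, 4_096, 1,
         "application/x-msdownload", "https://mail.example.test/inbox",
         "https://mail.example.test/inbox"),
    ])
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://dl.example.test/TeamViewer_Setup_x64.exe"),
        (2, 0, "https://short.example.test/r/7f3a"),          # link clicked in webmail
        (2, 1, "https://files.example.test/get/Report.pdf"),  # redirect target that served the bytes
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    # Argument: a *copy* of a Chrome/Edge History file; without one the constructed sample is used.
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    for row in list_downloads(conn):
        flag = "  <-- MIME/extension mismatch" if row["masquerade"] else ""
        print(f'{row["started"]}  {row["target_path"]}{flag}')
        print(f'    chain:    {" -> ".join(row["urls"])}')
        print(f'    referrer: {row["referrer"]}')
```

The `referrer` and `tab_url` columns are what connect the download to the page the user was on (here, the webmail inbox), which is the lead for the mail artifacts examined in Q4.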

## Q3: What application did the user use to download this file?

The answer follows from Q2: the download record was found in the Microsoft Edge history database, not in Chrome's, so Edge is the application the user downloaded the file with.

## Q4: By examining Windows Mail artifacts, we found an email address mentioning three IP addresses of servers that are at risk or compromised. What are the IP addresses?

As a reference for this lab, a blog post detailing the new location of Windows Mail artifacts is provided. However, when you open the data in HxD it becomes clear that picking an IP address out of such a cluttered format is quite challenging. If you can spot it using HxD, well, you truly have sharp eyes! :))

I found a helpful blog related to this evidence titled [*Windows 10 Mail App Forensics*](https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2). It might be useful for future investigations, though not immediately applicable here. The tool referenced in that blog, [NirSoft’s ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), didn’t provide the message content as the author described. Unfortunately, I don’t have the budget to use the paid alternative, **OSForensics**, which could potentially offer more results.

Returning to the mindset of "*no budget, still solving the problem*", I took a traditional approach and used simple string searches to locate the IP addresses :)).

Initially, I tried using regex to extract the IP address, but it returned no results. Afterwards, I loaded the file into BinText and performed a manual search.

<figure><img src="/files/nRw5zDdmQIHeRGtLkjwK" alt=""><figcaption><p>Image 6 </p></figcaption></figure>
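A frequent reason an ASCII regex returns nothing against Windows Mail data is that the strings are stored as UTF-16LE, with a NUL byte after every character; BinText finds them because it searches Unicode strings as well. The carver below is an added example (not from the original write-up) that searches a raw byte blob for dotted quads in both encodings, validates each candidate with `ipaddress` so junk such as `999.1.1.1` is dropped, and prints the offset, encoding and surrounding text. The `SAMPLE` bytes are constructed for the example (a binary header, a UTF-16LE message body using the RFC 5737 documentation ranges, and an ASCII transport header) and are not taken from the lab's evidence.

```python
import ipaddress
import re
import sys

# Dotted quad in plain ASCII: 1-3 digits per octet, not glued to other digits.
_ASCII = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# The same shape in UTF-16LE, where every character is followed by a NUL byte.
_UTF16LE = re.compile(
    rb"(?<![0-9]\x00)(?:(?:[0-9]\x00){1,3}\.\x00){3}(?:[0-9]\x00){1,3}(?![0-9]\x00)"
)
_PATTERNS = (("ascii", _ASCII, 1), ("utf-16le", _UTF16LE, 2))


def _printable(raw, enc):
    """Decode a context window and replace anything non-printable with a dot."""
    return re.sub(r"[^\x20-\x7e]", ".", raw.decode(enc, errors="replace"))


def carve_ipv4(data, context=32):
    """Validated IPv4 literals in `data`, found in either encoding, with offset and context."""
    hits = []
    for enc, pattern, width in _PATTERNS:
        for m in pattern.finditer(data):
            text = m.group().decode(enc)
            try:
                ip = ipaddress.IPv4Address(text)   # rejects 999.1.1.1, leading zeros, ...
            except ValueError:
                continue
            # Keep the window aligned to the character width so UTF-16 decodes cleanly.
            lo = max(m.start() % width, m.start() - context * width)
            hi = min(len(data), m.end() + context * width)
            hits.append({
                "offset": m.start(),
                "encoding": enc,
                "ip": str(ip),
                "global": ip.is_global,   # False for RFC 1918, loopback, documentation ranges
                "context": _printable(data[lo:hi], enc),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a slice of a Windows Mail store. Not real evidence.
SAMPLE = (
    b"\x00\x00\x13\x37\xef\xcd\xab\x89 page header junk \x00\x00"
    + "Subject: Servers at risk\r\n".encode("utf-16le")
    + ("The hosts 203.0.113.7 and 198.51.100.22 look compromised; "
       "192.0.2.55 is also exposed.").encode("utf-16le")
    + b"\x00\x00Received: from relay.example.test (10.0.0.5)\r\nX-Build: 999.1.1.1\r\n"
)


if __name__ == "__main__":
    # Argument: any file to carve (an exported mail store, a .dat message, a memory dump).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in carve_ipv4(data):
        print(f'{h["offset"]:#010x} {h["encoding"]:<8} {h["ip"]:<15} '
              f'global={h["global"]!s:<5} | {h["context"]}')
```

Running it on the sample finds the three UTF-16LE addresses from the message body and the one ASCII address from the transport header, and silently drops `999.1.1.1`. The `global` flag is a quick way to separate internal relay addresses from the externally reachable servers the question asks about, and the context column is what lets you tell a server list in a message from a version string or an internal header.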

## Q5: By examining the malicious executable, we found that it uses an obfuscated PowerShell script to decrypt specific files. What predefined password does the script use for encryption?

When I encountered this question, my initial thought was to search for the dropped file. However, these files are often deleted and difficult to recover. Then, I considered loading the file into IDA to look for any PowerShell-related strings or code. I’m not sure if this was the correct approach, but I quickly gave up on it because, at the time, I wasn’t confident in my reverse engineering skills.

While browsing the file in HxD, I unexpectedly noticed that the code was quite easy to read. This led me to extract the strings and analyze them further.

After extracting the strings from the file to make it easier to read, I began searching for a *.ps1* file name. You can also find this filename in the dropped files section of the VirusTotal report.

<figure><img src="/files/ylBciXKehgEKi7SAbv1X" alt=""><figcaption><p>Image 7</p></figcaption></figure>

<figure><img src="/files/rFtgAsgl2Q1g12gPwbU2" alt=""><figcaption><p>Image 8</p></figcaption></figure>

As shown in the image above, the PowerShell script is obfuscated. By following the script's own logic, we can take the initial encoded string and decode it step by step. Alternatively, you can execute the script and print the *FHG* variable to reveal the decoded strings; do this only in an isolated analysis VM, and with the final invocation removed, since the same script contains the file-encryption routine examined in Q6. For this process, I will use CyberChef to simplify the decoding steps.

{% hint style="warning" %}
If the script is difficult to understand, don’t hesitate to use support tools like ChatGPT or other large language models to assist you in the analysis.
{% endhint %}

<figure><img src="/files/qtzaOQLOKj47cQkljZ3t" alt=""><figcaption><p>Image 9</p></figcaption></figure>

After decoding the string, we were able to obtain the desired result.

## Q6: After identifying how the script works, decrypt the files and submit the secret string.

By analyzing the extracted code, we can see that it encrypts *.pdf* files and saves the resulting *.enc* files to the ***Desktop*** folder. What the decryptor needs is the password from Q5, the fixed 8-byte salt, the iteration count, and the fact that the AES key and IV are both taken from a single PBKDF2 output (the first 32 bytes and the following 16).\
Based on the encryption code, we could manually write a decryption script, but to simplify the process, I used ChatGPT for assistance. Below is the code I used to decrypt the file.

```python
from pathlib import Path

from Crypto.Cipher import AES
from Crypto.Hash import SHA1
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util.Padding import unpad

# Parameters recovered from the decoded PowerShell script (Q5).
PASSWORD = b"Imf!nfo#2025Sec$"
SALT = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])
ITERATIONS = 10000
KEY_SIZE = 32   # AES-256
IV_SIZE = 16    # AES block size

# One PBKDF2-HMAC-SHA1 stream of 48 bytes: the first 32 are the key, the next
# 16 the IV. HMAC-SHA1 is the default of .NET's Rfc2898DeriveBytes, the usual
# PBKDF2 available to PowerShell.
derived = PBKDF2(PASSWORD, SALT, dkLen=KEY_SIZE + IV_SIZE,
                 count=ITERATIONS, hmac_hash_module=SHA1)
KEY, IV = derived[:KEY_SIZE], derived[KEY_SIZE:]


def decrypt_file(enc_path, dec_path):
    ciphertext = Path(enc_path).read_bytes()
    if len(ciphertext) % AES.block_size:
        raise ValueError(f"{enc_path}: length is not a multiple of 16, not raw AES-CBC output")

    cipher = AES.new(KEY, AES.MODE_CBC, IV)
    # unpad() verifies every PKCS#7 padding byte, not just the last one, so a
    # wrong password or salt fails here instead of writing garbage to disk.
    plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)

    if not plaintext.startswith(b"%PDF"):
        print(f"[!] {enc_path}: output does not start with %PDF, check the parameters")
    Path(dec_path).write_bytes(plaintext)


if __name__ == "__main__":
    for enc_file in ("IMF-Secret.enc", "IMF-Mission.enc"):
        dec_file = enc_file.replace(".enc", ".decrypted.pdf")
        decrypt_file(enc_file, dec_file)
        print(f"[+] Decrypted: {dec_file}")
```

After decrypting the file, we examined its contents and successfully retrieved the flag.

<figure><img src="/files/aYrsPD1sS3pkRwNpoEoZ" alt=""><figcaption><p>Image 10</p></figcaption></figure>

