Silent Breach Lab

Level: Medium

After a long period of inactivity, I’m back with a new post. I'm excited to present a new challenge, freely released for the community. As of now, no public write-ups have been published on Featured Writeups, so I'm glad to share my insights to support those seeking guidance.

Q1: What is the MD5 hash of the potentially malicious EXE file the user downloaded?

The challenge provides a file named ad1, an AD1 logical image (the format FTK Imager produces), so I loaded it in FTK Imager for analysis. Inspecting the user's Downloads folder turns up a suspicious file: it carries a .pdf extension but is actually a Windows executable, a classic case of file masquerading used in malware delivery. The extension proves nothing either way; the type is confirmed by the header bytes (an `MZ` signature for a PE file, `%PDF` for a real PDF).

Image 1

Uploading the file to VirusTotal gives its MD5 (along with SHA-1 and SHA-256) together with detection results. If a sample might be sensitive, compute the hash locally instead (for example `Get-FileHash -Algorithm MD5` in PowerShell or `md5sum`) and search VirusTotal by hash rather than uploading the file.

Image 2
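The two checks above, hashing the sample locally and confirming that the header contradicts the extension, as an added Python example that is not part of the original writeup. The file name `Invoice.pdf` and the minimal PE header are constructed for illustration, not taken from the lab sample.

```python
import hashlib
import struct
from pathlib import Path

# Extension -> type the name claims; only the two types this case involves.
CLAIMED_BY_EXT = {".pdf": "PDF document", ".exe": "PE executable"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, computed locally (nothing is uploaded)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(data: bytes) -> str:
    """Identify the real type from header bytes, ignoring the file name."""
    if is_pe(data):
        return "PE executable"
    if data.startswith(b"%PDF"):
        return "PDF document"
    return "unknown"


def masquerade_check(name: str, data: bytes) -> dict:
    """Report when the extension claims one type but the header says another."""
    claimed = CLAIMED_BY_EXT.get(Path(name).suffix.lower(), "unknown")
    actual = detect_type(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "masquerading": "unknown" not in (claimed, actual) and claimed != actual,
        **file_hashes(data),
    }


def fake_pe() -> bytes:
    """Constructed minimal PE header (not the real sample): MZ stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    # Hypothetical file name; on a real case pass Path(p).read_bytes() of the exported file.
    for k, v in masquerade_check("Invoice.pdf", fake_pe()).items():
        print(f"{k}: {v}")
```

On a real case export the file from FTK Imager and feed its bytes to `masquerade_check`; the MD5 in the report is the Q1 answer and can be searched on VirusTotal without uploading the sample.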

Q2: What is the URL from which the file was downloaded?

To determine the URL the file was downloaded from, examine each browser's History database. For Chromium-based browsers (Chrome and Edge) this is a SQLite file under the profile directory (`...\Google\Chrome\User Data\Default\History` and `...\Microsoft\Edge\User Data\Default\History`), whose `downloads` table records the target path, the tab URL and timestamps, and whose `downloads_url_chains` table records the URL (including any redirects) for each download. For detailed steps on locating this evidence, refer to my blog post on Browser Forensics.

In this case, we observe that the victim system contains two web browsers: Google Chrome and Microsoft Edge.

Image 3

I began by examining the Google Chrome history database. However, it only shows a download for TeamViewer software, which is not the file we are investigating.

Image 4

Turning to Microsoft Edge, its History database lists the downloaded files, including the one of interest, together with the URL it was fetched from.

Image 5
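The History query described above, as an added Python example that is not part of the original writeup. It builds a constructed in-memory database with only the columns used here (the real Chromium schema has many more), joins each download to the last URL in its redirect chain, and converts the WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times. The file names and URLs in the sample rows are constructed, not taken from the lab image.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium (Chrome and Edge) stores History times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


# Last entry of the redirect chain is the URL the bytes actually came from.
DOWNLOADS_QUERY = """
SELECT d.id, d.target_path, d.tab_url, d.referrer, d.start_time,
       d.received_bytes, d.total_bytes,
       (SELECT url FROM downloads_url_chains c
         WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1) AS final_url
FROM downloads d
ORDER BY d.start_time
"""


def list_downloads(conn: sqlite3.Connection) -> list[dict]:
    """Every download with its final URL and a UTC timestamp."""
    return [
        {
            "id": r[0],
            "target_path": r[1],
            "tab_url": r[2],
            "referrer": r[3],
            "start_time": webkit_to_datetime(r[4]).isoformat(),
            "complete": r[5] == r[6],
            "final_url": r[7],
        }
        for r in conn.execute(DOWNLOADS_QUERY).fetchall()
    ]


def find_download(downloads: list[dict], filename: str) -> list[dict]:
    """Entries whose target file name matches, case-insensitive (Windows paths)."""
    want = filename.lower()
    return [d for d in downloads
            if d["target_path"].replace("\\", "/").rsplit("/", 1)[-1].lower() == want]


def build_sample_history() -> sqlite3.Connection:
    """Constructed History with a subset of the real columns; rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT, referrer TEXT,
            start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?)", [
        (1, r"C:\Users\victim\Downloads\TeamViewer_Setup.exe",
         "https://teamviewer.example/download", "", 13380000000000000, 100, 100),
        (2, r"C:\Users\victim\Downloads\Invoice.pdf",
         "https://example.invalid/portal", "", 13380000600000000, 200, 200),
    ])
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://teamviewer.example/TeamViewer_Setup.exe"),
        (2, 0, "https://example.invalid/files?id=42"),          # initial request
        (2, 1, "https://cdn.example.invalid/Invoice.pdf"),       # redirect target
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Real use: copy the locked History file out of the image, then sqlite3.connect(copy_path)
    for d in list_downloads(build_sample_history()):
        print(f'{d["start_time"]}  {d["target_path"]}  <-  {d["final_url"]}  (tab: {d["tab_url"]})')
```

`tab_url` is the page the user was on when the download started, which is often the more useful pivot for phishing cases than the final CDN URL; report both.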

Q3: What application did the user use to download this file?

This follows directly from Q2: the application is the browser whose History database recorded the download of the masqueraded file, in this case Microsoft Edge, since the Chrome history held only the TeamViewer download.

Q4: By examining Windows Mail artifacts, we found an email mentioning three IP addresses of servers that are at risk or compromised. What are the IP addresses?

The lab links a blog post describing the new location of the Windows Mail artifacts. Opening that data in HxD, however, shows how hard it is to pick an IP address out of such cluttered binary content. If you can spot it in HxD, you truly have sharp eyes :)).

I found a helpful blog post on this evidence, titled Windows 10 Mail App Forensics. It may be useful in future investigations, though it was not directly applicable here: the tool it references, NirSoft’s ESEDatabaseView, did not show the message content the way the author described, and I don’t have the budget for the paid alternative, OSForensics, which might produce more.

Returning to the mindset of "no budget, still solving the problem", I took a traditional approach: simple string searches to locate the IP addresses :)).

Initially, I tried a regex to extract the IP addresses, but it returned no results. I then loaded the file into BinText and searched manually.

Image 6
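One common reason an ASCII regex finds nothing in Windows Mail data while BinText succeeds is that the message text is stored as UTF-16LE (every character followed by a NUL byte), which BinText lists under Unicode strings; the post does not say whether that was the cause here, so treat it as a likely explanation rather than a confirmed one. The following Python, an added example that is not part of the original writeup, searches a binary blob for IPv4 addresses in both ASCII and UTF-16LE and validates the octets, so a single pass covers both encodings. The sample blob is constructed for illustration.

```python
import re

# Dotted-quad candidates in ASCII bytes; lookarounds reject "1.2.3.4567"-style runs.
ASCII_IPV4 = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# The same shape in UTF-16LE: each digit or dot is followed by a NUL byte.
UTF16_IPV4 = re.compile(rb"(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}")


def valid_ipv4(text: str) -> bool:
    """Every octet must be a number in 0..255 (the regex only checks digit counts)."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def find_ipv4(blob: bytes) -> list[tuple[int, str, str]]:
    """(offset, encoding, address) for every valid IPv4 literal, ASCII or UTF-16LE."""
    hits = []
    for m in ASCII_IPV4.finditer(blob):
        s = m.group(1).decode("ascii")
        if valid_ipv4(s):
            hits.append((m.start(), "ascii", s))
    for m in UTF16_IPV4.finditer(blob):
        s = m.group(0).decode("utf-16-le")
        if valid_ipv4(s):
            hits.append((m.start(), "utf-16le", s))
    return sorted(hits)


# Constructed sample resembling mail store fragments: one ASCII address, two
# UTF-16LE addresses, a version string and an out-of-range octet that must be ignored.
SAMPLE = (
    b"\x00\x00Server 10.0.0.5 rebooted\x00\x00"
    + "Compromised hosts: 192.168.56.101 and 172.16.4.20".encode("utf-16-le")
    + b"\x00\x00version 1.2.3.4567 build 999.1.1.1\x00"
)


if __name__ == "__main__":
    # Real use: find_ipv4(open(path_to_mail_store, "rb").read())
    for offset, encoding, ip in find_ipv4(SAMPLE):
        print(f"0x{offset:08x}  {encoding:8s}  {ip}")
```

Running this over the exported store file gives every candidate with its offset, so each hit can be checked in HxD at that position to see the surrounding message text and confirm it belongs to the email in question.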

Q5: By examining the malicious executable, we found that it uses an obfuscated PowerShell script to decrypt specific files. What predefined password does the script use for encryption?

When I encountered this question, my initial thought was to search for the dropped file. However, such files are often deleted and hard to recover. I then considered loading the executable into IDA to look for PowerShell-related strings or code. I’m not sure whether this was the correct approach, but I quickly gave up on it because, at the time, I wasn’t confident in my reverse engineering skills.

While browsing the file in HxD, I unexpectedly noticed that the code was quite easy to read. This led me to extract the strings and analyze them further.

After extracting the file's strings so they are easier to read, I searched for a .ps1 file name; that name also appears in the dropped files section of the VirusTotal report.

Image 7
Image 8

As shown in the image above, the PowerShell script is obfuscated. By following the script’s logic, we can take the initial encoded string and apply the same transformations to decode it. Running the script and printing the FHG variable would also reveal the decoded strings, but executing unknown code, even a trimmed copy, belongs in an isolated analysis VM; I used CyberChef to replay the decoding steps instead.

Image 9

After decoding the string, we were able to obtain the desired result.

Q6: After identifying how the script works, decrypt the files and submit the secret string.

By analyzing the extracted code, we can see that it encrypts the .pdf files and writes the resulting .enc files to the Desktop folder. Every parameter needed to reverse this is visible in the script (the password from Q5, the fixed salt, the PBKDF2 iteration count, the key and IV sizes, AES-CBC and PKCS7 padding), so the decryptor is simply the inverse of those steps. We could write it by hand, but to speed things up I used ChatGPT for assistance. Below is the code I used to decrypt the files.

from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA1
from Crypto.Util.Padding import unpad

# Parameters recovered from the obfuscated PowerShell script (Q5). PBKDF2 with
# HMAC-SHA1, key bytes first and IV bytes next from one derivation stream, is
# what .NET's Rfc2898DeriveBytes (commonly used from PowerShell) produces by default.
password = b"Imf!nfo#2025Sec$"
salt = bytes([0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08])
iterations = 10000
key_size = 32   # AES-256
iv_size = 16    # one AES block

# Derive key || IV in a single call, equivalent to GetBytes(32) followed by GetBytes(16)
derived = PBKDF2(password, salt, dkLen=key_size + iv_size, count=iterations, hmac_hash_module=SHA1)
key = derived[:key_size]
iv = derived[key_size:]


# === Decrypt Function ===
def decrypt_file(enc_path, dec_path):
    with open(enc_path, "rb") as f:
        ciphertext = f.read()

    # CBC output is always a whole number of blocks; anything else means the file
    # is truncated or was not produced by this scheme
    if len(ciphertext) == 0 or len(ciphertext) % AES.block_size != 0:
        raise ValueError(f"{enc_path}: length {len(ciphertext)} is not a multiple of {AES.block_size}")

    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(ciphertext)

    # Strip PKCS7 padding. unpad() verifies every padding byte, not just the last
    # one, and raises ValueError on a wrong key/IV or corrupted ciphertext
    plaintext = unpad(plaintext, AES.block_size)

    # Sanity check: the originals were PDFs, so the plaintext should start with %PDF
    if not plaintext.startswith(b"%PDF"):
        print(f"[!] {dec_path}: output does not look like a PDF, check key/IV derivation")

    with open(dec_path, "wb") as f:
        f.write(plaintext)

# === Files to decrypt ===
files = [
    "IMF-Secret.enc",
    "IMF-Mission.enc"
]

# === Run decryption ===
for enc_file in files:
    dec_file = enc_file.replace(".enc", ".decrypted.pdf")
    decrypt_file(enc_file, dec_file)
    print(f"[+] Decrypted: {dec_file}")

After decrypting the files, opening the recovered PDFs reveals the secret string, which is the flag for this question.

Image 10
