TryHackMe - Masquerade CTF - SOC Investigation
#challenge #tryhackme #blueteam #cybersecurity #ghidra #wireshark

Jim from the Finance department received an email that appeared to come from the company’s system administrator, asking him to run a script to “apply critical security updates.” Trusting the message, Jim executed the script on his workstation. Shortly after, unusual network traffic and system activity were observed. You have been provided with relevant artifacts to investigate what happened, determine the impact, and identify how the attacker established control over the system.

First script (Python): the first-stage artifact amd.bin is a hex-encoded blob encrypted with RC4 under a hard-coded key. The script decodes the hex text, strips the RC4 layer, prints the SHA-256 of the result and writes it to payload.bin for further analysis.

```python
from Crypto.Cipher import ARC4  # pycryptodome
import hashlib

key = b"X9vT3pL2QwE8xR6ZkYhC4s"  # hard-coded RC4 key used by the sample

# amd.bin stores the ciphertext as a hex string, not as raw bytes
with open("amd.bin", "r") as f:
    hexdata = f.read().strip()
data = bytes.fromhex(hexdata)

cipher = ARC4.new(key)
decrypted = cipher.decrypt(data)

# hash of the decrypted payload (answers the challenge question and serves as an IOC)
print(hashlib.sha256(decrypted).hexdigest())

with open("payload.bin", "wb") as f:
    f.write(decrypted)
```

Second script (Python): the second artifact is base64-encoded twice. After both decodes, the first 16 bytes are the AES-CBC IV and the remainder is the ciphertext; the AES key is the SHA-256 digest of the hard-coded passphrase.

```python
import base64
import hashlib
from Crypto.Cipher import AES  # pycryptodome

# passphrase from which the AES key is derived
key = "M4squ3r4d3Th3P4ck3tSt34lthM0d31337"

# paste the double-base64 blob from the artifact between the quotes
b64_data = """
Base64
"""

# decode base64 twice
data = base64.b64decode(b64_data)
data = base64.b64decode(data)

# to hex, for inspection
hex_data = data.hex()
print("[+] HEX:", hex_data[:100], "...")

# layout: 16-byte IV followed by the ciphertext
iv = bytes.fromhex(hex_data[:32])
ciphertext = bytes.fromhex(hex_data[32:])
print("[+] IV:", iv.hex())

# AES key = SHA256(passphrase)
aes_key = hashlib.sha256(key.encode()).digest()
print("[+] KEY:", aes_key.hex())

# decrypt (CBC padding is left in place so the raw bytes can be inspected)
cipher = AES.new(aes_key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(ciphertext)
print("\n[+] RAW DECRYPT:")
print(decrypted)

try:
    print("\n[+] TEXT:")
    print(decrypted.decode())
except UnicodeDecodeError:
    print("error decoding")
```
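As an added example (not part of the original writeup), the RC4 layer of the first script implemented in pure Python, so the first-stage unpacking can be reproduced and checked without pycryptodome. The sample blob, the `MZ` header sanity check and the function names are constructed for illustration, not taken from the challenge artifact.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` RC4 keystream bytes (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def recover_stage(hex_blob: str, key: bytes) -> dict:
    """Decode the hex text, strip the RC4 layer and summarise the result."""
    ciphertext = bytes.fromhex("".join(hex_blob.split()))  # tolerate newlines/spaces
    plain = rc4(key, ciphertext)
    return {
        "sha256": hashlib.sha256(plain).hexdigest(),
        "size": len(plain),
        "looks_like_pe": plain[:2] == b"MZ",   # cheap check that the key was right
        "plaintext": plain,
    }

# Constructed sample (not the challenge artifact): a fake payload with a PE-style
# "MZ" header, RC4-encrypted and hex-encoded the same way amd.bin is stored.
SAMPLE_KEY = b"X9vT3pL2QwE8xR6ZkYhC4s"
SAMPLE_PLAINTEXT = b"MZ" + b"\x90" * 14 + b"constructed sample payload"
SAMPLE_HEX = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT).hex()

if __name__ == "__main__":
    result = recover_stage(SAMPLE_HEX, SAMPLE_KEY)
    print(result["sha256"], result["size"], result["looks_like_pe"])
```

The `looks_like_pe` field is only a first sanity check; a decrypted stage that fails it usually means the key or the hex decoding is wrong rather than a non-PE payload.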