Invoked!
Creator's Cut
Scenario:
Invoke-Expression can be a sign of a malicious script on a network. With PowerShell this can be obfuscated in several different ways!
Inside this file is a script that will show you 11 ways to call out invoke-expression and most of these will possibly bypass security products.
What is the unencoded flag?
Key take away for this scenario:
- Invoke-Expression can be obfuscated but still run.
- We need to decode the flag
This challenge was inspired by the follow article from SANS: https://isc.sans.edu/forums/diary/Did+You+Spot+InvokeExpression/26762/
Script:
Solution:
What is Invoke-Expression
When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string.
Invoke Expression Walkthrough
Level 1:
.('i'+'e'+'x') '$l2'
This concatenates the alias of Invoke-Expression (IEX) and runs the next command which is level 2
Level 2:
&('i'+'e'+'x') '$l3'
Duplicate of level 1 but has & instead of . to run the command and calls Level 3
Level 3:
&(('{2}{1}{0}' -f 'x', 'e', 'i')) '$l4'
This one is a string jumble where it puts together the following string in the order specified; in this case {2} = I, {1} = e, {0} = x
Level 4:
$box = 'ëçú'.ToCharArray();for ($i=0; $i -lt $box.Length; $i++) {$box[$i] = $box[$i] -bxor 0x82 }.(-join($box)) '$l5'
This line of code is going through and running an xor of 0x82 in the string: 'ëçú to create iex and then joins them back together from an array
Level 5:
sal turkeyjerky iex; turkeyjerky '$l6'
This command is creating an alias for iex of turkyjerky so anytime turkeyjerky is used it is calling iex
Level 6:
&(($ENV:COMsPEc[4,15,25])-join '') '$l7'
This calls out an environmental variable: C:\Windows\system32\cmd.exe and extracts out iex and joins them together
Level 7:
&( $VERBOSePRefereNCe.toSTRiNG()[1,3]+'X'-join'') '$l8'
This one gets the preference above: SilentlyContinue, it extracts out ie and joins them to x and runs
Level 8:
&IE`x '$l9'
This one runs the ` which is an escape character in PowerShell, typically this is used for escaping \ and special characters that you want to print ou. But since x is not a special character the ` doesn’t do much but obfuscate the code.
Level 9:
&($PSHome[21]+$PSHOme[34]+'x') '$l10'
$pshome = C:\Windows\System32\WindowsPowerShell\v1.0, so this just pulls out the I and e from another variable
Level 10:
&('DEX'.replace('D','I')) '$l11'
This command takes DEX and replaces the D for an I so when ran it becomes IEX
Level 11:
$String = 'XEI';&(([regex]::Matches($String,'.','RightToLeft')).value -join '') '$flag'
This command takes the XEI and reverses it to become IEX
Getting to the Answer:
We can see that the original order of the script is out of order, so just going through you may get things jumbled.
But essentially to find the flag we need to run the last part of each line in order, all the invoke-expressions did was unscramble the order for us.
For example, we run for the last line we have #2, if we run the code after that separately, we get the following:
or Zml2 which if you don’t recognize this it is base64 for fiv
Let’s look closer at what is going on here
There is a variable called $flag that equals “n2ltZNWV22fZGhldbln29nZvcNbZtVma2Xp0” and in the code above we are calling in the positions of the letters in this jumbled up mess. So, the 23rd letter is Z … and so on (there is an empty space in the front of the letters so that is why it starts at 1 and not 0).
Pulling the letters out in order:
There are several ways to do this…
Manually pull them out… but this is time consuming and prone to human error.
2. You can run the echo commands one at a time
3. Or create a script that will pull it all together and convert from base64 (I like this one!)
Last updated