Tags: powershell forensics 

# Powershell writeup
> I want to know what is happening in my Windows Powershell.

```bash
$ file file.mp3
file.mp3: Audio file with ID3 version 2.46.20

# Running strings on the file shows the names of 3 embedded files,
# so the "mp3" is really an archive with an audio header in front
$ strings file.mp3
Login.evtx
Suspicious.reg
PowerShell.xml

# Extract the files
$ cp file.mp3 file.zip
$ unzip file.zip

# Open `PowerShell.xml` and you can see all commands that were run.
# After looking around, on line 104 you can find the flag encoded in base64
$ echo "ZGFya0NURntDMG1tNG5kXzBuX3AwdzNyc2gzbGx9" | base64 -d
darkCTF{C0mm4nd_0n_p0w3rsh3ll}
```
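As an added example, not code from the original writeup: the Python script below reproduces the triage above offline. It builds a constructed stand-in for the disguised archive (a minimal ID3v2 header followed by a ZIP), locates the embedded ZIP, lists and reads its members without renaming the file, and then scans the exported PowerShell event data for long base64-looking runs and decodes the ones that yield printable text. The three member names and the base64 string are taken from the writeup; the XML content, the ID3 header bytes, and every function name are assumptions made for the example.

```python
from __future__ import annotations

import base64
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Base64 string quoted in the writeup; everything else below is constructed.
FLAG_B64 = "ZGFya0NURntDMG1tNG5kXzBuX3AwdzNyc2gzbGx9"


def build_sample_carrier() -> bytes:
    """Build a stand-in for the challenge file in memory (constructed test data).

    A ZIP archive with the three member names from the writeup is written, then a
    minimal ID3v2 header is prepended so signature-based tools see audio first.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Login.evtx", b"ElfFile\x00" + b"\x00" * 64)  # placeholder, not a real EVTX
        zf.writestr("Suspicious.reg", "Windows Registry Editor Version 5.00\r\n")
        zf.writestr(
            "PowerShell.xml",
            "<Events>\n"
            "  <Event><Data>Get-Process</Data></Event>\n"
            "  <Event><Data>Set-Location C:\\Users\\Public</Data></Event>\n"
            f"  <Event><Data>powershell -enc {FLAG_B64}</Data></Event>\n"
            "</Events>\n",
        )
    # "ID3", version 2.4.0, no flags, sync-safe size 0: a 10-byte header (assumed layout)
    id3_header = b"ID3\x04\x00\x00\x00\x00\x00\x00"
    return id3_header + buf.getvalue()


def find_zip_offset(data: bytes) -> int:
    """Return the offset of the first ZIP local-file-header signature, or -1."""
    return data.find(b"PK\x03\x04")


def list_embedded_archive(data: bytes) -> List[str]:
    """List member names of a ZIP that has arbitrary bytes prepended to it.

    zipfile locates the end-of-central-directory record from the end of the
    stream and corrects for leading junk, so no copy to a .zip name is needed.
    """
    if find_zip_offset(data) < 0:
        raise ValueError("no ZIP local file header found in input")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_member(data: bytes, name: str) -> bytes:
    """Read one member of the embedded archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


# Runs of at least 20 base64 alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _printable_text(raw: bytes) -> Optional[str]:
    """Return raw decoded as printable text, trying ASCII then UTF-16LE.

    PowerShell's -EncodedCommand carries UTF-16LE; the writeup's string is plain
    ASCII, so both are tried and the first clean decoding wins.
    """
    for enc in ("ascii", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def decode_base64_candidates(text: str) -> List[Tuple[str, str]]:
    """Find base64-looking runs in text and return (token, decoded) for clean hits."""
    hits: List[Tuple[str, str]] = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        pad = -len(token) % 4
        if pad == 3:  # length 4n+1 can never be valid base64
            continue
        try:
            raw = base64.b64decode(token + "=" * pad, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded = _printable_text(raw)
        if decoded is not None:
            hits.append((token, decoded))
    return hits


if __name__ == "__main__":
    carrier = build_sample_carrier()
    print("ZIP header at offset", find_zip_offset(carrier))
    print("members:", list_embedded_archive(carrier))
    xml = read_member(carrier, "PowerShell.xml").decode()
    for token, decoded in decode_base64_candidates(xml):
        print(f"{token} -> {decoded}")
```

On real event exports the same scan is noisy, because hashes, GUIDs and long identifiers also match the alphabet; the printable-text filter and the UTF-16LE attempt are what separate encoded commands from that noise.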
