CTFtime.org / SECCON 2017 Online CTF / Powerful

```bash
file powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024
```
powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024: ASCII text

```bash
strings powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024: ASCII text
```
```PowerShell
$ECCON="";
$ECCON+=[char](3783/291);
$ECCON+=[char](6690/669);
$ECCON+=[char](776-740);
$ECCON+=[char](381-312);
$ECCON+=[char](403-289);
$ECCON+=[char](-301+415);
$ECCON+=[char](143-32);
$ECCON+=[char](93594/821);
$ECCON+=[char](626-561);
$ECCON+=[char](86427/873);
$ECCON+=[char](112752/972);
$ECCON+=[char](43680/416);
$ECCON+=[char](95127/857);
$ECCON+=[char](-682+792);
$ECCON+=[char](-230+310);
$ECCON+=[char](-732+846);
$ECCON+=[char](1027-926);
$ECCON+=[char](94044/922);
$ECCON+=[char](898-797);
$ECCON+=[char](976-862);
$ECCON+=[char](52419/519);
$ECCON+=[char](1430/13);
$ECCON+=[char](18216/184);
$ECCON+=[char](21715/215);
$ECCON+=[char](12320/385);
$ECCON+=[char]([int][Math]::sqrt([Math]::pow(61,$ECCON+=[char](803-793);
[...]
$ECCON+=[char](10426/802);
Write-Progress -Activity "Extracting Script" -status "20040" -percentComplete 99;
$ECCON+=[char](520-510);
2)));
```
for those who don't know powershell scripting , the script juste concat some chars to the variable $ECCON , i rewrite the script using python

the output was :
```PowerShell
$ErrorActionPreference = "ContinueSilently"
[console]::BackgroundColor = "black";[console]::ForegroundColor = "white";cls;Set-Alias -Name x -Value Write-Host;$host.UI.RawUI.BufferSize = New-Object System.Management.Automation.Host.Size 95,25;$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size 95,25;$host.UI.RawUI.BufferSize = New-Object System.Management.Automation.Host.Size 95,25;$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size 95,25;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 12 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 0 -n;x ' ' -b 15 -n;x;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x ' ' -b 15 -n;x;x;

<# Host Check #>
Write-Host -b 00 -f 15 Checking Host... Please wait... -n
Try{
If ((Get-EventLog -LogName Security | Where EventID -Eq 4624).Length -Lt 1000) {
Write-Host "This host is too fresh!"
Exit
}
}Catch{
Write-Host "Failed: No admin rights!"
Exit
}
Write-Host "Check passed"

$keytone=@{'a'=261.63}
$pk='a'
ForEach($k in ('w','s','e','d','f','t','g','y','h','u','j','k')){
$keytone+=@{$k=$keytone[$pk]*[math]::pow(2,1/12)};$pk=$k
}
Write-Host -b 00 -f 15 "Play the secret melody."

Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' | '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 ' | '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' | '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' '
Write-Host -b 15 -f 00 ' | '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' w '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' e '
Write-Host -b 15 -f 00 -n ' | '
Write-Host -b 00 -f 15 -n ' t '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' y '
Write-Host -b 15 -f 00 -n ' '
Write-Host -b 00 -f 15 -n ' u '
Write-Host -b 15 -f 00 ' | '
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 ' '
Write-Host -b 15 -f 00 -n ' a |'
Write-Host -b 15 -f 00 -n ' s |'
Write-Host -b 15 -f 00 -n ' d |'
Write-Host -b 15 -f 00 -n ' f |'
Write-Host -b 15 -f 00 -n ' g |'
Write-Host -b 15 -f 00 -n ' h |'
Write-Host -b 15 -f 00 -n ' j |'
Write-Host -b 15 -f 00 ' k '
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 -n ' |'
Write-Host -b 15 -f 00 ' '
Write-Host
$stage1=@();$f="";
While($stage1.length -lt 14){
$key=(Get-Host).ui.RawUI.ReadKey("NoEcho,IncludeKeyDown")
$k=[String]$key.Character
$f+=$k;
If($keytone.Contains($k)){
$stage1+=[math]::floor($keytone[$k])
[console]::beep($keytone[$k],500)
}
}
$secret=@(440,440,493,440,440,493,440,493,523,493,440,493,440,349)
If($secret.length -eq $stage1.length){
For ($i=1; $i -le $secret.length; $i++) {
If($secret[$i] -ne $stage1[$i]){
Exit
}
}
x "Correct. Move to the next stage."
}
$text=@"
YkwRUxVXQ05DQ1NOE1sVVU4TUxdTThBBFVdDTUwTURVTThMqFldDQUwdUxVRTBNEFVdAQUwRUxtT
TBEzFVdDQU8RUxdTbEwTNxVVQUNOEFEVUUwdQBVXQ0NOE1EWUUwRQRtVQ0FME1EVUU8RThdVTUNM
EVMVUUwRFxdVQUNCE1MXU2JOE0gWV0oxSk1KTEIoExdBSDBOE0MVO0NKTkAoERVDSTFKThNNFUwR
FBVINUFJTkAqExtBSjFKTBEoF08RVRdKO0NKTldKMUwRQBc1QUo7SlNgTBNRFVdJSEZCSkJAKBEV
QUgzSE8RQxdMHTMVSDVDSExCKxEVQ0o9SkwRQxVOE0IWSDVBSkJAKBEVQUgzThBXFTdDRExAKhMV
Q0oxTxEzFzVNSkxVSjNOE0EWN0NITE4oExdBSjFMEUUXNUNTbEwTURVVSExCKxEVQ0o9SkwRQxVO
EzEWSDVBSkJAKBEVQUgzThAxFTdDREwTURVKMUpOECoVThNPFUo3U0pOE0gWThNEFUITQBdDTBFK
F08RQBdMHRQVQUwTSBVOEEIVThNPFUNOE0oXTBFDF0wRQRtDTBFKFU4TQxZOExYVTUwTSBVMEUEX
TxFOF0NCE0oXTBNCFU4QQRVBTB1KFU4TThdMESsXQ04TRBVMEUMVThNXFk4TQRVNTBNIFUwRFBdP
EUEXQ0ITShdME0EVThBXFU4TWxVDThNKF0wRMBdMETUbQ0wRShVOE0MWThMqFU1ME0gVTBFDF08R
QxdMHUMVQUwTSBVOEEEVThNNFUwRNRVBTBFJF0wRQxtME0EVTBFAF0BOE0gVQhNGF0wTKhVBTxFK
F0wdMxVOEzUXQ04QSBVOE0AVTBFVFUFMEUkXTBFDG0wTQRVMETMXQE4TSBVCE0MXTBNBFU4QQRVB
TB1KFU4TQxdMEVYXTBEUG0NMEUoVThNBFk4TQRVCEygXQ0wRShdPEUMXTB1DFU4TQBdDThBIFU4T
SBVMESgVQUwRSRdMEUYbTBMWFUNOE0gWThNCFUITFBdDTBFKF08RQxdMHUMVThNVF0NOEEgVThNN
FUwRQxVOE0IWQUwRShtME0EVTBFVF08RQxdDQhNKF0wTQRVOEEEVThM9FUNOE0oXTBFFF0wRKBtD
TBFKFU4TQRZOE0EVQhNAF0NMEUoXTxFDF0wdVRVOEzMXQ04QSBVOE00VTBFVFU4TQRZBTBFKG0wT
RBVMESgXQE4TSBVCE0MXTBNBFU4QKhVBTB1KFU4TFBdMEUIXQ04TRBVMEUMVThNBFk4TNxVNTBNI
FUwRQxdPEUMXTB01FUFME0gVThBBFU4TTRVMERQVQUwRSRdMEUMbTBNBFUwRQxdAThNIFUITQxdM
E0EVThAxFUFMHUoVThNDF0wRVhdMEVUbQ0wRShVOE0QWThMWFU1ME0gVTBFDF08RRhdDQhNKF0wT
QRVOEFcVQUwdShVOE0EXTBFFF0NOE0QVTBFDFU4TVxZOEyoVTUwTSBVMETMXTxFVF0NCE0oXTBNE
FU4QQhVBTB1KFU4TQBdMERcXQ04TRBVMEUAVThNDFkFMEUobTBNCFUwRQRdAThNIFUITQRdMExYV
QU8RShdMHUEVThNOF0NOEEgVThNIFUwRKBVBTBFJF0wRMxtMEzcVQ04TSBZOE0EVQhNVF0wTQRVB
TxFKF0wdQxVOE0MXTBFFF0NOE0QVTBFGFU4TKhZBTBFKG0wTRBVMERQXQE4TSBVCE04XTBNXFUFP
EUoXTB0zFU4TThdDThBIFU4TTRVMEUMVThMWFkFMEUobTBNCFUwRFBdAThNIFUITQxdME0EVThAx
FUFMHUoVThNGF0wRQxdDThNEFUwRQRVOEyoWQUwRShtMEzcVTBFDF0BOE0gVQhMzF0wTFhVBTxFK
F0wdMxVOExQXQ04QSBVOE0gVTBEUFUFMEUkXTBEzG0wTQRVDThNIFk4TQRVCEygXTBNEFUFPEUoX
TB1DFU4TRhdDThBIFU4TTRVMEVUVQUwRSRdMERQbQ0wRShVOE0wWThNDFU1ME0gVTBFDF08RQxdM
HTMVQUwTSBVOEEEVThNbFUwRNRVBTBFJF0wRQxtME0EVTBFAF0BOE0gVQhNDF0wTVxVOEEEVQUwd
ShVOEzMXTBE2F0NOE0QVTBFBFU4TKhZBTBFKG0wTQRVMEUMXTxFDF0NCE0oXTBNBFU4QQRVOEzsV
Q04TShdMEUAXTBFDG0wTQhVDThNIFk4TRBVCEygXQ0wRShdPEUYXTB0UFUFME0gVThBDFU4TTRVD
ThNKF0wRQBdMEUMbTBNBFUNOE0gWThNBFUITQxdME0EVQU8RShdMHUMVThNVF0wRVhdDThNEFUwR
RhVOEyoWQUwRShtME0MVTBEzF0BOE0gVQhNDF0wTQRVOEEEVQUwdShVOExQXTBFNF0NOE0QVTBFG
FU4TRBZBTBFKG0wTRBVMERQXQE4TSBVCEzUXTBMWFUFPEUoXTB1DFU4TRhdDThBIFU4TTRVMEVUV
QUwRSRdMERQbQ0wRShVOE0wWThNDFU1ME0gVTBFDF08RQxdMHTMVQUwTSBVOEEEVThNbFUwRNRVB
TBFJF0wRQxtME0EVTBFAF0BOE0gVQhNDF0wTVxVOEEEVQUwdShVOEzMXTBE2F0NOE0QVTBFBFU4T
KhZBTBFKG0wTQRVMEUMXTxFDF0NCE0oXTBNBFU4QQRVOEzsVQ04TShdMEUAXTBFDG0wTQhVDThNI
Fk4TRBVCEygXQ0wRShdPEUYXTB0zFUFME0gVThBMFU4TSBVDThNKF0wRQxdMERQbQ0wRShVOE0IW
ThNDFU1ME0gVTBFAF08RQRdDQhNKF0wTQxVOEBYVQUwdShVOE0EXTBFNF0NOE0QVTBFDFU4TKhZO
E0QVTUwTSBVMEUYXTxFAF0NCE0oXTBNCFU4QFhVBTB1KFU4TQBdMEUIXQ04TRBVMEUAVThNDFkFM
EUobTBNDFUwRFBdAThNIFUITQRdME0wVQU8RShdMHUMVThMoF0wRNhdDThNEFUwRRhVOEzEWQUwR
ShtME0EVTBFGF0BOE0gVQhNDF0wTVxVBTxFKF0wdQxVOEygXTBE2FxROE10VShZOTBFTF2E=
"@

$plain=@()
$byteString = [System.Convert]::FromBase64String($text)
$xordData = $(for ($i = 0; $i -lt $byteString.length; ) {
for ($j = 0; $j -lt $f.length; $j++) {
$plain+=$byteString[$i] -bxor $f[$j]
$i++
if ($i -ge $byteString.Length) {
$j = $f.length
}
}
})
iex([System.Text.Encoding]::ASCII.GetString($plain))
```

Arriving here , this step has two steps :

**First Step :**
the script generate some keytone using a for loop which leads the keytone to has this content (simply done using echo $keytone)

Name Value
*-*-*- *-*-*-
f 349.234151046506
a 261.63
g 392.002080523246
y 415.31173722644
k 523.26
u 466.171663254114
e 311.132257498162
j 493.891672853823
h 440.007458245659
d 329.633144283996
s 293.669745699181
w 277.187329377222
t 370.000694323673

![Alt text](imgs/powershell.png?raw=true "Play the Melody")

then the script asks us to play the melody , if we take a look at the while loop and for loop just after the game :
```PowerShell
$stage1=@();$f="";
While($stage1.length -lt 14){
$key=(Get-Host).ui.RawUI.ReadKey("NoEcho,IncludeKeyDown")
$k=[String]$key.Character
$f+=$k;
echo "f : $f"
If($keytone.Contains($k)){
echo "d5alt"
$stage1+=[math]::floor($keytone[$k])
echo "stage : $stage1"
}
}
$secret=@(440,440,493,440,440,493,440,493,523,493,440,493,440,349)
echo "secret : $secret"
If($secret.length -eq $stage1.length){
For ($i=1; $i -le $secret.length; $i++) {
If($secret[$i] -ne $stage1[$i]){
Exit
}
}
echo "Correct. Move to the next stage."
}
```

We can easily figure out that we should press keytone that generates 440,440,493,440,440,493,440,493,523,493,440,493,440,349 , so playing arround with this
we got the chars that gives us the correct output "hhjhhjhjkjhjhf"

and we got the message "Correct. Move to the next stage."

**Second Step**

the script just makes some xored transformation between $text content and $f content ( we don't really need to understant what it exactly does )

we can easily add at the end "echo $plain" and the output is :

```ascii
10 36 123 59 125 61 43 36 40 41 59 36 123 61 125 61 36 123 59 125 59 36 123 43 125 61 43 43 36 123 59 125 59 36 123 64 125 61 43 43 36 123 59 125 59 36 123 46 125 61 43 43 36 123 59 125 59 36 123 91 125 61 43 43 36 123 59 125 59 10 36 123 93 125 61 43 43 36 123 59 125 59 36 123 40 125 61 43 43 36 123 59 125 59 36 123 41 125 61 43 43 36 123 59 125 59 36 123 38 125 61 43 43 36 123 59 125 59 36 123 124 125 61 43 43 36 123 59 125 59 10 36 123 34 125 61 34 91 34 43 34 36 40 64 123 125 41 34 91 36 123 41 125 93 43 34 36 40 64 123 125 41 34 91 34 36 123 43 125 36 123 124 125 34 93 43 34 36 40 64 123 125 41 34 91 34 36 123 64 125 36 123 61 125 34 93 43 34 36 63 34 91 36 123 43 125 93 43 34 93 34 59 10 36 123 59 125 61 34 34 46 40 34 36 40 64 123 125 41 34 91 34 36 123 43 125 36 123 91 125 34 93 43 34 36 40 64 123 125 41 34 91 34 36 123 43 125 36 123 40 125 34 93 43 34 36 40 64 123 125 41 34 91 36 123 61 125 93 43 34 36 40 64 123 125 41 34 91 36 123 91 125 93 43 34 36 63 34 91 36 123 43 125 93 43 34 36 40 64 123 125 41 34 91 36 123 46 125 93 41 59 10 36 123 59 125 61 34 36 40 64 123 125 41 34 91 34 36 123 43 125 36 123 91 125 34 93 43 34 36 40 64 123 125 41 34 91 36 123 91 125 93 43 34 36 123 59 125 34 91 34 36 123 64 125 36 123 41 125 34 93 59 34 36 123 34 125 36 123 46 125 36 123 40 125 43 36 123 34 125 36 123 40 125 36 123 124 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 41 125 36 123 124 125 43 36 123 34 125 36 123 41 125 36 123 38 125 43 36 123 34 125 36 123 40 125 36 123 43 125 43 36 123 34 125 36 123 38 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 43 125 43 36 123 34 125 36 123 124 125 36 123 41 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 61 125 43 36 123 34 125 36 123 91 125 36 123 93 125 43 36 123 34 125 36 123 41 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 91 125 36 123 93 125 43 36 123 34 125 36 123 38 125 36 123 61 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 124 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 46 125 36 123 124 125 43 36 123 34 125 36 123 40 125 36 123 124 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 61 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 91 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 43 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 64 125 43 36 123 34 125 36 123 124 125 36 123 41 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 124 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 61 125 43 36 123 34 125 36 123 46 125 36 123 124 125 43 36 123 34 125 36 123 43 125 36 123 46 125 43 36 123 34 125 36 123 43 125 36 123 61 125 43 36 123 34 125 36 123 41 125 36 123 46 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 64 125 43 36 123 34 125 36 123 91 125 36 123 61 125 43 36 123 34 125 36 123 46 125 36 123 40 125 43 36 123 34 125 36 123 40 125 36 123 124 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 41 125 36 123 124 125 43 36 123 34 125 36 123 41 125 36 123 38 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 91 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 46 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 46 125 36 123 124 125 43 36 123 34 125 36 123 38 125 36 123 61 125 43 36 123 34 125 36 123 91 125 36 123 38 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 124 125 43 36 123 34 125 36 123 40 125 36 123 124 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 91 125 43 36 123 34 125 36 123 46 125 36 123 40 125 43 36 123 34 125 36 123 41 125 36 123 64 125 43 36 123 34 125 36 123 93 125 36 123 43 125 43 36 123 34 125 36 123 91 125 36 123 124 125 43 36 123 34 125 36 123 91 125 36 123 124 125 43 36 123 34 125 36 123 46 125 36 123 124 125 43 36 123 34 125 36 123 91 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 64 125 36 123 46 125 43 36 123 34 125 36 123 43 125 36 123 46 125 43 36 123 34 125 36 123 43 125 36 123 61 125 43 36 123 34 125 36 123 124 125 43 36 123 34 125 36 123 38 125 36 123 41 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 43 125 43 36 123 34 125 36 123 91 125 36 123 93 125 43 36 123 34 125 36 123 41 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 46 125 36 123 124 125 43 36 123 34 125 36 123 41 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 61 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 41 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 124 125 36 123 38 125 43 36 123 34 125 36 123 46 125 36 123 46 125 43 36 123 34 125 36 123 46 125 36 123 124 125 43 36 123 34 125 36 123 93 125 36 123 124 125 43 36 123 34 125 36 123 43 125 36 123 46 125 43 36 123 34 125 36 123 43 125 36 123 61 125 43 36 123 34 125 36 123 124 125 43 36 123 34 125 36 123 38 125 36 123 41 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 43 125 36 123 61 125 36 123 43 125 43 36 123 34 125 36 123 91 125 36 123 93 125 43 36 123 34 125 36 123 41 125 36 123 64 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 43 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 93 125 43 36 123 34 125 36 123 43 125 36 123 43 125 36 123 40 125 43 36 123 34 125 36 123 46 125 36 123 64 125 43 36 123 34 125 36 123 46 125 36 123 91 125 43 36 123 34 125 36 123 38 125 36 123 46 125 43 36 123 34 125 36 123 40 125 36 123 124 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 41 125 36 123 124 125 43 36 123 34 125 36 123 41 125 36 123 38 125 43 36 123 34 125 36 123 43 125 36 123 64 125 36 123 46 125 43 36 123 34 125 36 123 46 125 36 123 40 125 43 36 123 34 125 36 123 40 125 36 123 124 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 40 125 36 123 41 125 43 36 123 34 125 36 123 41 125 36 123 124 125 43 36 123 34 125 36 123 41 125 36 123 38 125 43 36 123 34 125 36 123 43 125 36 123 64 125 36 123 93 125 43 36 123 34 125 36 123 46 125 36 123 91 125 43 36 123 34 125 36 123 43 125 36 123 46 125 43 36 123 34 125 36 123 43 125 36 123 61 125 43 36 123 34 125 36 123 43 125 36 123 64 125 36 123 93 125 124 36 123 59 125 34 124 38 36 123 59 125 10
```
It's a hex , we grab python , and with a simple
```py
obfuscated=plain.replace(" ",")+chr(")
obfuscated="chr("+obfuscated+")"
eval(obfuscated)
```
we got :
```PowerShell
${;}=+$();
${=}=${;};
${+}=++${;};
${@}=++${;};
${.}=++${;};
${[}=++${;};
\n${]}=++${;};
${(}=++${;};
${)}=++${;};
${&}=++${;};
${|}=++${;};
${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]";
${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]);
${;}="$(@{})"["${+}${[}"]+"$(@{})"[${[}]+"${;}"["${@}${)}"];
"${"}${.}${(}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${(}${+}+${"}${&}${@}+${"}${+}${=}${+}+${"}${|}${)}+${"}${+}${=}${=}+${"}${[}${]}+${"}${)}${@}+${"}${+}${+}${+}+${"}${+}${+}${]}+${"}${+}${+}${(}+${"}${.}${@}+${"}${[}${]}+${"}${&}${=}+${"}${+}${+}${[}+${"}${+}${+}${+}+${"}${+}${=}${|}+${"}${+}${+}${@}+${"}${+}${+}${(}+${"}${.}${@}+${"}${.}${|}+${"}${(}${|}+${"}${+}${+}${=}+${"}${+}${+}${(}+${"}${+}${=}${+}+${"}${+}${+}${[}+${"}${.}${@}+${"}${+}${+}${(}+${"}${+}${=}${[}+${"}${+}${=}${+}+${"}${.}${@}+${"}${+}${+}${@}+${"}${|}${)}+${"}${+}${+}${]}+${"}${+}${+}${]}+${"}${+}${+}${|}+${"}${+}${+}${+}+${"}${+}${+}${[}+${"}${+}${=}${=}+${"}${.}${|}+${"}${+}${.}+${"}${+}${=}+${"}${)}${.}+${"}${+}${=}${@}+${"}${[}${=}+${"}${.}${(}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${.}${@}+${"}${[}${]}+${"}${+}${=}${+}+${"}${+}${+}${.}+${"}${.}${@}+${"}${.}${|}+${"}${&}${=}+${"}${[}${&}+${"}${+}${+}${|}+${"}${(}${|}+${"}${+}${+}${[}+${"}${.}${(}+${"}${)}${@}+${"}${]}${+}+${"}${[}${|}+${"}${[}${|}+${"}${.}${|}+${"}${[}${+}+${"}${+}${@}${.}+${"}${+}${.}+${"}${+}${=}+${"}${|}+${"}${&}${)}+${"}${+}${+}${[}+${"}${+}${=}${]}+${"}${+}${+}${(}+${"}${+}${=}${+}+${"}${[}${]}+${"}${)}${@}+${"}${+}${+}${+}+${"}${+}${+}${]}+${"}${+}${+}${(}+${"}${.}${@}+${"}${.}${|}+${"}${)}${+}+${"}${+}${+}${+}+${"}${+}${+}${+}+${"}${+}${=}${=}+${"}${.}${@}+${"}${)}${[}+${"}${+}${+}${+}+${"}${|}${&}+${"}${.}${.}+${"}${.}${|}+${"}${]}${|}+${"}${+}${.}+${"}${+}${=}+${"}${|}+${"}${&}${)}+${"}${+}${+}${[}+${"}${+}${=}${]}+${"}${+}${+}${(}+${"}${+}${=}${+}+${"}${[}${]}+${"}${)}${@}+${"}${+}${+}${+}+${"}${+}${+}${]}+${"}${+}${+}${(}+${"}${.}${@}+${"}${.}${[}+${"}${&}${.}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${+}${@}${.}+${"}${.}${(}+${"}${(}${|}+${"}${(}${)}+${"}${(}${)}+${"}${)}${|}+${"}${)}${&}+${"}${+}${@}${]}+${"}${.}${[}+${"}${+}${.}+${"}${+}${=}+${"}${+}${@}${]}|${;}"|&$;;}
```
just defining some variables :
```
; : 0
= : 0
+ : 1
@ : 2
. : 3
[ : 4
] : 5
( : 6
) : 7
& : 8
\ : 9
" : [CHar]
; : string Insert(int startIndex, string value)
; : iex
```
we want to print the last line content which contains the vaidation password , so wee need only to escape the double quotes then make a simple echo of the code
```PowerShell
echo "`"${`"}${.}${(}+${`"}${(}${|}+${`"}${(}${)}+${`"}${(}${)}+${`"}${)}${|}+${`"}${)}${&}+${`"}${(}${+}+${`"}${&}${@}+${`"}${+}${=}${+}+${`"}${|}${)}+${`"}${+}${=}${=}+${`"}${[}${]}+${`"}${)}${@}+${`"}${+}${+}${+}+${`"}${+}${+}${]}+${`"}${+}${+}${(}+${`"}${.}${@}+${`"}${[}${]}+${`"}${&}${=}+${`"}${+}${+}${[}+${`"}${+}${+}${+}+${`"}${+}${=}${|}+${`"}${+}${+}${@}+${`"}${+}${+}${(}+${`"}${.}${@}+${`"}${.}${|}+${`"}${(}${|}+${`"}${+}${+}${=}+${`"}${+}${+}${(}+${`"}${+}${=}${+}+${`"}${+}${+}${[}+${`"}${.}${@}+${`"}${+}${+}${(}+${`"}${+}${=}${[}+${`"}${+}${=}${+}+${`"}${.}${@}+${`"}${+}${+}${@}+${`"}${|}${)}+${`"}${+}${+}${]}+${`"}${+}${+}${]}+${`"}${+}${+}${|}+${`"}${+}${+}${+}+${`"}${+}${+}${[}+${`"}${+}${=}${=}+${`"}${.}${|}+${`"}${+}${.}+${`"}${+}${=}+${`"}${)}${.}+${`"}${+}${=}${@}+${`"}${[}${=}+${`"}${.}${(}+${`"}${(}${|}+${`"}${(}${)}+${`"}${(}${)}+${`"}${)}${|}+${`"}${)}${&}+${`"}${.}${@}+${`"}${[}${]}+${`"}${+}${=}${+}+${`"}${+}${+}${.}+${`"}${.}${@}+${`"}${.}${|}+${`"}${&}${=}+${`"}${[}${&}+${`"}${+}${+}${|}+${`"}${(}${|}+${`"}${+}${+}${[}+${`"}${.}${(}+${`"}${)}${@}+${`"}${]}${+}+${`"}${[}${|}+${`"}${[}${|}+${`"}${.}${|}+${`"}${[}${+}+${`"}${+}${@}${.}+${`"}${+}${.}+${`"}${+}${=}+${`"}${|}+${`"}${&}${)}+${`"}${+}${+}${[}+${`"}${+}${=}${]}+${`"}${+}${+}${(}+${`"}${+}${=}${+}+${`"}${[}${]}+${`"}${)}${@}+${`"}${+}${+}${+}+${`"}${+}${+}${]}+${`"}${+}${+}${(}+${`"}${.}${@}+${`"}${.}${|}+${`"}${)}${+}+${`"}${+}${+}${+}+${`"}${+}${+}${+}+${`"}${+}${=}${=}+${`"}${.}${@}+${`"}${)}${[}+${`"}${+}${+}${+}+${`"}${|}${&}+${`"}${.}${.}+${`"}${.}${|}+${`"}${]}${|}+${`"}${+}${.}+${`"}${+}${=}+${`"}${|}+${`"}${&}${)}+${`"}${+}${+}${[}+${`"}${+}${=}${]}+${`"}${+}${+}${(}+${`"}${+}${=}${+}+${`"}${[}${]}+${`"}${)}${@}+${`"}${+}${+}${+}+${`"}${+}${+}${]}+${`"}${+}${+}${(}+${`"}${.}${@}+${`"}${.}${[}+${`"}${&}${.}+${`"}${(}${|}+${`"}${(}${)}+${`"}${(}${)}+${`"}${)}${|}+${`"}${)}${&}+${`"}${+}${@}${.}+${`"}${.}${(}+${`"}${(}${|}+${`"}${(}${)}+${`"}${(}${)}+${`"}${)}${|}+${`"}${)}${&}+${`"}${+}${@}${]}+${`"}${.}${[}+${`"}${+}${.}+${`"}${+}${=}+${`"}${+}${@}${]}|${;}`"|&$;;}"
```
the output is :
```PowerShell
[CHar]36+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]61+[CHar]82+[CHar]101+[CHar]97+[CHar]100+[CHar]45+[CHar]72+[CHar]111+[CHar]115+[CHar]116+[CHar]32+[CHar]45+[CHar]80+[CHar]114+[CHar]111+[CHar]109+[CHar]112+[CHar]116+[CHar]32+[CHar]39+[CHar]69+[CHar]110+[CHar]116+[CHar]101+[CHar]114+[CHar]32+[CHar]116+[CHar]104+[CHar]101+[CHar]32+[CHar]112+[CHar]97+[CHar]115+[CHar]115+[CHar]119+[CHar]111+[CHar]114+[CHar]100+[CHar]39+[CHar]13+[CHar]10+[CHar]73+[CHar]102+[CHar]40+[CHar]36+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]32+[CHar]45+[CHar]101+[CHar]113+[CHar]32+[CHar]39+[CHar]80+[CHar]48+[CHar]119+[CHar]69+[CHar]114+[CHar]36+[CHar]72+[CHar]51+[CHar]49+[CHar]49+[CHar]39+[CHar]41+[CHar]123+[CHar]13+[CHar]10+[CHar]9+[CHar]87+[CHar]114+[CHar]105+[CHar]116+[CHar]101+[CHar]45+[CHar]72+[CHar]111+[CHar]115+[CHar]116+[CHar]32+[CHar]39+[CHar]71+[CHar]111+[CHar]111+[CHar]100+[CHar]32+[CHar]74+[CHar]111+[CHar]98+[CHar]33+[CHar]39+[CHar]59+[CHar]13+[CHar]10+[CHar]9+[CHar]87+[CHar]114+[CHar]105+[CHar]116+[CHar]101+[CHar]45+[CHar]72+[CHar]111+[CHar]115+[CHar]116+[CHar]32+[CHar]34+[CHar]83+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]123+[CHar]36+[CHar]69+[CHar]67+[CHar]67+[CHar]79+[CHar]78+[CHar]125+[CHar]34+[CHar]13+[CHar]10+[CHar]125|iex"|&iex
```
transforming the output using python we got another little powershell script , but this time is cleaner :D
```PowerShell
'$ECCON=Read-Host -Prompt \'Enter the password\'\r\nIf($ECCON -eq \'P0wEr$H311\'){\r\n\tWrite-Host \'Good Job!\';\r\n\tWrite-Host "SECCON{$ECCON}"\r\n}'
```

We enter P0wEr$H311 as password the we got the validation password : SECCON{P0wEr$H311}

it was a cool challenge it gives me a chance playing around with powershell scripts

Original writeup (https://github.com/AnisBoss/CTFs/tree/master/SECCON%202017/Powerful_Shell-Binary-300).

Powerful_Shell

Comments

Sign in with