Tags: python obfuscation powershell encryption
Rating: 5.0
As this was a downloadable OVA file, I figured I needed to import it into VirtualBox and spin up the machine in order to start.
After logging in with the provided password I noticed a PowerShell window appearing for a short time (the description mentioned something about ‘blue windows’ popping up so this is interesting).
A quick look in the Task Manager revealed two suspicious processes with no name; however, when opening the file locations, I found a weird svchost.exe file in a non-standard location: **C:\ProgramData\windows\svchost.exe**
I quickly saved this file to my main machine for further analysis.
As I wanted to see what the PowerShell window from earlier was, I took a quick look at the Startup tab in Task Manager but there was nothing of interest.
I ran a Sysinternals Autoruns instance and I noticed a weird PowerShell-based Scheduled Task:
Analyzing this revealed that the Scheduled Task fetched a registry key's value, which was a base64-encoded, obfuscated PowerShell script, and then executed it.
`powershell.exe -w hidden -ExecutionPolicy Bypass -nop -NoExit -C Write-host 'Windows update ready'; iex ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\1X90wOyH).Q4josQ44)));`
This explains the quick PowerShell window I saw when the machine booted.
Decoding the base64 registry key revealed the following PS script which contains a part of the flag for this challenge:
After a bit of cleaning-up I got to this:
So indeed the rest of the flag must be related to that svchost.exe file; the web request in the else branch seems to be just for misleading purposes.
Running a quick strings dump on the svchost.exe binary reveals that it’s a **pyinstaller-compiled .exe file**:
So the next logical step was to try and extract the file using **pyinstxtractor** (https://github.com/extremecoders-re/pyinstxtractor):
Indeed I got some .pyc & .pyd files, so I continued with trying to decompile them with **uncompyle6** (https://pypi.org/project/uncompyle6/).
Taking a look in **logger.py** reveals this svchost.exe file is actually a keylogger that encrypts the captured keyboard data with **AES in CFB mode, then base64-encodes** the ciphertext and saves it to a file in the user's APPDATA directory:
I saved the key and the initialization vector for the AES decryption and I fetched the **%APPDATA%\anVzdGFuW1l.txt** file which contained Python binary strings (the base64-encoded cipher text from before):
I cleaned the file a bit (removed the b’’ stuff) then I tried decrypting it in CyberChef, getting only garbage:
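The decryption step as an added example (not the author's script), written in Go so that it runs with the standard library alone. The challenge's key, IV and log content are not reproduced on this page, so the block uses constructed values and assumes each log line is the Python bytes repr (b'...') of one base64-encoded AES-CFB record, each encrypted from the IV again; it also parameterises the CFB segment size, because PyCryptodome's CFB defaults to 8-bit segments while CyberChef and Go's cipher.NewCFBDecrypter use 128-bit segments, a mismatch that turns otherwise correct key material into garbage output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"strings"
)
// cfb applies AES-CFB with seg-byte segments: 1 = CFB-8 (PyCryptodome's default),
// 16 = CFB-128 (CyberChef, Go's cipher.NewCFB*). Ciphertext is always what is fed back.
func cfb(block cipher.Block, iv, in []byte, seg int, decrypt bool) []byte {
	reg := append([]byte(nil), iv...) // shift register, starts as the IV
	ks, out := make([]byte, aes.BlockSize), make([]byte, len(in))
	fb := out // feedback source: our output when encrypting ...
	if decrypt {
		fb = in // ... the input when decrypting
	}
	for i := 0; i < len(in); i += seg {
		n := seg
		if len(in)-i < n {
			n = len(in) - i // short final segment
		}
		block.Encrypt(ks, reg)
		for j := 0; j < n; j++ {
			out[i+j] = in[i+j] ^ ks[j]
		}
		copy(reg, reg[n:])                // shift the register left by n bytes
		copy(reg[len(reg)-n:], fb[i:i+n]) // and append the ciphertext segment
	}
	return out
}
// decryptLog strips Python's b'...' wrappers, base64-decodes and decrypts each line
// (assumption: every line was encrypted by a fresh cipher object, i.e. from the IV).
func decryptLog(block cipher.Block, iv []byte, logText string, seg int) (string, error) {
	var sb strings.Builder
	for _, line := range strings.Split(logText, "\n") {
		line = strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(line), "b'"), "'")
		ct, err := base64.StdEncoding.DecodeString(line) // "" decodes to nothing
		if err != nil {
			return "", err
		}
		sb.Write(cfb(block, iv, ct, seg, true))
	}
	return sb.String(), nil
}
func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed sample key
	iv := []byte("fedcba9876543210")                      // constructed sample IV
	line := "b'" + base64.StdEncoding.EncodeToString(cfb(block, iv, []byte("PIN 1234"), 1, false)) + "'\n"
	fmt.Println(decryptLog(block, iv, line, 1)) // CFB-8 both ways: prints "PIN 1234 <nil>"
}
```

If the keylogger kept one cipher object open across writes, the lines instead form a single CFB stream: concatenate the decoded ciphertexts and call cfb once.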
So I wrote a quick Python script to decrypt the file:
Which produced the following output:
After cleaning it a bit I could clearly see an email body:
As the first part of the flag was: **HTB{1_c4n_S33_3v3ryTh1ng_3v3n_y0uR_P1N_**
I figured the PIN from the email has to be the other part and indeed this was the final flag:
**HTB{1_c4n_S33_3v3ryTh1ng_3v3n_y0uR_P1N_50133700013}**