I noted that the command was triggered with base64 encoding, so the answer should be (I assume) copied and pasted from the GitHub link provided, but I'm not able to progress at all.
Hi. I found the solution, but I just guessed it. I found the PowerShell with the base64 and when I decoded it, I finally found executable code but nothing about the module used.
Hello. I need assistance, kindly. I have been stuck here for days: (Practical Digital Forensics Scenario)
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework) has been utilized within the process, and enter its name as your answer.
I just finished this a while ago,
First, identify any PowerShell commands or scripts executed by the process with PID 6744 in the memory dump; you can use Volatility's windows.cmdline.
Second, this is base64; decode it using any tool like PowerShell, CyberChef or Burp Suite. Me, I asked ChatGPT to decode it for me, then I asked GPT to explain it to,
It's simpler than this, just use the provided site with metasploit tools and try to find the adequate tool's name that "performs network enumeration and exploitation".
This is the most frustrating task I have ever done, it looks like it's injecting shellcode into a process.
But it's not the answer.
And for all my efforts I can't find any other good ways of solving this one.
I have reversed all the encoded parts, to no effect.
It still is just not clear, I feel the question is messing it up for me…
It sounds like your search for the tools was simple, but it has been complicated for me.
I tried listing all the tools from the README.md but none of them worked. Then I tried listing individual functions and modules, but there are lots of them in each file, so I tried lots but not all of them. Someone said the word Invoke was not in the name, so I tried function names eliminating Invoke from them, but with no luck.
This one was tricky. I had to decode it from base64, and then there was a PowerShell script with another payload that furthermore was being decoded from base64 and uncompressed, per the code. I had to change the code to just save the uncompressed double-decoded payload to a file instead of executing it, and then run the PowerShell script. Then the final payload was still not searchable in the GitHub, but I tried searching other random parts of the code until I found something promising. The name of the tool corresponds to the name of one of the PowerShell files, but without the .ps1 extension.
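The two decoding steps the replies above describe (the base64 `-EncodedCommand` layer from the process command line, then the inner `FromBase64String` blob that the stub decompresses before handing it to IEX) can be peeled without ever running the script. The following is an added example, not code from the thread or from any of the posters; it assumes the outer layer is UTF-16LE base64 as `powershell -EncodedCommand` expects, and that the inner blob is gzip, raw deflate or zlib compressed. The sample payload it decodes is constructed inside `build_sample()` and is not the one from the memory image in the challenge; in practice you would pass the base64 string recovered with Volatility instead.

```python
"""Peel nested PowerShell payload layers for static review instead of executing them.

Layer 1: `powershell -EncodedCommand <b64>` is base64 over UTF-16LE text.
Layer 2: the decoded stub often carries `[Convert]::FromBase64String('...')`
         fed through a Gzip/Deflate stream and then IEX; we decode and
         decompress that inner blob ourselves and write it to disk.
"""
import base64
import gzip
import re
import zlib
from pathlib import Path

# Matches the inner base64 blob handed to FromBase64String in the stub.
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
MAX_LAYERS = 8  # guard against a stub that keeps re-wrapping itself


def decode_encoded_command(b64: str) -> str:
    """Layer 1: -EncodedCommand is base64 over UTF-16LE; fall back to UTF-8."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


def decompress_any(blob: bytes):
    """Try the stream types PowerShell stubs commonly use; return (method, bytes)."""
    attempts = (
        ("gzip", lambda b: gzip.decompress(b)),          # IO.Compression.GzipStream
        ("deflate", lambda b: zlib.decompress(b, -15)),  # IO.Compression.DeflateStream (raw)
        ("zlib", lambda b: zlib.decompress(b)),          # zlib-wrapped deflate
    )
    for name, fn in attempts:
        try:
            return name, fn(blob)
        except (OSError, zlib.error, EOFError):
            continue
    return "none", blob  # not compressed (or unknown scheme): keep the raw bytes


def peel(encoded_command: str):
    """Return a list of (layer_label, text) from outermost to innermost."""
    script = decode_encoded_command(encoded_command)
    layers = [("encodedcommand-utf16le", script)]
    for _ in range(MAX_LAYERS):
        m = INNER_B64.search(script)
        if not m:
            break
        blob = base64.b64decode("".join(m.group(1).split()))
        method, data = decompress_any(blob)
        script = data.decode("utf-8", errors="replace")
        layers.append((f"frombase64string+{method}", script))
    return layers


def dump_innermost(encoded_command: str, out_path: str) -> str:
    """Write the innermost layer to a file for review; never IEX it."""
    layers = peel(encoded_command)
    Path(out_path).write_text(layers[-1][1], encoding="utf-8")
    return layers[-1][1]


def build_sample() -> str:
    """Constructed sample (hypothetical, not the challenge's payload):
    an inner script gzip-compressed and base64-wrapped inside a PowerShell
    stub, with the whole stub UTF-16LE encoded and base64-wrapped as
    `powershell -EncodedCommand` expects."""
    inner = "Write-Host 'PLACEHOLDER inner script'"
    packed = base64.b64encode(gzip.compress(inner.encode())).decode()
    stub = (
        "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + packed + "'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    )
    return base64.b64encode(stub.encode("utf-16-le")).decode()


if __name__ == "__main__":
    for label, text in peel(build_sample()):
        print(f"[{label}] {text[:80]}")
```

Once the innermost layer is on disk, grep it for function names and search those in the PowerSploit repository; the script body is what identifies the module, not the stub around it.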