Description
- original file 504lab.exe.zip
- patched bytecode 504lab.pyc.zip
- error message (uncompyle6 output, including the disassembly it prints before the parse error):
$ uncompyle6 504lab.pyc
# uncompyle6 version 3.7.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.2 (default, Mar 11 2020, 00:29:50)
# [Clang 11.0.0 (clang-1100.0.33.17)]
# Embedded file name: 504lab.py
# Compiled at: 2054-06-26 14:40:57
# Size of source mod 2**32: 584092496 bytes
Instruction context:
L. 183 1022 LOAD_NAME time
1024 LOAD_METHOD sleep
1026 LOAD_CONST 1
1028 CALL_METHOD_1 1 ''
-> 1030 POP_TOP
# file 504lab.pyc
# --- This code section failed: ---
L. 1 0 LOAD_CONST 0
2 LOAD_CONST None
4 IMPORT_NAME os
6 STORE_NAME os
L. 2 8 LOAD_CONST 0
10 LOAD_CONST None
12 IMPORT_NAME subprocess
14 STORE_NAME subprocess
L. 3 16 LOAD_CONST 0
18 LOAD_CONST None
20 IMPORT_NAME time
22 STORE_NAME time
L. 4 24 LOAD_CONST 0
26 LOAD_CONST None
28 IMPORT_NAME tempfile
30 STORE_NAME tempfile
L. 5 32 LOAD_CONST 0
34 LOAD_CONST None
36 IMPORT_NAME sys
38 STORE_NAME sys
L. 6 40 LOAD_CONST 0
42 LOAD_CONST None
44 IMPORT_NAME signal
46 STORE_NAME signal
L. 7 48 LOAD_CONST 0
50 LOAD_CONST None
52 IMPORT_NAME base64
54 STORE_NAME base64
L. 8 56 LOAD_CONST 0
58 LOAD_CONST None
60 IMPORT_NAME re
62 STORE_NAME re
L. 9 64 LOAD_CONST 0
66 LOAD_CONST None
68 IMPORT_NAME random
70 STORE_NAME random
L. 10 72 LOAD_CONST 0
74 LOAD_CONST None
76 IMPORT_NAME socket
78 STORE_NAME socket
L. 11 80 LOAD_CONST 0
82 LOAD_CONST None
84 IMPORT_NAME webbrowser
86 STORE_NAME webbrowser
L. 12 88 LOAD_CONST 0
90 LOAD_CONST None
92 IMPORT_NAME signal
94 STORE_NAME signal
L. 14 96 LOAD_CODE <code_object reliable_start>
98 LOAD_STR 'reliable_start'
100 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
102 STORE_NAME reliable_start
L. 70 104 LOAD_CODE <code_object shellcmd>
106 LOAD_STR 'shellcmd'
108 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
110 STORE_NAME shellcmd
L. 75 112 LOAD_CODE <code_object exec_cmd>
114 LOAD_STR 'exec_cmd'
116 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
118 STORE_NAME exec_cmd
L. 84 120 LOAD_CODE <code_object handler>
122 LOAD_STR 'handler'
124 MAKE_FUNCTION_0 'No defaults, keyword-only args, annotations, or closures'
126 STORE_NAME handler
L. 88 128 LOAD_NAME signal
130 LOAD_METHOD signal
132 LOAD_NAME signal
134 LOAD_ATTR SIGINT
136 LOAD_NAME handler
138 CALL_METHOD_2 2 ''
140 POP_TOP
L. 90 142 LOAD_NAME webbrowser
144 LOAD_METHOD open_new
146 LOAD_STR 'https://markbaggett.github.io/504lab/'
148 CALL_METHOD_1 1 ''
150 POP_TOP
L. 91 152 LOAD_NAME webbrowser
154 LOAD_METHOD open_new_tab
156 LOAD_STR 'https://www.sans.org/course/hacker-techniques-exploits-incident-handling'
158 CALL_METHOD_1 1 ''
160 POP_TOP
L. 92 162 LOAD_NAME webbrowser
164 LOAD_METHOD open_new_tab
166 LOAD_STR 'https://www.sans.org/course/automating-information-security-with-python'
168 CALL_METHOD_1 1 ''
170 POP_TOP
L. 94 172 LOAD_NAME os
174 LOAD_METHOD system
176 LOAD_STR 'cls'
178 CALL_METHOD_1 1 ''
180 POP_TOP
L. 95 182 LOAD_NAME os
184 LOAD_METHOD system
186 LOAD_STR 'color f0'
188 CALL_METHOD_1 1 ''
190 POP_TOP
L. 96 192 LOAD_NAME print
194 LOAD_STR 'KNOW THY SYSTEM! \n\nOpen a second CMD prompt as an Administrator and run netstat -nao on your host so you know what your system looks like before it is "infected."'
196 CALL_FUNCTION_1 1 ''
198 POP_TOP
L. 97 200 LOAD_NAME print
202 LOAD_STR 'Verify your firewall and AV are disabled. I am about to start a non-malicious backdoor for you to find.\n'
204 CALL_FUNCTION_1 1 ''
206 POP_TOP
L. 99 208 LOAD_NAME input
210 LOAD_STR 'After you have run netstat press ENTER to continue'
212 CALL_FUNCTION_1 1 ''
214 STORE_NAME ans
L. 101 216 LOAD_NAME print
218 LOAD_STR '\n\nPlease wait: A TCP Backdoor is being started on your host.'
220 CALL_FUNCTION_1 1 ''
222 POP_TOP
L. 102 224 LOAD_STR 'TheFlagisBlack%s'
226 LOAD_NAME str
228 LOAD_NAME random
230 LOAD_METHOD randint
232 LOAD_CONST 999999
234 LOAD_CONST 999999999
236 CALL_METHOD_2 2 ''
238 CALL_FUNCTION_1 1 ''
240 BINARY_MODULO
242 STORE_NAME flag
L. 103 244 LOAD_NAME reliable_start
246 LOAD_NAME shellcmd
248 LOAD_STR '0'
250 LOAD_NAME flag
252 CALL_FUNCTION_2 2 ''
254 CALL_FUNCTION_1 1 ''
256 UNPACK_SEQUENCE_3 3
258 STORE_NAME pid
260 STORE_NAME ppid
262 STORE_NAME tprt
L. 104 264 LOAD_NAME print
266 LOAD_STR 'Backdoor Started. Please answer the following questions.'
268 CALL_FUNCTION_1 1 ''
270 POP_TOP
L. 106 272 LOAD_NAME input
274 LOAD_STR '\nWhat TCP port is the backdoor listening on? '
276 CALL_FUNCTION_1 1 ''
278 STORE_NAME ans
L. 107 280 LOAD_NAME ans
282 LOAD_NAME str
284 LOAD_NAME tprt
286 CALL_FUNCTION_1 1 ''
288 COMPARE_OP !=
290_292 POP_JUMP_IF_FALSE 418 'to 418'
294 LOAD_NAME ans
296 LOAD_STR 'skip'
298 COMPARE_OP !=
300_302 POP_JUMP_IF_FALSE 418 'to 418'
L. 108 304 LOAD_NAME ans
306 LOAD_CONST None
308 LOAD_CONST 4
310 BUILD_SLICE_2 2
312 BINARY_SUBSCR
314 LOAD_STR 'help'
316 COMPARE_OP ==
318_320 POP_JUMP_IF_FALSE 332 'to 332'
L. 109 322 LOAD_NAME print
324 LOAD_STR '\nnetstat -nao will show you what is listening now. Run it again and compare it to the previous results.'
326 CALL_FUNCTION_1 1 ''
328 POP_TOP
330 JUMP_FORWARD 340 'to 340'
332_0 COME_FROM 318 '318'
L. 111 332 LOAD_NAME print
334 LOAD_STR 'That is incorrect. Please check your answer and try again.'
336 CALL_FUNCTION_1 1 ''
338 POP_TOP
340_0 COME_FROM 330 '330'
L. 112 340 LOAD_STR '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
342 LOAD_NAME pid
344 BINARY_MODULO
346 STORE_NAME srchstr
L. 113 348 SETUP_FINALLY 376 'to 376'
L. 114 350 LOAD_NAME re
352 LOAD_METHOD search
354 LOAD_NAME srchstr
356 LOAD_NAME exec_cmd
358 LOAD_STR 'netstat -nao'
360 CALL_FUNCTION_1 1 ''
362 CALL_METHOD_2 2 ''
364 LOAD_METHOD group
366 LOAD_CONST 1
368 CALL_METHOD_1 1 ''
370 STORE_NAME tprt
372 POP_BLOCK
374 JUMP_FORWARD 406 'to 406'
376_0 COME_FROM_FINALLY 348 '348'
L. 115 376 POP_TOP
378 POP_TOP
380 POP_TOP
L. 116 382 LOAD_NAME print
384 LOAD_STR "Can't find the TCP port for that PID. Check your AV,Firewall and run the lab as an administrator again"
386 CALL_FUNCTION_1 1 ''
388 POP_TOP
L. 117 390 LOAD_NAME sys
392 LOAD_METHOD exit
394 LOAD_CONST 1
396 CALL_METHOD_1 1 ''
398 POP_TOP
400 POP_EXCEPT
402 JUMP_FORWARD 406 'to 406'
404 END_FINALLY
406_0 COME_FROM 402 '402'
406_1 COME_FROM 374 '374'
L. 118 406 LOAD_NAME input
408 LOAD_STR 'What TCP port is the backdoor listening on? '
410 CALL_FUNCTION_1 1 ''
412 STORE_NAME ans
414_416 JUMP_BACK 280 'to 280'
418_0 COME_FROM 300 '300'
418_1 COME_FROM 290 '290'
L. 120 418 LOAD_NAME input
420 LOAD_STR '\nWhat is the process id number of the backdoor? '
422 CALL_FUNCTION_1 1 ''
424 STORE_NAME ans
L. 121 426 LOAD_NAME ans
428 LOAD_NAME str
430 LOAD_NAME pid
432 CALL_FUNCTION_1 1 ''
434 COMPARE_OP !=
436_438 POP_JUMP_IF_FALSE 498 'to 498'
440 LOAD_NAME ans
442 LOAD_STR 'skip'
444 COMPARE_OP !=
446_448 POP_JUMP_IF_FALSE 498 'to 498'
L. 122 450 LOAD_NAME ans
452 LOAD_CONST None
454 LOAD_CONST 4
456 BUILD_SLICE_2 2
458 BINARY_SUBSCR
460 LOAD_STR 'help'
462 COMPARE_OP ==
464_466 POP_JUMP_IF_FALSE 478 'to 478'
L. 123 468 LOAD_NAME print
470 LOAD_STR '\nnetstat -nao shows you the process id number in the last column.'
472 CALL_FUNCTION_1 1 ''
474 POP_TOP
476 JUMP_FORWARD 486 'to 486'
478_0 COME_FROM 464 '464'
L. 125 478 LOAD_NAME print
480 LOAD_STR 'That is incorrect. Please check your answer and try again.'
482 CALL_FUNCTION_1 1 ''
484 POP_TOP
486_0 COME_FROM 476 '476'
L. 126 486 LOAD_NAME input
488 LOAD_STR 'What is the process id number of the backdoor? '
490 CALL_FUNCTION_1 1 ''
492 STORE_NAME ans
494_496 JUMP_BACK 426 'to 426'
498_0 COME_FROM 446 '446'
498_1 COME_FROM 436 '436'
L. 129 498 LOAD_NAME input
500 LOAD_STR '\nWhat is the parent process id number of the backdoor? '
502 CALL_FUNCTION_1 1 ''
504 STORE_NAME ans
L. 130 506 LOAD_NAME ans
508 LOAD_NAME str
510 LOAD_NAME ppid
512 CALL_FUNCTION_1 1 ''
514 COMPARE_OP !=
516_518 POP_JUMP_IF_FALSE 578 'to 578'
520 LOAD_NAME ans
522 LOAD_STR 'skip'
524 COMPARE_OP !=
526_528 POP_JUMP_IF_FALSE 578 'to 578'
L. 131 530 LOAD_NAME ans
532 LOAD_CONST None
534 LOAD_CONST 4
536 BUILD_SLICE_2 2
538 BINARY_SUBSCR
540 LOAD_STR 'help'
542 COMPARE_OP ==
544_546 POP_JUMP_IF_FALSE 558 'to 558'
L. 132 548 LOAD_NAME print
550 LOAD_STR '\nwmic process where (processid = 1234) get parentprocessid - would show you the parent processid for process 1234'
552 CALL_FUNCTION_1 1 ''
554 POP_TOP
556 JUMP_FORWARD 566 'to 566'
558_0 COME_FROM 544 '544'
L. 134 558 LOAD_NAME print
560 LOAD_STR 'That is incorrect. Please check your answer and try again.'
562 CALL_FUNCTION_1 1 ''
564 POP_TOP
566_0 COME_FROM 556 '556'
L. 135 566 LOAD_NAME input
568 LOAD_STR 'What is the parent process id number of the backdoor? '
570 CALL_FUNCTION_1 1 ''
572 STORE_NAME ans
574_576 JUMP_BACK 506 'to 506'
578_0 COME_FROM 526 '526'
578_1 COME_FROM 516 '516'
L. 137 578 LOAD_NAME print
580 LOAD_STR '\nUse Netcat to connect to the backdoor TCP port.'
582 CALL_FUNCTION_1 1 ''
584 POP_TOP
L. 138 586 LOAD_NAME input
588 LOAD_STR 'What is flag printed when you connect to the backdoor? '
590 CALL_FUNCTION_1 1 ''
592 STORE_NAME ans
L. 139 594 LOAD_NAME ans
596 LOAD_NAME flag
598 COMPARE_OP !=
600_602 POP_JUMP_IF_FALSE 662 'to 662'
604 LOAD_NAME ans
606 LOAD_STR 'skip'
608 COMPARE_OP !=
610_612 POP_JUMP_IF_FALSE 662 'to 662'
L. 140 614 LOAD_NAME ans
616 LOAD_CONST None
618 LOAD_CONST 4
620 BUILD_SLICE_2 2
622 BINARY_SUBSCR
624 LOAD_STR 'help'
626 COMPARE_OP ==
628_630 POP_JUMP_IF_FALSE 642 'to 642'
L. 141 632 LOAD_NAME print
634 LOAD_STR '\nnc 127.0.0.1 1234 - would connect to a backdoor on tcp port 1234.'
636 CALL_FUNCTION_1 1 ''
638 POP_TOP
640 JUMP_FORWARD 650 'to 650'
642_0 COME_FROM 628 '628'
L. 143 642 LOAD_NAME print
644 LOAD_STR 'That is incorrect. Please check your answer and try again.'
646 CALL_FUNCTION_1 1 ''
648 POP_TOP
650_0 COME_FROM 640 '640'
L. 144 650 LOAD_NAME input
652 LOAD_STR 'What is flag printed when you connect to the backdoor? '
654 CALL_FUNCTION_1 1 ''
656 STORE_NAME ans
658_660 JUMP_BACK 594 'to 594'
662_0 COME_FROM 610 '610'
662_1 COME_FROM 600 '600'
L. 147 662 LOAD_STR '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
664 LOAD_NAME pid
666 BINARY_MODULO
668 STORE_NAME srchstr
L. 148 670 LOAD_NAME re
672 LOAD_METHOD search
674 LOAD_NAME srchstr
676 LOAD_NAME exec_cmd
678 LOAD_STR 'netstat -nao'
680 CALL_FUNCTION_1 1 ''
682 CALL_METHOD_2 2 ''
684 LOAD_METHOD group
686 LOAD_CONST 1
688 CALL_METHOD_1 1 ''
690 STORE_NAME tprt
L. 149 692 LOAD_NAME input
694 LOAD_STR '\nWhat TCP port is the backdoor listening on now? '
696 CALL_FUNCTION_1 1 ''
698 STORE_NAME ans
L. 150 700 LOAD_NAME ans
702 LOAD_NAME str
704 LOAD_NAME tprt
706 CALL_FUNCTION_1 1 ''
708 COMPARE_OP !=
710_712 POP_JUMP_IF_FALSE 842 'to 842'
714 LOAD_NAME ans
716 LOAD_STR 'skip'
718 COMPARE_OP !=
720_722 POP_JUMP_IF_FALSE 842 'to 842'
L. 151 724 LOAD_NAME ans
726 LOAD_CONST None
728 LOAD_CONST 4
730 BUILD_SLICE_2 2
732 BINARY_SUBSCR
734 LOAD_STR 'help'
736 COMPARE_OP ==
738_740 POP_JUMP_IF_FALSE 756 'to 756'
L. 152 742 LOAD_NAME print
744 LOAD_STR '\nnetstat -nao will show you what is listening now. The process id number is still %s.'
746 LOAD_NAME pid
748 BINARY_MODULO
750 CALL_FUNCTION_1 1 ''
752 POP_TOP
754 JUMP_FORWARD 764 'to 764'
756_0 COME_FROM 738 '738'
L. 154 756 LOAD_NAME print
758 LOAD_STR 'That is incorrect. Please check your answer and try again.'
760 CALL_FUNCTION_1 1 ''
762 POP_TOP
764_0 COME_FROM 754 '754'
L. 155 764 LOAD_STR '\\r\\n.*?TCP.*?\\d{1,3}:(\\d+).*?%s\\r\\n'
766 LOAD_NAME pid
768 BINARY_MODULO
770 STORE_NAME srchstr
L. 156 772 SETUP_FINALLY 800 'to 800'
L. 157 774 LOAD_NAME re
776 LOAD_METHOD search
778 LOAD_NAME srchstr
780 LOAD_NAME exec_cmd
782 LOAD_STR 'netstat -nao'
784 CALL_FUNCTION_1 1 ''
786 CALL_METHOD_2 2 ''
788 LOAD_METHOD group
790 LOAD_CONST 1
792 CALL_METHOD_1 1 ''
794 STORE_NAME tprt
796 POP_BLOCK
798 JUMP_FORWARD 830 'to 830'
800_0 COME_FROM_FINALLY 772 '772'
L. 158 800 POP_TOP
802 POP_TOP
804 POP_TOP
L. 159 806 LOAD_NAME print
808 LOAD_STR 'Bad things happened. Check your AV,Firewall and run the lab as an administrator again'
810 CALL_FUNCTION_1 1 ''
812 POP_TOP
L. 160 814 LOAD_NAME sys
816 LOAD_METHOD exit
818 LOAD_CONST 1
820 CALL_METHOD_1 1 ''
822 POP_TOP
824 POP_EXCEPT
826 JUMP_FORWARD 830 'to 830'
828 END_FINALLY
830_0 COME_FROM 826 '826'
830_1 COME_FROM 798 '798'
L. 161 830 LOAD_NAME input
832 LOAD_STR 'What TCP port is the backdoor listening on now? '
834 CALL_FUNCTION_1 1 ''
836 STORE_NAME ans
838_840 JUMP_BACK 700 'to 700'
842_0 COME_FROM 720 '720'
842_1 COME_FROM 710 '710'
L. 163 842 LOAD_NAME print
844 LOAD_STR '\nNow use wmic to kill the process.'
846 CALL_FUNCTION_1 1 ''
848 POP_TOP
L. 164 850 LOAD_NAME input
852 LOAD_STR 'Press enter after you have killed the process.'
854 CALL_FUNCTION_1 1 ''
856 STORE_NAME ans
L. 165 858 LOAD_STR 'wmic process where (processid = %s) list brief'
860 LOAD_NAME pid
862 BINARY_MODULO
864 STORE_NAME check_pid
L. 166 866 LOAD_NAME exec_cmd
868 LOAD_NAME check_pid
870 CALL_FUNCTION_1 1 ''
872 LOAD_STR 'No Instance(s) Available.'
874 COMPARE_OP !=
876_878 POP_JUMP_IF_FALSE 938 'to 938'
880 LOAD_NAME ans
882 LOAD_STR 'skip'
884 COMPARE_OP !=
886_888 POP_JUMP_IF_FALSE 938 'to 938'
L. 167 890 LOAD_NAME ans
892 LOAD_CONST None
894 LOAD_CONST 4
896 BUILD_SLICE_2 2
898 BINARY_SUBSCR
900 LOAD_STR 'help'
902 COMPARE_OP ==
904_906 POP_JUMP_IF_FALSE 918 'to 918'
L. 168 908 LOAD_NAME print
910 LOAD_STR '\nwmic process where (processid = 1234) delete OR get-process -PID 1234 | stop-process - would kill process number 1234.'
912 CALL_FUNCTION_1 1 ''
914 POP_TOP
916 JUMP_FORWARD 926 'to 926'
918_0 COME_FROM 904 '904'
L. 170 918 LOAD_NAME print
920 LOAD_STR 'The process still seems to be running. Please kill the process used by the backdoor with wmic.'
922 CALL_FUNCTION_1 1 ''
924 POP_TOP
926_0 COME_FROM 916 '916'
L. 171 926 LOAD_NAME input
928 LOAD_STR 'Press enter after you have killed the process.'
930 CALL_FUNCTION_1 1 ''
932 STORE_NAME ans
934_936 JUMP_BACK 866 'to 866'
938_0 COME_FROM 886 '886'
938_1 COME_FROM 876 '876'
L. 173 938 LOAD_NAME print
940 LOAD_STR "\n\nThis PowerShell backdoor was easy to find because it listened on a TCP port. A more typical PowerShell backdoor will not. Instead it makes periodic client connections to a command and control server. Now I'm creating a new PowerShell process that does not listen on a port."
942 CALL_FUNCTION_1 1 ''
944 POP_TOP
L. 175 946 LOAD_STR 'Sasquatch%s'
948 LOAD_NAME random
950 LOAD_METHOD randint
952 LOAD_CONST 99999
954 LOAD_CONST 9999999999
956 CALL_METHOD_2 2 ''
958 BINARY_MODULO
960 STORE_NAME newflg
L. 176 962 LOAD_STR 'while($true){$flag = "%s"; [System.Threading.Thread]::Sleep(10000)};'
964 LOAD_NAME newflg
966 BINARY_MODULO
968 STORE_NAME newscript
L. 177 970 LOAD_CONST b'powershell.exe -nop -exec bypass -enc '
972 LOAD_NAME base64
974 LOAD_METHOD b64encode
976 LOAD_NAME newscript
978 LOAD_METHOD encode
980 LOAD_STR 'UTF-16LE'
982 CALL_METHOD_1 1 ''
984 CALL_METHOD_1 1 ''
986 BINARY_ADD
988 LOAD_METHOD decode
990 CALL_METHOD_0 0 ''
992 STORE_NAME newcmd
L. 178 994 LOAD_CONST 5
996 STORE_NAME retry_cnt
L. 180 998 SETUP_FINALLY 1016 'to 1016'
L. 181 1000 LOAD_NAME subprocess
1002 LOAD_METHOD Popen
1004 LOAD_NAME newcmd
1006 CALL_METHOD_1 1 ''
1008 LOAD_ATTR pid
1010 STORE_NAME pid
1012 POP_BLOCK
1014 BREAK_LOOP 1086 'to 1086'
1016_0 COME_FROM_FINALLY 998 '998'
L. 182 1016 POP_TOP
1018 POP_TOP
1020 POP_TOP
L. 183 1022 LOAD_NAME time
1024 LOAD_METHOD sleep
1026 LOAD_CONST 1
1028 CALL_METHOD_1 1 ''
1030 POP_TOP
L. 184 1032 LOAD_NAME retry_cnt
1034 LOAD_CONST 1
1036 INPLACE_SUBTRACT
1038 STORE_NAME retry_cnt
L. 185 1040 LOAD_NAME retry_cnt
1042 LOAD_CONST 1
1044 COMPARE_OP <
1046_1048 POP_JUMP_IF_FALSE 1072 'to 1072'
L. 186 1050 LOAD_NAME print
1052 LOAD_STR 'Unable to start the 2nd part of this lab. In another window manually start the following command:'
1054 CALL_FUNCTION_1 1 ''
1056 POP_TOP
L. 187 1058 LOAD_NAME print
1060 LOAD_NAME cmd
1062 CALL_FUNCTION_1 1 ''
1064 POP_TOP
L. 188 1066 POP_EXCEPT
1068_1070 BREAK_LOOP 1086 'to 1086'
1072_0 COME_FROM 1046 '1046'
1072 POP_EXCEPT
1074 JUMP_BACK 998 'to 998'
1076 END_FINALLY
L. 190 1078_1080 BREAK_LOOP 1086 'to 1086'
1082_1084 JUMP_BACK 998 'to 998'
L. 192 1086 LOAD_NAME input
1088 LOAD_STR '\nWhat is the process id number of the backdoor? '
1090 CALL_FUNCTION_1 1 ''
1092 STORE_NAME ans
L. 193 1094 LOAD_NAME ans
1096 LOAD_NAME str
1098 LOAD_NAME pid
1100 CALL_FUNCTION_1 1 ''
1102 COMPARE_OP !=
1104_1106 POP_JUMP_IF_FALSE 1166 'to 1166'
1108 LOAD_NAME ans
1110 LOAD_STR 'skip'
1112 COMPARE_OP !=
1114_1116 POP_JUMP_IF_FALSE 1166 'to 1166'
L. 194 1118 LOAD_NAME ans
1120 LOAD_CONST None
1122 LOAD_CONST 4
1124 BUILD_SLICE_2 2
1126 BINARY_SUBSCR
1128 LOAD_STR 'help'
1130 COMPARE_OP ==
1132_1134 POP_JUMP_IF_FALSE 1146 'to 1146'
L. 195 1136 LOAD_NAME print
1138 LOAD_STR '\nYou have been told it is a PowerShell based tool. wmic process where (name like "powershell%") list brief - will show you processes that are probably PowerShell.'
1140 CALL_FUNCTION_1 1 ''
1142 POP_TOP
1144 JUMP_FORWARD 1154 'to 1154'
1146_0 COME_FROM 1132 '1132'
L. 197 1146 LOAD_NAME print
1148 LOAD_STR 'That is incorrect. Please check your answer and try again.'
1150 CALL_FUNCTION_1 1 ''
1152 POP_TOP
1154_0 COME_FROM 1144 '1144'
L. 198 1154 LOAD_NAME input
1156 LOAD_STR 'What is the process id number of the backdoor? '
1158 CALL_FUNCTION_1 1 ''
1160 STORE_NAME ans
1162_1164 JUMP_BACK 1094 'to 1094'
1166_0 COME_FROM 1114 '1114'
1166_1 COME_FROM 1104 '1104'
L. 200 1166 LOAD_NAME print
1168 LOAD_STR '\nUse wmic to retrieve the CommandLine and answer the following.'
1170 CALL_FUNCTION_1 1 ''
1172 POP_TOP
L. 201 1174 LOAD_NAME input
1176 LOAD_STR '\nWhat is the flag contained in the script executed by the backdoor? '
1178 CALL_FUNCTION_1 1 ''
1180 STORE_NAME ans
L. 202 1182 LOAD_NAME ans
1184 LOAD_NAME str
1186 LOAD_NAME newflg
1188 CALL_FUNCTION_1 1 ''
1190 COMPARE_OP !=
1192_1194 POP_JUMP_IF_FALSE 1286 'to 1286'
1196 LOAD_NAME ans
1198 LOAD_STR 'skip'
1200 COMPARE_OP !=
1202_1204 POP_JUMP_IF_FALSE 1286 'to 1286'
L. 203 1206 LOAD_NAME ans
1208 LOAD_CONST None
1210 LOAD_CONST 4
1212 BUILD_SLICE_2 2
1214 BINARY_SUBSCR
1216 LOAD_STR 'help'
1218 COMPARE_OP ==
1220_1222 POP_JUMP_IF_FALSE 1266 'to 1266'
L. 204 1224 LOAD_NAME print
1226 LOAD_STR 'Step 1: Acquire the command line that launched the process.'
1228 CALL_FUNCTION_1 1 ''
1230 POP_TOP
L. 205 1232 LOAD_NAME print
1234 LOAD_STR '"wmic process where (processid = 1234) get commandline" - would get the command line that launched process id 1234.'
1236 CALL_FUNCTION_1 1 ''
1238 POP_TOP
L. 206 1240 LOAD_NAME print
1242 LOAD_STR 'Step 2: Decode the base64 string containing the PowerShell Script.'
1244 CALL_FUNCTION_1 1 ''
1246 POP_TOP
L. 207 1248 LOAD_NAME print
1250 LOAD_STR 'For example, the following command decodes a -enc (base64 encoded) string:'
1252 CALL_FUNCTION_1 1 ''
1254 POP_TOP
L. 208 1256 LOAD_NAME print
1258 LOAD_STR '[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("QwBoAGUAYwBrACAAbwB1AHQAIABTAEEATgBTACAAUAB5AHQAaABvAG4AIABDAGwAYQBzAHMAIQAgAFMARQBDADUANwAzACEAIQA=")).'
1260 CALL_FUNCTION_1 1 ''
1262 POP_TOP
1264 JUMP_FORWARD 1274 'to 1274'
1266_0 COME_FROM 1220 '1220'
L. 210 1266 LOAD_NAME print
1268 LOAD_STR 'That is incorrect. Please check your answer and try again.'
1270 CALL_FUNCTION_1 1 ''
1272 POP_TOP
1274_0 COME_FROM 1264 '1264'
L. 211 1274 LOAD_NAME input
1276 LOAD_STR 'What is the flag contained in the script executed by the backdoor? '
1278 CALL_FUNCTION_1 1 ''
1280 STORE_NAME ans
1282_1284 JUMP_BACK 1182 'to 1182'
1286_0 COME_FROM 1202 '1202'
1286_1 COME_FROM 1192 '1192'
L. 213 1286 LOAD_NAME print
1288 LOAD_STR '\nNow use wmic to kill the process.'
1290 CALL_FUNCTION_1 1 ''
1292 POP_TOP
L. 214 1294 LOAD_NAME input
1296 LOAD_STR 'Press enter after you have killed the process.'
1298 CALL_FUNCTION_1 1 ''
1300 STORE_NAME ans
L. 215 1302 LOAD_STR 'wmic process where (processid = %s) list brief'
1304 LOAD_NAME pid
1306 BINARY_MODULO
1308 STORE_NAME check_pid
L. 216 1310 LOAD_NAME exec_cmd
1312 LOAD_NAME check_pid
1314 CALL_FUNCTION_1 1 ''
1316 LOAD_STR 'No Instance(s) Available.'
1318 COMPARE_OP !=
1320_1322 POP_JUMP_IF_FALSE 1382 'to 1382'
1324 LOAD_NAME ans
1326 LOAD_STR 'skip'
1328 COMPARE_OP !=
1330_1332 POP_JUMP_IF_FALSE 1382 'to 1382'
L. 217 1334 LOAD_NAME ans
1336 LOAD_CONST None
1338 LOAD_CONST 4
1340 BUILD_SLICE_2 2
1342 BINARY_SUBSCR
1344 LOAD_STR 'help'
1346 COMPARE_OP ==
1348_1350 POP_JUMP_IF_FALSE 1362 'to 1362'
L. 218 1352 LOAD_NAME print
1354 LOAD_STR '\nwmic process where (processid = 1234) delete OR get-process -PID 1234 | stop-process - would kill process number 1234.'
1356 CALL_FUNCTION_1 1 ''
1358 POP_TOP
1360 JUMP_FORWARD 1370 'to 1370'
1362_0 COME_FROM 1348 '1348'
L. 220 1362 LOAD_NAME print
1364 LOAD_STR '\nThe process still seems to be running. Please kill the process used by the backdoor with wmic.'
1366 CALL_FUNCTION_1 1 ''
1368 POP_TOP
1370_0 COME_FROM 1360 '1360'
L. 221 1370 LOAD_NAME input
1372 LOAD_STR 'Press enter after you have killed the process.'
1374 CALL_FUNCTION_1 1 ''
1376 STORE_NAME ans
1378_1380 JUMP_BACK 1310 'to 1310'
1382_0 COME_FROM 1330 '1330'
1382_1 COME_FROM 1320 '1320'
L. 223 1382 LOAD_NAME input
1384 LOAD_STR '\n\nYou have done well. The evil hackers have been thwarted.\nPress enter to end this lab.'
1386 CALL_FUNCTION_1 1 ''
1388 POP_TOP
Parse error at or near `POP_TOP' instruction at offset 1030