Select all squares that contain uhh...

Tags

These captchas seem to get more difficult day by day…

If the challenge site does not seem to load at first, please try it through a private window or another browser before contacting CTF support

https://captcha.cyber-cit.club/

by boom

Given a website that you need to verify if you are human, you are presented with a captcha that you need to run poweshell.exe and solve the captcha to get the PowerShell script.

sEt-varIabLE IqBofD (  "  ) )43]rAhC[,)18]rAhC[+77]rAhC[+28]rAhC[(eCaLpeRc-93]rAhC[,'ukz'eCaLpeRc- 63]rAhC[,'akF'eCaLpeRc-)') uk'+'zukz'+'NIoJ-]) hTGNEl.jQZakF ( -.. 1 -'+'[jQZakF ()ukzxukz+'+']03[EmoHsPakF+]4[eMohspakF (. ; )  QMR iex( (ukz & ( r'+'A9SHeLLiD'+'[1]+rA9sheLLId[13]+IiDXIiD)( (u'+'kz+ukz((lbH{15}{11}{10}{1}ukz+ukz{22}{35}{24}{21ukz+'+'ukz}{4}{34}{8}{9}{16}{27}{5}{38}{33}{23}{14}{20}{6}{26}{13}{17}{7}{28}{ukz+ukz37}{31}{29}{2}{32}{ukz+ukz1'+'2ukz+ukz}{36}{0}ukz+ukz{19}{3}{18}{25}{30}lbH-fIiDriDmoIiD,IiD3]RahC[,yzpC1HyzpeCAlp'+'eukz+ukzr-93]Rah'+'C[,IiD,IiD]diug[(yzIiD,IiD((( )yzpxyzp+]43[EMohSPA'+'ROIiD,IiDhC[IiD,IiDzpos si gayzp+yzIiD,IiDukz+ukzyzpnlQsnyzp+yz'+'plyzp+yzpQukz+ukzsyzp+yzpPyzp+yzp81 tsoH-eukz+ukztiyzp+yzprW ;Pyzp+yzp81yzp+yukz+ukzzp}yryzp+yzpr0wukz+ukz_tn'+'0d_3r4yzp+'+'yzpwl4m_t'+'n1yzp+yzpa_s1htIiD,IiDyyzukz+ukzp+yzpr'+'otceriD'+' eyzp+yzppy'+'Tmyzukz+u'+'kzp+yzpetyzp'+'+'+'yzpI- riDyzp+yzpIiD,IiD[(eCAlper-)yzpukz+ukzP81!ti ukz+ukzd'+'IiD,IiDyzp+yzpnifyzp+yzukz+ukzp ogyzIiD,IiD )6I'+'iD,Iiukz+ukz'+'DIABLE '+'n7A1u (ask )IiD,IiDzp+yzpaPdlihC- yzp+ukz+ukzyzpPMET:vneIiDukz+ukz,IiDP81ukz+ukztyzp+yzpxt.galfP8yzp+yzp1 yzp+yzphtyzp+yzpaPdlihukz+ukzC- r'+'i'+'Dmodnay'+'zp+yzprC1H htaP- yzp+yzp'+'hukz+ukztayzp+ukz+ukzyzpP-nioJ( h'+'taP- tnyzp+yzpetnoC-tyzp+yzukz+ukzpeS yzp+yzp;'+'lyzp+yzpluyzp+yzpNIiD,I'+'iD llehSrewoIiD,IiDSeT-vARIiD,IiDp+yzp os metsys ruo'+'y no eryzp+IiD,Ii'+'D-tuO vyzp+yzpVQ yzp+uk'+'z+ukzyzpIiD,IiD+]4[EMOhspu'+'kz+uk'+'zARO ( . ask ) ; -join ( VAriAblEI'+'iD,IiDyzp+yzpdnarC1'+'yzp+yzpHyukz+ukzzpIiD,IiDyzp+yzpP moyukz+ukzzp+yzpdnar nyzp+yzpur yzp+yzpttyzp+yz'+'pNHnodukz+ukz yzp+'+'yzpyletinifeDyzp+IiD,IiD]RahC[,)811]u'+'kz+ukzRahC[+68]R'+'ahC[+18'+']RahC['+'( eCAlper-43]RahC[,'+'yzpP81yzp  eCAlPeR'+'ukz+ukzc-69]'+'R'+'aIiD,IiD)611]Raukz+ukzhC[+87]IiD,IiDzp+yzp uoyIiD,IiDhC['+'+27]'+'RahC[(eCAlPeRc- ukz+ukz ukz+ukz421IiD,ukz+ukzIi'+'D  N'+'7a1U -vaLUEo  )[ -1.ukz+ukz. -( ( VAr'+'iAblE  N7a1U IiD,IiD{TIC'+'P8yzp+yukz+u'+'kzzp1'+' eulaV-yzukz+ukzp+yzp )IiD,IiDyzpehweukz+ukzmyzp'+'+yIiD,IiDmodnayzp+yzp'+'ryzp+yzpCyzp+yzp1H hyzp+yzptaP-yzp+yzp myzukz+ukzp+yzpe'+'tI-yzp+'+'yzpweN ;))(gnyzp+yukz+ukzzpirtSoT.)('+'diuukz+ukzGwyzp+yzIiD,IiD:ukz+ukzyzp+yzukz+ukzpIiD,IiD-vaLUEo  ).LEngtH )]olTiexIiD,IiDN:IiD,Iiukz+ukzDp'+'+yzp h'+'tyIuk'+'z+ukziD,ukz+ukzIiDno dnifyukz+ukzIiD,IiD,)801]RahC[+18]RahC[+511]RahCIiD,Iukz+u'+'kziDRaIiD,IiDC1H htaP- htaP-nioyzp+yzpJ = Iukz+ukziD,IiDpeukz+ukzIiD,IiDpukz+ukzlf eht ,syawyyzp+yzpnukz+ukza tu'+'B yzp+yzp.yzp+yzp.tenretni eht IiD)) -REplAceIiDolTIiD,['+'CHaR]124  -REplAceIiDyzpIiD,[CHaR]39  -CREplaCE IiDAROIi'+'D,[ukz+ukzCHaR]36-CREplaCE ([CHaR]97+[CHaR]115+[CH'+'aR]107),[CHaR]3'+'4) '+')ukz).rePLACE(([cHar]73+[cHar]105+[cHar]68),[StRiNg][cHar]39).rePL'+'ACE(([cHar]114+[cHar]65+[cHar]57),[StRiNg]'+'[cHar]36).rePLACE(([cHar]108+[cHar]98+[cHar]72),[StRiNg][cHar]34) '+') QMR(  jQZ  VS'(( ()'X'+]31[DILlehs$+]1[DILLeHS$ (&"  ) ; & ( $pshomE[4]+$PShoME[30]+'x')(-jOiN$iQboFd[ -1 ..-( $iQboFd.lenGTH ) ] )

Running the script will give us this message:

alt text

So because the script is obfuscated and we can see that the string is reversed by the -join command, we can reverse the string and see what it does.

alt text

And i found env:TEMP string in the script, so i checked the TEMP directory and sorted the files by date and found a with random UUID v4 name. Opening the folder we can see a flag.txt file.

alt text

Select all squares that contain uhh... Flag: CIT{th1s_a1nt_m4lw4r3_d0nt_w0rry}