NetSupport

less than 1 minute read

🐞 NetSupport

Category Author
🐞 Malware Ben Folland

Challenge Prompt

An unexpected Remote Monitoring and Management (RMM) tool was identified on this laptop. We identified a suspicious PowerShell script written to disk at a similar time. Can you find the link between the two?

Problem Type

  • PowerShell

Password

The password to the ZIP archive is netsupport.

Solve

Opened PowerShell file Found byte string that PS converts to ZIP archive

[byte[]]$kKtyJL = $xϞzzghϞ + $mcZΞ›kΟžΟ€ + $RΞΆΟ€rMwGEQi
[IO.File]::WriteAllBytes($LjLSTACGF, $kKtyJL)
$weBRvm = [IO.Path]::ChangeExtension($LjLSTACGF, 'zip')

Used Python to save as ZIP:

1
2
3
4

x = bytearray([80,75,3,4,20,0)]
with open('output_bytearray.zip', 'wb') as f:
    # Write the bytearray to the file
    f.write(x)

Expanded ZIP, and found INI file.
Ran cat on Client32.ini

Found this line: Flag=ZmxhZ3tiNmU1NGQwYTBhNWYyMjkyNTg5YzM4NTJmMTkzMDg5MX0NCg==

Base64 decode in CyberChef

Flag

flag{b6e54d0a0a5f2292589c3852f1930891}

(back to top)

You May Also Enjoy

ValenFind

2 minute read

🌐 Love at First Breach 2026 - Valenfind

Try Heart Me

1 minute read

🌐 Love at First Breach 2026 - TryHeartMe

Speed Chat

1 minute read

🌐 Love at First Breach 2026 - Speed Chat