Forensics Category:

> Colored Squares challenge :

In this challenge, we received a PCAP file. Upon analyzing it, we found what appears to be an obfuscated PowerShell script, and indeed it is.

Haha, the script turns out to be a fake Discord Nitro generator. (LOL)

The script's content is reversed and base64-encoded, so I deobfuscated it using CyberChef.

Analyzing the code, there is a variable named part1:

$part1 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf"

Decoding it from base64, we got the first part of the flag: HTB{fr33_N17r0G3n_3xp053d!_

Then, we have a function that encrypts a string with AES, and the key is hardcoded in the script.

$AES_KEY = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="

In the last stream of the PCAP file there is a block of ciphertext, which is the output of that function.

I decrypted it with the key (which itself must first be decoded from base64).

We received a Base64-encoded string which, when decoded, provided us with JSON data.

Decoding the email field from this JSON data using Base64 yielded the last part of the flag.
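The decode chain above, as an added example that is not part of the original write-up. It reuses the `$part1` and `$AES_KEY` values from the script; the AES mode (CBC), padding (PKCS7) and zero IV are assumptions, since the write-up does not state them, and the "last stream" content is a constructed stand-in because the real capture is not reproduced here.

```powershell
# Added example (not from the write-up): reproduce the decode chain with .NET AES.
# ASSUMED: AES-256-CBC, PKCS7 padding, zero IV; the real script's mode and IV are not given.
$part1   = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf"
$AES_KEY = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="

function Get-B64Text([string]$b64) {
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function New-Aes([string]$keyB64) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = [Convert]::FromBase64String($keyB64)   # 32 bytes -> AES-256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.IV      = New-Object byte[] 16                    # assumed zero IV
    return $aes
}

function Protect-Text([string]$plain, [string]$keyB64) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
    $enc   = (New-Aes $keyB64).CreateEncryptor()
    [Convert]::ToBase64String($enc.TransformFinalBlock($bytes, 0, $bytes.Length))
}

function Unprotect-Text([string]$cipherB64, [string]$keyB64) {
    $bytes = [Convert]::FromBase64String($cipherB64)
    $dec   = (New-Aes $keyB64).CreateDecryptor()
    [Text.Encoding]::UTF8.GetString($dec.TransformFinalBlock($bytes, 0, $bytes.Length))
}

# Constructed stand-in for the last PCAP stream: JSON with a base64 email field,
# base64-encoded as a whole, then AES-encrypted with the script's key.
$part2  = "b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}"
$json   = @{ user = "victim"; email = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($part2)) } |
          ConvertTo-Json -Compress
$stream = Protect-Text ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))) $AES_KEY

# Recovery, following the write-up step by step
$flagStart = Get-B64Text $part1                        # HTB{fr33_N17r0G3n_3xp053d!_
$innerB64  = Unprotect-Text $stream $AES_KEY           # AES decrypt -> base64 string
$jsonText  = Get-B64Text $innerB64                     # base64 decode -> JSON
$flagEnd   = Get-B64Text ($jsonText | ConvertFrom-Json).email
"$flagStart$flagEnd"
```

With a real capture, replace `$stream` with the base64 ciphertext extracted from the last TCP stream and adjust the mode/IV to match the deobfuscated script.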

FLAG:

HTB{fr33_N17r0G3n_3xp053d!_b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}