Chapter 5

Whispers in the Shadows

Well done, agent! Just one more push!

Thanks to your talent, we've managed to compromise the machine of the organization's presumed leader and installed a backdoor on it.

Unfortunately, his machine has been hardened and our best analysts have been unable to extract anything about his identity. Everything seems to confirm that he keeps his most precious documents in a restricted directory under C:\Users\Administrator.

Nevertheless, we were able to find the history of a conversation he had with the lead developer a few weeks earlier. We've transcribed it for you here:

EMERALD> We need to strengthen the security of our communications. I know that our detractors are spying on us. What's the status of the S project?

DEV> We're working on it! We've made significant strides in implementing multi-layer encryption and address masking. The core functionality is nearly complete.

EMERALD> That's excellent to hear.

DEV> I've sent you version 1.0 via our secure channel. You are safe to install it on your machine with the instructions provided. Let me know if you encounter any problems.

EMERALD> Great. Once the driver is fully finalized, we'll need to discuss deployment strategies and any potential implications for our organization's infrastructure. Everything must be ready for our next public action...

DEV> Ave viridis crystallum.

EMERALD> Ave viridis crystallum.

We were able to extract the binaries of the project discussed in this conversation. It's all contained in the following archive: EnigmaEnv.zip.

The archive contains:

  • netshdw.sys, the mentioned Windows driver
  • netshdw.inf, the INF file to install the driver
  • netshdw.cat, the CAT file used to install the driver
  • ENIGMA.qcow2, a virtual disk of a VM that mimics the target environment for testing purposes
  • instructions.md, a few tips from our experts on how to use the supplied environment

We are therefore counting on you to analyze this driver and exploit its potential vulnerabilities in order to increase your privileges on the leader's machine. This should give us access to those juicy classified documents... Who knows what kind of dreadful public action they could be plotting?