CTF : MrPhisher
Information
- IP: 10.10.62.86
- MYIP: 10.8.98.126
I received a suspicious email with a very weird-looking attachment. It keeps on asking me to "enable macros". What are those?
This is a forensics box. We already have access to the box; we just have to download two files: a .docm and a zip archive.
Basics
- Get file information

```console
$ cat MrPhisher.docm | sha1sum -
6fdf7d1185cc383b8ffece61b03c58560f83a990
$ mkdir tmp && cd tmp/
$ unzip ../mr-phisher.zip
$ cat MrPhisher.docm | sha1sum -
6fdf7d1185cc383b8ffece61b03c58560f83a990
```
OK, so the file contained in the archive is the same as the .docm (identical SHA-1).

```console
$ file MrPhisher.docm
MrPhisher.docm: Microsoft Word 2007+
```
Go deeper
Now let's take a look inside it.
Since we know it's a Word document, we can search for macros inside it. First, install oletools:

```console
$ sudo pip3 install -U oletools[full]
```

Then we scan the file to determine what's inside:
```console
$ oleid MrPhisher.docm
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: MrPhisher.docm
WARNING  For now, VBA stomping cannot be detected for files in memory
--------------------+--------------------+----------+--------------------------
Indicator           |Value               |Risk      |Description
--------------------+--------------------+----------+--------------------------
File format         |MS Word 2007+ Macro-|info      |
                    |Enabled Document    |          |
                    |(.docm)             |          |
--------------------+--------------------+----------+--------------------------
Container format    |OpenXML             |info      |Container type
--------------------+--------------------+----------+--------------------------
Encrypted           |False               |none      |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros          |Yes                 |Medium    |This file contains VBA
                    |                    |          |macros. No suspicious
                    |                    |          |keyword was found. Use
                    |                    |          |olevba and mraptor for
                    |                    |          |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros          |No                  |none      |This file does not contain
                    |                    |          |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External            |0                   |none      |External relationships
Relationships       |                    |          |such as remote templates,
                    |                    |          |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------
```

Now we know there is a macro!
Get the macro code and deobfuscate it

```console
$ olevba MrPhisher.docm
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1 on Python 3.10.4 - http://decalage.info/python/oletools
===============================================================================
FILE: MrPhisher.docm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Format()
Dim a()
Dim b As String
a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)
For i = 0 To UBound(a)
b = b & Chr(a(i) Xor i)
Next
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Xor                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
+----------+--------------------+---------------------------------------------+
```
There should be several ways to deobfuscate the macro and get the string, but I didn't find one, so I wrote a stupid Python script to do the job...

```python
# Same array as in the VBA macro; the macro builds the string with Chr(a(i) Xor i)
a = [102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110,
     113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124,
     25, 71, 26, 71, 21, 88]
b = ''
for i, v in enumerate(a):
    b += chr(v ^ i)  # each byte is XORed with its own index
print(b)
```
Then I just launched the script and got the answer ;)

```console
$ python3 macro.py
```
\o/
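As an added example (not part of the original writeup), here is the same decoding generalized to work straight from the olevba dump: it pulls every `x = Array(...)` literal out of the macro text and applies whichever `Chr(arr(i) Xor key)` transform it finds, whether the key is the loop index (as in this macro) or an integer constant, so the numbers never have to be copied by hand. `MACRO_DUMP` is the NewMacros.bas listing above embedded inline; the regex names and helper functions are my own.

```python
import re

# Constructed sample: the NewMacros.bas listing olevba printed for MrPhisher.docm,
# embedded here so the script runs offline without the .docm.
MACRO_DUMP = """Sub Format()
Dim a()
Dim b As String
a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)
For i = 0 To UBound(a)
b = b & Chr(a(i) Xor i)
Next
End Sub
"""

# `name = Array(n, n, ...)` literals and `Chr(arr(idx) Xor key)` expressions
ARRAY_RE = re.compile(r"(\w+)\s*=\s*Array\(([^)]*)\)", re.IGNORECASE)
XOR_RE = re.compile(r"Chr\(\s*(\w+)\((\w+)\)\s+Xor\s+(\w+)\s*\)", re.IGNORECASE)

def extract_arrays(vba_src):
    """Return {name: [ints]} for every Array(...) literal in the VBA source."""
    return {name: [int(n) for n in re.findall(r"-?\d+", body)]
            for name, body in ARRAY_RE.findall(vba_src)}

def decode_xor_array(values, key=None):
    """XOR each value with its index (key=None) or with a constant key."""
    if key is None:
        return "".join(chr(v ^ i) for i, v in enumerate(values))
    return "".join(chr(v ^ key) for v in values)

def decode_macro(vba_src):
    """Decode every array that feeds a Chr(arr(i) Xor ...) loop; skip unknown keys."""
    arrays = extract_arrays(vba_src)
    decoded = {}
    for arr_name, idx_var, key in XOR_RE.findall(vba_src):
        if arr_name not in arrays:
            continue
        if key.isdigit():                       # Xor 42 -> single-byte constant key
            decoded[arr_name] = decode_xor_array(arrays[arr_name], int(key))
        elif key.lower() == idx_var.lower():    # Xor i -> index is the key (this macro)
            decoded[arr_name] = decode_xor_array(arrays[arr_name])
        # any other key variable is left alone: we don't know its value
    return decoded

if __name__ == "__main__":
    for name, text in decode_macro(MACRO_DUMP).items():
        # Non-printable output usually means the assumed key or loop start is wrong
        print(f"{name}: {text!r}" if text.isprintable() else f"{name}: not printable")
```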