Cyber Defenders - Obfuscated CTF
Another lunch break, another challenge
We were challenged to complete this mini CTF in our lunch break. Below is our walkthrough to answering the challenge's questions. Only question 4 threw us for a while, as we were using our own sandbox and not the CMDWatcher tool mentioned on the challenge's support page.
Walkthrough
1) What is the sha256 hash of the doc file?
shasum -a 256 49b367ac261a722a7c2bbbc328c32545.doc
ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751
2) Multiple streams contain macros in this document. Provide the number of the lowest one.
We used Didier Stevens' oledump. In its listing, an uppercase M flags a stream containing VBA code, while a lowercase m flags a macro stream that only holds attribute lines:
python ./oledump.py ~/Downloads/49b367ac261a722a7c2bbbc328c32545.doc
1: 114 '\x01CompObj'
2: 284 '\x05DocumentSummaryInformation'
3: 392 '\x05SummaryInformation'
4: 8017 '1Table'
5: 4096 'Data'
6: 483 'Macros/PROJECT'
7: 65 'Macros/PROJECTwm'
8: M 7117 'Macros/VBA/Module1'
9: m 1104 'Macros/VBA/ThisDocument'
Answer:
8
3) What is the decryption key of the obfuscated code?
Either execute the document in your sandbox, or read the code: the last WScript.Shell call runs the downloaded script and passes the key to it as the first command-line argument.
In our case we used olevba from oletools to read the code:
olevba ~/Downloads/49b367ac261a722a7c2bbbc328c32545.doc
olevba 0.60 on Python 2.7.18 - http://decalage.info/python/oletools
===============================================================================
...
VBA MACRO Module1.bas
in file: /Downloads/49b367ac261a722a7c2bbbc328c32545.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...
Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"
Answer:
EzZETcSXyKAdF_e5I2i1
4) What is the path of dropped file?
Warning: you have to use the CMDWatcher tool to get the correct user, as the script builds the path from the user's environment variables, so it reflects whichever user runs it (usually your sandbox user):
Answer:
C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\maintools.js
5) This script uses what language?
Answer:
JScript
6) What is the name of the variable that is assigned the command-line arguments?
Once you've extracted maintools.js, you can easily answer the next few questions:
Answer:
wvy1
7) How many command-line arguments does this script expect?
Easy:
1
8) What instruction is executed if this script encounters an error?
The next few answers involve reading the code:
Answer:
WScript.Quit()
9) What function returns the next stage of code (i.e. the first round of obfuscated code)?
Answer:
y3zb
10) The function LXv5 is an important function, what variable is assigned a key string value in determining what this function does?
Answer:
LUK7
11) What encoding scheme is this function responsible for decoding?
Answer:
Base64
12) In the function CpPT, the first two for loops are responsible for what important part of this function?
By now you should know the encryption algorithm is RC4
Key-scheduling algorithm
13) The function CpPT requires two arguments, where does the value of the first argument come from?
From your sandbox:
command-line argument
14) For the function CpPT, what does the first argument represent?
key
15) What encryption algorithm does the function CpPT implement in this script?
By now you should know the encryption algorithm is RC4
Answer:
RC4
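To check the answers to questions 11 to 15 without running the script again, here is an added example (our own code, not the challenge's maintools.js) that re-implements the decoding pipeline the walkthrough describes: a Base64 decode (what LXv5 does) followed by RC4 (what CpPT does, with its first two loops forming the key-scheduling algorithm and the key coming from the first command-line argument). The function names, the order "Base64 first, then RC4", and the sample blob are our assumptions; the key is the one recovered in question 3. Two standard RC4 test vectors are included so the implementation can be verified independently of the sample.

```python
"""Offline re-implementation of the Base64 + RC4 decoding stage described in
the write-up. Added example; not code from the challenge or from maintools.js.
Function names are ours, not the script's obfuscated identifiers."""
import base64
import sys


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: the two loops at the top of an RC4 routine.
    Initialise S to the identity permutation, then shuffle it with the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_next_stage(blob_b64: str, key: str) -> str:
    """Base64-decode the embedded blob, then RC4-decrypt it with the
    command-line key. The result is the text the script would pass to eval()."""
    ciphertext = base64.b64decode(blob_b64, validate=True)
    return rc4(key.encode(), ciphertext).decode("latin-1")


def encode_stage(plaintext: str, key: str) -> str:
    """Inverse of decode_next_stage; used only to build the constructed sample
    below, since the real blob is not reproduced in the write-up."""
    return base64.b64encode(rc4(key.encode(), plaintext.encode("latin-1"))).decode()


# Constructed sample: a harmless stand-in for the obfuscated blob, encrypted
# with the key the walkthrough recovered from the macro's Run line.
KEY = "EzZETcSXyKAdF_e5I2i1"
SAMPLE_PLAINTEXT = 'function UspD() { return "stage2"; }'
SAMPLE_BLOB = encode_stage(SAMPLE_PLAINTEXT, KEY)

if __name__ == "__main__":
    # Usage: python decode_stage.py <base64 blob> <key>; defaults to the sample.
    blob = sys.argv[1] if len(sys.argv) > 2 else SAMPLE_BLOB
    key = sys.argv[2] if len(sys.argv) > 2 else KEY
    print(decode_next_stage(blob, key))
```

Paste the real Base64 blob from y3zb and the key from question 3 on the command line to recover the next stage as text, which is what the CyberChef recipe in question 18 does interactively. Because RC4 is symmetric, a wrong key does not raise an error; it simply yields garbage, so check that the output parses as JScript before drawing conclusions from it.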
16) What function is responsible for executing the deobfuscated code?
From maintools.js:
Eval
17) What Windows Script Host program can be used to execute this script in command-line mode?
An alternative to wscript?
cscript.exe
18) What is the name of the first function defined in the deobfuscated code?
We used this Cyberchef recipe to view the unencrypted code:
Answer:
UspD
Conclusion
A fun lunch-time challenge: useful as a training CTF for junior members of the team and as an introduction to the investigation practices and methodology for analysing malicious documents and safely debugging malware.
Tools
Just another recap on the tools we used: