add solved giveaway challenge

forensics/giveaway/README.md

@@ -0,0 +1,34 @@
+# Giveaway
+
+Santa's SOC team is working overtime during December due to Christmas phishing
+campaigns. A new team of malicious actors is targeting mainly those affected by
+the holiday spirit. Could you analyse the document and find the command &
+control server?
+
+## Flag
+
+HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}
+
+## How to solve
+
+- The giveaway.docm file is a word file with enabled macros
+- Use oletools to extract any vba code `olevba -c christmas_giveaway.docm > macros.vba`
+- By analyzing the vba macro it is quite obvious which part is the obfuscated c&c address
+
+```vba
+Module VBModule
+    Sub Main()
+        Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
+        HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
+        cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
+        fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
+        fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
+        ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
+        FVpHoEqBKnhPO = Replace("christmas", "i", "1")
+        FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
+        Console.WriteLine(HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO)
+    End Sub
+End Module
+```
+
+- Execute this part of the script in any vba online compiler and get the flag.