35 lines
1.6 KiB
Markdown
35 lines
1.6 KiB
Markdown
# Giveaway
|
|
|
|
Santa's SOC team is working overtime during December due to Christmas phishing
|
|
campaigns. A new team of malicious actors is targeting mainly those affected by
|
|
the holiday spirit. Could you analyse the document and find the command &
|
|
control server?
|
|
|
|
## Flag
|
|
|
|
HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}
|
|
|
|
## How to solve
|
|
|
|
- The giveaway.docm file is a word file with enabled macros
|
|
- Use oletools to extract any vba code `olevba -c christmas_giveaway.docm > macros.vba`
|
|
- By analyzing the vba macro it is quite obvious which part is the obfuscated c&c address
|
|
|
|
```vba
|
|
Module VBModule
|
|
Sub Main()
|
|
Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
|
|
HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
|
|
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
|
|
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
|
|
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
|
|
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
|
|
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
|
|
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
|
|
Console.WriteLine(HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO)
|
|
End Sub
|
|
End Module
|
|
```
|
|
|
|
- Execute this part of the script in any vba online compiler and get the flag.
|