ECSC CTF 2021 - User Manual
Forensics 1 - user manual
Challenge Description
Recently I bought a custom made video game from a totally legit salesman under a dark bridge. There was a user manual alongside, but I cannot see the contents of it.
- This challenge has a downloadable part.
Steps
Unzip challenge files:
unzip forensics_user_manual
We get a file user_manual.docm, which is a Word document with macros (the .docm extension marks a macro-enabled document).
Unzip docm file
Our first try was to unzip the .docm file to see the XML files it is composed of, but in the end it was not needed:
unzip user_manual.docm -d user_manual
View docm file
We can view the macro code directly from the Macros dialog of Microsoft Word or LibreOffice Writer.
We can also use oletools, a Python toolkit that analyzes OLE/Office files. Again it was not strictly needed for this challenge, but it is definitely helpful:
sudo -H pip3 install -U oletools
If we run the olevba tool we can see the Visual Basic macros in the document and some useful info:
olevba user_manual.docm
At the end of the run, after the macro source, we get a long list of suspicious keywords and IOCs:
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|AutoExec |Auto_Open |Runs when the Excel Workbook is opened |
|AutoExec |Workbook_Open |Runs when the Excel Workbook is opened |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Open |May open a file |
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|Output |May write to a file (if combined with Open) |
|Suspicious|Print # |May write to a file (if combined with Open) |
|Suspicious|Kill |May delete a file |
|Suspicious|ADODB.Stream |May create a text file |
|Suspicious|SaveToFile |May create a text file |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|vbNormal |May run an executable file or a system |
| | |command |
|Suspicious|WScript.Shell |May run an executable file or a system |
| | |command |
|Suspicious|Create |May execute file or a system command through |
| | |WMI |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|GetObject |May get an OLE object with a running instance|
|Suspicious|Windows |May enumerate application windows (if |
| | |combined with Shell.Application object) |
|Suspicious|User-Agent |May download files from the Internet |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|system |May run an executable file or a system |
| | |command on a Mac (if combined with |
| | |libc.dylib) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |https://ccserver.com|URL |
| |/ECSC | |
|IOC |1.1.2.2 |IPv4 address |
|IOC |444.exe |Executable file name |
+----------+--------------------+---------------------------------------------+
We can now inspect the script code. We can save the olevba output to a .vbs file in order to view it in a text editor:
olevba user_manual.docm > user_manual_olevba.vbs
Inside the h() procedure we notice the following part:
str = "https://ccserver.com/ECSC{" + Chr(68) + "o" + Chr(Asc("w")) + "nl" + Chr(48)
sec = Replace("ed_det_ju1cy_b1n}/bin", "e", "a")
That is the sign of the flag. If we substitute each Chr()/Asc() call with its character, apply the Replace() call and perform all the concatenations, we get the following link:
https://ccserver.com/ECSC{Downl0ad_dat_ju1cy_b1n}/bin
This is our flag.
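Doing the substitution by hand works for two lines, but macro authors routinely spread a URL over dozens of Chr()/Replace() fragments. The following is an added example, not part of the original writeup or of oletools: a whitelist-based evaluator for exactly the VBA idioms seen in h() (string literals, Chr, Asc, Replace, variables and +/& concatenation). It parses each right-hand side with Python's ast module and refuses any other construct, so pasting in untrusted macro text cannot execute anything. The MACRO_LINES below are a constructed copy of the two quoted lines.

```python
import ast
import re

# Whitelisted VBA functions used by the macro, mapped to Python equivalents.
# Replace() here uses vbBinaryCompare semantics (case-sensitive), VBA's default.
VBA_FUNCS = {
    "Chr": chr,
    "Asc": lambda s: ord(s[0]),
    "Replace": lambda s, old, new: s.replace(old, new),
}

def eval_vba_expr(src, env):
    """Evaluate a VBA string expression built from literals, Chr/Asc/Replace,
    previously assigned variables and +/& concatenation.
    Anything outside that whitelist raises ValueError instead of running."""
    # VBA's "&" concatenation has no Python equivalent: rewrite it to "+",
    # but only outside string literals (even number of quotes ahead).
    src = re.sub(r'&(?=(?:[^"]*"[^"]*")*[^"]*$)', "+", src)
    tree = ast.parse(src, mode="eval")  # syntax only; nothing is executed

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, int)):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        if isinstance(node, ast.Name) and node.id in env:
            return env[node.id]
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in VBA_FUNCS and not node.keywords):
            return VBA_FUNCS[node.func.id](*(walk(a) for a in node.args))
        raise ValueError(f"unsupported construct: {ast.dump(node)}")

    return walk(tree.body)

def run_statements(lines):
    """Evaluate `name = expr` assignments in order and return the variables."""
    env = {}
    for line in lines:
        name, _, rhs = line.partition("=")
        env[name.strip()] = eval_vba_expr(rhs.strip(), env)
    return env

# Constructed copy of the two lines quoted from the h() procedure above.
MACRO_LINES = [
    'str = "https://ccserver.com/ECSC{" + Chr(68) + "o" + Chr(Asc("w")) + "nl" + Chr(48)',
    'sec = Replace("ed_det_ju1cy_b1n}/bin", "e", "a")',
]

def recover_url(lines=MACRO_LINES):
    env = run_statements(lines)
    return env["str"] + env["sec"]  # the macro concatenates the two parts

def extract_flag(url):
    m = re.search(r"ECSC\{[^}]*\}", url)
    return m.group(0) if m else None
```

Note that VBA escapes an embedded quote as "" while Python treats "a""b" as two adjacent literals, so a macro relying on that idiom needs a small pre-pass before the parse.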
Flag
Flag: ECSC{Downl0ad_dat_ju1cy_b1n}