forensics

Cyber Apocalypse 2023

Relic Maps

Solved by: Bobbysox

The Relic Maps challenge started with a link to one file called relicmaps.one. This is a OneNote file, and the format has been the focus of recent breaches because it can bypass the Mark of the Web (MOTW). I used a tool called pyOneNote to extract its contents:

https://github.com/DissectMalware/pyOneNote

Now that we had extracted all the data, the next step was to hunt down the macros that were likely used for this attack. The attacker embedded an HTA file that contained VBScript; this VBScript would effectively reach out for the "payload".

Initial access vector exploit chain: phish > .hta > vbscript > wmi > download > cmd_exec

The only valid URL out of those pointed to the windows.bat file. It was a mess, but there were three separate parts to this payload that made it "work":

The table of obfuscated strings:

The commands that these strings were being mapped to:


This isn't actually encryption or encoding; it's a long and obnoxious obfuscation technique instead. The values pictured above were mapped to a section of encrypted text that appeared lower in the windows.bat file.


You can confirm this by decrypting a few blocks by hand and checking whether the result makes sense, like so:

To help with decrypting the rest of the text, TwH assisted with a Python script that could automate this:

Now that the Python script had done most of the heavy lifting, I just separated the script by its variables and the one function that was present:

From here it was very trivial. This technique has been seen in the wild and written about by SANS instructors here: https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470. It was quite easy, as it was just reversed Base64, as noted here:

('gnirtS46esaBmorF'[-1..-16] -join '')
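As an added illustration (not the challenge's own windows.bat, nor the script TwH wrote), the following Python reproduces the two deobfuscation steps discussed above on a constructed sample: resolving a table of `set` variables that are concatenated into a command, and undoing the string reversal before Base64-decoding a blob. The variable names, fragments and the blob are all made up for this example.

```python
import base64
import re

# Constructed sample (not the challenge file) modelled on the windows.bat
# layout described above: a table of short variables holding fragments, a
# command built by concatenating %var% references, and a payload stored as
# reversed Base64. "=QGby92dg8GbsVGa" is base64("hello world") reversed.
SAMPLE_BAT = """
set a=pow
set b=ersh
set c=ell
set d=-enc
set cmd=%a%%b%%c% %d%
set fn=gnirtS46esaBmorF
set blob==QGby92dg8GbsVGa
"""

SET_RE = re.compile(r"^\s*set\s+([A-Za-z_]\w*)=(.*)$", re.MULTILINE)
REF_RE = re.compile(r"%([A-Za-z_]\w*)%")

def parse_set_table(bat_text):
    """Collect every 'set name=value' line into a name -> value dict."""
    return {m.group(1): m.group(2).rstrip() for m in SET_RE.finditer(bat_text)}

def expand(value, table, depth=0):
    """Resolve %name% references recursively; unknown names are left as-is."""
    if depth > 32:  # guard against self-referential variables
        raise ValueError("variable expansion too deep")
    return REF_RE.sub(
        lambda m: expand(table[m.group(1)], table, depth + 1)
        if m.group(1) in table else m.group(0),
        value,
    )

def decode_reversed_b64(s):
    """Undo the string reversal, then Base64-decode the payload."""
    return base64.b64decode(s[::-1], validate=True)

def deobfuscate(bat_text):
    """Return the expanded command, the reversed API name and the decoded blob."""
    table = parse_set_table(bat_text)
    return {
        "command": expand("%cmd%", table),
        "api": table["fn"][::-1],
        "payload": decode_reversed_b64(table["blob"]),
    }

if __name__ == "__main__":
    for key, val in deobfuscate(SAMPLE_BAT).items():
        print(f"{key}: {val!r}")
```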

We have completely reverse engineered the cryptographic functions and have managed to obtain the full keys. There was only one data set we haven't used yet, so it is a pretty solid guess that it is our actual payload. The only thing we had to do to get the flag was follow the SANS article exactly on how they decrypted the payload.

Published on: 27 Mar 2023