Tag: vbs

Huntress CTF: Week 2 – Forensics: Wimble, Opposable Thumbs, Tragedy_Redux

CTF, DFIR, Forensics

Wimble

Once the file was downloaded and extracted from the zip I ran the file command on it.

OK so we’ll be doing the analysis for this one on a Windows box to start.

Move the file to windows and rename to Fetch.wim

Open the .wim with 7zip explorer

Within the zip file we see a plethora of Prefetch (.pf) files, but among them we there is a fetch.zip

When we extract the contents of the zip file we have another directory of Prefetch files.

I extracted the .pf files to a folder.

I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress, ctf, and flag.

That was easy.

Opposable Thumbs

I know for a fact that Axiom can process thumbnail caches.

And BAM! there’s the flag.

Tragedy Redux

First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.

Looking at the structure, as seasoned analyst may identify that the tragedy_redux file is in fact a word document. Which will bring up another method in a minute. But before that let’s take a look at the vbaProject.bin file with olevba.

There’s a macro file with some curious fruit and vegetable related functions.

If you realized at the beginning this was a word doc file, you could append the file extension .docm to the file.

When opening the file in Word, there is a prompt to enable macros.

Once the document is open you see a document containing the definition of Tragedy.

From there we can go to Tools > Macros > Edit… we can get to the same vbs content we did with olevba.

The next step was to convert the vbs into something actionable. I struggled on this one, but one of my teammates was successful in converting the vbs to Python.

This code interprets the numeric values in longstring (Apples), as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.

When we run the Python script we get back:

powershell -enc JGZsYWc9ImZsYWd7NjNkY2M4MmMzMDE5Nzc2OGY0ZDQ1OGRhMTJmNjE4YmN9Ig==

Now we can echo the value to base64 decrypt and get our final flag value.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – Malware: VeeBeeEee, Snake Eater, Opendir

CTF, DFIR, Malware

VeeBeeEee

First examine the file contents.

Ooof. That hurts the eyes. If we throw it into CyberChef, with the assistance of some magic (or detailed reading of the challenge), we see that it’s VB Script, which can be converted using the Microsoft Script Decoder recipe.

Copy the output to VS Code.

The syntax highlighting shows that all the ””””””””al37ysoeopm’al37ysoeopm entries are just comments, so let’s remove them.

There also seems to be an abundance of “&” obscuring the code. We’ll remove them too.

That’s a lot more readable. Looking at the code we see it’s going to use PowerShell to create a file C:\Users\Pubic\Documents\July.htm using as input the content from a pastebin URL.

Snake Eater

We’ll detonate snake_eater.exe in our lab environment.

I really enjoyed this challenge as I used my detonaRE PowerShell script to control the detonation and solve the challenge. Besides firing the malware itself, the script will initiate a pcap capture and monitor the malware process using Process Monitor. The script the converts the ProcMon output to csv for easy analysis.

Scrolling through the csv we find that the application was writing a file to: 

~\AppData\Roaming\Mael Horns\flag{hashforflag}

Opendir

Let’s get Started

The link brings us to an Open Directory (duh) with lots of scripts and executables, not to mention a number of subdirectories.

The first thing to do is grab everything.

Site Sucker works well for this.

Once we’ve captured all the files and subdirectories locally we can search through them en masse. Once again in this CTF, the_silver_searcher (ag) comes into play.

Tucked away in /sir/64_bit_new/oui.txt is the flag.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.