oBfsC4t10n

edited November 2 in Challenges

Got the first part of the challenge with c*r().
Can't figure out what the CB and CR code means in the second part.
Is anybody familiar with it?

Comments

  • I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

    limbernie
    Write-ups of retired machines

  • edited November 3

    I'm at the same place as limbernie. Unfortunately the shellcode doesn't really look "right" during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • I'm also stuck with the negative values in the array. Stranger still, when running it in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

    If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

  • edited November 3

    I also dumped the shellcode to disk. (Carefully) used VB to do it which took care of the negative numbers and all. Now trying to make sense of that.

    Edit: Got it. This was a great challenge. Learned a lot. Interesting read I stumbled across about real attacks using this vector: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

    Feel free to ping me for nudges.

  • The Article is brilliant.
    I wonder why processes allow techniques such as PE Injection to be executed on them.

    tabacci

  • @Xentropy said:

    I'm at the same place as limbernie. Unfortunately the shellcode doesn't really look "right" during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

    The shellcode may look weird at first glance. Try to focus on first few instructions and remember that allocated memory is rwx.

  • Got it. Trust in yourself but bear in mind the target environment the shellcode is attacking.

    limbernie

  • Got it! What a great little challenge! :D

    Xentropy

  • Cool :)

    GUYS, I'm TRAVELLING - CAN'T ANSWER YOUR PMs
    Hack The Box Profile: https://www.hackthebox.eu/home/users/profile/68523 | https://www.nav1n.com/

  • edited November 5

    It was a hella good challenge. Thanks @0xdf

    azeroth

  • edited November 6

    I agree; I had tons of fun with it. For those who do not like reversing shellcode, there's always the possibility of dumping something to disk and then searching for something interesting ... just saying XD

    Sociaslkas

  • edited November 9

    @Kucharskov said:

    I'm also stuck with the negative values in the array. Stranger still, when running it in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

    No need to use VBA to do this; it can be done just fine with Python. Just remember to use the correct mask. This topic from Stack Overflow is useful.
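    An added example (not from the challenge, the original posts, or any commenter) of the Python route described in the comments above: pull the integer literals out of a VBScript-style `Array(...)`, reinterpret each signed value as one byte with the `& 0xFF` mask, and dump the result to disk. The `SAMPLE_HTA_FRAGMENT` below is a constructed stand-in with made-up values, not the challenge's payload; `naive_bytes_raises` shows the Python analogue of the type problem seen in Office, where a negative value cannot be stored in an unsigned byte directly.

```python
import re
import sys

# Constructed sample, not from the challenge: a VBScript-style Array(...) literal
# holding signed integers, with a `_` line continuation as seen in real HTA files.
SAMPLE_HTA_FRAGMENT = """
Dim buf
buf = Array(-4, 72, -125, 0, 127, _
            -128, 255, 49, -1, 100)
"""

ARRAY_RE = re.compile(r"Array\s*\(([^)]*)\)", re.IGNORECASE)


def extract_signed_ints(text):
    """Pull the integer literals out of the first Array(...) in `text`.

    findall on -?\\d+ skips commas, whitespace and VBScript `_` continuations.
    """
    m = ARRAY_RE.search(text)
    if m is None:
        raise ValueError("no Array(...) literal found")
    return [int(tok) for tok in re.findall(r"-?\d+", m.group(1))]


def naive_bytes_raises(values):
    """bytes() only accepts 0..255, so a negative element raises ValueError.

    This is the Python analogue of the VBA type mismatch when a negative
    Integer is assigned to a Byte. Returns True if the naive path fails.
    """
    try:
        bytes(values)
    except ValueError:
        return True
    return False


def signed_to_bytes(values):
    """Reinterpret each element as one byte: -4 -> 0xFC, 255 -> 0xFF.

    Masking with 0xFF is the two's-complement reinterpretation, so it accepts
    both the signed (-128..127) and unsigned (0..255) spellings of a byte.
    Anything outside -128..255 cannot be a single byte and is rejected rather
    than silently truncated, which would corrupt the extracted shellcode.
    """
    out = bytearray()
    for v in values:
        if not -128 <= v <= 255:
            raise ValueError(f"{v} does not fit in one byte")
        out.append(v & 0xFF)
    return bytes(out)


def hex_preview(data, count=16):
    """Space-separated hex of the first `count` bytes, for a quick sanity check."""
    return " ".join(f"{b:02x}" for b in data[:count])


def dump_shellcode(text, path):
    """Extract, convert and write the raw bytes to `path`; returns the byte count."""
    data = signed_to_bytes(extract_signed_ints(text))
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Usage: python extract.py payload.hta   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            src = fh.read()
    else:
        src = SAMPLE_HTA_FRAGMENT
    n = dump_shellcode(src, "shellcode.bin")
    print(f"wrote {n} bytes: {hex_preview(signed_to_bytes(extract_signed_ints(src)))}")
```

    The resulting `shellcode.bin` can be fed straight to a disassembler. The same mask works inside VBA (`v And &HFF` before assigning to a `Byte`), which is why the commenters who dumped from Office and those who used Python end up with identical bytes.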

  • Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn't make any sense. Could any kind soul review my approach?
    Disclaimers:
    - I don't have Microsoft Office
    - I don't have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

    Thanks for your time!