Official emo Discussion

htbapibot · November 20, 2020, 8:00pm

Official discussion thread for emo. Please do not post any spoilers or big hints.

trcm · November 22, 2020, 2:56pm

This is fun, I knew nothing about Word files before looking at this.

I learnt a new tool exists, thanks Didier!
I see a long (46) ‘Copy*****’ string, but doesn’t seem to be our flag,
I find some obfuscated code, but it doesn’t look to do anything fun and reversing would take too long.
Theres the ‘frozen towels’ too of course, thats interesting ?

I’m a bit stuck now though…

CaJiFan · November 24, 2020, 9:42pm

Got the flag!
Learned a lot, thanks @0xdf
Too much fun in this challenge!.
It was not that easy tho ;D

trcm · November 25, 2020, 10:54am

Any hints you could offer me @CaJiFan ?

TazWake · December 2, 2020, 2:08pm

A surprisingly difficult challenge for 40 points. I thought I had an idea but nothing I do seems to extract a flag.

NorthWest00 · December 3, 2020, 3:54am

I’ve been banging my head against this obfuscation for hours… Feel like I’m thinking about it too hard. Could anyone give a nudge on how to decode?

federella · December 3, 2020, 8:37am

That was really fun! hint: you don’t have to deobfuscate the whole m****. execute it in a VM and you’ll see another process, with the debofuscated commands !

lebutter · December 3, 2020, 10:55pm

Wow i though this would be easy, judging by the green bars in the rating…

I find those pretty interesting, well done to the author ! I was a bit puzzled by the little bit which is very specific to HTB and didn’t really know how to interpret that, if you’re wondering about that, you’re close to the end !

trcm · December 9, 2020, 10:44am

I was rather hoping I could complete this challenge without having to buy Microsoft Office, is there another way ?

trcm · December 10, 2020, 11:58am

OK, that was pretty convoluted, I’d love to see how experienced hackers are analysing these!
Some Procmon and manually feeding lines into powershell and seeing what they evaluate to, combined with some judicious cyberchef’ing solved it for me.

HKLM · December 10, 2020, 4:49pm

Are all of the url’s down which I can find or do I need to connect by VPN ?

jimmypw · December 16, 2020, 4:21pm

It never fails to amaze me how broken powershell can be and still work.

th30ne · December 16, 2020, 11:12pm

So I found code decoded it and know what it is doing. but still can’t find flag. the urls are not public so code can’t download anything., not sure if this challenge requires connecting to VPN. Any tips would be welcomed.

Icyb3r · December 18, 2020, 2:38pm

Done, N!c3 simple easy Challenge. my recommendation to do it on windows. Event viewer is your best friend.

Hint:
its all about run and decode.

escugs · December 24, 2020, 7:22pm

Hint: Be on the VPN to finish this.

L0rdG1zm0 · December 29, 2020, 7:16pm

I feel like I am close, but having an issue accessing URLs. I am using the HTB VPN, but they don’t resolve. I must be missing something. IP of a DNS server buried in an obfuscated variable maybe?

Pir00t · January 8, 2021, 4:52pm

I’m in the same boat as you. Did you resolve this one? > @L0rdG1zm0 said:

I feel like I am close, but having an issue accessing URLs. I am using the HTB VPN, but they don’t resolve. I must be missing something. IP of a DNS server buried in an obfuscated variable maybe?

PorridgeUser · January 10, 2021, 9:23pm

Same boat as you guys, I have a collection of URLs I am trying to access over the VPN but none of them are working…

blackaugust · January 11, 2021, 4:02pm

None of the urls resolve, even if on the VPN. What am I missing?

Pir00t · January 11, 2021, 4:44pm

Ok, I totally took a long way round for a shortcut on this one. Solved now! (didn’t use the VPN)