oBfsC4t10n

edited November 2019 in Challenges

Got the first part of the challenge with c*r().
Can't figure out what the CB and CR code means in the second part.
Is anybody familiar with it?

Comments

  • I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

    limbernie
    Write-ups of retired machines

  • edited November 2019

    I'm at the same place as limbernie. Unfortunately the shellcode doesn't really look "right" during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • I'm also stuck with negative values in the array. Stranger still, when running that in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

    If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

  • edited November 2019

    I also dumped the shellcode to disk. (Carefully) used VB to do it which took care of the negative numbers and all. Now trying to make sense of that.

    Edit: Got it. This was a great challenge. Learned a lot. Interesting read I stumbled across about real attacks using this vector: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

    Feel free to ping me for nudges.

  • The Article is brilliant.
    I wonder why processes allow techniques such as PE Injection to be executed on them.

    tabacci

  • @Xentropy said:

    I'm at the same place as limbernie. Unfortunately the shellcode doesn't really look "right" during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

    The shellcode may look weird at first glance. Try to focus on the first few instructions and remember that the allocated memory is rwx.

  • Got it. Trust in yourself but bear in mind the target environment the shellcode is attacking.

    limbernie
    Write-ups of retired machines

  • Got it! What a great little challenge! :D

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • edited November 2019

    It was a hella good challenge. Thanks @0xdf

    azeroth

  • edited November 2019

    I agree; I had tons of fun with it. For those who do not like reversing shellcode, there's always the possibility of dumping something to disk and then searching for something interesting ... just saying XD

    Sociaslkas

  • edited November 2019

    @Kucharskov said:

    I'm also stuck with negative values in the array. Stranger still, when running that in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

    No need to use VBA to do this; it can be done just fine with Python. Just remember to use the correct mask. This topic from Stack Overflow is useful.
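Decoding the array without Office, as the comment above suggests: this is an added Python example, not code from the thread or the challenge, and the `Array(...)` literal in it is a constructed sample rather than the real HTA payload.

```python
import re
from pathlib import Path

# Constructed sample of a VBScript Array() literal of the kind an HTA carries.
# The values are arbitrary and are NOT the challenge's real payload.
SAMPLE_VBS = "Set buf = Array(-4, 111, 101, _\n    -128, 0, 255, 72)"

ARRAY_RE = re.compile(r"Array\s*\((.*?)\)", re.DOTALL)


def parse_vbs_array(text):
    """Return the integer elements of the first Array(...) literal in text.

    VBScript line continuations ("_" plus newline) and whitespace are dropped
    before each element is parsed.
    """
    m = ARRAY_RE.search(text)
    if not m:
        raise ValueError("no Array(...) literal found")
    elems = [re.sub(r"[_\s]+", "", v) for v in m.group(1).split(",")]
    return [int(v) for v in elems if v]


def to_byte(value):
    """Map one VBA value to an unsigned byte.

    Bytes that went through a signed Integer show up as -128..127, so -4 is
    0xFC. Masking with 0xFF handles signed and unsigned values alike; anything
    outside -128..255 cannot be a single byte and is rejected instead of being
    silently truncated (silent truncation is how a dump ends up "not looking
    right" in the disassembler).
    """
    if not -128 <= value <= 255:
        raise ValueError(f"{value} is not a single byte")
    return value & 0xFF


def array_to_bytes(values):
    return bytes(to_byte(v) for v in values)


def dump_payload(vbs_text, out_path):
    """Write the decoded buffer to disk for offline analysis; returns the bytes."""
    data = array_to_bytes(parse_vbs_array(vbs_text))
    Path(out_path).write_bytes(data)
    return data


if __name__ == "__main__":
    print(array_to_bytes(parse_vbs_array(SAMPLE_VBS)).hex())
```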

  • Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn't make any sense. Could any kind soul review my approach?
    Disclaimers:
    - I don't have Microsoft Office
    - I don't have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

    Thanks for your time!

  • @davidlightman said:

    Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn't make any sense. Could any kind soul review my approach?
    Disclaimers:

    • I don't have Microsoft Office
    • I don't have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

    Thanks for your time!

    You don't need Office for this - check the hint by kekburger for the shellcode and the challenge's author might have some clues on twitter as well :)

  • I don't know if I'm arriving at the solution.
    But I must download a Windows VirtualBox machine to test the VBA code for the injection (I don't want to use the Windows of my physical machine :)

  • edited December 2019

    OK :) my antivirus complains because it identifies the payload as a virus; I've managed to reach the point where I have isolated the bad payload.

    Edit: I got it, but I actually modified the VBScript and ran it in Excel to get the correct payload. I wonder if there is some way to get the very same result without resorting to running VBScript (some tool maybe?)

  • Got it! Took me way too long to solve this! My tip: when you see it, dbg it! Also, make sure that you extract the payload with extra care.

    Would be glad to help fellow hackers who are banging their heads against the wall. :) Just pm.

  • @limbernie said:

    I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

    three's a crowd.

  • Amazing challenge, thanks 0xdf!

  • I really liked this one. Solid challenge. Good job @0xdf

    morph3

  • The first stage with finding, decoding and joining pieces was fun and easy, but now I'm also stuck at the array stage. I tried hundreds of recipes on it without luck. :( It does not contain any usable string or pattern no matter what I do with it.
    If that is shellcode, what tool shall I use to analyze it? Do I need to find a Windows VM, add a PE header to that and just run it :)?
    Please PM me with any hint. It drives me crazy... another night and not moving forward.

  • I reversed the shellcode to assembly but it's quite difficult to understand. Can anyone give some hints to understand this?

  • Step through several instructions and it will be clear what is going on. After that, look at the assembly again or just continue debugging and pay attention to the parameters passed into the various Windows API calls.

    joeblogg801

  • Many thanks to @Kucharskov

    The most difficult part for me was the hunt for the tool for the last part.

    I am interested in doing the analysis of the last part manually.
    Doing it with Olly somehow fails.
    Anybody have some pointers? Or even a writeup to read?
