oBfsC4t10n

Got the first part of the challenge with c*r().
Can’t figure out what the CB and CR code means in the second part.
Is anybody familiar with it?

I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

I’m at the same place as limbernie. Unfortunately the shellcode doesn’t really look “right” during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

I also stuck with negative values in array. Stranger is that when running that in office I have a problem with variable types. Any hint how to manipulate that numbers?

I also dumped the shellcode to disk. (Carefully) used VB to do it which took care of the negative numbers and all. Now trying to make sense of that.

Edit: Got it. This was a great challenge. Learned a lot. Interesting read I stumbled across about real attacks using this vector: Ten process injection techniques: A technical survey of common and trending process injection techniques | Elastic Blog

Feel free to ping me for nudges.

Interesting read I stumbled across about real attacks using this vector: Ten process injection techniques: A technical survey of common and trending process injection techniques | Elastic Blog

The Article is brilliant.
I wonder why processes allow techniques such as PE Injection to be executed on them.

Type your comment> @Xentropy said:

I’m at the same place as limbernie. Unfortunately the shellcode doesn’t really look “right” during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

The shellcode may look weird at first glance. Try to focus on first few instructions and remember that allocated memory is rwx.

Got it. Trust in yourself but bear in mind the target environment the shellcode is attacking.

Got it! What a great little challenge! :smiley:

Cool :slight_smile:

It was hella good challenge . Thanks @0xdf

I agree; I had tons of fun with it. For those who do not like reversing shellcode, there’s always the possibility of dumping something to disk and then searching for something interesting … just saying XD

@Kucharskov said:

I also stuck with negative values in array. Stranger is that when running that in office I have a problem with variable types. Any hint how to manipulate that numbers?

no need to use VBA to do this, it can be done just fine with python. Just remember to use the correct mask. This topic from stackoverflow is usefull.

Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn’t make any sense. Could any kind soul review my approach?
Disclaimers:

  • I don’t have Microsoft Office
  • I don’t have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

Thanks for your time!

Type your comment> @davidlightman said:

Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn’t make any sense. Could any kind soul review my approach?
Disclaimers:

  • I don’t have Microsoft Office
  • I don’t have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

Thanks for your time!

You don’t need Office for this - check the hint by kekburger for the shellcode and the challenge’s author might have some clues on twitter as well :slight_smile:

I don’t know if I’m arriving to the solution.
But I must download a Windows virtualbox machine for to test the VBA code for the injection(I don’t want to use the windows of my physical machine :slight_smile:

OK :slight_smile: my antivirus complain because identify the payload as a virus, I’ve managed to reach the point where I have isolated the bad payload.

Edit: I got it, but I actually modified the vbscript and run in excel to get correct payload, I wonder if there is some way to get the very same result without resorting on running vbscript (some tool maybe?)

Got it! Took me way too long to solve this! My tip: when you see it, dbg it! Also, make sure that you extract the payload with extra care.

Would be glad to help fellow hackers who are banging their heads against the wall. :slight_smile: Just pm.

Type your comment> @limbernie said:

I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

three’s a crowd.

amazing challenge, thanks 0xdf!