oBfsC4t10n

edited November 2 in Challenges

Got the first part of the challenge with c*r().
Can't figure out what the CB and CR code means in the second part.
Is anybody familiar with it?

Comments

  • I got the shellcode hidden in the HTA file. Not sure if my interpretation of turning a negative integer into a byte is correct.

    limbernie
    Write-ups of retired machines

  • edited November 3

    I'm at the same place as limbernie. Unfortunately the shellcode doesn't really look "right" during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • I'm also stuck with negative values in the array. Stranger still, when running that in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

    If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

  • edited November 3

    I also dumped the shellcode to disk. (Carefully) used VB to do it which took care of the negative numbers and all. Now trying to make sense of that.

    Edit: Got it. This was a great challenge. Learned a lot. Interesting read I stumbled across about real attacks using this vector: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

    Feel free to ping me for nudges.

  • The article is brilliant.
    I wonder why processes allow techniques such as PE Injection to be executed on them.

    tabacci

  • @Xentropy said:

    I'm at the same place as limbernie. Unfortunately the shellcode doesn't really look "right" during disassembly. Even wrote up a macro to output the shellcode to disk to make sure my conversion is right.

    The shellcode may look weird at first glance. Try to focus on the first few instructions and remember that the allocated memory is rwx.

  • Got it. Trust in yourself but bear in mind the target environment the shellcode is attacking.

    limbernie
    Write-ups of retired machines

  • Got it! What a great little challenge! :D

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • edited November 5

    It was a hella good challenge. Thanks @0xdf

    azeroth

  • edited November 6

    I agree; I had tons of fun with it. For those who do not like reversing shellcode, there's always the possibility of dumping something to disk and then searching for something interesting ... just saying XD

    Sociaslkas

  • edited November 9

    @Kucharskov said:

    I'm also stuck with negative values in the array. Stranger still, when running that in Office I have a problem with variable types. Any hint on how to manipulate those numbers?

    No need to use VBA to do this; it can be done just fine with Python. Just remember to use the correct mask. This topic from Stack Overflow is useful.
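
As an added example (not code from any comment in this thread), here is one way to do the conversion described above in Python without running any macro: pull the `Array(...)` literal out of the macro text, apply the `& 0xFF` mask so each negative entry becomes its two's-complement byte, and write the result to disk for static inspection. The VBA snippet embedded below is a constructed sample, not the challenge's payload.

```python
"""Turn a VBA integer array (bytes stored as signed integers) into a raw
byte blob for offline static inspection, without executing any macro."""
import re

# Constructed sample: an Array(...) literal with negative entries, split
# over two lines with the " _" continuation the VBA editor inserts.
SAMPLE_VBA = """
Dim buf As Variant
buf = Array(72, 105, 33, -1, -128, _
            127, 255, 0, -86)
"""

ARRAY_RE = re.compile(r"Array\s*\((.*?)\)", re.S)


def extract_array_literal(vba_source: str) -> list:
    """Return the integer entries of the first Array(...) literal.
    VBA line continuations (' _' followed by a newline) are joined first."""
    joined = re.sub(r"\s_\s*\r?\n", " ", vba_source)
    m = ARRAY_RE.search(joined)
    if not m:
        raise ValueError("no Array(...) literal found")
    return [int(tok) for tok in m.group(1).split(",")]


def signed_ints_to_bytes(values) -> bytes:
    """Map each entry to one byte. VBA keeps byte-sized values as signed
    integers, so the & 0xFF mask recovers the two's-complement byte
    (e.g. -1 -> 0xFF, -128 -> 0x80). An entry outside -128..255 cannot
    be a single byte and almost always means the array was mis-copied."""
    out = bytearray()
    for i, v in enumerate(values):
        if not -128 <= v <= 255:
            raise ValueError(f"entry {i} = {v} does not fit in one byte")
        out.append(v & 0xFF)
    return bytes(out)


def dump_array_to_file(vba_source: str, path: str) -> int:
    """Parse, convert and write the blob; return the number of bytes."""
    blob = signed_ints_to_bytes(extract_array_literal(vba_source))
    with open(path, "wb") as f:
        f.write(blob)
    return len(blob)


if __name__ == "__main__":
    print(signed_ints_to_bytes(extract_array_literal(SAMPLE_VBA)).hex())
```

The resulting file can then be fed to a disassembler or string search as the later comments suggest, and the range check catches the "mangled copy" problem several posters ran into.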

  • Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn't make any sense. Could any kind soul review my approach?
    Disclaimers:
    - I don't have Microsoft Office
    - I don't have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

    Thanks for your time!

  • @davidlightman said:

    Hi there, I extracted the payload in the HTA file, trying to be super careful not to mess things up. However, the resulting binary payload doesn't make any sense. Could any kind soul review my approach?
    Disclaimers:

    • I don't have Microsoft Office
    • I don't have a clue on Blue Teamer/Malware analyst tasks (this could be a good opportunity to learn something new).

    Thanks for your time!

    You don't need Office for this - check the hint by kekburger for the shellcode and the challenge's author might have some clues on twitter as well :)

  • I don't know if I'm arriving at the solution.
    But I must download a Windows VirtualBox machine to test the VBA code for the injection (I don't want to use the Windows of my physical machine :)

  • edited December 3

    OK :) my antivirus complains because it identifies the payload as a virus; I've managed to reach the point where I have isolated the bad payload.

    Edit: I got it, but I actually modified the VBScript and ran it in Excel to get the correct payload. I wonder if there is some way to get the very same result without resorting to running VBScript (some tool maybe?)

  • Got it! Took me way too long to solve this! My tip: when you see it, dbg it! Also, make sure that you extract the payload with extra care.

    Would be glad to help fellow hackers who are banging their heads against the wall. :) Just pm.
