Official emo Discussion

Official discussion thread for emo. Please do not post any spoilers or big hints.

Comments

  • edited November 2020

    This is fun, I knew nothing about Word files before looking at this.

    • I learnt a new tool exists, thanks Didier!
    • I see a long (46) 'Copy*****' string, but it doesn't seem to be our flag.
    • I find some obfuscated code, but it doesn't look to do anything fun and reversing would take too long.
    • There's the 'frozen towels' too of course, that's interesting 🤔

    I'm a bit stuck now though...

  • Got the flag!
    Learned a lot, thanks @0xdf
    Too much fun in this challenge!
    It was not that easy tho ;D

  • edited November 2020

    Any hints you could offer me @CaJiFan ?

  • A surprisingly difficult challenge for 40 points. I thought I had an idea but nothing I do seems to extract a flag.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • I've been banging my head against this obfuscation for hours.. Feel like I'm thinking about it too hard. Could anyone give a nudge on how to decode?

  • That was really fun! Hint: you don't have to deobfuscate the whole m****. Execute it in a VM and you'll see another process, with the deobfuscated commands!

  • Wow, I thought this would be easy, judging by the green bars in the rating...

    I find those pretty interesting, well done to the author! I was a bit puzzled by the little bit which is very specific to HTB and didn't really know how to interpret that. If you're wondering about that, you're close to the end!

    lebutter
    eCPPT | OSCP

  • I was rather hoping I could complete this challenge without having to buy Microsoft Office, is there another way?

  • edited December 2020

    OK, that was pretty convoluted, I'd love to see how experienced hackers are analysing these!
    Some Procmon and manually feeding lines into powershell and seeing what they evaluate to, combined with some judicious cyberchef'ing solved it for me.

  • edited December 2020

    Are all of the URLs down which I can find, or do I need to connect by VPN?

    HKLM

  • It never fails to amaze me how broken powershell can be and still work.

  • So I found the code, decoded it and know what it is doing, but still can't find the flag. The URLs are not public so the code can't download anything. Not sure if this challenge requires connecting to the VPN. Any tips would be welcomed.

  • Done, N!c3 simple easy Challenge. My recommendation is to do it on Windows. Event Viewer is your best friend.

    Hint:
    It's all about run and decode.

    Try!ng Hard3r, N3v3r G!v3Up.
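The "run and decode" approach above relies on PowerShell logging what it is about to execute. As an added example (not from this thread or the challenge), this PowerShell snippet turns on script block logging in an isolated analysis VM and then reassembles the de-obfuscated script blocks from the 4104 events, handling the case where a long block is split across several events. The one-hour window and the keyword filter are assumptions; adjust them to your run.

```powershell
# Added example: recover what a sample actually ran from PowerShell's own log.
# Run inside an isolated analysis VM, before detonating the sample.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Event ID 4104 ("Creating Scriptblock text") carries the text PowerShell is
# about to compile, i.e. after every layer of obfuscation has been resolved.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-1)   # assumption: sample ran in the last hour
} -ErrorAction SilentlyContinue

# 4104 event data layout: [0] MessageNumber, [1] MessageTotal,
# [2] ScriptBlockText, [3] ScriptBlockId, [4] Path.
# Large blocks are fragmented over several events with the same ScriptBlockId,
# so group by id and re-join the fragments in MessageNumber order.
$blocks = $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
    $ordered = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
    [pscustomobject]@{
        Id      = $_.Name
        Time    = $ordered[0].TimeCreated
        Path    = $ordered[0].Properties[4].Value
        Text    = ($ordered | ForEach-Object { $_.Properties[2].Value }) -join ''
    }
}

# Assumption: the interesting stage is long and uses typical download/decode
# primitives; loosen the filter if nothing matches.
$blocks |
    Where-Object { $_.Text.Length -gt 200 -and
                   $_.Text -match 'WebClient|FromBase64String|\[char\]|-join' } |
    Sort-Object Time |
    ForEach-Object {
        "==== {0}  ScriptBlockId={1}  Path={2} ====" -f $_.Time, $_.Id, $_.Path
        $_.Text
        ''
    }
```

Parent process and command line for the same run can be correlated with Security event 4688 (with command-line auditing enabled) or Sysmon event 1, which also shows the second process the earlier hint refers to.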

  • Hint: Be on the VPN to finish this.

  • I feel like I am close, but having an issue accessing URLs. I am using the HTB VPN, but they don't resolve. I must be missing something. IP of a DNS server buried in an obfuscated variable maybe?

  • > @L0rdG1zm0 said:
    > I feel like I am close, but having an issue accessing URLs. I am using the HTB VPN, but they don't resolve. I must be missing something. IP of a DNS server buried in an obfuscated variable maybe?

    I'm in the same boat as you. Did you resolve this one?

  • Same boat as you guys, I have a collection of URLs I am trying to access over the VPN but none of them are working.

  • None of the URLs resolve, even if on the VPN. What am I missing?

  • edited January 11

    Ok, I totally took a long way round for a shortcut on this one. Solved now! (didn't use the VPN)

  • edited January 11

    I think there are a number of ways to solve it; as someone says a VPN is needed, but I solved it without the VPN.
    It's not an EASY challenge.

  • Honestly, one of the most fun challenges and rewarding challenges I've done. Absolutely destroyed me. Thank you @sooperc0w for pulling me out of the weeds. Also, thank you @0xdf for the challenge!
    Dm for nudges!

    Harbard

  • Solved it, but not in a very intelligent way... Would love to see a writeup of this

    ArtemisFY
    OSCP

  • Hey I solved with office but want to know without office can someone DM ?

  • Glad to hear so many people enjoyed this one. It's based off a real phishing document used by a prolific cyber-crime gang.

    Some tips I'll throw out:

    • You don't need to resolve anything.
    • You don't need office. There are tools out there to dump office documents and their pieces from linux. There are also parts where having office will make this somewhat easier.

  • It took me 3 days to get the flag. xD
    Thank you @0xdf, learned a lot!

  • This was harder than most boxes!

    When you find what the evil document is doing, you can pare that down to something that is ALMOST readable, but definitely works when you run it.

    Inspect all of the things, and don't skip any of them. Assume everything is important.

  • I just finished doing this challenge but without any static analysis. Is there any official writeup regarding this challenge? I'd appreciate it if any of you guys that did it through static analysis could share a writeup. Thanks!

  • Same as many here, I got a bunch of URLs and some decimal list with PS, yet I don't get what's next...

  • dm for any nudges

  • Finally got it after a couple of days! First time doing malware analysis, so it was quite a learning experience for me :D Thanks for a cool challenge.
