It took me 3 days to get the flag. xD
Thank you @0xdf, learned a lot!
This was harder than most boxes!
When you find what the evil document is doing, you can pare that down to something that is ALMOST readable, but definately works when you run it.
Inspect all of the things, and donāt skip any of them. Assume everything is important.
I just finished doing this challenge but without any static analysis, is there any official writeup regarding this challenge? Appreciate if any of you guys that done through static to share writeup. Thanks!
Same as many here, I got a bunch of urls and some decimal list with PS yet I donāt get whatās nextā¦
dm for any nudges
Finally got it after a couple of days! First time doing malware analysis, so it was quite a learning experience for me Thanks for a cool challenge.
Really entertaining challenge! Thanks a lot @0xdf! Finally got the flag but doing dynamic analysis. Iād love to know how to solve it doing static analysis only.
DM me if you need a hint.
Hi, I think Iāve reached the last phase, but I canāt decode the output. I donāt want to spoil anything so I cannot go any deeper. However some hint about that stage?
Solved. Best advice: donāt overthink this one (Thatās what I did). You can go pretty far down the rabbit hole. Just remember, itās an EASY challenge.
Hi @R3v4ng3l I am working on this EMO challenge and not able to solve it. Any hint?
Hey nice seeing ya in my scripts @0xdf
Great challenge, thanks a lot!!
Iām surprised that I actually enjoyed browsing vba / powershell!
My static approach was soooo clunky, I couldnāt help but find out what that next line was doing ^^ā
Hello, Iām stuck on this challenge. Like others have said I have got a bunch of non working urls. What else am I missing. Would appreciate a nudge.
Right. I got to the point where I can read the ps, yet no flags. What th. Spent much more time on this, than it deserves, can anyone give me a nudge?
Why canāt I decode this long base64 powershell command??? i really need to get some training on decoding.
Do I really have to deobv all the marcos found?
Man, this challenge blew me away. Learned so much (and also banged my head against the wall for about 3 days straight ).
@antmar904 : No, you were on the right track with the base64
@Thms84 : If you can read the PS, filter out the junk, see what the PS actually does. One thing that helped me : open the console and reproduce it
PS : If someone is willing to discuss this, DM
I have the decoded ps script but iām having issues with it. let me go through it again!
Itās heavily obfuscated which is the issue but Itās a learning curve.
Yes exactly. Look at the PS closely, if itās too obfuscated, find something that can peel off some layers for you, or do it manually.
Yeup, I am getting close. The last for loop is crazy obfuscated.
Iām soooo confused. I still havenāt figured out the VBA macro stuff - so far iāve just been trying to convert it to VBS so i can run it (since I donāt have Office to run the VBA - and iād rather not buy office).
Iām stuck at an error; It canāt create a w*nmg*t object. Iām so lost nowā¦