This challenge was definitely interesting. Real-world threats use DDE and embed malware or droppers in malicious documents. For instance, Fancy Bear recently used malicious documents to deploy their signature GAMEFISH malware against hotels.
Our task is to analyse a document called notreallymalicious.doc, which is true: it isn't malicious, but it does have a bunch of hidden flags!
A couple of people on my team tackled this problem in a few different ways. Initially we checked the strings in the file and got two flags.
Flag 1: L0Gm4cro
Flag 2: L0gh4x
One pair from our group used an interesting online tool called Hybrid Analysis. It runs the file inside a VM and collects a lot of information about its behaviour, which is extremely useful for analysing malware.
My strategy was to use a more targeted approach. I found a repo called oletools that contains a bunch of tools for analysing MS Office documents for malware analysis, forensics, and debugging.
I launched the program olebrowse and stepped through all of the data in
We can clearly see that there is a plaintext flag in the screenshot with the phrase W0wS0L33t. We can also see a base64 encoded string. If we echo that and pipe it to base64 -d, we can decipher the message.
[EVERSEC]λ echo "ZWNobyBNNGNyMHMOUjBjaw==" | base64 -d echo M4cr0sR0ck
Flag 3: W0wS0L33t
Flag 4: M4cr0sR0ck
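To show the same triage steps (checking the file signature, pulling printable strings the way strings does, and decoding any base64 blobs found inside them) in one runnable script, here is an added example. It is not code from the writeup or from the oletools project; the SAMPLE bytes are a constructed stand-in for the challenge document, not the real notreallymalicious.doc.

```python
import base64
import re

# OLE2 compound-file signature that legacy .doc files start with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample document body (NOT the challenge file): a fake macro
# fragment with a plaintext flag and a base64-wrapped command, padded with
# non-printable bytes so the string extraction has something to skip.
SAMPLE = (
    OLE_MAGIC
    + b"\x00" * 16
    + b"Sub AutoOpen()\x00\x00"
    + b"' flag: W0wS0L33t\x00\x01\x02"
    + b'Shell("' + base64.b64encode(b"echo M4cr0sR0ck") + b'")\x00'
    + b"\xff\xfe"
    + b"End Sub"
)

# Base64 tokens of 16+ chars, not glued to other base64-alphabet characters.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def is_ole(data: bytes) -> bool:
    """True if the data carries the OLE2 compound-file signature."""
    return data[:8] == OLE_MAGIC


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic the strings utility: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def decode_base64_candidates(strings: list[str]) -> list[tuple[str, str]]:
    """Find base64-looking tokens in extracted strings and decode the ones
    that yield clean printable text; returns (token, decoded) pairs."""
    found = []
    for s in strings:
        for m in B64_RE.finditer(s):
            token = m.group()
            if len(token) % 4:
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if raw and all(0x20 <= b < 0x7F for b in raw):
                found.append((token, raw.decode("ascii")))
    return found


def triage(data: bytes) -> dict:
    """Run the three checks from the writeup over a document blob."""
    strings = extract_strings(data)
    return {
        "is_ole": is_ole(data),
        "strings": strings,
        "decoded_base64": decode_base64_candidates(strings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("OLE signature:", report["is_ole"])
    for s in report["strings"]:
        print("string:", s)
    for token, decoded in report["decoded_base64"]:
        print(f"base64 {token} -> {decoded}")
```

The printable-only filter on the decoded bytes is what keeps random base64-looking runs (hashes, GUIDs) from flooding the output; on a real sample you would still review the raw strings list, since flags or commands may be split across non-printable bytes exactly as the constructed sample shows.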
All in all, a simple challenge with an insane amount of points. I hope I introduced you to a new tool!