LabyREnth Capture the Flag (CTF): Document Track Solutions

Aug 18, 2016
12 minutes
... views

Thanks to the incredibly talented community of threat researchers that participated in LabyREnth, the Unit 42 Capture the Flag (CTF) challenge. Now that the challenge is closed, we can finally reveal the solutions of each challenge track. We’ll be rolling out the solutions for one challenge track per week. First up, the Document track.

Document 1 Challenge: Maaa, why you clickz such macro?

Challenge Created By: Tyler Halfpop @0xtyh

When we open the document, we see this image that is commonly found in a lot of document malware. We also have a prompt on top to enable macros.

Untitled1

If we enable macros and have a tool like FakeNet running, then we get the following output:

Untitled2

This looks interesting, it is trying to download an evil.exe from an RFC 1918 internal IP address 10.1.133.7. We can look at the macros using the macro viewer in Word or by dumping them with a tool like olevba from decalge.

As we can see, this code has its strings encoded and is obfuscated, and when we clean it up, it’s pretty simple:

Now we can see this matches what we saw in FakeNet. It looks like the URL that it’s looking up is in base64. If we decode it, we get:

This looks like an ascii hex string, but if we convert it to bytes, we don’t get anything interesting. However, the URI also includes another single byte (we assume since it starts with x) of x58. If we try decoding the hex string with that byte, we get the key. Here is an example Python script to print the key from the URI.

 

Document 2 Challenge: Can you crack doc?

Challenge Created By: Tyler Halfpop @0xtyh

For this challenge, we’re provided a file named “CrackDoc.doc” and when we open it, we’re presented with a ‘UsersForm1’ prompt for ‘Key’ value.

Untitled3

Typing in the wrong key displays a message “U can do. Try harder…” accompanied by a sweet picture of doge.

Untitled4

If we attempt to look at the underlying macros, we can see that the VBProject is password protected.

Untitled4

To circumvent this, we’ll simply load the document up in our favorite hex editor and modify the string ‘DPB=”’ to ‘DPX=”’.

Untitled5

We’ve now corrupted the document so that when we re-open the file and it parses this string, it will find it to be an invalid key. However, it still allows us to load the project, thus bypassing the protection ‘DPB’ provided.

Untitled6

Once inside the project, you can go into the ‘Project Properties’ and uncheck ‘Lock project for viewing’ under the ‘Protection’ tab to remove the password permanently.

Looking at the code, we have a form called ‘UserForm1’ and a module called ‘NewMacros’. If we right click on the form and go to ‘View Code’, we see the underlying macro we’re interested in and immediately see a byte-array for the key.

Untitled7

We can see that if X equals the string of bytes, then we get our win message. The value X is derived from the ‘suchcrypto’ function being passed our input and the IV ‘General Vidal’. The function doesn’t look particularly difficult to reverse.

Untitled8

But I opted to take an even lazier route to beat this challenge. I decided to fight macro with macro. By creating an array of potential values and passing each of them to the ‘suchcrypto’ function, I am able to easily enumerate what the key is and when I find a matching value, move on to the next.

By using the full array and Notepad++, I record a small macro of hitting the up arrow a few times and deleting the last byte, before copying and pasting the result then doing it again. What I’m left with is a long list of ‘For’ loops that I can copy into the ‘UserForm()’ macro.

Starting with:

Untitled9

Ending with:

Untitled10

Now we just hit enter a few times and watch the key unwind itself for us!

Untitled11


Untitled12


PAN{L4$t_Night_@f@iry_Vizited_M3}

Document 3 Challenge: Adobe, pls

Challenge Created By: Curtis Carmony @c1fe

I started out debugging the extracted javascript. I was feeling pretty clever when I found the decoded YouTube URL until Rick Astley started singing that he was never going to give me up. Nice Rick Roll Curtis! I hope it got some of you out there as well.

Untitled13

Next, I went through the different streams in Cerbero profiler and saw the JS tag with hex in the first object.

Untitled14

I put that into a hex editor and then tested the key to complete the challenge.

Untitled15

Untitled16

Document 4 Challenge: Macros are fun.

Challenge Created By: Curtis Carmony @c1fe

For this challenge, we’re provided a file “fun.docm”, with the extension implying that we’ll be having (no)fun with macros!

After opening the document, we’re presented with the text “MORE MACROS = MORE FUN” in large color-changing font with a lovely air-horn sound that plays on repeat. Attempting to open the VB Project reveals that it’s password protected, so we’ll need to bypass this first.

Untitled17

As the new format for Doc files are archives, we’ll open it up in 7z and look for the ‘vbaProject.bin’ file under the ‘\word\’ directory. Open this up in a hex editor and search for the string ‘DPB=”’ then simply change it to something like ‘DPX=”’ and save the file. When you load the file now you’ll receive an error about the project containing an invalid key with an option to continue loading it anyway. Now you’ll be able to access the VB Project and can go into the Project Properties and unselect ‘Lock project for viewing’ to remove the password protection.

Untitled18

Looking at the project, we can see that there are two forms, ‘NpuXrzgq’ and ‘U8pblvDZuAh8Gy’, along with one module ‘Z1yiWeP’. Looking at the code in the main document and the module, it looks like there are a lot of functions so we’ll start by debugging it and get a feel for what it’s trying to do. Putting a ‘Stop’ after the initial ‘Document_Open()’ function starts the process.

Untitled19

Before even getting into the meat of the macro we can see we may have a problem as it’s checking if there are four ‘VBcomponents’ when we only have three. Stepping through the ‘zkceuV405Q5LjUp587OYxTI7OR9zTyPdvz8k’ function, we find this to be the series of events that decode the embedded WAV file and continuously play the air-horn while changing the text in the document.

If we adjust the code so it doesn’t fail the first check, we follow the macro to ‘XiqyXdC809pP5esSrC633ag92w0x6otQylY0’ function, which immediately calls ‘zoycqKJvqznJMeMpHe7Z61xYJfLLmbObxBVy’ and then begins to enumerate the function names.

Untitled20

The function ‘BqNFmKCS7cTPv9XNFOd2mCLrdqCfmdNm6HBz’ begins a process of base-64 decoding the function name and then modifying the byte-values based on various fields of the document.

Untitled21

Both of the functions are one-byte XoR’s, 44 and 32 respectively, which then get compared to the base-64 decoded value of ‘U8pblvDZuAh8GY.Label1.Caption’, which is ‘xRgWTqWr7ipEjFBfESrOiaYFu9i9Jml3Q171’.

Untitled21

Based on this, we can grab all of the function names and quickly determine the match by base64 decoding each and XoR’ing the bytes by 44 and 32.

Now that we have our interesting function name, we can force the macro to use this value and continue debugging it.

Back in the ‘XiqyXdC809pP5esSrC633ag92w0x6otQylY0’ function, it will take another function name, ‘d7KRoSK5UEDh35jJNkj0TtcJjOIbmBZlyCql’ and pass it along with our matching name to another function, which base64 decodes ‘d7KRoSK5UEDh35jJNkj0TtcJjOIbmBZlyCql’ into an array before sending us to function ‘XWn5TNdoykQb0QoitVEG7sLOxIRSi97XmqmM’ which has a ‘MsgBox’ call, presumably to print our flag!

Looking at the function we can see there are a few more XoR and comparison checks against property values for the forms within the VBProject.

Untitled22

Untitled23

At this point it XoR’s the ‘d7KRoSK5UEDh35jJNkj0TtcJjOIbmBZlyCql’ function name by 144 and 85, takes the result of that and XoR’s it against the base-64 decoded value of ‘XJCR/DogZt7bduvvusJgAQu6QX9DmtKN+bZB’ to see if they match…which they won’t.

Since we know two parts of the puzzle, we can just work backwards to figure out what the initial second function name should be and go from there. We’ll base-64 decode the ‘XJCR’ string and ‘yRQa’ string, XoR them together, then XoR each resulting byte by 144 and 85.

Document 5 Challenge: EXCEL.EXE not just CALC.EXE

Challenge Created By: Curtis Carmony @c1fe

We are given an Excel document that has a Crackme. When we try to test a key, a cheeky popup appears, tells us we are wrong, closes Excel, and launches calc.exe.

Untitled24

When we open the document back up and look at the macros there is only one very simple macro to close the document, so there are definitely some shenanigans.

 

If we right click on the sheets on the bottom and click unhide there is a secret hidden sheet.

Untitled24

 

If we go to the secret sheet, click “Show Formulas” and make the font black then we can see there are Excel functions in the cells. There is one cell that looks interesting at A14 that is referring to a super secret sheet that we cannot see.

Untitled25

I modified the macro to try and make all of the sheets visible and clicked the button.

We can now see a super secret sheet with more formulas. It is pretty amazing that there can be hidden and then super hidden sheets in Excel.

Untitled26

If we remove uncheck “Show Formulas” and remove everything from F13 besides the concatenate function, Excel will print the formula for us.

=CONCATENATE(D7,A5,C5,B4,E20,B6,A8,B8,A12,B10,E10,C9,B13,D12,C11,B16,A25,A18,B19,C20,B21,B2,D23,B24,E4,B26,D16,A21,C14,A16)

Untitled27

If we enter that key into the original file we get the winning message and find that we are the EXCELULATOR! It is pretty amazing all the things you can do with Excel.

Untitled28

Leave a comment below to share your thoughts about these challenges. Be sure to also check out how other threat researchers solved these challenges:

Document 1 Challenge

Document 2 Challenge

Document 3 Challenge

Document 4 Challenge

Document 5 Challenge

 


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.