Honestly, I don't know much about forensics; I only have a little knowledge.
One of my team members said, "Hey, can you check this? There is some obfuscated code inside the doc."
At first I read the challenge description. Oops, I need to find the address of Tom. The challenge provided a doc file; I quickly looked at it with Microsoft Office in a VM,
and I saw some text from Wikipedia.
I thought I needed to find the real address of Tom -_-
Yes! I did at that time.
I copied some text from Wikipedia and tried to diff it, but nothing special. (In some challenges the challenge creator hides the secret word in the text; that is why I tried to diff.)
So I moved on to the obfuscated code!!
I searched in the doc file with Microsoft Office, and I found another doc file? (Tom History)
I copied that file to the desktop.
The file name changed to mcsc2.bat.
I opened it with Notepad++.
I saw the content of the file.
There were two lines.
The first line is not readable; the second line is obfuscated PowerShell code.
I removed the first line, and I changed the view style to "Word wrap" (in Notepad++: View >> Word wrap).
Now we can see some more code.
I tried to decode the obfuscated PowerShell code, but that took too much time; maybe because I had not experienced it before.
So I ignored this challenge at that time and played another challenge.
The first part of the competition ended at 12:00 PM.
After the second part of the competition started,
the challenge creator announced some hints to us:
"There is a malware in that doc, you need to find the command & control address, you don't need to do any decoding"
I looked at the challenge again; I already had the content of the malware file.
So I searched again in that PowerShell code for something similar to "mcsc|http|80|443|8080|8888",
and I saw something.
So, decode the part of the flag:
("{0}{4}{2}{1}{6}{7}{8}{5}{9}{3}"-f 'ht','c.','/mcs','uu:80','tp:/','f0UND','h3yJe','rr','y','u')
I decoded it with Python
and got the flag.
mcsc{h3yJerryf0UNDuuu}
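As an added illustration (this is not the author's script, and the original post does not show the Python used), the following decoder handles the PowerShell format-operator trick quoted above: the template "{0}{4}…" is resolved by emulating `-f` with positional placeholders, then the result is scanned for URL-shaped indicators, the same "http|80|443…" search the write-up describes. The sample input is the expression quoted in the post; the function names are my own.

```python
import re

# Constructed sample: the obfuscated PowerShell expression quoted in the write-up.
OBFUSCATED = ('("{0}{4}{2}{1}{6}{7}{8}{5}{9}{3}"-f \'ht\',\'c.\',\'/mcs\',\'uu:80\','
              '\'tp:/\',\'f0UND\',\'h3yJe\',\'rr\',\'y\',\'u\')')

# One PowerShell format-operator expression: "template" -f 'arg0','arg1',...
# Group 1 is the template, group 2 the comma-separated single-quoted arguments.
FORMAT_EXPR = re.compile(r'"([^"]*)"\s*-f\s*((?:\'[^\']*\'\s*,?\s*)+)')


def resolve_format(template, args):
    """Emulate PowerShell's -f for positional {n} placeholders.

    A placeholder whose index has no matching argument is left untouched
    (PowerShell itself would raise an error there)."""
    def pick(m):
        i = int(m.group(1))
        return args[i] if i < len(args) else m.group(0)
    return re.sub(r'\{(\d+)\}', pick, template)


def deobfuscate(text):
    """Replace every "..." -f '...' expression in text with its resolved string."""
    def repl(m):
        template = m.group(1)
        args = re.findall(r"'([^']*)'", m.group(2))
        return resolve_format(template, args)
    return FORMAT_EXPR.sub(repl, text)


def find_url_indicators(text):
    """Return URL / host:port strings from (deobfuscated) text; the
    analyst then confirms which one is the command & control address."""
    return re.findall(r'https?://[^\s\'")]+', text)


if __name__ == "__main__":
    clear = deobfuscate(OBFUSCATED)
    print(clear)                     # (http://mcsc.h3yJerryf0UNDuuu:80)
    print(find_url_indicators(clear))
```

The decoder only resolves plain positional `{n}` placeholders with single-quoted literal arguments, which is exactly the pattern in this sample; format specifiers such as `{0,10}` or nested expressions would need a fuller parser. Running it on the quoted expression yields `http://mcsc.h3yJerryf0UNDuuu:80`, from which the flag `mcsc{h3yJerryf0UNDuuu}` follows.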
This challenge already came out in the first part of the CTF, but we solved it in the second part.
(Note: I submitted so many wrong flags in this challenge.)
This is the sixth challenge that I solved in MCSC2018.
And we were the first solver team of that challenge, so we got another bonus (1 point). Yay!
I want to say thank you to the challenge creator.