The fixed challenge in fact had a little more data hidden in a previously discovered UserForm text field. This time it was a ROT-13 encoded HTML document that the macro code decoded, dropped to disk, and ran with a copied mshta.exe (at least in the original, malicious version of this document). We could decode this HTML ourselves or just let the malware drop it to disk for us with a slight modification:

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/click_all_the_things/writeup/iced/iceid_fixed_file.PNG

The decoded HTML document contained hex-encoded JavaScript code that was later decoded and run by other JavaScript.

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/click_all_the_things/writeup/iced/iceid_fixed_html.PNG

It also passed the following string to this code as a parameter: `261636e23757f6963696c616d6f2472756078756e2d7e603124704365357662603b7345435459425f2f2a307878786`. In fact, if we reversed it and decoded it, it gave us the flag. But if we didn't want to guess the encoding mechanism (it could have been XORed or obfuscated in any other way), we could always rely on the malware to do the job for us. Unfortunately, the JavaScript also seemed to have been "castrated" a little by the challenge authors, but with a few modifications we could make it run and output the flag for us:
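As an added example (not part of the original writeup), here is the manual decode of that parameter: the string is reversed character-wise and then hex-decoded, and a small helper tries the plain-hex and reversed-hex interpretations and keeps only the one that yields printable ASCII, so the analyst does not have to guess. The parameter value is the one quoted above; the `decode_reversed_hex` and `try_layers` names are this example's own.

```python
# Added example, not code from the writeup: manually unwrap the reversed-hex
# parameter instead of relying on the (trimmed) malware JavaScript to do it.

# The parameter string exactly as quoted in the writeup.
PARAM = "261636e23757f6963696c616d6f2472756078756e2d7e603124704365357662603b7345435459425f2f2a307878786"


def decode_reversed_hex(s: str) -> str:
    """Reverse the string character-wise, then hex-decode it.

    A StrReverse-style reversal flips the nibble order inside every byte as
    well as the byte order, so reversing the whole string first restores
    valid hex; decoding the un-reversed text gives garbage instead.
    """
    rev = s[::-1]
    if len(rev) % 2:
        raise ValueError("odd-length hex string after reversal")
    return bytes.fromhex(rev).decode("ascii", errors="replace")


def try_layers(s: str) -> dict:
    """Try the simple transformations seen in this sample and report the ones
    that produce printable ASCII, so we can tell which layer was applied."""
    candidates = {
        "hex": lambda x: bytes.fromhex(x),
        "reversed-hex": lambda x: bytes.fromhex(x[::-1]),
    }
    results = {}
    for name, fn in candidates.items():
        try:
            out = fn(s)
        except ValueError:
            # Not valid hex under this interpretation; skip it.
            continue
        if out and all(32 <= b < 127 for b in out):
            results[name] = out.decode("ascii")
    return results


if __name__ == "__main__":
    for layer, text in try_layers(PARAM).items():
        print(f"{layer}: {text}")
```

The decoded value is a defanged download URL whose host name carries the flag, which is why plain hex fails the printable check while the reversed interpretation passes.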

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/click_all_the_things/writeup/iced/iceid_fixed_js.PNG

After running this file with cscript.exe, the final result was:

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/click_all_the_things/writeup/iced/iceid_fixed_flag.PNG

Original writeup (https://github.com/lasq88/CTF/tree/main/ritsec2021/forensics/click_all_the_things).