# Kick Tort Teen

Anagram, anyone?

## Solution

We are given an xls document containing numbers.
If we unzip it, we can see that there are VBA macros.


```
mac:xl rainbowlyte$ ls -la
total 88
drwxr-xr-x@  8 rainbowlyte  wheel    272 Feb  7 17:11 .
drwxrwxrwt  15 root         wheel    510 Feb  7 17:11 ..
drwxr-xr-x@  3 rainbowlyte  wheel    102 Feb  7 17:11 _rels
-rw-r--r--@  1 rainbowlyte  wheel  16372 Jan  1  1980 styles.xml
drwxr-xr-x@  3 rainbowlyte  wheel    102 Feb  7 17:11 theme
-rw-r--r--@  1 rainbowlyte  wheel  22528 Jan  1  1980 vbaProject.bin
-rw-r--r--@  1 rainbowlyte  wheel    641 Jan  1  1980 workbook.xml
drwxr-xr-x@  3 rainbowlyte  wheel    102 Feb  7 17:11 worksheets
```

We used olevba to extract the macro.

```vb
VBA MACRO Module1.bas
in file: xl/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function FileExists(ByVal FileToTest As String) As Boolean
   FileExists = (Dir(FileToTest) <> "")
End Function

Sub DeleteFile(ByVal FileToDelete As String)
   If FileExists(FileToDelete) Then 'See above
      SetAttr FileToDelete, vbNormal
      Kill FileToDelete
   End If
End Sub

Sub DoIt()
    Dim filename As String
    filename = Environ("USERPROFILE") & "\fileXYZ.data"
    DeleteFile (filename)

    Open filename For Binary Lock Read Write As #2

    For i = 1 To 14747
        For j = 1 To 23
            Put #2, , CByte((Cells(i, j).Value - 78) / 3)
        Next
    Next

    Put #2, , CByte(98)
    Put #2, , CByte(13)
    Put #2, , CByte(0)
    Put #2, , CByte(73)
    Put #2, , CByte(19)
    Put #2, , CByte(0)
    Put #2, , CByte(94)
    Put #2, , CByte(188)
    Put #2, , CByte(0)
    Put #2, , CByte(0)
    Put #2, , CByte(0)

    Close #2
End Sub
```

The interesting part is the loop that turns each cell value into one byte of the output file:

```
Open filename For Binary Lock Read Write As #2

For i = 1 To 14747
    For j = 1 To 23
        Put #2, , CByte((Cells(i, j).Value - 78) / 3)
    Next
Next
```

We used the corresponding Python code to process the numbers in the xls document.

```python
numbers = []
data = bytearray()

# 'numbers' holds the cell values from the sheet, one row per line
with open('numbers', 'r') as f:
    for line in f:
        numbers.append([int(i) for i in line.split()])

# Reverse the macro's encoding: byte = (value - 78) / 3
for row in numbers:
    for value in row:
        data.append((value - 78) // 3)

# The result is raw bytes, so write it in binary mode
with open('exe', 'wb') as f:
    f.write(data)
```

The file `exe` is an executable that contains the flag.

```bash
rainbowlyte@ns38534:/tmp$ file exe
exe: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
rainbowlyte@ns38534:/tmp$ chmod +x exe
rainbowlyte@ns38534:/tmp$ ./exe
SharifCTF{5bd74def27ce149fe1b63f2aa92331ab}
```
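The script above depends on a `numbers` file holding the cell values. As an added example (not part of the original writeup), the same payload can be rebuilt straight from the worksheet XML inside the archive, without opening the workbook or running the macro, including the 11 trailer bytes that `DoIt()` appends. The sheet path `xl/worksheets/sheet1.xml`, the helper names and the tiny constructed sample are assumptions; for the challenge file the macro's loop bounds give `rows=14747, cols=23`.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Bytes DoIt() appends after the cell loop (copied from the macro above).
TRAILER = bytes([98, 13, 0, 73, 19, 0, 94, 188, 0, 0, 0])

def col_number(letters):
    """Column letters to a 1-based index: 'A' -> 1, 'W' -> 23, 'AA' -> 27."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def decode_sheet(xlsx, rows, cols, sheet="xl/worksheets/sheet1.xml"):
    """Rebuild the file DoIt() would write, without executing the macro."""
    with zipfile.ZipFile(xlsx) as z:
        root = ET.fromstring(z.read(sheet))  # sheet path is an assumption
    grid = {}
    for c in root.iter(NS + "c"):
        ref = re.fullmatch(r"([A-Z]+)(\d+)", c.get("r", ""))
        v = c.find(NS + "v")
        if ref and v is not None and c.get("t", "n") == "n":  # numeric cells only
            grid[int(ref.group(2)), col_number(ref.group(1))] = float(v.text)
    out = bytearray()
    for i in range(1, rows + 1):              # same row-major order as the macro
        for j in range(1, cols + 1):
            if (i, j) not in grid:
                raise ValueError(f"cell R{i}C{j} missing or not numeric")
            b = round((grid[i, j] - 78) / 3)  # CByte() rounds to an integer
            if not 0 <= b <= 255:
                raise ValueError(f"cell R{i}C{j} decodes outside byte range")
            out.append(b)
    return bytes(out + TRAILER)

def build_sample(payload, cols):
    """Constructed test input: a minimal zip holding only an encoded worksheet."""
    cells = []
    for k, b in enumerate(payload):
        r, c = divmod(k, cols)
        cells.append(f'<c r="{chr(65 + c)}{r + 1}"><v>{3 * b + 78}</v></c>')
    xml = f'<worksheet xmlns="{NS[1:-1]}"><sheetData><row>{"".join(cells)}</row></sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", xml)
    return buf

if __name__ == "__main__":
    data = decode_sheet(build_sample(b"\x7fELF\x02\x01", cols=3), rows=2, cols=3)
    print(data[:4] == b"\x7fELF", len(data))
```

A missing or non-numeric cell raises instead of being silently skipped, since a gap would shift every later byte of the recovered binary.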


Original writeup (https://github.com/QuokkaLight/write-ups/blob/master/sharif-university-ctf-2016/forensics/Kick_Tort_Teen.md).