## [See original writeup on site](https://barelycompetent.dev/post/ctfs/2021-04-11-ritsecctf/#pleaseclickallthethings-1-begineersritsechtml)

### PleaseClickAlltheThings 1: BegineersRITSEC.html
> Note: this challenge is the start of a series of challenges. The purpose of this CTF challenge is to bring real world phishing attachments to the challengers and attempt to find flags (previously executables or malicious domains) within the macros. This is often a process used in IR teams and becomes an extremely valuable skill. In this challenge we've brought to the table a malicious html file, a GandCrab/Ursnif sample, and an IceID/Bokbot sample. We've rewritten the code to not contain malicious execution; however, system changes may still occur when executing. Also, some of the functionalities have been snipped and will likely not expose themselves via dynamic analysis.
>
> * Outlook helps, with proper licensing to access necessary features
> * Otherwise oledump or similar would also help but isn’t necessary
> * CyberChef is the ideal tool to use for decoding
>
> Part 1: Start with the HTML file and let's move our way up: open and/or inspect the HTML file provided in the message file. There is only one flag in this document.

We're given a file to download, `Please_Click_all_the_Things.7z`.

We can extract using 7z:

```bash
7z x Please_Click_all_the_Things.7z
```

... which gives us a Microsoft Outlook message, `Please Click all the Things.msg`:

```bash
file Please\ Click\ all\ the\ Things.msg
Please Click all the Things.msg: CDFV2 Microsoft Outlook Message
```

I loaded this file into [CyberChef with the URL Decode recipe](https://gchq.github.io/CyberChef/#recipe=URL_Decode()) and then downloaded the resulting output file.

This is the file that is downloaded after the URL decode:

```bash
file ../../url_decoded.txt
../../url_decoded.txt: Composite Document File V2 Document, Can't read SSAT
```

CyberChef just appends the `.txt` extension to the download; the content is still a CDF/OLE container. If we look at what's inside this blob, we see the aforementioned HTML file:

```bash
binwalk -e ../../url_decoded.txt

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5824 0x16C0 XML document, version: "1.0"
15360 0x3C00 Zip archive data, at least v2.0 to extract, compressed size: 255, uncompressed size: 540, name: [Content_Types].xml
15664 0x3D30 Zip archive data, at least v2.0 to extract, compressed size: 192, uncompressed size: 310, name: _rels/.rels
15897 0x3E19 Zip archive data, at least v2.0 to extract, compressed size: 131, uncompressed size: 138, name: theme/theme/themeManager.xml
16086 0x3ED6 Zip archive data, at least v2.0 to extract, compressed size: 1933, uncompressed size: 8399, name: theme/theme/theme1.xml
18071 0x4697 Zip archive data, at least v2.0 to extract, compressed size: 182, uncompressed size: 283, name: theme/theme/_rels/themeManager.xml.rels
18671 0x48EF End of Zip archive, footer length: 22
33367 0x8257 HTML document header
35738 0x8B9A HTML document footer
41264 0xA130 Zip archive data, at least v2.0 to extract, compressed size: 427, uncompressed size: 1637, name: [Content_Types].xml
42260 0xA514 Zip archive data, at least v2.0 to extract, compressed size: 239, uncompressed size: 590, name: _rels/.rels
43060 0xA834 Zip archive data, at least v2.0 to extract, compressed size: 4960, uncompressed size: 29315, name: word/document.xml
48067 0xBBC3 Zip archive data, at least v2.0 to extract, compressed size: 322, uncompressed size: 1214, name: word/_rels/document.xml.rels
48711 0xBE47 Zip archive data, at least v2.0 to extract, compressed size: 3855, uncompressed size: 11264, name: word/vbaProject.bin
52615 0xCD87 Zip archive data, at least v1.0 to extract, compressed size: 28872, uncompressed size: 28872, name: word/media/image1.jpeg
81537 0x13E81 Zip archive data, at least v2.0 to extract, compressed size: 1746, uncompressed size: 8393, name: word/theme/theme1.xml
83334 0x14586 Zip archive data, at least v2.0 to extract, compressed size: 191, uncompressed size: 277, name: word/_rels/vbaProject.bin.rels
83585 0x14681 Zip archive data, at least v2.0 to extract, compressed size: 576, uncompressed size: 2310, name: word/vbaData.xml
84207 0x148EF Zip archive data, at least v2.0 to extract, compressed size: 1027, uncompressed size: 2864, name: word/settings.xml
85281 0x14D21 Zip archive data, at least v2.0 to extract, compressed size: 199, uncompressed size: 306, name: customXml/item1.xml
85569 0x14E41 Zip archive data, at least v2.0 to extract, compressed size: 225, uncompressed size: 341, name: customXml/itemProps1.xml
85888 0x14F80 Zip archive data, at least v2.0 to extract, compressed size: 2906, uncompressed size: 29216, name: word/styles.xml
88839 0x15B07 Zip archive data, at least v2.0 to extract, compressed size: 295, uncompressed size: 655, name: word/webSettings.xml
89184 0x15C60 Zip archive data, at least v2.0 to extract, compressed size: 453, uncompressed size: 1419, name: word/fontTable.xml
89685 0x15E55 Zip archive data, at least v2.0 to extract, compressed size: 361, uncompressed size: 741, name: docProps/core.xml
90357 0x160F5 Zip archive data, at least v2.0 to extract, compressed size: 462, uncompressed size: 982, name: docProps/app.xml
91129 0x163F9 Zip archive data, at least v2.0 to extract, compressed size: 194, uncompressed size: 296, name: customXml/_rels/item1.xml.rels
92834 0x16AA2 End of Zip archive, footer length: 22
99630 0x1852E Zip archive data, at least v2.0 to extract, compressed size: 399, uncompressed size: 1503, name: [Content_Types].xml
100598 0x188F6 Zip archive data, at least v2.0 to extract, compressed size: 239, uncompressed size: 590, name: _rels/.rels
101398 0x18C16 Zip archive data, at least v2.0 to extract, compressed size: 1040, uncompressed size: 3590, name: word/document.xml
102485 0x19055 Zip archive data, at least v2.0 to extract, compressed size: 300, uncompressed size: 1071, name: word/_rels/document.xml.rels
103107 0x192C3 Zip archive data, at least v2.0 to extract, compressed size: 7424, uncompressed size: 20480, name: word/vbaProject.bin
110580 0x1AFF4 Zip archive data, at least v1.0 to extract, compressed size: 224577, uncompressed size: 224577, name: word/media/image1.png
335200 0x51D60 Zip archive data, at least v2.0 to extract, compressed size: 1746, uncompressed size: 8393, name: word/theme/theme1.xml
336997 0x52465 Zip archive data, at least v2.0 to extract, compressed size: 191, uncompressed size: 277, name: word/_rels/vbaProject.bin.rels
337248 0x52560 Zip archive data, at least v2.0 to extract, compressed size: 604, uncompressed size: 2424, name: word/vbaData.xml
337898 0x527EA Zip archive data, at least v2.0 to extract, compressed size: 957, uncompressed size: 2655, name: word/settings.xml
338902 0x52BD6 Zip archive data, at least v2.0 to extract, compressed size: 2906, uncompressed size: 29216, name: word/styles.xml
341853 0x5375D Zip archive data, at least v2.0 to extract, compressed size: 295, uncompressed size: 655, name: word/webSettings.xml
342198 0x538B6 Zip archive data, at least v2.0 to extract, compressed size: 453, uncompressed size: 1419, name: word/fontTable.xml
342699 0x53AAB Zip archive data, at least v2.0 to extract, compressed size: 367, uncompressed size: 741, name: docProps/core.xml
343377 0x53D51 Zip archive data, at least v2.0 to extract, compressed size: 461, uncompressed size: 982, name: docProps/app.xml
345123 0x54423 End of Zip archive, footer length: 22
347262 0x54C7E LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 4587520 bytes
```

Notice the

```
33367 0x8257 HTML document header
35738 0x8B9A HTML document footer
```

in the above. Use `binwalk` to extract, either specifically those offsets, or just everything (which is what I did):

```bash
binwalk --dd=".*" ../../url_decoded.txt --directory output
```

And then from the carved out files, we know that the HTML file we're interested in starts at offset `0x8257`, so we can do the following:

```bash
mv output/_url_decoded.txt.extracted/8257 output/_url_decoded.txt.extracted/8257.html
```

And then inspect this HTML file:

```bash
cat output/_url_decoded.txt.extracted/8257.html | head -n 150
```

```html
<html>
<head>
<title>Its just another friendly file from you're local CTF</title>
<style type="text/css">
html {
height: 100%;
width: 100%;
}

#feature {
width: 980px;
margin: 95px auto 0 auto;
overflow: auto;
}

#content {
font-family: "Segoe UI";
font-weight: normal;
font-size: 22px;
color: #ffffff;
float: left;
width: 460px;
margin-top: 68px;
margin-left: 0px;
vertical-align: middle;
}

#content h1 {
font-family: "Segoe UI Light";
color: #ffffff;
font-weight: normal;
font-size: 60px;
line-height: 48pt;
width: 980px;
}

p a, p a:visited, p a:active, p a:hover {
color: #ffffff;
}

#content a.button {
background: #0DBCF2;
border: 1px solid #FFFFFF;
color: #FFFFFF;
display: inline-block;
font-family: Segoe UI;
font-size: 24px;
line-height: 46px;
margin-top: 10px;
padding: 0 15px 3px;
text-decoration: none;
}

#content a.button img {
float: right;
padding: 10px 0 0 15px;
}

#content a.button:hover {
background: #1C75BC;
}

/* loading dots */

.loading:after {
content: '.';
animation: dots 1s steps(5, end) infinite}

@keyframes dots {
0%, 20% {
color: rgba(0,0,0,0);
text-shadow:
.25em 0 0 rgba(0,0,0,0),
.5em 0 0 rgba(0,0,0,0);}
40% {
color: white;
text-shadow:
.25em 0 0 rgba(0,0,0,0),
.5em 0 0 rgba(0,0,0,0);}
60% {
text-shadow:
.25em 0 0 white,
.5em 0 0 rgba(0,0,0,0);}
80%, 100% {
text-shadow:
.25em 0 0 white,
.5em 0 0 white;}}
</style>
</head>
<body bgcolor="#00abec">
<div id="feature">
<div id="content">
<h1 id="unavailable" class="loading">Try Harder</h1>

The Defender That Could


</div>
</div>
</body>

<head>
<flag="UklUU0VDe0gzcjMhdCEkfQ==">
</body>
</html>'));</script>
```

And look at that: a nice little `<flag="...">` pseudo-tag carrying a base64 string!

```bash
echo UklUU0VDe0gzcjMhdCEkfQ== | base64 -d
RITSEC{H3r3!t!$}
```

Flag is `RITSEC{H3r3!t!$}`.
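The whole pipeline above (URL decode, carve the `<html>...</html>` span that binwalk flagged as "HTML document header/footer", pull the `<flag="...">` value and base64-decode it) as a single stdlib-only Python script. This is an added example, not the author's code or the challenge file: the input blob is constructed inline to mimic the layout binwalk reported, and only the base64 flag value comes from the challenge.

```python
import base64
import re
import urllib.parse

# Constructed sample (not the challenge file): a URL-encoded blob with an OLE
# magic and junk before an embedded HTML document and zip-like bytes after it,
# mimicking the layout binwalk reported. Only the flag value is from the challenge.
SAMPLE_BLOB = (
    b"%D0%CF%11%E0junk-bytes-before%00%00"
    b"%3Chtml%3E%3Chead%3E%3Ctitle%3Ehi%3C%2Ftitle%3E%3C%2Fhead%3E"
    b"%3Cbody%3ETry%20Harder%3C%2Fbody%3E"
    b"%3Chead%3E%3Cflag%3D%22UklUU0VDe0gzcjMhdCEkfQ%3D%3D%22%3E%3C%2Fbody%3E"
    b"%3C%2Fhtml%3E%27%29%29%3B%3C%2Fscript%3E"
    b"PK%03%04trailing-zip-data"
)
FLAG_ATTR = re.compile(rb'<flag="([A-Za-z0-9+/=]+)">')

def url_decode(blob: bytes) -> bytes:
    """Percent-decoding, the same operation as CyberChef's URL Decode recipe."""
    return urllib.parse.unquote_to_bytes(blob)

def carve_html(data: bytes) -> list:
    """Return (start, end, bytes) for each <html>...</html> span, i.e. the
    'HTML document header/footer' pair binwalk flags, but cut out as bytes."""
    spans, pos = [], 0
    while True:
        start = data.find(b"<html>", pos)
        end = data.find(b"</html>", start) if start >= 0 else -1
        if end < 0:
            return spans
        end += len(b"</html>")
        spans.append((start, end, data[start:end]))
        pos = end

def extract_flags(html: bytes) -> list:
    """Base64-decode the value of every <flag="..."> pseudo-tag in the document."""
    return [base64.b64decode(m).decode() for m in FLAG_ATTR.findall(html)]

def solve(blob: bytes) -> list:
    """Full pipeline: URL-decode, carve each HTML document, pull the flags."""
    flags = []
    for start, end, html in carve_html(url_decode(blob)):
        print(f"HTML document at offset 0x{start:X}-0x{end:X} ({end - start} bytes)")
        flags.extend(extract_flags(html))
    return flags

if __name__ == "__main__":
    print(solve(SAMPLE_BLOB))  # prints ['RITSEC{H3r3!t!$}']
```

To run it against the real `url_decoded.txt`, pass `open("url_decoded.txt", "rb").read()` to `solve()` instead of the constructed blob.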

**n.b.**: I did this challenge initially without having `oledump.py`. If you wanted to go that route (which is better, imo), it looks like so:

```bash
# Check the file: list the OLE streams inside the .msg
python ./oledump_V0_0_60/oledump.py Please\ Click\ all\ the\ Things.msg

# Now that we know the data for our beginner html file is object 24, get that:
python ./oledump_V0_0_60/oledump.py Please\ Click\ all\ the\ Things.msg -s 24

# Dump that object raw (-d), so we can store it in a file and URL decode it:
python ./oledump_V0_0_60/oledump.py Please\ Click\ all\ the\ Things.msg -s 24 -d > url_encoded

# URL decode that file (stdlib Python, the same step CyberChef did above), and get the flag
python -c 'import sys, urllib.parse; sys.stdout.buffer.write(urllib.parse.unquote_to_bytes(sys.stdin.buffer.read()))' < url_encoded > url_decoded
grep -ao 'flag="[^"]*"' url_decoded | cut -d'"' -f2 | base64 -d
```
