## [See original writeup on site](https://barelycompetent.dev/post/ctfs/2021-04-11-ritsecctf/#pleaseclickallthethings-2-gandcrab_ursnif)

### PleaseClickAlltheThings 2: GandCrab_Ursnif
> NOTE: this challenge builds upon BegineersRITSEC.html, and that challenge must be completed first.
>
> GandCrab/Ursnif are dangerous types of campaigns and malware, macros are usually the entry point, see what you can find, there are two flags in this document. Flag1/2

So, after a bit of digging on Google for Microsoft forensics tools, I [came across Didier Stevens' site](https://blog.didierstevens.com/), and was reminded of how much success I've had with the tools there in the past.

As such, I ended up using [oledump.py](https://blog.didierstevens.com/programs/oledump-py/) from that site to examine the objects in the streams of this Outlook message:

```bash
python ./oledump_V0_0_60/oledump.py -q -p ./oledump_V0_0_60/plugin_msg.py Please\ Click\ all\ the\ Things.msg
```

... which gives us:

```
2: "0FF9 0102: BIN ? b'\\x00\\x00\\x00\\x00'"
3: 3001 001F: UNI Display name IceID_Bokbot_RITSEC.docm
4: "3701 0102: BIN Attachment data b'PK\\x03\\x04\\x14\\x00\\x06\\x00\\x08\\x00\\x00"
5: "3702 0102: BIN ? b''"
6: 3703 001F: UNI Attach extension .docm
7: 3704 001F: UNI Attach filename IceID_Bokbot_RITSEC.docm
8: 3707 001F: UNI Attach long filename IceID_Bokbot_RITSEC.docm
9: "3709 0102: BIN ? b'\\x01\\x00\\t\\x00\\x00\\x03\\xdc\\x06\\x00\\x00"
10: 8000 001F: UNI ?
12: "0FF9 0102: BIN ? b'\\x01\\x00\\x00\\x00'"
13: 3001 001F: UNI Display name GandCrab_Ursnif_RITSEC.docm
14: "3701 0102: BIN Attachment data b'PK\\x03\\x04\\x14\\x00\\x06\\x00\\x08\\x00\\x00"
15: "3702 0102: BIN ? b''"
16: 3703 001F: UNI Attach extension .docm
17: 3704 001F: UNI Attach filename GandCrab_Ursnif_RITSEC.docm
18: 3707 001F: UNI Attach long filename GandCrab_Ursnif_RITSEC.docm
19: "3709 0102: BIN ? b'\\x01\\x00\\t\\x00\\x00\\x03\\xdc\\x06\\x00\\x00"
20: 8000 001F: UNI ?
22: "0FF9 0102: BIN ? b'\\x02\\x00\\x00\\x00'"
23: 3001 001F: UNI Display name BeginnersRITSEC.html
24: '3701 0102: BIN Attachment data b\'<script language="javascript">document'
25: "3702 0102: BIN ? b''"
26: 3703 001F: UNI Attach extension .html
27: 3704 001F: UNI Attach filename BEGINN~1.HTM
28: 3707 001F: UNI Attach long filename BeginnersRITSEC.html
29: "3709 0102: BIN ? b'\\x01\\x00\\t\\x00\\x00\\x03\\xdc\\x06\\x00\\x00"
30: 8000 001F: UNI ?
31: "0002 0102: BIN ? b'\\x7f\\x7f5\\x96\\xe1Y\\xd0G\\x99\\xa7FQ\\\\\\x1"
32: "0003 0102: BIN ? b'\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00\\"
33: "0004 0102: BIN ? b'*\\x00\\x00\\x00A\\x00t\\x00t\\x00a\\x00c\\x00"
34: "1000 0102: BIN Message body b'\\xacb\\x0c\\xff\\t\\x00\\x0e\\x00'"
35: "1003 0102: BIN ? b'\\x10\\x85\\x00\\x00\\x08\\x00\\x08\\x00'"
36: "1007 0102: BIN ? b'R\\x85\\x00\\x00\\x08\\x00\\x04\\x00\\xbf\\x85\\"
37: "1009 0102: BIN RTF Compressed b'T\\x85\\x00\\x00\\x08\\x00\\x05\\x00'"
38: "100C 0102: BIN ? b'\\xd5\\xc9\\x07\\x8e\\x07\\x00\\x01\\x00'"
39: "1010 0102: BIN ? b'\\x0e\\x85\\x00\\x00\\x08\\x00\\x07\\x00'"
40: "1012 0102: BIN ? b'\\xc8\\x8e1\\xa1\\x07\\x00\\x00\\x00'"
41: "1013 0102: BIN ? b'\\x01\\x85\\x00\\x00\\x08\\x00\\x03\\x00'"
42: "1014 0102: BIN ? b'\\xeb\\x85\\x00\\x00\\x08\\x00\\r\\x00'"
43: "1015 0102: BIN ? b'\\x03\\x85\\x00\\x00\\x08\\x00\\x02\\x00'"
44: "1018 0102: BIN ? b'\\x06\\x85\\x00\\x00\\x08\\x00\\x06\\x00'"
45: "101A 0102: BIN ? b'\\x18\\x85\\x00\\x00\\x08\\x00\\t\\x00\\xc2\\x85"
46: "101B 0102: BIN ? b'\\xc3\\x85\\x00\\x00\\x08\\x00\\x0c\\x00'"
49: "0FF6 0102: BIN ? b'\\x00\\x00\\x01k'"
50: "0FF9 0102: BIN ? b'\\x00\\x00\\x00\\x00\\x81+\\x1f\\xa4\\xbe\\xa3\\"
51: "0FFF 0102: BIN ? b'\\x00\\x00\\x00\\x00\\x81+\\x1f\\xa4\\xbe\\xa3\\"
52: 3001 001F: UNI Display name [email protected]
53: 3002 001F: UNI Address type SMTP
54: 3003 001F: UNI Email address [email protected]
55: "300B 0102: BIN ? b'SMTP:[email protected]\\x00'"
56: 5FF6 001F: UNI To (?) [email protected]
57: "5FF7 0102: BIN ? b'\\x00\\x00\\x00\\x00\\x81+\\x1f\\xa4\\xbe\\xa3\\"
58: 001A 001F: UNI Message class IPM.Note
59: 0037 001F: UNI Subject Please Click all the Things
60: 003D 001F: UNI Subject prefix
61: 0070 001F: UNI Topic Please Click all the Things
62: "0071 0102: BIN ? b'\\x01\\xd7\\x0b\\x95Y%\\xab+R\\xee`KN\\x07\\xa"
63: 0E02 001F: UNI Display BCC
64: 0E03 001F: UNI Display CC
65: '0E04 001F: UNI Display To [email protected]\x00'
66: 0E1D 001F: UNI Subject (normalized) Please Click all the Things
67: '1000 001F: UNI Message body Hey there Challengers,\r\n \r\nI’ve attached'
68: "1009 0102: BIN RTF Compressed b'\\xa0#\\x00\\x00v\\xaa\\x00\\x00LZFu^\\xd3w&\\"
69: "300B 0102: BIN ? b'Y\\x9b\\xa06%\\xc5%E\\x80\\xb0\\xc6\\xff\\xb8\\"
70: 8005 001F: UNI ? 16.0
71: "800B 0102: BIN ? b'PK\\x03\\x04\\x14\\x00\\x06\\x00\\x08\\x00\\x00"
72: '800C 0102: BIN ? b\'
```

Object **67** is the message body; we can dump it by selecting that object and writing out its raw data (the `-s` and `-d` flags):

```bash
python oledump.py -p ./oledump_V0_0_60/plugin_msg.py Please\ Click\ all\ the\ Things.msg -s 67 -d
```

Which gives:

```
Hey there Challengers,

I’ve attached some malware, please do click them and infect your machines (seriously), wipe your systems after the CTF.

On a less troll note, for those new to analysis start with the HTML, move to GandCrab, and then if you’re feeling smart try IceID/Bokbot.

If you feel the need to bang your head please take safety precautions, clear away breakables including computer screens and preferably choose a softer surface to avoid injuries.

Thanks for contributing to the botnet.

Sincerely,
CTF Challenge Creators
```

Nice. Now, to get the `.docm` file out, we grab the binary attachment data that represents it, based on the plugin output of the earlier oledump run (using the `-q` flag here so that only the plugin results are printed):

```
python ./oledump_V0_0_60/oledump.py -q -p ./oledump_V0_0_60/plugin_msg.py Please\ Click\ all\ the\ Things.msg
...
13: 3001 001F: UNI Display name GandCrab_Ursnif_RITSEC.docm
14: "3701 0102: BIN Attachment data b'PK\\x03\\x04\\x14\\x00\\x06\\x00\\x08\\x00\\x00"
15: "3702 0102: BIN ? b''"
16: 3703 001F: UNI Attach extension .docm
17: 3704 001F: UNI Attach filename GandCrab_Ursnif_RITSEC.docm
18: 3707 001F: UNI Attach long filename GandCrab_Ursnif_RITSEC.docm
...
```

So we want to extract object **14**:

```bash
python ./oledump_V0_0_60/oledump.py -p ./oledump_V0_0_60/plugin_msg.py Please\ Click\ all\ the\ Things.msg -s 14 -d > GandCrab_Ursnif_RITSEC.docm
```

Double-checking that the resulting file looks right:

```bash
file GandCrab_Ursnif_RITSEC.docm
GandCrab_Ursnif_RITSEC.docm: Microsoft Word 2007+
```
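The two checks above (`file` recognising the OOXML zip by its `PK` header, and oledump listing `word/vbaProject.bin` in the next step) can be done in a few lines of standard-library Python. This is an added example, not from the writeup or from Didier Stevens' tools; the `.docm`-like package it inspects is constructed in memory so it runs offline, and the extension-to-kind table is my own.

```python
"""Triage an attachment blob pulled out of a .msg: what is it, and does it carry VBA?

Added example (not part of the writeup). Reproduces the `file` magic check and
the "does it contain word/vbaProject.bin" check with the standard library only.
"""
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"                      # zip local-file header, what `file` keyed on
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file (vbaProject.bin, .doc/.xls)
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Assumed mapping of declared extension -> content kind we expect to see.
EXPECTED_KIND = {"docm": "ooxml", "docx": "ooxml", "xlsm": "ooxml", "xlsx": "ooxml",
                 "doc": "ole", "xls": "ole", "html": "html", "htm": "html"}


def magic_kind(blob: bytes) -> str:
    """Classify an attachment by its leading bytes."""
    if blob.startswith(OOXML_MAGIC):
        return "ooxml"
    if blob.startswith(OLE_MAGIC):
        return "ole"
    head = blob.lstrip().lower()[:16]
    if head.startswith((b"<script", b"<html", b"<!doctype", b"<body")):
        return "html"
    return "unknown"


def vba_part(blob: bytes):
    """Name of the embedded VBA project part (an OLE file inside the zip), or None."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        for part in VBA_PARTS:
            if part in names and zf.read(part).startswith(OLE_MAGIC):
                return part
    return None


def triage(blob: bytes, declared_ext: str) -> dict:
    """Cross-check the declared extension against the content, and flag macro storage."""
    kind = magic_kind(blob)
    expected = EXPECTED_KIND.get(declared_ext.lower().lstrip("."))
    finding = {"kind": kind, "extension_matches": expected == kind, "vba_part": None}
    if kind == "ooxml":
        finding["vba_part"] = vba_part(blob)
    return finding


def build_sample_docm() -> bytes:
    """Constructed stand-in for the extracted attachment: a minimal OOXML zip with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # A real vbaProject.bin is a full OLE compound file; its 8-byte signature is enough here.
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(504))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docm(), ".docm"))
    print(triage(b'<script language="javascript">document.write(1)</script>', ".html"))
    print(triage(b"MZ\x90\x00", ".docm"))  # declared .docm but the content is not a zip at all
```

For a legacy `.doc`/`.xls` (kind `ole`) the macro storage sits inside the compound file itself rather than in a zip part, which is exactly the case oledump's stream listing covers; this helper only answers the question for the OOXML packaging used by `.docm`.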

Now, we can run `oledump.py` again, this time against this file:

```
python ../../oledump_V0_0_60/oledump.py GandCrab_Ursnif_RITSEC.docm
A: word/vbaProject.bin
A1: 464 'PROJECT'
A2: 89 'PROJECTwm'
A3: M 975 'VBA/Module1'
A4: M 1504 'VBA/Module4'
A5: m 938 'VBA/ThisDocument'
A6: 3109 'VBA/_VBA_PROJECT'
A7: 585 'VBA/dir'
```

So it looks like it is a VBA project, which we can also summarize like so:

```
python ./oledump_V0_0_60/oledump.py -p ./oledump_V0_0_60/plugin_vba_summary.py GandCrab_Ursnif_RITSEC.docm
A: word/vbaProject.bin
A1: 464 'PROJECT'
A2: 89 'PROJECTwm'
A3: M 975 'VBA/Module1'
Plugin: VBA summary plugin
Attribute VB_Name = "Module1"
Sub autoopen()
A4: M 1504 'VBA/Module4'
Plugin: VBA summary plugin
Attribute VB_Name = "Module4"
Function TheDarkSide()
A5: m 938 'VBA/ThisDocument'
Plugin: VBA summary plugin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
A6: 3109 'VBA/_VBA_PROJECT'
A7: 585 'VBA/dir'
```

To my inexperienced eyes, it looks like the document auto-runs the `TheDarkSide()` function. For reference, we can look at the routine bodies themselves like so:

```
python ../../oledump_V0_0_60/oledump.py -p ../../oledump_V0_0_60/plugin_vba_routines.py GandCrab_Ursnif_RITSEC.docm
```

which dumps out this:

```
A: word/vbaProject.bin
A1: 464 'PROJECT'
A2: 89 'PROJECTwm'
A3: M 975 'VBA/Module1'
Plugin: VBA Routines plugin
Attribute VB_Name = "Module1"
--------------------------------------------------------------------------------
Sub autoopen()
TheDarkSide
End Sub

A4: M 1504 'VBA/Module4'
Plugin: VBA Routines plugin
Attribute VB_Name = "Module4"
--------------------------------------------------------------------------------
Function TheDarkSide()
On Error Resume Next
CTF = Array(ElonMusk, StarWars, HelloWorld, Interaction.Shell(CleanString(Chewbacca.TextBox1), 43 - 43), Mars)
Select Case Research
Case 235003991
CompetitorSkillz = That_of_a_Storm_Troopers_Aim_Research_Pending
Flag = RITSEC{M@CROS}
PendingResearch = Oct(Date + CStr(TimeStamp + Log(241371097) - PewPew / Hex(13775121)))
End Select
End Function

A5: m 938 'VBA/ThisDocument'
Plugin: VBA Routines plugin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

A6: 3109 'VBA/_VBA_PROJECT'
A7: 585 'VBA/dir'
```
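What the routines dump shows is the classic shape: an auto-exec entry point (`autoopen`) that does nothing but call a second routine, which in turn hands something to `Interaction.Shell`. The following is an added example, not part of the writeup or of oledump's plugins: a small static triage pass over dumped VBA source that finds auto-exec procedures, follows bare calls from them, and reports suspicious names reachable along that chain. The VBA text is the Module1/Module4 source shown above, embedded as a constant; the auto-exec and suspicious-name lists are my own short selections.

```python
"""Static triage of dumped VBA routines: auto-exec entry points and what they reach.

Added example (not the writeup's or oledump's code). Parses Sub/Function bodies,
walks the call chain from auto-exec procedures, and lists suspicious names found
in any routine on that chain.
"""
import re

# Procedure names Office runs without user interaction (short, assumed selection).
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "autoexec", "autoclose",
             "auto_close", "document_close", "workbook_open", "workbook_close"}
# Names whose presence in a reachable routine warrants a closer look (assumed selection).
SUSPICIOUS = {"shell", "createobject", "getobject", "wscript", "environ",
              "urldownloadtofile", "callbyname", "execute", "powershell", "cmd"}

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\s*\(.*?\)"
                     r"(.*?)^\s*End\s+\1\b", re.S | re.M | re.I)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
# Member references that look like UserForm controls, i.e. data hidden outside the code.
CONTROL_RE = re.compile(r"\b\w+\.(?:TextBox\d*|Label\d*|ComboBox\d*|Caption|Tag|ControlTipText|Text)\b")

# Constructed from the plugin_vba_routines output above (Module1 and Module4).
SAMPLE_VBA = """\
Sub autoopen()
TheDarkSide
End Sub

Function TheDarkSide()
On Error Resume Next
CTF = Array(ElonMusk, StarWars, HelloWorld, Interaction.Shell(CleanString(Chewbacca.TextBox1), 43 - 43), Mars)
Select Case Research
Case 235003991
CompetitorSkillz = That_of_a_Storm_Troopers_Aim_Research_Pending
Flag = RITSEC{M@CROS}
PendingResearch = Oct(Date + CStr(TimeStamp + Log(241371097) - PewPew / Hex(13775121)))
End Select
End Function
"""


def parse_procedures(vba: str) -> dict:
    """Map lower-cased procedure name -> body text."""
    return {m.group(2).lower(): m.group(3) for m in PROC_RE.finditer(vba)}


def calls_in(body: str, known: set) -> set:
    """Other known procedures referenced in a body (bare calls such as `TheDarkSide`)."""
    return {w.lower() for w in IDENT_RE.findall(body) if w.lower() in known}


def reachable_from_autoexec(procs: dict) -> dict:
    """Depth-first walk from every auto-exec procedure: {entry: [procs in visit order]}."""
    result = {}
    for entry in procs:
        if entry not in AUTO_EXEC:
            continue
        seen, stack, order = set(), [entry], []
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            order.append(name)
            stack.extend(sorted(calls_in(procs[name], set(procs)) - seen))
        result[entry] = order
    return result


def suspicious_names(body: str) -> set:
    """Suspicious identifiers in a body, whether bare or member-style (Interaction.Shell)."""
    return {w.lower() for w in IDENT_RE.findall(body) if w.lower() in SUSPICIOUS}


def data_sources(body: str) -> set:
    """Control-like references a routine reads from, e.g. a form text box."""
    return set(CONTROL_RE.findall(body))


def triage(vba: str) -> list:
    """One finding per (entry point, reachable procedure, suspicious name)."""
    procs = parse_procedures(vba)
    findings = []
    for entry, chain in reachable_from_autoexec(procs).items():
        for name in chain:
            for hit in sorted(suspicious_names(procs[name])):
                findings.append((entry, name, hit))
    return findings


if __name__ == "__main__":
    procs = parse_procedures(SAMPLE_VBA)
    print(reachable_from_autoexec(procs))            # {'autoopen': ['autoopen', 'thedarkside']}
    print(triage(SAMPLE_VBA))                        # [('autoopen', 'thedarkside', 'shell')]
    print(data_sources(procs["thedarkside"]))        # {'Chewbacca.TextBox1'}
```

The `data_sources` result is the part worth noting for this sample: the argument to `Shell` is `CleanString(Chewbacca.TextBox1)`, which reads like a UserForm control (my inference, not something the writeup states), so the command line itself is not in the module text and would have to be pulled from the form's storage rather than from the routines dump.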

The flag is right there in the output. But let's say I didn't know about that plugin at the time. Going back to the original oledump output for the file, we can see two VBA modules, at **A3** and **A4**. Let's go ahead and extract those (same methodology as above, `-s <ID> -d`):

```
python ../../oledump_V0_0_60/oledump.py -s A3 GandCrab_Ursnif_RITSEC.docm -d > a3_bin
python ../../oledump_V0_0_60/oledump.py -s A4 GandCrab_Ursnif_RITSEC.docm -d > a4_bin
```

Looking at `a3_bin`, we don't see much in the way of `strings`:

```
strings a3_bin
Attribut
e VB_Nam
e = "Mod
ule1"
ub autoo
pen()
heDarkSi
End
```

However, on `a4_bin`, we can see the flag string:

```
strings a4_bin
Flag = RITSEC{M@CROS}
Attribut
e VB_Nam
e = "Mod
ule4"
unction
TheDarkS
ide()
n Error
Resu
hNex@t
rray(Elo
...
```

Flag is `RITSEC{M@CROS}`.
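The reason `strings` on the raw module dumps gives eight-character fragments like `Attribut` / `e VB_Nam` / `e = "Mod` is that VBA source inside a module stream is stored in the MS-OVBA compressed-container format: every run of up to eight tokens is preceded by a flag byte, and a run of eight literal bytes has flag byte `0x00`, which is non-printable and so ends each string. (oledump's `-v` option, and the routines plugin used above, decompress this for you; the `dir` stream records where in the module stream the compressed source begins.) The following is an added example, not from the writeup or from oledump: a from-scratch decoder for that format, a simple conforming encoder, and a `strings`-like helper, run over the Module1 source embedded from the dump above.

```python
"""MS-OVBA compressed-container codec, to explain the 8-character `strings` fragments.

Added example (not the writeup's or oledump's code). Implements [MS-OVBA] 2.4.1
decompression plus a simple encoder using the same token format.
"""
import math
import re
import struct

CHUNK_MAX = 4096  # a chunk decompresses to at most this many bytes

# Module1 source as shown by plugin_vba_routines above (constructed inline).
MODULE1_SRC = (b'Attribute VB_Name = "Module1"\r\n'
               b"Sub autoopen()\r\nTheDarkSide\r\nEnd Sub\r\n")


def _copy_token_split(pos_in_chunk: int):
    """How a 16-bit copy token splits into offset/length bits at this chunk position."""
    bit_count = max(math.ceil(math.log2(pos_in_chunk)), 4)
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, 0xFFFF ^ length_mask


def decompress(container: bytes) -> bytes:
    """Decode a CompressedContainer: signature byte, then chunks of flag-byte-led token runs."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header, = struct.unpack_from("<H", container, pos)
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature bits")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))  # size includes the header
        pos += 2
        chunk_start = len(out)
        if not header >> 15:                     # flag bit 0: 4096 raw bytes, no tokens
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:       # literal token: one byte copied as-is
                    out.append(container[pos])
                    pos += 1
                    continue
                token, = struct.unpack_from("<H", container, pos)  # copy token: back-reference
                pos += 2
                bit_count, length_mask, offset_mask = _copy_token_split(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):          # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def _longest_match(chunk: bytes, i: int):
    """Greedy longest back-reference at i, within the limits the token encoding allows."""
    if i == 0:
        return None
    bit_count, length_mask, _ = _copy_token_split(i)
    best = None
    for offset in range(1, min(i, 1 << bit_count) + 1):
        n = 0
        while n < length_mask + 3 and i + n < len(chunk) and chunk[i + n] == chunk[i + n - offset]:
            n += 1
        if n >= 3 and (best is None or n > best[0]):
            best = (n, offset)
    return best


def compress(data: bytes) -> bytes:
    """Encode with the same token format (any conforming encoder produces the same fragments)."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), CHUNK_MAX):
        chunk, body, i = data[start:start + CHUNK_MAX], bytearray(), 0
        while i < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if i >= len(chunk):
                    break
                match = _longest_match(chunk, i)
                if match is None:
                    tokens.append(chunk[i])
                    i += 1
                else:
                    n, offset = match
                    bit_count, _, _ = _copy_token_split(i)
                    tokens += struct.pack("<H", ((offset - 1) << (16 - bit_count)) | (n - 3))
                    flags |= 1 << bit
                    i += n
            body.append(flags)
            body += tokens
        if len(body) > CHUNK_MAX:  # incompressible data must be emitted as a raw chunk instead
            raise ValueError("chunk would exceed 4096 bytes; raw-chunk encoding not implemented")
        container += struct.pack("<H", 0x8000 | (0b011 << 12) | (len(body) - 1)) + body
    return bytes(container)


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Roughly what `strings -n 4` prints: runs of printable ASCII."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    packed = compress(MODULE1_SRC)
    print(printable_runs(packed))       # the 8-character fragments seen in `strings a3_bin`
    print(decompress(packed).decode())  # the readable source
```

Run as-is, the fragment list comes out as `Attribut`, `e VB_Nam`, `e = "Mod`, `ule1"`, `ub autoo`, `pen()`, `heDarkSi`, `End `, which is the same split the writeup saw; the only back-reference the encoder finds in this short module is the second `Sub`, so everything before it is literal runs separated by `0x00` flag bytes.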
