# Description

### Title: PleaseClickAlltheThings

Note: this challenge is the start of a series of challenges. The purpose of this CTF challenge is to bring real-world phishing attachments to the challengers and attempt to find flags (previously executables or malicious domains) within the macros. This is often a process used in IR teams and becomes an extremely valuable skill. In this challenge we’ve brought to the table a malicious HTML file, a GandCrab/Ursnif sample, and an IceID/Bokbot sample. We’ve rewritten the code to not contain malicious execution; however, system changes may still occur when executing. Also, some of the functionalities have been snipped and will likely not expose themselves via dynamic analysis.

- Outlook helps, with proper licensing to access necessary features
  - Otherwise oledump or similar would also help but isn’t necessary
- CyberChef is the ideal tool to use for decoding

This challenge is brought to you by SRA

PASSWORD: RITSEC

# Solution

Each solution is in the corresponding folder

### Sub-challenges
- [BeginnersRITSEC.html](/RITSEC-2021/forensics/Please%20Click%20All%20The%20Things/solve/BeginnersRITSEC.html/solve.md)
- [GandCrab](/RITSEC-2021/forensics/Please%20Click%20All%20The%20Things/solve/GandCrab_Ursnif/solve.md)
- Ursnif (Unsolvable, so the corresponding challenge was removed)
- [IceID](/RITSEC-2021/forensics/Please%20Click%20All%20The%20Things/solve/IceID_BokBot/solve_IceId.md)
- BokBot (Unsolved; Challenge was fixed after CTF; I have provided the fixed file)

Original writeup (https://github.com/black-tul1p/CTF-Writeups/tree/main/RITSEC-2021/forensics/Please%20Click%20All%20The%20Things).