Game Invitation

Personal Rating: Medium

We have a docm file. I extracted it to have a look at the contents. There is an obfuscated VB script inside. I beautified each XML file to make them more readable. The only interesting file is vbaProject.bin.

From core.xml you can read that the file was created and last modified by 'developer'.
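As an added example (not code from this writeup), here is how the same first-pass triage can be scripted instead of done by hand: a .docm is an OOXML zip, so the parts can be listed, the creator and lastModifiedBy read from docProps/core.xml, and the presence of word/vbaProject.bin (the part that holds VBA macros) flagged. The sample document is constructed in memory for the demo; the vbaProject.bin content is a placeholder, not a real VBA project.

```python
"""Triage a macro-enabled Word document (.docm) as an OOXML zip container.

Added example, not part of the original writeup. It builds a small
constructed .docm in memory (only the parts needed for the demo) and then
inspects it the way the writeup does by hand: list the parts, read
creator / lastModifiedBy from docProps/core.xml, and flag word/vbaProject.bin.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml (standard OOXML core properties / Dublin Core).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docm() -> bytes:
    """Construct a minimal fake .docm container for the demo (not a real malicious file)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>developer</dc:creator>"
        "<cp:lastModifiedBy>developer</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<w:document/>")
        # Placeholder bytes standing in for a compiled VBA project (an OLE
        # container in a real file); for triage only its presence matters.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage_docm(data: bytes) -> dict:
    """Return part list, core metadata and a macro indicator for an OOXML document."""
    result = {"parts": [], "creator": None, "last_modified_by": None, "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = sorted(names)
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            creator = root.find("dc:creator", NS)
            modifier = root.find("cp:lastModifiedBy", NS)
            result["creator"] = creator.text if creator is not None else None
            result["last_modified_by"] = modifier.text if modifier is not None else None
        # Any part named vbaProject.bin means the document carries VBA macros,
        # which is the cue to hand it to olevba for extraction.
        result["has_vba"] = any(name.lower().endswith("vbaproject.bin") for name in names)
    return result


if __name__ == "__main__":
    info = triage_docm(build_sample_docm())
    for key, value in info.items():
        print(f"{key}: {value}")
```

To run it against a real sample, replace build_sample_docm() with the bytes of the file on disk; everything in triage_docm() is plain zipfile and ElementTree, so no extra packages are needed before reaching for olevba.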

In document.xml, only this might be interesting:

olevba (part of oletools) can be used to extract the VBA script and attempt to deobfuscate it: https://github.com/decalage2/oletools

python3 olevba.py /HTBfolder/CTF-2024-HTB/Game\ Invitation/invitation.docm

I deobfuscated the file and wrote some explanatory comments:

After understanding the script, I decided that the easiest way to proceed would be to just execute it to obtain the generated "mailform.js" file. For this to work on a test laptop, I removed the AutoClose() function and the domain check on lines 26-33, so that the script would run regardless of the user's domain and would not delete itself when the document is closed.

Executing the script in the document worked (I used a Windows PC with no internet connection and Office Word to test it).

Now we are faced with a JavaScript file, once again obfuscated:

I beautified and deobfuscated it enough to understand roughly what it does:

Normally this script would execute the resulting string with eval(), so the resulting code is another JavaScript stage. I edited the script to return the string instead, as you can see on line 5.

The resulting string was another obfuscated JavaScript file. I once again deobfuscated and beautified it a little.

Before deobfuscating it further, I found this part:

I decoded the cookie, which was base64 encoded. This returned the flag, so I did not have to deobfuscate the JS further.

HTB{m4ld0cs_4r3_g3tt1ng_Tr1cki13r}
