[原创][Flare-on7] Challenge4 report -Writeup

发表于: 2020-10-28 17:34 3185

[原创][Flare-on7] Challenge4 report -Writeup

Harmonica_11 活跃值

2020-10-28 17:34

3185

题目描述

Nobody likes analysing infected documents, but it pays the bills. Reverse this macro thrill-ride to discover how to get it to show you the key.

0x0

这题给了一个名为report.xls的文件，打开后是一种常见的社工手法
图片描述
但如果启用宏，会显示

这是因为对文件进行了一些特殊操作，可以参考https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
这里先不管它，直接分析宏

0x1

Private Declare Function InternetGetConnectedState Lib "wininet.dll" _
(ByRef dwflags As Long, ByVal dwReserved As Long) As Long
 
Private Declare PtrSafe Function mciSendString Lib "winmm.dll" Alias _
   "mciSendStringA" (ByVal lpstrCommand As String, ByVal _
   lpstrReturnString As Any, ByVal uReturnLength As Long, ByVal _
   hwndCallback As Long) As Long
 
Private Declare Function GetShortPathName Lib "kernel32" Alias "GetShortPathNameA" _
    (ByVal lpszLongPath As String, ByVal lpszShortPath As String, ByVal lBuffer As Long) As Long
 
Public Function GetInternetConnectedState() As Boolean
  GetInternetConnectedState = InternetGetConnectedState(0&, 0&)
End Function
 
Function rigmarole(es As String) As String
    Dim furphy As String
    Dim c As Integer
    Dim s As String
    Dim cc As Integer
    furphy = ""
    For i = 1 To Len(es) Step 4
        c = CDec("&H" & Mid(es, i, 2))
        s = CDec("&H" & Mid(es, i + 2, 2))
        cc = c - s
        furphy = furphy + Chr(cc)
    Next i
    rigmarole = furphy
End Function
 
Function folderol()
    Dim wabbit() As Byte
    Dim fn As Integer: fn = FreeFile
    Dim onzo() As String
    Dim mf As String
    Dim xertz As Variant
 
    onzo = Split(F.L, ".")
 
    If GetInternetConnectedState = False Then
        MsgBox "Cannot establish Internet connection.", vbCritical, "Error"
        End
    End If
 
    Set fudgel = GetObject(rigmarole(onzo(7)))
    Set twattling = fudgel.ExecQuery(rigmarole(onzo(8)), , 48)
    For Each p In twattling
        Dim pos As Integer
        pos = InStr(LCase(p.Name), "vmw") + InStr(LCase(p.Name), "vmt") + InStr(LCase(p.Name), rigmarole(onzo(9)))
        If pos > 0 Then
            MsgBox rigmarole(onzo(4)), vbCritical, rigmarole(onzo(6))
            End
        End If
    Next
 
    xertz = Array(&H11, &H22, &H33, &H44, &H55, &H66, &H77, &H88, &H99, &HAA, &HBB, &HCC, &HDD, &HEE)
 
    wabbit = canoodle(F.T.Text, 0, 168667, xertz)
    mf = Environ(rigmarole(onzo(0))) & rigmarole(onzo(1))
    Open mf For Binary Lock Read Write As #fn
      Put #fn, , wabbit
    Close #fn
 
    mucolerd = mciSendString(rigmarole(onzo(2)) & mf, 0&, 0, 0)
End Function
 
Function canoodle(panjandrum As String, ardylo As Integer, s As Long, bibble As Variant) As Byte()
    Dim quean As Long
    Dim cattywampus As Long
    Dim kerfuffle() As Byte
    ReDim kerfuffle(s)
    quean = 0
    For cattywampus = 1 To Len(panjandrum) Step 4
        kerfuffle(quean) = CByte("&H" & Mid(panjandrum, cattywampus + ardylo, 2)) Xor bibble(quean Mod (UBound(bibble) + 1))
        quean = quean + 1
        If quean = UBound(kerfuffle) Then
            Exit For
        End If
    Next cattywampus
    canoodle = kerfuffle
End Function

代码对用到的数据进行了隐藏，放在了窗体F里，用rigmarole来解密使用
图片描述

L="9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64"
onzo = L.split(".")
def rigmarole(es):
    furphy = ""
    for i in range(0,len(es),4):
        c = eval('0x'+es[i:i+2])
        s = eval('0x'+es[i+2:i+4])
        cc = c - s
        furphy += chr(cc)
    print(furphy)
 
for i in range(len(onzo)):
    print(str(i)+"  ",end="")
    rigmarole(onzo[i])

可以得到

0  AppData
1  \Microsoft\stomp.mp3
2  play 
3  FLARE-ON
4  Sorry, this machine is not supported.
5  FLARE-ON
6  Error
7  winmgmts:\\.\root\CIMV2
8  SELECT Name FROM Win32_Process
9  vbox
10  WScript.Network
11  \Microsoft\v.png

根据代码的逻辑，得到一个stomp.mp3文件。

0x2

分析得到的mp3并没有flag，但是给了一个提示
图片描述
这个文件使用了VBA stomp技术，可以参考https://vbastomp.com/
使用pcode2code,得到

      Function folderol(id_FFFE As Variant)
        Dim wabbit As Byte
        Dim fn As Integer: fn = FreeFile
        Dim onzo As String
        Dim mf As String
        Dim xertz As Variant
        Dim buff(0 To 7) As Byte
 
        onzo = Split(F.L, ".")
 
        If GetInternetConnectedState = False Then
          MsgBox "Cannot establish Internet connection.", vbCritical, "Error"
          End
        End If
 
        Set fudgel = GetObject(rigmarole(onzo(7)))
        Set twattling = fudgel.ExecQuery(rigmarole(onzo(8)), , 48)
        For Each p In twattling
          Dim pos As Integer
          pos = Instr(LCase(p.Name), "vmw") + Instr(LCase(p.Name), "vmt") + Instr(LCase(p.Name), rigmarole(onzo(9)))
          If pos > 0 Then
            MsgBox rigmarole(onzo(4)), vbCritical, rigmarole(onzo(6))
            End
          End If
        Next
 
        xertz = Array(&H11, &H22, &H33, &H44, &H55, &H66, &H77, &H88, &H99, &HAA, &HBB, &HCC, &HDD, &HEE)
 
        Set groke = CreateObject(rigmarole(onzo(10)))
        firkin = groke.UserDomain
        If firkin <> rigmarole(onzo(3)) Then
          MsgBox rigmarole(onzo(4)), vbCritical, rigmarole(onzo(6))
          End
        End If
 
        n = Len(firkin)
        For i = 1 To n
          buff(n - i) = Asc(Mid$(firkin, i, 1))
        Next
 
        wabbit = canoodle(F.T.Text, 2, 285729, buff)
        mf = Environ(rigmarole(onzo(0))) & rigmarole(onzo(11))
        Open mf For Binary Lock Read Write As #fn
' a generic exception occured at line 68: cannot concatenate 'str' and 'NoneType' objects
'    # Ld fn
'    # Sharp
'    # LitDefault
'    # Ld wabbit
'    # PutRec
        Close #fn
 
        Set panuding = Sheet1.Shapes.AddPicture(mf, False, True, 12, 22, 600, 310)
      End Function

生成MP3的部分改为了生成图片

def canoodle(panjandrum):
    bibble="NO-ERALF"
    kerfuffle=[]
    quean = 0
    for i in range(0,len(panjandrum),4):
        kerfuffle.append(eval('0x'+panjandrum[i+2:i+4])^ord(bibble[quean%8]))
        quean+=1
 
    with open(r"C:\Users\My\Desktop\flareon4",'ab')as F:
        for i in range(len(kerfuffle)):
            F.write(bytes([kerfuffle[i]]))

图片描述

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

上传的附件：

report.xls （1.47MB，1次下载）

收藏・0

免费・1

支持

最新回复 (1)
wmsuper 雪币： 10868 活跃值： (14664) 能力值： ( LV13，RANK：400 ) 在线值：发帖 36 回帖 136 粉丝 327 关注私信	wmsuper 7 2 楼太强了 2020-10-28 18:04 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

Harmonica_11

发帖

回帖

RANK

关注

私信

他的文章

[原创][Flare-on7] Challenge4 report -Writeup 3186

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
wmsuper 雪币： 10868 活跃值： (14664) 能力值： ( LV13，RANK：400 ) 在线值：发帖 36 回帖 136 粉丝 327 关注私信	wmsuper 7 2 楼太强了 2020-10-28 18:04 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复