Intergalactic Federation stated that it managed to prevent a large-scale phishing campaign that targeted all space personnel across the galaxy. The enemy's goal was to add as many spaceships to their space-botnet as possible so they can conduct distributed destruction of intergalactic services (DDOIS) using their fleet. Since such a campaign can be easily detected and prevented, malicious actors have changed their tactics. As stated by officials, a new spear phishing campaign is underway aiming at high-value targets. Now Klaus asks your opinion about a mail it received from "sales@unlockyourmind.gal", claiming that in their galaxy it is possible to recover its memory back by following the steps contained in the attached file.

Information
Challenge: Free Services
Category: Forensics
Difficulty: Easy
Files: ‘Free Services.zip’ 115 KB
free_decryption.xlsm 137 KB
Environment: Remnux VM
My Recommendations
Download it from Hack The Box and verify it with:
sha256sum /path/to/'Free Services.zip'
SHA256SUM:
c2eca3cf104ec8cabdebe3e88aba3c5d544dc03957616c0c685cb851cfe0d791
Walkthrough
1. Document Analysis
Looking at the file with Olevba, vMonkey, or even xlmdeobfuscator returns nothing. So instead of waiting around, I’m going to open the file:
libreoffice free_decryption.xlsm
This is basically what is going on: the integers in columns E, F, and G are XORed with 24. So I export the Macro1 sheet as ‘macro1.csv’ and open it in Python.
import pandas

column_names = ['A', 'B', 'C', 'D', 'E', 'F', 'G']
df = pandas.read_csv("macro1.csv", names=column_names)
# Int64 is pandas' nullable integer dtype
df['E'] = df['E'].astype("Int64")
df['F'] = df['F'].astype("Int64")
df['G'] = df['G'].astype("Int64")
# Zero the F and G cells of row 257 so the XOR below works on them
df.loc[257, 'F'] = 0
df.loc[257, 'G'] = 0
xored_dict = []
for idx, rows in df.iterrows():
    # Undo the XOR with 24, reading E, F, G left to right in each row
    xored_dict.append(df.loc[idx, 'E'] ^ 24)
    xored_dict.append(df.loc[idx, 'F'] ^ 24)
    xored_dict.append(df.loc[idx, 'G'] ^ 24)
print(''.join(chr(i) for i in xored_dict))
It returns some nonsense, but you can find the common flag strings at the end of the string. It seems like every other character needs to be kicked out.
chars = [chr(i) for i in xored_dict]
print(''.join(chars[::2]))
And here is the flag!
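
The same decoding without pandas, as an added example that is not part of the original write-up: it skips blank cells instead of patching row 257 by hand, and it runs on constructed sample data. The function names, the sample CSV and the EXAMPLE{...} string are assumptions made up for this example; blank cells are assumed to occur only at the end of the data.

```python
import csv
import io

XOR_KEY = 24              # key the walkthrough reads off the Macro1 sheet
DATA_COLUMNS = (4, 5, 6)  # zero-based positions of columns E, F, G


def cell_values(csv_text, columns=DATA_COLUMNS):
    """Yield integer cells from the data columns, row by row, skipping blanks."""
    for row in csv.reader(io.StringIO(csv_text)):
        for col in columns:
            cell = row[col].strip() if col < len(row) else ""
            if not cell:
                continue  # trailing blank cell in a short last row
            yield int(float(cell))  # spreadsheet exports may write 65 as 65.0


def decode(csv_text, key=XOR_KEY, step=2, offset=0):
    """XOR every cell with the key, then keep every `step`-th character."""
    chars = [chr(v ^ key) for v in cell_values(csv_text)]
    return "".join(chars[offset::step])


def build_sample(secret, key=XOR_KEY):
    """Constructed input: interleave the secret with filler, lay it out in E..G."""
    stream = []
    for ch in secret:
        stream += [ord(ch) ^ key, ord("#") ^ key]  # real char, then filler
    out = io.StringIO()
    writer = csv.writer(out)
    for i in range(0, len(stream), 3):
        chunk = stream[i:i + 3]
        # columns A-D stay empty; pad a short last row with blank cells
        writer.writerow(["", "", "", ""] + chunk + [""] * (3 - len(chunk)))
    return out.getvalue()


SAMPLE_SECRET = "EXAMPLE{constructed_value}"  # constructed, not the real flag
SAMPLE_CSV = build_sample(SAMPLE_SECRET)

if __name__ == "__main__":
    print(decode(SAMPLE_CSV))            # characters at even positions
    print(decode(SAMPLE_CSV, offset=1))  # the discarded filler characters
```

To run it on the real export, read macro1.csv into a string and pass it to decode().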