Jun 19, 2022
📝 TryHackMe. Walkthrough: Mr. Phisher
- The Site: TryHackMe
- Name room: Mr. Phisher
- Difficulty: Easy
We need to examine a file with the extension .docm that was received in a phishing email. The file contains macros that can be dangerous when the file is opened.
This is a task we have to do in Ubuntu with the MATE shell. For me this is not very convenient, so the first thing I did was to download the file to my local machine by going to the directory /home/ubuntu/mrphisher/ in the terminal:
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
After that, from your local machine you can open http://machine_ip:8000/ and download the file MrPhisher.docm.
To analyze the file I used oletools.
$ olevba MrPhisher.docm
...
VBA MACRO NewMacros.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Format()
    Dim a()
    Dim b As String
    a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)
    For i = 0 To UBound(a)
        b = b & Chr(a(i) Xor i)
    Next
End Sub
Extract the Visual Basic code from the file and rewrite it in Python. The macro XORs every byte of the array with its own index (Chr(a(i) Xor i)), so the Python version does the same:
a = [102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118,
     47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88]
# i is the position in the array, c is the obfuscated byte; c ^ i restores the original character
for i, c in enumerate(a):
    print(chr(c ^ i), end='')
print()
Execute the script and get the flag.
Answer: f**g{*******a239aacd40c948d852a5c*****}