Hi, my name is Vitalii Rudnykh 👋

Jun 19, 2022

📝 TryHackMe. Walkthrough: Mr. Phisher


We need to examine a file with the extension .docm that was received in a phishing email. A .docm file is a macro-enabled Word document: the VBA macros it contains run as soon as the document is opened with macros enabled, so the file has to be analyzed without opening it in Word.

This is a task we have to do in Ubuntu with the MATE shell. For me this is not very convenient, so the first thing I did was to download the file to my local machine: in a terminal on the target machine, go to the directory /home/ubuntu/mrphisher/ and start a simple web server there:

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

After that, from your local machine you can open http://machine_ip:8000/ (where machine_ip is the address of the TryHackMe machine) and download the file MrPhisher.docm.

To analyze the file I used oletools. Its olevba tool lists and extracts the VBA macros stored in an Office document without executing them:

$ olevba MrPhisher.docm
...
VBA MACRO NewMacros.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Format()
Dim a()
Dim b As String
a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)
For i = 0 To UBound(a)
b = b & Chr(a(i) Xor i)
Next
End Sub

The macro builds the string b by taking each element of the array and XORing it with its own index (Chr(a(i) Xor i)); the result is never displayed, so the string has to be recovered by hand. Extract the Visual Basic code from the file and rewrite that loop in Python, which reproduces the string without ever running the macro.

# Byte values copied from the Array(...) literal in the macro
a = [102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118,
     47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88]

# Same transform as the VBA loop: XOR each byte with its own index, then convert to a character
flag = ''.join(chr(value ^ i) for i, value in enumerate(a))
print(flag)

Execute the script and get the flag.
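The steps above (extract the macro with olevba, find the byte array, reproduce the decode loop) can be automated so the same check works on other attachments that use the same trick. The following script is an added example and is not part of the original walkthrough: it parses olevba's text output for a numeric Array(...) literal, confirms the macro decodes it with a Chr(a(i) Xor i) loop, and applies that transform itself. It also tolerates the line break that the blog rendering inserted inside the Array(...) call. The macro text embedded below is the one olevba printed on this page; the optional macros_from_document helper uses the VBA_Parser class of the real oletools library and only runs if oletools is installed.

```python
import re

# The macro body exactly as olevba printed it on this page (the line break inside
# Array(...) comes from the blog rendering, and the parser must tolerate it).
OLEVBA_OUTPUT = """\
VBA MACRO NewMacros.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Format()
Dim a()
Dim b As String
a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35
, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)
For i = 0 To UBound(a)
b = b & Chr(a(i) Xor i)
Next
End Sub
"""

# "<name> = Array( ... )" whose body is only digits, commas and whitespace (newlines included).
ARRAY_RE = re.compile(r"(\w+)\s*=\s*Array\(([\d\s,]+)\)", re.IGNORECASE)
# The decode loop body "Chr(<name>(<idx>) Xor <idx>)": array element XORed with its own index.
XOR_INDEX_RE = re.compile(r"Chr\(\s*(\w+)\((\w+)\)\s+Xor\s+\2\s*\)", re.IGNORECASE)


def extract_numeric_arrays(vba_source):
    """Return {array_name: [ints]} for every numeric Array(...) literal in the macro text."""
    arrays = {}
    for name, body in ARRAY_RE.findall(vba_source):
        arrays[name] = [int(tok) for tok in re.findall(r"\d+", body)]
    return arrays


def decode_xor_index(values):
    """Apply the macro's transform: element i is XORed with its own index i."""
    return "".join(chr(v ^ i) for i, v in enumerate(values))


def is_printable(text):
    """Sanity check: a correct decode of this kind of macro yields printable ASCII only."""
    return all(32 <= ord(ch) < 127 for ch in text)


def decode_macro(vba_source):
    """Find arrays that the macro decodes with Chr(a(i) Xor i) and return their plaintext.

    Only arrays that are actually referenced by such a loop are decoded, and results
    that are not printable are dropped, since they indicate a different transform.
    """
    arrays = extract_numeric_arrays(vba_source)
    results = {}
    for match in XOR_INDEX_RE.finditer(vba_source):
        name = match.group(1)
        if name in arrays:
            decoded = decode_xor_index(arrays[name])
            if is_printable(decoded):
                results[name] = decoded
    return results


def macros_from_document(path):
    """Extract macro source from a real .docm with oletools (the library behind olevba).

    Requires `pip install oletools`; imported lazily so the rest of the script
    works without it. Returns a list of VBA source strings, one per module.
    """
    from oletools.olevba import VBA_Parser  # same parser olevba uses

    parser = VBA_Parser(path)
    try:
        if not parser.detect_vba_macros():
            return []
        return [code for (_, _, _, code) in parser.extract_macros()]
    finally:
        parser.close()


if __name__ == "__main__":
    # Decode the macro shown on this page; for a file, use macros_from_document("MrPhisher.docm").
    for name, text in decode_macro(OLEVBA_OUTPUT).items():
        print(f"{name}: {text}")
```

The script never executes the macro: it only reads the VBA source text, so it is safe to run against any document. Because decode_macro only decodes arrays that the macro itself feeds through the index-XOR loop, a document with several byte arrays and a different obfuscation scheme will simply return an empty result instead of a misleading string.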


Answer: f**g{*******a239aacd40c948d852a5c*****}