This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This time we’re looking at the last task – Attacker 5
We will use some familiar applications (oledump, CyberChef and vipermonkey) and a new one (scdbgc).
Question 1:
What is the caption you found in the maldoc?
We’re looking for a string caption, so let’s try oledump to see what streams we’ve got in the document:
So we’ve got a few, and some with VBA macros as well. Let’s try extracting the strings from all streams, using -s a to select every stream and -S to run a strings-style scan over each one:
oledump.py attacker5.doc -s a -S
This gives us lots of strings. Using the same technique we’ve used before, let’s narrow it down with grep. We’re looking for a caption, so the string caption is a sensible place to start:
oledump.py attacker5.doc -s a -S | grep -i caption
Which gives us exactly what we want:
Question 2:
What is the XOR decimal value found in the decoded-base64 script?
The question speaks about a decoded base64 script, so first we need to find this script.
We can use vipermonkey to emulate the VBA macros and dump what the scripts are running:
vmonkey attacker5.doc
vipermonkey finds a potentially base64 encoded string:
Let’s start by trying to decode this in CyberChef. Adding the From Base64 and Remove null bytes operations to the recipe gives us a decoded script. The null bytes are there because this layer is a UTF-16LE PowerShell command (the format powershell -EncodedCommand expects), so decoding the text as UTF-16LE is an equivalent, cleaner alternative to stripping the nulls.
Notice that this script still contains nonsense. Looking at this decoded script, we can notice two things:
- We can see a call to FromBase64String, which suggests there is further base64 encoding happening here.
- Towards the bottom, we can see the string New-Object IO.Compression.GzipStream. This means the script has also been compressed, and will need decompressing.
CyberChef can do this for us. Copy the further encoded base64 string and put it in a new CyberChef window. Add From Base64 and then the Gunzip operation to the recipe, and make sure Remove null bytes is disabled this time: the inner blob is binary gzip data (it should start with the magic bytes 1f 8b), and stripping nulls from it would corrupt the stream. We get the fully decoded script.
We’re looking for the XOR decimal value, so search the output for the phrase xor, and we will find the answer:
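The same two layers can be unwrapped outside CyberChef. The script below is an added example and is not code from the original write-up or from the TryHackMe room; the payload it works on is constructed to mirror the structure described above (outer base64 wrapping a UTF-16LE PowerShell loader, which itself carries a base64 + gzip inner script), and the inner base64 argument and variable names are placeholders. It checks the gzip magic bytes before decompressing, and pulls the decimal -bxor key from the final script.

```python
"""Unwrap the layered payload described in Question 2 without CyberChef.

Added example, not code from the original write-up or from the TryHackMe
room. The payload below is CONSTRUCTED to mirror the structure the
walkthrough describes (base64 -> UTF-16LE PowerShell loader that calls
FromBase64String and GzipStream -> final script); attacker5.doc's real
content is not reproduced.
"""
import base64
import gzip
import re

# Constructed stand-in for the fully decoded script. The -bxor value is the
# one the walkthrough recovered (35); the base64 argument is a placeholder.
FINAL_SCRIPT = (
    "$data = [Convert]::FromBase64String('QUJDREVGR0g=')\n"
    "for ($i = 0; $i -lt $data.Length; $i++) { $data[$i] = $data[$i] -bxor 35 }\n"
)


def build_sample_payload(final_script):
    """Apply the layers in reverse to produce the outer base64 string that
    vipermonkey would report: gzip + base64 the final script, embed it in a
    PowerShell gunzip loader, then UTF-16LE-encode and base64 the loader
    (which is exactly what powershell -EncodedCommand expects)."""
    inner_b64 = base64.b64encode(gzip.compress(final_script.encode())).decode()
    loader = (
        "$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String('"
        + inner_b64 + "'))\n"
        "$gz = New-Object IO.Compression.GzipStream($ms,"
        "[IO.Compression.CompressionMode]::Decompress)\n"
        "IEX (New-Object IO.StreamReader($gz)).ReadToEnd()\n"
    )
    return base64.b64encode(loader.encode("utf-16-le")).decode()


def decode_layer1(outer_b64):
    """Layer 1: base64 -> UTF-16LE text. Decoding as UTF-16LE is the clean
    equivalent of CyberChef's 'Remove null bytes' on this layer."""
    return base64.b64decode(outer_b64).decode("utf-16-le")


def decode_layer2(loader_script):
    """Layer 2: take the FromBase64String argument, check the gzip magic
    bytes (1f 8b) so we know decompression is the right next step, gunzip."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", loader_script)
    if not m:
        raise ValueError("no FromBase64String() argument found")
    blob = base64.b64decode(m.group(1))
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("inner blob is not gzip data (magic %r)" % blob[:2])
    return gzip.decompress(blob).decode()


def find_xor_key(script):
    """Pull the decimal key out of a PowerShell '-bxor N' expression."""
    m = re.search(r"-bxor\s+(\d+)", script, re.IGNORECASE)
    if not m:
        raise ValueError("no -bxor key found in script")
    return int(m.group(1))


def unwrap(outer_b64):
    """Run both layers and return (final_script, xor_key)."""
    loader = decode_layer1(outer_b64)
    final = decode_layer2(loader)
    return final, find_xor_key(final)


if __name__ == "__main__":
    sample = build_sample_payload(FINAL_SCRIPT)
    script, key = unwrap(sample)
    print(script)
    print("XOR key (decimal):", key)
```

On a real sample you would paste the base64 string vipermonkey reported into unwrap() instead of building one; the magic-byte check is the quick way to confirm that gunzip, rather than another base64 or text layer, is the right next step.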
Question 3:
Provide the C2 IP address of the Cobalt Strike server
To get this answer, we need to do some further analysis of the script we’ve just decoded. At first glance, we can see there is yet more base64 encoded text in the script. We’ve also established that something is XOR’d with the decimal value 35, and the odds are that this applies to the base64 encoded string.
Copy the encoded string into a new CyberChef window, add the From Base64 operation, and after that add the XOR operation using the decimal value 35 as the key.
The output we get is still mostly nonsense, but there is some legible information in there, because a single-byte XOR leaves the shellcode’s embedded strings readable once the key is known. There is a user agent and, most importantly, there is an IP address at the bottom:
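The base64-then-XOR step, plus pulling the user agent and IP out of the result, as an added example that is not code from the original write-up or the TryHackMe room. The blob it decodes is constructed: filler bytes, a User-Agent header and an IP string, XOR’d with the key 35 the walkthrough recovered and then base64’d; the 192.0.2.10 address (an RFC 5737 documentation range) and the user-agent text are placeholders, not the room’s answers. It also shows the crib-search you would use if the key had not been visible in the script.

```python
"""Decode the XOR'd blob from Question 3 and pull the IOCs out of it.

Added example, not code from the original write-up or the TryHackMe room.
The blob is CONSTRUCTED: some opcode-looking filler bytes, a User-Agent
header and an IP string, XOR'd with the key 35 the walkthrough recovered
and then base64'd. 192.0.2.10 (an RFC 5737 documentation address) and the
user-agent text are placeholders, not the room's answers.
"""
import base64
import re

XOR_KEY = 35  # decimal value recovered in Question 2


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key for b in data)


def build_sample_blob(key=XOR_KEY):
    """Construct a stand-in for the base64 string found in the final script."""
    fake_shellcode = (
        b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2"              # filler
        b"User-Agent: Mozilla/5.0 (constructed example)\r\n\x00"
        b"\x8b\x52\x30\x8b\x52\x0c"                                  # filler
        b"192.0.2.10\x00"
    )
    return base64.b64encode(xor_bytes(fake_shellcode, key)).decode()


def decode_blob(b64, key=XOR_KEY):
    """The two CyberChef steps from the walkthrough: From Base64, then XOR."""
    return xor_bytes(base64.b64decode(b64), key)


def recover_key(b64, crib=b"User-Agent"):
    """If the key were not known, brute-force all 256 single-byte keys and
    keep those under which a known plaintext fragment (the crib) appears."""
    raw = base64.b64decode(b64)
    return [k for k in range(256) if crib in xor_bytes(raw, k)]


def extract_strings(data, min_len=6):
    """Runs of printable ASCII, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_iocs(data):
    """User agent and dotted-quad IPs from the decoded shellcode. The port
    is not stored as a string, which is why the walkthrough reads it from
    the scdbgc emulation output instead."""
    text = data.decode("latin-1")
    ua = re.search(r"User-Agent:\s*([^\r\n\x00]+)", text)
    ips = [ip for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)
           if all(int(o) <= 255 for o in ip.split("."))]
    return {"user_agent": ua.group(1) if ua else None, "ips": ips}


if __name__ == "__main__":
    blob = build_sample_blob()
    shellcode = decode_blob(blob)
    print("candidate keys:", recover_key(blob))
    print("strings:", extract_strings(shellcode))
    print("iocs:", extract_iocs(shellcode))
```

Writing decode_blob()’s output to a file gives you the same raw shellcode the walkthrough saves from CyberChef for scdbgc in Question 5.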
Question 4:
Provide the full user-agent found
We found a user agent in the previous question, and it turns out to be important. Go back and copy it:
Question 5:
Provide the path value for the Cobalt Strike shellcode
The mixture of plaintext and nonsense that we’ve got from our previous question is shellcode. We can use shellcode analysis applications like scdbgc to look at this.
First of all, save the output that we’ve got from CyberChef to a file so we can use it with scdbgc:
Save this file with the default name, then in your terminal window run scdbgc, loading this file with -f and passing the -s option with the argument -1. This tells the emulator to run an unlimited number of steps and will, hopefully, give us as much information as possible:
scdbgc -f ~/Downloads/download.dat -s -1
You get the contents of the shellcode:
In this output, we can see the word path followed by the path value:
Question 6:
Provide the port number of the Cobalt Strike C2 Server
We can find this in the output for the previous question too. Look for the port next to the IP address:
Question 7:
Provide the first two APIs found
This answer is also in the output we already have. Look at the first two API calls that are made in the list:
Attacker 5 defeated, and so ends our walkthrough of the TryHackMe room Squid Game.