Tryhackme Embedded Marcos in Word Mr. Phisher Walkthrough

 

 

 

We'll be looking at a tryhackme room called MrPhisher so it says that i received a suspicious email with a very weird looking attachment it keeps on asking me to enable Macros what are those so this straight away gives us a hint that we are going to deal with Macros So, Macros is a type of scripting language that you know you can embed in a excel or a word file so that it can even try to automate things to an extent so nothing challenging it just says that files you need are located in the home ubuntu MrPhisher on virtual machine and i have the vm(virtual machine) open up right here.
 

 

When we start the machine, we found two files in home directory. “MrPhisher.docm” is a document with the ability to run macros and the zip file has the same file but compressed.

 

 

 

 

 

If we try to get open the file, we see the document indeed contain macros.

 

 

The document shows this one image.


Now, to view and edit macros using Libre Office, go to Tools menu, choose Macros > Edit Macros. This opens a list of macros available in the currently open document.

This macro contains a visual basic script...

 

If you want copy this file in your loca;l machine then you can try this with netcat, To make easy the analysis and be able to download needed tools, I transferred the file to my local machine with netcat.

 

Local machine:

nc -nlvp <PORT> > MrPhisher.docm

Remote machine:

Setting listener and getting file.

nc <IP> <PORT> < MyPhisher.docm



As a note, is important to verify the integrity of the transferred file, in previous images you can see I checked MD5 hash, and it’s the same.

via md5sum

md5sum MrPhisher.docm
 

But we will use into vm direct.. this code is here...

 

 

 

Rem Attribute VBA_ModuleType=VBAModule
Option VBASupport 1

Sub Format()

Dim a()

Dim b As String

a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)

For i = 0 To UBound(a)

b = b & Chr(a(i) Xor i)

Next

End Sub

 

 

 

Three things are done here:

•     XOR operation is done with a value and it's index in the array.
•     The result of this operation is converted to a character.
•     This character is appended to a string. The resulting string is a flag for this challenge.

I wrote a Python script to solve this challenge. The code can be found down below.

 

 

#! /usr/bin/env python3

# Values array
a = [102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88]

# Array to store letters
flag = []

# Do XOR operation with a value and it's index
for i in range(len(a)):
    flag.append(chr(a[i] ^ int(i)))

# Join letters to a word
print("".join(flag))

 

 

Lets Run

 

 

 

 

 

ubuntu@thm-mr-phisher:~/mrphisher$ nano hackingtruth-oledump.py
ubuntu@thm-mr-phisher:~/mrphisher$ nano hackingtruth-oledump.py
ubuntu@thm-mr-phisher:~/mrphisher$ nano hackingtruth-oledump.py
ubuntu@thm-mr-phisher:~/mrphisher$ python3 hackingtruth-oledump.py
flag{a39a07a239aacd40c948d852a5c9f8d1}
ubuntu@thm-mr-phisher:~/mrphisher$ #hackingtruth.org
ubuntu@thm-mr-phisher:~/mrphisher$ #hackingtruth.in
ubuntu@thm-mr-phisher:~/mrphisher$ 

 

 

Done.

 

 

Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.