Mr. Phisher TryHackMe Walkthrough

As always, the first step is to gain access to the documents for the challenge. After spawning the challenge, we gain access to the document in the web virtual machine.

Working with a browser-based VM isn't really a good idea if you are using a system with low resources, so my first task was to download the files to my box. To be able to do this, I first needed the IP address of the system. I obtained the IP address of the system by running the command

ip a

After obtaining the IP address of the system, I set up a python3-based web server using the command

python3 -m http.server

Then I downloaded the documents to my system.

Sweet, the next step is analysis of the document. I normally use a tool called olevba to analyze documents for macros. olevba is part of oletools, a package of Python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.

To install it, run the command

pip3 install oletools

After installing the tool, run it with the command

olevba <document file>

Looking at the screenshot below, it was able to extract a macro, and it even marked the macro as suspicious.

Sweet. Step 1 completed. The same can be achieved by using a document reader like LibreOffice and looking at the macro, but I think it's much more work. Secondly, opening a macro that is suspected to be malicious is such a big gamble that I am really not sure I would want to take it. The next step is analysis. I went the route of dynamic analysis since it's much simpler compared to static code analysis. First I needed a VB compiler, and there is an online compiler that works pretty well.

online_vb_compiler

I decided to run the code from the online VB compiler and got some nasty errors.

The errors were caused by variable declaration in Visual Basic. I spent about an hour debugging since it was my first time writing Visual Basic code.

The following websites helped me during the debugging process:

  1. https://www.javatpoint.com/vb-net-arrays
  2. https://www.tutorialspoint.com/vb.net/vb.net_fornext_loops.htm
  3. https://stackoverflow.com/questions/31910324/variable-declaration-without-an-as-clause-type-of-object-assumed
  4. https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/arrays/how-to-initialize-an-array-variable
  5. https://docs.microsoft.com/en-us/dotnet/visual-basic/misc/bc42020

Finally, I found the right way of instantiating an array in Visual Basic.

Below is the source code:

'                             Online VB Compiler.
' Code, Compile, Run and Debug VB program online.
' Write your code in this editor and press "Run" button to execute it.
Module VBModule
    Sub Main()
        Dim i As Byte
        ' Encoded values to decode
        Dim a() = {102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88}
        Dim b As String = ""
        ' XOR each value with its index and append the resulting character
        For i = 0 To UBound(a)
            b = b & Chr(a(i) Xor i)
            'Console.WriteLine(b)
        Next
        ' Print the fully decoded string
        Console.WriteLine(b)
    End Sub
End Module
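The same decoding can be done statically, reading the array out of the macro text and applying the index XOR without compiling or running any of the macro. This Python version is an added example, not part of the original walkthrough; the function names, the regex and the printable-text threshold are assumptions, and the array is the one from the VB source above.

```python
import re
import string

# Array literal copied from the walkthrough's VB source above. The function
# names, regex and 0.95 threshold below are assumptions of this example.
SAMPLE_SOURCE = """
Dim a() = {102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88}
"""

# Matches VBA's Array(1, 2, ...) and VB.NET's {1, 2, ...} integer lists.
LIST_RE = re.compile(r"(?:\bArray\s*\(|\{)([\d\s,]+)(?:\)|\})", re.IGNORECASE)


def extract_int_arrays(source, min_len=4):
    """Return every literal integer list found in VB/VBA source text."""
    # Join lines split with the " _" continuation marker before matching.
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n", " ", source)
    arrays = []
    for match in LIST_RE.finditer(joined):
        values = [int(n) for n in re.findall(r"\d+", match.group(1))]
        if len(values) >= min_len:
            arrays.append(values)
    return arrays


def xor_with_index(values):
    """Apply the Chr(a(i) Xor i) step; None if a result is not a byte."""
    decoded = [v ^ i for i, v in enumerate(values)]
    if any(c > 255 for c in decoded):
        return None
    return "".join(map(chr, decoded))


def decode_source(source, threshold=0.95):
    """Decode each array and keep results that are mostly printable text."""
    hits = []
    for values in extract_int_arrays(source):
        text = xor_with_index(values)
        if text is None:
            continue
        printable = sum(ch in string.printable for ch in text) / len(text)
        if printable >= threshold:
            hits.append(text)
    return hits


if __name__ == "__main__":
    for text in decode_source(SAMPLE_SOURCE):
        print(text)
```

The macro source is only ever treated as text here, so nothing from the document is executed.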

Below is the shared compiler that I used:

https://onlinegdb.com/Yi2IcJ3eY

When I ran the code, I got the following output, which is the flag.

We have the flag for the challenge, and that's it for the walkthrough. I hope you liked the walkthrough. If so, clap for me down below and follow me so that you don't miss any upcoming walkthroughs.
