Mr. Phisher TryHackMe Walkthrough

Hello guys back again with another walkthrough. My vacation just begun meaning more writeups to be seen in the next few days depending on TryHackMe releases timeline. This time we are going to be tackling Mr. Phisher from TryHackMe. The room consist of a document that is supposed to simulate a phishing challenge and meant to teach how to reverse visual basic source code to understand what the Marco is supposed to be doing. There are two ways in which we can approach the challenge

1. Perform a static code analysis by reversing the source code and using a programing language you are familiar with to rewrite the code

2. Perform a dynamic analysis of the macro using a Visual Basic compiler and adding debug statement to understand what the program is supposed to do. (Just as a cautionary measure when performing dynamic analysis don’t run any code you don’t trust it on your system. Rather create a sand-boxed environment to test any samples that might appear to be malicious)

The room is rated as easy so without much say let’s jump in.

As always the first step is to gain access on the documents for the challenge. After spawning up the challenge we gain access to the document in the web virtual machine

Working with a brower based VM isn’t really a good idea if you are using a system with low resources so my first task was to download the files to my box. To be able to do this i first needed the IP Address of the system. I obtained the IP Address of the system by running the command

ip a

After obtaining the IP Address of the system i set up a python3 based web server using the command

python3 -m http.server

Then downloaded the documents to my system

Sweet the next step is analysis of the document. I normally use a tool called olevba to analysis any documents for macros. Oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.

To install run the command

pip3 install oletools

After installing the tool to run just use the command

oletools <document file>

Looking at the screenshot below it was able to extract a macro and it even marked the macro as suspicious

Sweet. Step 1 completed. The same can be achieved by using a document reader like LibreOffice and looking at the macro but i think it’s much more work. Secondly, Opening a macro that is suspected to be malicious is such a big gamble that am really not sure i would want to take. The next step is analysis. I went the route of dynamic analysis since it’s much simpler compared to static code analysis. First i needed a VB compiler and there is an online compiler that works pretty well.

online_vb_compiler

I decided to run the code from the online VB compiler and got some nasty errors

Because of variable declaration in Visual Basic. I spent about an hour debugging since it was my first time writing visual basic code.

The following websites helped me during the debugging process

1. https://www.javatpoint.com/vb-net-arrays
2. https://www.tutorialspoint.com/vb.net/vb.net_fornext_loops.htm
3. https://stackoverflow.com/questions/31910324/variable-declaration-without-an-as-clause-type-of-object-assumed
4. https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/arrays/how-to-initialize-an-array-variable
5. https://docs.microsoft.com/en-us/dotnet/visual-basic/misc/bc42020

Finally, i found the right way of instantiating an array in Visual Basic

Below is the source code:

'                             Online VB Compiler.
'                 Code, Compile, Run and Debug VB program online.
' Write your code in this editor and press "Run" button to execute it.
Module VBModule
    Sub Main()
        Dim i As Byte
        Dim a() = {102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88}
        Dim b As String
        For i = 0 To UBound(a)
            b = b & Chr(a(i) Xor i)
            'Console.WriteLine(b)
            Next
        Console.WriteLine(b)
    End Sub
End Module

Below is the shared compiler that i used

https://onlinegdb.com/Yi2IcJ3eY

When i ran the code we get the following output which is the flag

We have the flag for the challenge. And that’s it for the walkthrough. I hope you liked the walkthrough if so clap for me down below and follow me so that you don’t miss any upcoming walkthroughs