Skip to main content
Policy to Packets
Policy to Packets
  1. Policy to Packets/
  2. Writeups/
  3. LetsDefend/
  4. Challenge/

(Writeup) LetsDefend Challenge - MSHTML

LetsDefend Challenge Hard Malware Oletools Security_Analyst Writeup
Table of Contents

Welcome!
#

  • LetsDefend is a Blue Team Training platform.
  • This writeup is a challenge on LetsDefend.

Challenge Details:
#

  • Role targeted: Security Analyst
  • Skill Level: Hard

Description:
#

2021’s 0-Day MSHTML

file location: /root/Desktop/ChallengeFiles/Employee_W2_Form.docx
file location2: /root/Desktop/ChallengeFiles/Employees_Contact_Audit_Oct_2021.docx
file location3: /root/Desktop/ChallengeFiles/Work_From_Home_Survey.doc
file location4: /root/Desktop/ChallengeFiles/income_tax_and_benefit_return_2021.docx

This challenge prepared by @Bohan Zhang Malware samples: MalwareBazaar

Lab Start:
#

Setting up Environment:
#

Since we’ll be using oletools (and maybe XLMMacroDeobfuscator), let’s set up the environment.

mkdir /tmp/analyst
cp ~/Desktop/ChallengeFiles/* /tmp/analyst
chown -R analyst:analyst /tmp/analyst
cd /tmp/analyst
su analyst
pip install -U XLMMacroDeobfuscator oletools[full]
export PATH=$PATH:$HOME/.local/bin
# Next command is long.
find ~ -path "*/xlrd2/formula.py" -exec sed -i 's/assert bv >= 80 #### this function needs updating ####/assert bv >= 70/' {} +

Explanation: The LetsDefend lab runs as root. Python’s pip hates being run as root and ends up destroying packages in the process. So, we need to swap to another user. Luckily, analyst exists. We create the directory /tmp/analyst, copy all the files to it, make the folder and its content owned by analyst, switch to analyst, install the tools, and add tools to $PATH so they can be used easily. Finally, we patch xlrd2’s formula.py because it has a bug that breaks XLMMacroDeobfuscator.

Alright, we have a working environment!

oletools
#

Using: oleid ./*

I’ll skip you the repeating screenshots. They all essentially say the same thing: use oleobj!

Using: oleobj ./*

Oh, that’s enough to answer the questions.

Questions:
#

  1. Examing the Employees_Contact_Audit_Oct_2021.docx file, what is the malicious IP in the docx file?
    • Answer: 172.24.190.249
  2. Examing the Employee_W2_Form.docx file, what is the malicious domain in the docx file?
    • Answer: arsenal.30cm.tw
  3. Examing the Work_From_Home_Survey.doc file, what is the malicious domain in the doc file?
    • Answer: trendparlye.com
  4. Examing the income_tax_and_benefit_return_2021.docx, what is the malicious domain in the docx file?
    • Answer: hidusi.com
  5. What is the vulnerability the above files exploited?
    • Answer: CVE-2021-40444
Reed Eggleston
Author
Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+