CyberDefenders: BlueTeam CTF Challenges

Emprisa Maldoc

SHA1SUM	e1c1405e3c1b6b252e5630889fa657e63c3dd5c0
Published	April 2, 2021
Author	Karlo Licudine
Size	1.6KB
Tags	Malicious Document RTF

Instructions	Use the password "cyberdefenders.org" to uncompress challenge files and inspect samples.

Your progress

0% Completed0/14 Questions

Your score

0/6100

Malware Analysis

Last solve

10 days ago by l4553

Case Overview:

As a SOC analyst, you were asked to inspect a suspected document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts.

Your job is to investigate the document further and confirm whether it's malicious or not.

Tools:

Microsoft office IDE
rtfdump.py
Scdbg or Speakeasy
Debugger

#	Question	Weight	Solved
#1	What is the CVE ID of the exploited vulnerability?	100	311
Hint Report an issue

#2	To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft office 2007, a specific patch should not be installed. Provide the patch number.	100	275
Hint Report an issue

#3	What is the magic signature in the object data?	100	260
Hint Report an issue

#4	What is the name of the spawned process when the document gets opened?	200	245
Hint Report an issue

#5	What is the full path of the downloaded payload?	200	215
Hint Report an issue

#6	Where is the URL used to fetch the payload?	300	253
Hint Report an issue

#7	What is the flag inside the payload?	300	201
Hint Report an issue

#8	The document contains an obfuscated shellcode. What string was used to cut the shellcode in half? (Two words, space in between)	500	191
Hint Report an issue

#9	What function was used to download the payload file from within the shellcode?	500	173
Hint Report an issue

#10	What function was used to execute the downloaded payload file?	500	169
Hint Report an issue

#11	Which DLL gets loaded using the "LoadLibrayA" function?	500	166
Hint Report an issue

#12	What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit?(3 words)	800	159
Hint Report an issue

#13	What is the GitHub link of the tool that was likely used to make this exploit?	1000	185
Hint Report an issue

#14	What is the memory address written by the exploit to execute the shellcode?	1000	143
Hint Report an issue

Submit Writeup