CyberDefenders: BlueTeam CTF Challenges

Emprisa Maldoc

SHA1SUM	e1c1405e3c1b6b252e5630889fa657e63c3dd5c0
Published	April 2, 2021
Author	Karlo Licudine
Size	1.6KB
Tags	Malicious Document RTF

Instructions	Use the password "cyberdefenders.org" to uncompress challenge files and inspect samples.

Your progress

0% Completed0/14 Questions

Your score

0/6100

Malware Analysis

Last solve

4 days ago by Abdibimantara

Case Overview:

As a SOC analyst, you were asked to inspect a suspected document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts.

Your job is to investigate the document further and confirm whether it's malicious or not.

Tools:

Microsoft office IDE
rtfdump.py
Scdbg or Speakeasy
Debugger

#	Question	Weight	Solved
#1	What is the CVE ID of the exploited vulnerability?	100	272
Hint Report an issue

#2	To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft office 2007, a specific patch should not be installed. Provide the patch number.	100	241
Hint Report an issue

#3	What is the magic signature in the object data?	100	228
Hint Report an issue

#4	What is the name of the spawned process when the document gets opened?	200	216
Hint Report an issue

#5	What is the full path of the downloaded payload?	200	188
Hint Report an issue

#6	Where is the URL used to fetch the payload?	300	221
Hint Report an issue

#7	What is the flag inside the payload?	300	183
Hint Report an issue

#8	The document contains an obfuscated shellcode. What string was used to cut the shellcode in half? (Two words, space in between)	500	170
Hint Report an issue

#9	What function was used to download the payload file from within the shellcode?	500	154
Hint Report an issue

#10	What function was used to execute the downloaded payload file?	500	151
Hint Report an issue

#11	Which DLL gets loaded using the "LoadLibrayA" function?	500	148
Hint Report an issue

#12	What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit?(3 words)	800	142
Hint Report an issue

#13	What is the GitHub link of the tool that was likely used to make this exploit?	1000	164
Hint Report an issue

#14	What is the memory address written by the exploit to execute the shellcode?	1000	126
Hint Report an issue

Submit Writeup