Emprisa Maldoc blue team ctf

Category : Malware Analysis

RTF

700 Players

4.4 (59)

Medium

What is the CVE ID of the exploited vulnerability?

Weight : 100 | Solved : 423

To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft office 2007, a specific patch should not be installed. Provide the patch number.

Weight : 100 | Solved : 379

What is the magic signature in the object data?

Weight : 100 | Solved : 360

What is the name of the spawned process when the document gets opened?

Weight : 200 | Solved : 334

What is the full path of the downloaded payload?

Weight : 200 | Solved : 295

Where is the URL used to fetch the payload?

Weight : 300 | Solved : 340

What is the flag inside the payload?

Weight : 300 | Solved : 268

The document contains an obfuscated shellcode. What string was used to cut the shellcode in half? (Two words, space in between)

Weight : 500 | Solved : 261

What function was used to download the payload file from within the shellcode?

Weight : 500 | Solved : 239

Q10

What function was used to execute the downloaded payload file?

Weight : 500 | Solved : 233

Q11

Which DLL gets loaded using the "LoadLibrayA" function?

Weight : 500 | Solved : 230

Q12

What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit?(3 words)

Weight : 800 | Solved : 223

Q13

What is the GitHub link of the tool that was likely used to make this exploit?

Weight : 1000 | Solved : 253

Q14

What is the memory address written by the exploit to execute the shellcode?

Weight : 1000 | Solved : 206

Instructions:

Use the password "cyberdefenders.org" to uncompress challenge files and inspect samples.

Case Overview:

As a SOC analyst, you were asked to inspect a suspected document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts.

Your job is to investigate the document further and confirm whether it's malicious or not.

Tools:

Microsoft office IDE
rtfdump.py
Scdbg or Speakeasy
Debugger

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

e1c1405e3c1b6b252e5630889fa657e63c3dd5c0
Password:

cyberdefenders.org
Size:

1.6KB
Published:

April 2, 2021, midnight

First blood

poisonous

793 days ago

Last solve

Elsayed_Shehata

today

Authors

BlueYard

Leaderboard

Store

Contact us

Media kit

Careers

Host a live CTF

Blog