CyberDefenders: BlueTeam CTF Challenges

Emprisa Maldoc

SHA1SUM	e1c1405e3c1b6b252e5630889fa657e63c3dd5c0
Published	April 2, 2021
Author	Karlo Licudine
Size	1.6KB
Tags	Malicious Document RTF

Instructions	Use the password "cyberdefenders.org" to uncompress challenge files and inspect samples.

Your progress

0% Completed0/14 Questions

Your score

0/6100

Malicious Document

Last solve

4 days ago by kaller

Case Overview:

As a SOC analyst, you were asked to inspect a suspected document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts.

Your job is to investigate the document further and confirm whether it's malicious or not.

Tools:

Microsoft office IDE
rtfdump.py
Scdbg or Speakeasy
Debugger

#	Question	Weight	Solved
#1	What is the CVE ID of the exploited vulnerability?	100	263
Hint Report an issue

#2	To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft office 2007, a specific patch should not be installed. Provide the patch number.	100	234
Hint Report an issue

#3	What is the magic signature in the object data?	100	221
Hint Report an issue

#4	What is the name of the spawned process when the document gets opened?	200	209
Hint Report an issue

#5	What is the full path of the downloaded payload?	200	181
Hint Report an issue

#6	Where is the URL used to fetch the payload?	300	214
Hint Report an issue

#7	What is the flag inside the payload?	300	175
Hint Report an issue

#8	The document contains an obfuscated shellcode. What string was used to cut the shellcode in half? (Two words, space in between)	500	162
Hint Report an issue

#9	What function was used to download the payload file from within the shellcode?	500	147
Hint Report an issue

#10	What function was used to execute the downloaded payload file?	500	145
Hint Report an issue

#11	Which DLL gets loaded using the "LoadLibrayA" function?	500	142
Hint Report an issue

#12	What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit?(3 words)	800	136
Hint Report an issue

#13	What is the GitHub link of the tool that was likely used to make this exploit?	1000	158
Hint Report an issue

#14	What is the memory address written by the exploit to execute the shellcode?	1000	120
Hint Report an issue

Submit Writeup