Diagnostic

Challenge Description

Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company.

The emails all contain a link to diagnostic.htb/layoffs.doc.

The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document (your Docker instance). Take a look and figure out what's going on.

Start the instance to begin the challenge.

Challenge Solving

The first step is getting the document from the domain. Do so by connecting to the remote machine and routing the domain mentioned in the challenge description to it (for example with a hosts-file entry), then downloading the file.

Office Open XML documents are zip archives, so the file can simply be opened as a zip to analyse its contents.

There are many files that we can take a look at. One that is always interesting is document.xml.rels, which lists the relationships of the main document part, including any that point to external targets.

If you are not familiar with how a document is formed, compare the entries to see which one differs from the rest. In doing so a link to the domain mentioned in the challenge description can be found.

The source of the HTML served at that link is a script. With some familiarity with Windows, you can rapidly recognise that the script is PowerShell.

The first part of the code is encoded in Base64. Once the string is decoded, we can find part of the flag.

The easiest way to solve the challenge is to write a short script that places the strings in the order the PowerShell code specifies.

Note that the ordering index needs to be shifted by 1 (an off-by-one), as the first attempt did not uncover the flag.

An example script would gather all the different strings together with their positions, place each string at its instructed position, and print the result after each iteration.

Executing the code will give the flag. Nearly.

Notice the last part of the result. Clean that up and submit the flag.
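The reassembly steps above, as an added example that is not part of the original writeup or the challenge's script. The base64 prefix, the numbered fragments and the trailing junk are all constructed sample data; the real script's string format is not shown on the page, so `reassemble` takes plain (position, text) pairs and an `index_base` parameter that models the off-by-one adjustment the writeup mentions, and `clean` assumes the junk sits after the closing brace.

```python
import base64

# Constructed sample input (not the challenge's own data): a base64-encoded prefix
# and numbered fragments in a shuffled order, plus one trailing-junk fragment.
SAMPLE_PREFIX_B64 = base64.b64encode(b"FLAG{").decode()
SAMPLE_FRAGMENTS = [
    (3, "mb"),
    (1, "re"),
    (5, "d}"),
    (6, "\r\n\x00"),   # trailing junk that must be cleaned before submitting
    (2, "asse"),
    (4, "le"),
]


def reassemble(fragments, index_base=1, verbose=False):
    """Place each fragment at its stated position and join the result.

    index_base corrects the off-by-one: positions that start at 1 need
    index_base=1 to map onto a 0-based slot list. A position outside the
    slot range or assigned twice raises instead of silently dropping text.
    """
    slots = [None] * len(fragments)
    for step, (pos, text) in enumerate(fragments, 1):
        idx = pos - index_base
        if not 0 <= idx < len(slots):
            raise ValueError(f"position {pos} out of range for index_base={index_base}")
        if slots[idx] is not None:
            raise ValueError(f"position {pos} assigned twice")
        slots[idx] = text
        if verbose:
            # Print the partial result after each iteration, as the writeup suggests.
            print(f"iteration {step}: {''.join(s or '?' for s in slots)!r}")
    return "".join(slots)


def recover_flag(prefix_b64, fragments, index_base=1, verbose=False):
    """Decode the base64 prefix and append the reordered fragments."""
    prefix = base64.b64decode(prefix_b64).decode()
    return prefix + reassemble(fragments, index_base, verbose)


def clean(result):
    """Cut everything after the first closing brace (assumed end of the flag)."""
    end = result.find("}")
    return result if end == -1 else result[: end + 1]


if __name__ == "__main__":
    raw = recover_flag(SAMPLE_PREFIX_B64, SAMPLE_FRAGMENTS, index_base=1, verbose=True)
    print("raw:", repr(raw))
    print("flag:", clean(raw))
```

With `index_base=0` the same data fails on position 6, which is the quick way to tell that the script's positions are 1-based rather than 0-based before guessing at the flag.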
