Initial analysis

We are given a power point presentation as a challenge and if we open it we will see some images of emoji’s 🙊.

We can see that the power point presentation contains some macros which we are going to check out as first but the macro is password protected (🙈):

But the macros aren’t encrypted with the password so we could read them with olevba but unfortunately there isn’t anything interesting there:

I have used olevba for this but unfortunately there isn’t anything interesting there:

We have to go back to the presentation and search for something else because the flag is clearly not in the macro. If we take a closer look on page 4 we will see a packager shell object which contains an additional DOC file:

We could extract this object by right clicking on the image and go to Packager Shell Object Object and then click on Rename Package and we should see the file path which points to the temp directory:

Now we can save that extracted doc file to another directory for further analysis. The filename is for this object is “Plz find e needle in e heay stack.doc”

If we look further we can see that on page 8 there is one more object embedded:

We should also extract this one and copy it for further analysis. The name of this object is:

“Please help to find the n33dle.doc”

Embedded documents

Let’s start with the second file named “Please help to find the n33dle.doc”. If we open that file in MS Word we will see a David Bowie picture that contains a macro as well:

Using olevba we can extract the macro but again this is not the correct document:

Now we can start analysing “Plz find e needle in e heay stack.doc”. If we open this file in MS Word and we will see an empty page, without any macros of embedded objects and this looks interesting.

Plz find e needle in e heay stack

Using 7zip we could extract its contents and then we could see these files:

activeX1.bin looks interesting for us because it’s the only file with a bigger file size and if we open that in a hex editor we will see a OLE header (D0CF11E0 aka ‘DOCFILE’) but at offset 0x800 we will see something which looks like an alphanumeric shellcode which is usually used in exploits.

To verify this, we must extract that shellcode into a binary file and open it in a disassembler. After we have opened it in IDA we can see that the shellcode in this form is not executable because there is one invalid instruction:

The first 0x14 bytes are NOP sleds and we can ignore them, the real shellcode starts at offset 0x14 but after first instruction we already have an invalid instruction which we must fix. If we search for the first 3 bytes (89 E2 D9) in the shellcode we can see that it is repetitive and the shellcode is appended a few hundred times which is probably for heap spraying.

But in each shellcode and after ’89 E2 D9’ there is always 1 different byte. We can write a script to extract the different characters and print them out.

import re

f = open('shellcode.bin', 'rb')
buf = f.read()
f.close()

result = ""

offsets = [m.start() for m in re.finditer('\x89\xE2\xD9', buf)]
for offset in offsets:
    start = offset + 3
    result += buf[start:start+1]

print "Result: {}".format(result)

Executing that script will show us a hidden message from the author which tells us remove one extra byte from the shellcode to make it run without any errors.

Solution ========

To make the shellcode running we must remove an additional byte from the shellcode. We can do this manually or we can modify the previous script to do this for us:

import re

f = open('shellcode.bin', 'rb')
buf = f.read()
f.close()

new_shellcode = ""
last_offset = 0

offsets = [m.start() for m in re.finditer('\x89\xE2\xD9', buf)]
for offset in offsets:
    new_shellcode += buf[last_offset:offset + 3]
    last_offset = offset + 4

f = open('new_shellcode.bin', 'wb')
f.write(new_shellcode)
f.close()


Now we can make a EXE file out of it or we can binary copy the hex bytes and insert them in a debugger like OllyDbg. I have used Profiler to create a new PE file based on that shellcode:

Now we can run the executable and it will show us the final flag: