Misc - 043
备注
created by || eMVee
⏲️ Release Date // 2023-12-19
💀 Solvers // 12
🧩 Type // misc
Capture the flag from this MS Excel File.
就是一个 Excel 的 vba 宏,将 xlsm 文件作为 zip 压缩包进行解压,得到
./xl/vbaProject.bin
使用 python-oletools进行解码
┌─[randark@parrot]─[~/tmp]
└──╼ $olevba vbaProject.bin
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1 on Python 3.11.2 - http://decalage.info/python/oletools
===============================================================================
......
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook
in file: vbaProject.bin - OLE stream: 'ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Blad1
in file: vbaProject.bin - OLE stream: 'Blad1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1
in file: vbaProject.bin - OLE stream: 'Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Flag()
Attribute Flag.VB_ProcData.VB_Invoke_Func = " \n14"
'Here is the flag: HMV{b63ce4efbf0b4214a470a707d34bc3ba}
MsgBox "This is not the flag"
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+
flag
HMV{b63ce4efbf0b4214a470a707d34bc3ba}