Alabaster Snowball is in dire need of your help. Santa's file server has been hit with malware. Help Alabaster Snowball deal with the malware on Santa's server by completing several tasks.
For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.
Objective 9.2: Hey, you're pretty good at this security stuff. Could you help me further with what I suspect is a malicious Word document? All the elves were emailed a cookie recipe right before all the infections. Take this document with a password of elves and find the domain it communicates with.
Note: Shinny Upatree can be found on Floor 1, on the South Eastern side of the lobby area
"Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie? Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted. Many elves were affected, so Alabaster went to go see if he could help out. I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer. An elf I follow online said he analyzed Wannacookie and that it communicates over DNS. He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way. Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie! Of course, this all depends how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt. Perhaps there is a flaw in the wannacookie author's DNS server that we can manipulate to retrieve what we need. If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files."
"Whoa, Chris Davis' talk on PowerShell malware is crazy pants! You should check it out!" (https://www.youtube.com/watch?v=wd12XRq2DNk)
"Word docm macros can be extracted using olevba. Perhaps we can use this to grab the ransomware source."
The objective can be accessed directly via this link:
Download "CHOCOLATE_CHIP_COOKIE_RECIPE.zip" from https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip and unzip the file with the password "elves" as per Alabaster's instructions.
root@kali:~# cd /tmp root@kali:/tmp# wget https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip --2019-01-01 17:28:51-- https://www.holidayhackchallenge.com/2018/challenges/CHOCOLATE_CHIP_COOKIE_RECIPE.zip Resolving www.holidayhackchallenge.com (www.holidayhackchallenge.com)... 220.127.116.11 Connecting to www.holidayhackchallenge.com (www.holidayhackchallenge.com)|18.104.22.168|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 110699 (108K) [application/zip] Saving to: 'CHOCOLATE_CHIP_COOKIE_RECIPE.zip' CHOCOLATE_CHIP_COOKIE_RECIPE.zi 100%[=======================================================>] 108.10K 149KB/s in 0.7s 2019-01-01 17:28:53 (149 KB/s) - 'CHOCOLATE_CHIP_COOKIE_RECIPE.zip' saved [110699/110699] root@kali:/tmp# unzip -P elves /tmp/CHOCOLATE_CHIP_COOKIE_RECIPE.zip Archive: /tmp/CHOCOLATE_CHIP_COOKIE_RECIPE.zip skipping: CHOCOLATE_CHIP_COOKIE_RECIPE.docm need PK compat. v5.1 (can do v4.6) root@kali:/tmp# 7z e CHOCOLATE_CHIP_COOKIE_RECIPE.zip -p'elves' 7-Zip  16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=en_AU.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz (306C3),ASM,AES-NI) Scanning the drive for archives: 1 file, 110699 bytes (109 KiB) Extracting archive: CHOCOLATE_CHIP_COOKIE_RECIPE.zip -- Path = CHOCOLATE_CHIP_COOKIE_RECIPE.zip Type = zip Physical Size = 110699 Everything is Ok Size: 113540 Compressed: 110699 root@kali:/tmp#
Analyze the file CHOCOLATE_CHIP_COOKIE_RECIPE.docm using the tool olevba
Please note that because this code is detected by anti-virus as a real virus, this website will only display a picture of the source code. For the full output, please download the file "olevba_output.zip" and use password "infected" to unzip.
Install PowerShell in Kali Linux
root@kali:/tmp# apt update && apt -y install curl gnupg apt-transport-https root@kali:/tmp# curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add - root@kali:/tmp# echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch main" > /etc/apt/sources.list.d/powershell.list root@kali:/tmp# apt update root@kali:/tmp# apt -y install powershell
Edit the PowerShell script retrieved from OleVBA to remove "iex" and run the script.
Please note that because this code is detected by anti-virus as a real virus, this website will only display a picture of the source code. For the full output, please download the file "pwsh_output.zip" and use password "infected" to unzip.
The domain that the malware communicates with is revealed in the unpacked script: