forensicsPromedium

oBfsC4t10n

HackTheBox

Task: Multi-layer obfuscated phishing document — HTML email with embedded XLSM containing VBA macros that drop an HTA with injected shellcode. Solution: Extract XLSM from data URI, reassemble three base64 fragments from image alt text/form caption/cell value, decode HTA, reconstruct Chr()-obfuscated VBA, emulate Shikata Ga Nai shellcode with Unicorn Engine to reveal Metasploit reverse_tcp C2 URL containing the flag.

$ ls tags/ techniques/

obfuscation shellcode malware_analysis process_injection meterpreter phishing vba_macros shikata_ga_nai data_uri xlsm hta

olevba_macro_extractionbase64_fragment_reassemblychr_concatenation_deobfuscationshikata_ga_nai_emulationunicorn_engine_shellcode_decodeprocess_injection_analysisole_stream_extractionooxml_inspection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[forensics][free]oBfsC4t10n2— hackthebox
[forensics][free]emo— hackthebox
[misc][Pro]Who4reu— TaipanByte
[reverse][free]FFModule— HackTheBox
[forensics][free]Dream Job-2 Sherlock Scenario— hackthebox