Wimble

Once the file was downloaded and extracted from the zip I ran the file command on it.

OK so we’ll be doing the analysis for this one on a Windows box to start.

Move the file to windows and rename to Fetch.wim

Open the .wim with 7zip explorer

Within the zip file we see a plethora of Prefetch (.pf) files, but among them we there is a fetch.zip

When we extract the contents of the zip file we have another directory of Prefetch files.

I extracted the .pf files to a folder.

I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress , ctf , and flag.

That was easy.

Opposable Thumbs

I know for a fact that Axiom can process thumbnail caches.

And BAM! there’s the flag.

Tragedy Redux

First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.

Looking at the structure, as seasoned analyst may identify that the tragedy_redux file is in fact a word document. Which will bring up another method in a minute. But before that let’s take a look at the vbaProject.bin file with olevba.

There’s a macro file with some curious fruit and vegetable related functions.

If you realized at the beginning this was a word doc file, you could append the file extension .docm to the file.

When opening the file in Word, there is a prompt to enable macros.

Once the document is open you see a document containing the definition of Tragedy.

From there we can go to Tools > Macros > Edit… we can get to the same vbs content we did with olevba.

The next step was to convert the vbs into something actionable. I struggled on this one, but one of my teammates was successful in converting the vbs to Python.

This code interprets the numeric values in longstring (Apples), as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.

When we run the Python script we get back:

powershell -enc JGZsYWc9ImZsYWd7NjNkY2M4MmMzMDE5Nzc2OGY0ZDQ1OGRhMTJmNjE4YmN9Ig==

Now we can echo the value to base64 decrypt and get our final flag value.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.