The Royal Archives of Eldoria have recovered a mysterious documentโan old resume once belonging to Lord Malakar before his fall from grace. At first glance, it appears to be an ordinary record of his achievements as a noble knight, but hidden within the text are secrets that reveal his descent into darkness.
First, I analyzed the attached file. I ran strings email.eml:
Strings
By analyzing the file, I realized it was a phishing email with a link leading to a malware. The file mentions storage.microsoftcloudservices.com:[PORT]/index.php, so I decided to replace the domain with the link provided by the challenge and visit the page:
index.php
This is where the supposed page used to spread the malware opened. After this initial analysis, let’s move on to the next phase.
๐ฏ Solution Path
Exploitation Steps
Exploitation
Clicking on View Full Resume, the following screen appeared:
Explorer Pop-Up
It asked for permission to open my Explorer. So, I decided to take a look at the page’s source and found the link to which I get redirected when clicking the button:
Path
I then searched for 3fe1690d955e8fd2a0b282501570e1f4/resumes on the web server, finding the file Resume.pdf.Ink. I downloaded it, and the first thing I did was check the metadata using exiftool:
Exiftool
Inside the file, I found embedded commands for execution with powershell. I then decoded them from base64:
Base64
This revealed a new path 3fe1690d955e8fd2a0b282501570e1f4/configs/client.py. Apparently, this malware runs the script client.py from the server. When I visited the new path, I found the client.py:
client.py
It seems everything is encoded in base64. After decoding the variable key, I found the flag:
The automatic exploit makes a GET request to fetch the contents of the client.py file and extracts the base64. Once decoded, it prints the result, which is the flag.
