MrPhisher | TryHackMe Walkthrough

Solvenite

Introduction

This is an “easy” (I believe it's not :/) room on TryHackMe that covers malicious VBA macros. This guide gives a comprehensive overview of the steps needed to solve the challenge.


Task 1 — Mr. Phisher

Uncover the flag in the email attachment!

Start the machine by clicking the green “Start Machine” button at the top of the task. Once it loads, we can find some files, in particular a .docm file and a .zip file.

Opening the document displays only an image.

Click Tools>Macros>Edit Macros to see the current macros in the document. There’s a macro under the “Modules” section that looks odd.

Reading the code, it looks like the loop XORs every value in the array with its loop index and then converts the result to a character, appending it to a string.

This could be solved more easily by just coding on our own, but my programming isn't that strong, so I tried finding another way out for this.
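A script along those lines, as an added example that is not the room's macro or the author's code: it reproduces the "XOR each array element with its index, then convert to a character" loop in Python, and also pulls the integer literals out of a pasted VBA `Array(...)` call so the numbers need not be retyped. The VBA source and the array below are constructed for this example and encode a placeholder, not the room's flag; the 0-based index is an assumption, so check where the macro's `For` loop actually starts and pass `start_index` accordingly.

```python
import re

def xor_index_decode(values, start_index=0):
    """Mirror the macro's loop: XOR each element with its loop index and
    turn the result into a character. start_index is assumed 0 (VBA Array()
    is 0-based unless the module declares Option Base 1)."""
    return "".join(chr(v ^ (i + start_index)) for i, v in enumerate(values))

def xor_index_encode(text, start_index=0):
    """Inverse of xor_index_decode; used here only to build sample data."""
    return [ord(c) ^ (i + start_index) for i, c in enumerate(text)]

def extract_array_from_vba(src):
    """Return the integer literals inside the first Array(...) call in a
    chunk of VBA source, so a macro copied from the editor can be decoded."""
    m = re.search(r"Array\s*\((.*?)\)", src, re.S)
    if not m:
        raise ValueError("no Array(...) literal found")
    return [int(x) for x in re.findall(r"-?\d+", m.group(1))]

# Constructed sample: a placeholder string encoded the way the macro expects.
PLACEHOLDER = "flag{example_placeholder}"
SAMPLE_ARRAY = xor_index_encode(PLACEHOLDER)

# Constructed VBA in the shape described in the walkthrough (not the room's macro).
SAMPLE_VBA = (
    "Sub Decode()\n"
    "    Dim a() As Variant\n"
    "    a = Array(" + ", ".join(str(v) for v in SAMPLE_ARRAY) + ")\n"
    "    For i = 0 To UBound(a)\n"
    "        b = b & Chr(a(i) Xor i)\n"
    "    Next i\n"
    "End Sub\n"
)

def decode_vba_macro(src, start_index=0):
    """Convenience: extract the array from VBA source and decode it."""
    return xor_index_decode(extract_array_from_vba(src), start_index)

if __name__ == "__main__":
    # Paste the real macro's source into SAMPLE_VBA (or read it from a file)
    # to recover the string the macro would build in 'b'.
    print(decode_vba_macro(SAMPLE_VBA))
```

Because XOR is its own inverse, running the same loop over the array recovers the original string without needing the document or the macro runtime at all; if the output looks like garbage, the most likely cause is the wrong index base.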

I figured we could start by enabling macros from the security settings and see what it does. Go to Options>Security>Macro Security>Low. We do this so that we can run the macro and see what it does.

Now, we can set a breakpoint on the End line so that execution pauses just before the macro finishes and its variables are still available to inspect.

You can set a breakpoint either by double-clicking the line or by pressing the breakpoint button at the top of the window.

In the bottom window, add a variable to the watch list. In this case, we’re watching ‘b’ because it is the variable that holds the flag.

Click Run and read the output. The macro runs, pauses at the breakpoint instead of ending, and the watch window shows the final value of ‘b’, which is the flag.

flag{a39a07a*******************}


Conclusion

Overall this is a great room on TryHackMe and offers something new. I spent well over a day in this room, racking my brain to find the solution. I’ve worked with macros a little before, so eventually I was able to come to an answer. I believe this could be easier with a script, and that’s probably the better way to do the room, but as I mentioned earlier, I'm not really that well-versed in scripting, so I couldn't come up with a solution that way.

