Kick Tort Teen (50 pts)

Question:

Anagram, anyone?

data.xls

Write-Up:

Good to Know: The challenge name (Kick Tort Teen) is an anagram on the phrase "Rocket Kitten" (use anagrammer to find out the anagram).

Rocket Kitten is a malware which uses essentially the same method in this challenge to hide itself from an Email Gateway antivirus.

Open data.xls in Excel. It gives the following error; click "Yes".

The error is due to the fact that the file is actually not in .xls (Excel) format, but in .xlsm (macro-enabled Excel) format.

Upon openning the file, the following security warning states that it contains macros. Click "Enable Content".

In Excel, press AltF11 to see the macros:

Function FileExists(ByVal FileToTest As String) As Boolean
   FileExists = (Dir(FileToTest) <> "")
End Function

Sub DeleteFile(ByVal FileToDelete As String)
   If FileExists(FileToDelete) Then 'See above
      SetAttr FileToDelete, vbNormal
      Kill FileToDelete
   End If
End Sub

Sub DoIt()
    Dim filename As String
    filename = Environ("USERPROFILE") & "\fileXYZ.data"
    DeleteFile (filename)

    Open filename For Binary Lock Read Write As #2
        For i = 1 To 14747
            For j = 1 To 23
                Put #2, , CByte((Cells(i, j).Value - 78) / 3)
            Next
        Next

        Put #2, , CByte(98)
        Put #2, , CByte(13)
        Put #2, , CByte(0)
        Put #2, , CByte(73)
        Put #2, , CByte(19)
        Put #2, , CByte(0)
        Put #2, , CByte(94)
        Put #2, , CByte(188)
        Put #2, , CByte(0)
        Put #2, , CByte(0)
        Put #2, , CByte(0)

    Close #2
End Sub

Run the DoIt() subroutine. It generates a file called fileXYZ.data under the %USERPROFILE% directory.

Inspect the file: It's a Linux ELF.

Run it under Linux; it prints the flag:

5bd74def27ce149fe1b63f2aa92331ab