Kick Tort Teen (50 pts)


Anagram, anyone?



Good to Know: The challenge name (Kick Tort Teen) is an anagram on the phrase "Rocket Kitten" (use anagrammer to find out the anagram).

Rocket Kitten is a malware which uses essentially the same method in this challenge to hide itself from an Email Gateway antivirus.

Open data.xls in Excel. It gives the following error; click "Yes".

The error is due to the fact that the file is actually not in .xls (Excel) format, but in .xlsm (macro-enabled Excel) format.

Upon openning the file, the following security warning states that it contains macros. Click "Enable Content".

In Excel, press AltF11 to see the macros:

Function FileExists(ByVal FileToTest As String) As Boolean
   FileExists = (Dir(FileToTest) <> "")
End Function

Sub DeleteFile(ByVal FileToDelete As String)
   If FileExists(FileToDelete) Then 'See above
      SetAttr FileToDelete, vbNormal
      Kill FileToDelete
   End If
End Sub

Sub DoIt()
    Dim filename As String
    filename = Environ("USERPROFILE") & "\"
    DeleteFile (filename)

    Open filename For Binary Lock Read Write As #2
        For i = 1 To 14747
            For j = 1 To 23
                Put #2, , CByte((Cells(i, j).Value - 78) / 3)

        Put #2, , CByte(98)
        Put #2, , CByte(13)
        Put #2, , CByte(0)
        Put #2, , CByte(73)
        Put #2, , CByte(19)
        Put #2, , CByte(0)
        Put #2, , CByte(94)
        Put #2, , CByte(188)
        Put #2, , CByte(0)
        Put #2, , CByte(0)
        Put #2, , CByte(0)

    Close #2
End Sub

Run the DoIt() subroutine. It generates a file called under the %USERPROFILE% directory.

Inspect the file: It's a Linux ELF.

Run it under Linux; it prints the flag: