Tags: analysis malware
For this challenge we're supposed to investigate a .lnk file. In case you didn't know, an .lnk file is essentially the Windows version of a hyperlink: a shortcut that can point at a URL, a document, or, in this case, an executable. Let's simply cat the file and see if we can spot anything suspicious.
*Note: On Windows you can manually edit a .lnk file by right-clicking it.*
We can see that the first part of the .lnk appears to link to `C:\Windows\System32\cmd.exe`.

Scrolling towards the end of the output we can also see a TinyURL link.

Let's navigate to `https://tinyurl[.]com/a7ba6ma` and see what's going on.
*Note: Only do this in a virtualized lab environment!*
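Rather than eyeballing raw `cat` output, the same triage (does the header really say Shell Link, what does it launch, is there a URL buried in the arguments) can be done with a small parser. The code below is an added example, not part of the original writeup and not the challenge file; it follows the public Shell Link binary format (a 0x4C-byte header, LinkFlags, then the optional string fields) and builds its own constructed sample .lnk with a placeholder URL so it runs offline. The sample builder, the URL regex and the `suspicious` heuristics are my assumptions, not anything taken from the challenge.

```python
import re
import struct

# Shell Link header constants (MS-SHLLINK): header size and the fixed LinkCLSID
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which variable-length sections follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Constructed heuristic: interpreters commonly abused as shortcut targets
INTERPRETERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")


def build_sample_lnk(arguments):
    """Constructed minimal .lnk: header + COMMAND_LINE_ARGUMENTS only (no IDList, no LinkInfo)."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attrs, timestamps, size, icon, showcmd, hotkey, reserved
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def parse_lnk(data):
    """Validate the header and return (flags, dict of StringData fields)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    order = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
             (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
             (HAS_ICON_LOCATION, "icon_location"))
    for bit, name in order:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le", errors="replace")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return flags, fields


def triage_lnk(data):
    """Summarise what a defender cares about: embedded URLs and interpreter use."""
    flags, fields = parse_lnk(data)
    text = " ".join(fields.values())
    urls = URL_RE.findall(text)
    lowered = text.lower()
    interpreters = [i for i in INTERPRETERS if i in lowered]
    return {
        "flags": flags,
        "fields": fields,
        "urls": urls,
        "interpreters": interpreters,
        "suspicious": bool(urls) or bool(interpreters),
    }


if __name__ == "__main__":
    # Constructed sample with a placeholder URL; not the challenge's shortcut
    sample = build_sample_lnk("/c start https://tinyurl.example/PLACEHOLDER")
    print(triage_lnk(sample))
```

The parser deliberately fails closed: a file whose first 20 bytes are not a valid Shell Link header raises instead of being guessed at, which is the right behaviour for a triage script fed arbitrary attachments.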

Whoa! Looks like we were redirected to a Google Drive link containing what appears to be a bunch of base32 data. Let's decode it and see what it actually is.

This is where knowledge of magic bytes comes in handy: just from a glance I can tell this file is a DLL. `MZ` identifies it as a DOS executable, **but** the output references `hello-world.dll`, which makes me think this is a DLL file. Let's write it out as a DLL and run it to see what happens.
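The filename string is a good hint, but the PE headers say definitively whether an `MZ` blob is a DLL: the COFF header's `Characteristics` field carries `IMAGE_FILE_DLL` (0x2000). The code below is an added example, not from the original writeup and not the challenge's payload; it generalises the decode-and-check step by base32-decoding a pasted dump (tolerating whitespace, lowercase and missing padding), walking `e_lfanew` to the `PE\0\0` signature and reading `Characteristics`. The constructed sample PE images it builds for itself are stubs with the header fields the check needs and nothing else, so nothing here is executed.

```python
import base64
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE_SIGNATURE = b"PE\x00\x00"


def build_sample_pe(is_dll, machine=0x8664):
    """Constructed stub: DOS header with e_lfanew, PE signature and a COFF header (no sections)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos + PE_SIGNATURE + coff


def decode_base32_dump(text):
    """Decode base32 as pasted from a web page: strip whitespace, upper-case, re-pad."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def classify_pe(data):
    """Return a dict describing the blob: 'dll', 'exe', 'mz-only' or 'unknown'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": "unknown"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bounds-check before trusting the offset: a truncated or crafted header must not crash the triage
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return {"kind": "mz-only"}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    kind = "dll" if characteristics & IMAGE_FILE_DLL else "exe"
    return {"kind": kind, "machine": machine, "characteristics": characteristics}


def classify_base32_dump(text):
    return classify_pe(decode_base32_dump(text))


if __name__ == "__main__":
    # Constructed dump: base32 of a stub DLL, broken into lines like a pasted page
    dump = base64.b32encode(build_sample_pe(True)).decode()
    wrapped = "\n".join(dump[i:i + 32] for i in range(0, len(dump), 32))
    print(classify_base32_dump(wrapped))
```

With a real sample the same call tells you whether the file should be treated as a library to be analysed with its exports in mind or as a standalone executable, before anything is written to disk or run.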

Figuring out how to run this DLL took me a while. At first I tried using rundll32.exe, but that never worked (I believe because this DLL has a GUI component). After some intense Googling I remembered that OllyDbg has a run-DLL option! Let's load that up, run the DLL with it, and see what happens.

*Opening out.dll in OllyDbg*
After running the DLL we get the following output:

Success! This one was fairly simple, but figuring out how to run a DLL took me longer than it should have. I'll have to keep OllyDbg in mind for future competitions.