Tags: analysis malware
For this challenge we're supposed to investigate a .lnk file. In case you didn't know, a .lnk file is essentially the Windows version of a hyperlink: you can create a shortcut to a URL, a document, or, in this case, an executable. Let's simply cat the file and see if we can spot anything suspicious.
*Note: If on windows you can manually edit a .lnk file by right-clicking it.*
We can see the first part of the .lnk seems to be linking to `C:\Windows\System32\cmd.exe`.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_cat_first.png)
Scrolling towards the end of the output we can also see a tinyurl link.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_cat_tiny.png)
Let's navigate to `https://tinyurl[.]com/a7ba6ma` and see what's going on.
*Note: Only do this in a virtualized lab environment!*
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_tiny_redirect.png)
Whoa! Looks like we were redirected to a Google Drive link containing what looks to be a bunch of base32 data. Let's decode it and see what it actually is.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_data_decode.png)
This is where knowledge of magic bytes comes in handy: just from a glance I can tell this file is a DLL. `MZ` identifies it as a DOS executable, **but** the output also references `hello-world.dll`, which makes me think this is a DLL file. Let's write it out to a DLL and run it to see what happens.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_out_dll.png)
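As an added example (not part of the original writeup), here is a small Python script that does the magic-byte check more rigorously than eyeballing the hexdump: it base32-decodes a pasted blob like the one on the Drive page, confirms the `MZ` stub and the `PE\0\0` signature, and reads the COFF `Characteristics` field to see whether `IMAGE_FILE_DLL` is set, which is the definitive DLL test rather than the `hello-world.dll` string. The bytes produced by `build_sample_pe` are a constructed, non-runnable stub for the demo, not the challenge's payload.

```python
import base64
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images


def decode_base32_blob(text: str) -> bytes:
    """Base32-decode pasted text, tolerating line breaks, lowercase and stripped '=' padding."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8 chars
    return base64.b32decode(cleaned)


def identify_pe(data: bytes) -> dict:
    """Classify a blob by magic bytes: MZ stub, PE signature, and the DLL flag."""
    info = {"mz": False, "pe": False, "dll": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info  # not a DOS/Windows executable at all
    info["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info  # MZ stub with no PE header (plain DOS program or truncated)
    info["pe"] = True
    if e_lfanew + 24 > len(data):
        return info  # truncated before the COFF FileHeader ends
    # The 20-byte COFF FileHeader follows the 4-byte signature; Characteristics is at +18
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    info["dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def build_sample_pe(is_dll: bool) -> bytes:
    """Constructed PE-shaped stub for the demo: DOS header, e_lfanew, PE signature, COFF header."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # PE header directly after the 64-byte DOS header
    flags = (IMAGE_FILE_DLL | 0x0002) if is_dll else 0x0002  # 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, flags)  # Machine ... Characteristics
    return bytes(hdr) + b"PE\x00\x00" + coff


def encode_base32(data: bytes) -> str:
    return base64.b32encode(data).decode()


if __name__ == "__main__":
    blob = encode_base32(build_sample_pe(is_dll=True))
    print(identify_pe(decode_base32_blob(blob)))  # {'mz': True, 'pe': True, 'dll': True}
```

Running `identify_pe` over the real decoded payload tells you whether `rundll32.exe` is even the right loader before you spend time on it.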
Figuring out how to run this DLL took me a while. At first I tried using rundll32.exe, but that never worked (I believe because this DLL has a GUI component). After some intense googling I remembered that OllyDbg has a run-DLL option! Let's load it up, run the DLL that way, and see what happens.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_open_ollydbg.png)
*Opening out.dll in OllyDbg*
After running the DLL we get the following output:
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_flag.png)
Success! This one was fairly simple, but figuring out how to run a DLL took me longer than it should have. I'll have to keep OllyDbg in mind for future competitions.