Tags: analysis malware 

For this challenge we're supposed to investigate a .lnk file. In case you didn't know, a .lnk file is essentially the Windows version of a hyperlink: a shortcut to a URL, a document, or, in this case, an executable. Let's simply `cat` the file and see if we can spot anything suspicious.
*Note: On Windows you can manually edit a .lnk file by right-clicking it.*

We can see that the first part of the .lnk seems to link to `C:\Windows\System32\cmd.exe`.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_cat_first.png)

Scrolling towards the end of the output we can also see a tinyurl link.
![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_cat_tiny.png)

Let's navigate to `https://tinyurl[.]com/a7ba6ma` and see what's going on.
*Note: Only do this in a virtualized lab environment!*

![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_tiny_redirect.png)

Whoa! It looks like we were redirected to a Google Drive link containing what looks to be a bunch of base32 data. Let's decode it and see what it actually is.

![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_data_decode.png)

This is where knowledge of magic bytes comes in handy: just from a glance I can tell this file is a DLL. `MZ` identifies it as a DOS executable, **but** the output references `hello-world.dll`, which makes me think this is a DLL file. Let's write it out to a DLL and run it to see what happens.
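As an added example (not code from the original write-up), here are the two static checks the walkthrough does by eye, in Python: carve http(s) URLs out of a .lnk's ASCII and UTF-16LE strings, then base32-decode a pasted blob and read the PE COFF `Characteristics` flag to decide DLL versus EXE instead of trusting the filename. The .lnk bytes, the tinyurl path and the tiny PE image are constructed here, and the DLL-flag check goes beyond what the write-up itself does.

```python
import base64
import re
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images

def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE layout (not real malware): DOS header whose
    e_lfanew (offset 0x3c) points at 'PE\\0\\0' followed by a COFF header."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff

# Constructed stand-in for the base32 blob served from the Google Drive link.
SAMPLE_B32 = base64.b32encode(build_fake_pe(True)).decode().rstrip("=")

def decode_base32(text: str) -> bytes:
    """Decode base32 as pasted from a web page: drop whitespace, restore padding."""
    cleaned = re.sub(r"\s+", "", text).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def classify_pe(data: bytes) -> str:
    """'MZ' alone only says DOS/PE; the COFF flags say whether it is a DLL."""
    if data[:2] != b"MZ":
        return "not-mz"
    if len(data) < 0x40:
        return "mz-truncated"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-no-pe"  # DOS stub only, or a corrupt/truncated PE header
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def find_urls(blob: bytes) -> list[str]:
    """Pull http(s) URLs from both ASCII and UTF-16LE strings, as .lnk files
    store their command-line arguments in UTF-16LE."""
    pattern = rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"
    found = re.findall(pattern, blob)
    wide = blob.decode("utf-16-le", errors="ignore").encode("latin-1", errors="ignore")
    found += re.findall(pattern, wide)
    return sorted({u.decode() for u in found})

# Constructed stand-in for the .lnk bytes; the tinyurl path is a placeholder.
SAMPLE_LNK = b"L\x00\x00\x00" + "cmd.exe /c start https://tinyurl.com/EXAMPLE".encode("utf-16-le")

if __name__ == "__main__":
    print(find_urls(SAMPLE_LNK))
    print(classify_pe(decode_base32(SAMPLE_B32)))
```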

![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_out_dll.png)

Figuring out how to run this DLL took me a while. At first I tried using rundll32.exe, but that never worked (I believe because this DLL has a GUI component). After some intense googling I remembered that OllyDbg has a run-DLL option! Let's load that up, run the DLL with it, and see what happens.

![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_open_ollydbg.png)
*Opening out.dll in OllyDbg*

After running the DLL we get the following output:

![image](https://nburns.tech/img/CTFs/NahamCon_2022/USB_flag.png)

Success! This one was fairly simple, but figuring out how to run a DLL took me longer than it should have. I'll have to keep OllyDbg in mind for future competitions.

Original writeup (https://nburns.tech/docs/CTFs/NahamCon_2022/Malware/USB_Drive).