We start the VM and connect to the machine via tryhackme’s VNC service.
We encounter a file in /home/ubuntu/mrphisher/MrPhisher.docm
We open this file in openoffice Writer and edit the macros. Looking through the classes we find this:
It seems to get an array and for each character it gets the value and xors it to its position in the array and adds it to the “b” variable.
Let’s code it in python!
ar = [102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88]
sol = ""
for i in range(0, len(ar)):
sol += chr(ar[i] ^ i)
print(sol)
And now we run it!
$ python3 reverse.py
flag{a39a07a239aacd40....