CrySyS Sec Challenge 2014 - Changing Flags writeup

This task was given during the Security Challenge of 2014 under the “Word Processors FTW” group and was worth 50 points. The CrySyS Lab at BME made the CTF possible.

Description: Your friend sent you a document with some flag inside. You tried it, but it did not work. Why?

So I downloaded the file called flag.doc. When I opened the file, it asked me whether I wanted to allow macros, and when I allowed them, a line appeared which read:

The flag is: 5552168921F74BBF457F1B53B9CD70D9

(I had problems using Word on OSX but I was able to solve the problem in Windows)

Then I checked out the source code of the macro by enabling the developer option in Word:

Private Sub Document_Open()
    Txt = "The flag is: "
    Rnd (-1)
    Randomize (CInt(Format(Now(), "mmdd")))
    For i = 1 To 16
        Txt = Txt + Hex(Round(Rnd() * 256))
    Next i
    ActiveDocument.Range.Text = Txt
End Sub

Calling Rnd(-1) makes the generator return the same number every time, using -1 as the seed (because the argument is less than zero). The Randomize() function then sets the seed, and Now() returns the current date and time. So the reason we can’t see the correct flag is clear: the seed is taken from the date on which the macro runs, whereas Randomize() needs to use the date when the file was created. The creation date is easy to check in Word: it was September 27, 2014 at 6:52 PM. We only need the month and the day, since the Format function is called with “mmdd” as its argument. So we edit the code like this:

Private Sub Document_Open()
    Txt = "The flag is: "
    Rnd (-1)
    Randomize (CInt("0927"))
    For i = 1 To 16
        Txt = Txt + Hex(Round(Rnd() * 256))
    Next i
    ActiveDocument.Range.Text = Txt
End Sub

We get the following flag, which is correct:

The flag is: 5CAFB0ADE41E87FBC07CD613AA6B4649
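
The same fix without hand-editing the date, as an added example that is not part of the challenge macro or the original post: it reads the seed from the document's stored creation date and, going beyond the single date used above, also lists the macro's output for every mmdd value in case that metadata is missing or was changed. The names FlagForSeed, SeedFromCreationDate and ListAllCandidateFlags are hypothetical.

```vba
Option Explicit

' Rebuilds the macro's output for one numeric mmdd seed (927 = September 27).
Function FlagForSeed(ByVal seed As Integer) As String
    Dim i As Integer
    Dim txt As String
    Rnd (-1)              ' negative argument resets the generator state
    Randomize (seed)      ' same seed after Rnd(-1) gives the same sequence
    For i = 1 To 16
        ' Hex() does not zero-pad, so values below 16 yield a single digit
        txt = txt & Hex(Round(Rnd() * 256))
    Next i
    FlagForSeed = txt
End Function

' Derives the seed from the creation date stored in the open document.
Function SeedFromCreationDate() As Integer
    Dim created As Date
    created = ActiveDocument.BuiltInDocumentProperties("Creation Date").Value
    SeedFromCreationDate = CInt(Format(created, "mmdd"))
End Function

' Writes the flag for the stored creation date, then one candidate per
' calendar day, into a new document.
Sub ListAllCandidateFlags()
    Dim offset As Integer
    Dim d As Date
    Dim report As String
    ' Read the metadata first, while the challenge file is still active
    report = "creation date: " & FlagForSeed(SeedFromCreationDate()) & vbCrLf
    For offset = 0 To 365
        ' 2012 is a leap year, so 0229 is covered as well
        d = DateAdd("d", offset, DateSerial(2012, 1, 1))
        report = report & Format(d, "mmdd") & " " & _
                 FlagForSeed(CInt(Format(d, "mmdd"))) & vbCrLf
    Next offset
    Documents.Add.Range.Text = report
End Sub
```

Run ListAllCandidateFlags from the VBA editor with flag.doc as the active document; the first line of the new document uses the stored creation date, and the rest is the full list to check against.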
