CrySyS Sec Challenge 2014 - Changing Flags writeup30 Jul 2015
This writeup was cross-posted from balazsrostas.me. Author: Balázs Rostás.
This task was given during the Security Challenge of 2014 under the “Word Processors FTW” group and was worth 50 points. The CrySys Lab at BME made the CTF possible.
Description: Your friend sent you a document with some flag inside. You tried it, but it did not work. Why?
So I downloaded the file called flag.doc. When I opened the file it asked me if I want to allow macros and when I did allow it a line appeared which read:
The flag is: 5552168921F74BBF457F1B53B9CD70D9
(I had problems using Word on OSX but I was able to solve the problem in Windows)
Then I checked out the source code of the macro by enabling the developer option in word:
Private Sub Document_Open() Txt = "The flag is: " Rnd (-1) Randomize (CInt(Format(Now(), "mmdd"))) For i = 1 To 16 Txt = Txt + Hex(Round(Rnd() * 256)) Next i ActiveDocument.Range.Text = Txt End Sub
The Rnd(-1) part makes sure that it produces the same random number every time with the seed of -1 (because -1 is less than zero). The Randomize() function sets the seed and Now() returns the current date and time. So the reason why we can’t see the correct flag is obvious, the Randomize() function needs to use the date when the file was created. We can easily check the date of creation in Word and it was September 27, 2014 at 6:52 PM. We only need the month and the day since the Format function has the “mmdd” as argument. So by editing the code like this:
Private Sub Document_Open() Txt = "The flag is: " Rnd (-1) Randomize (CInt("0927")) For i = 1 To 16 Txt = Txt + Hex(Round(Rnd() * 256)) Next i ActiveDocument.Range.Text = Txt End Sub
We get the correct flag.