1. What is the username (email address of Grinch Enterprises) from the decoded script?
ANS: Grinch.Enterprises.2021@gmail.com
EXPLANATION:
Step 1:
oledump.py C:\Users\Administrator\Desktop\Santa_Claus_Naughty_List_2021\Santa_Claus_Naughty_List_2021.doc
Step 2:
oledump.py C:\Users\Administrator\Desktop\Santa_Claus_Naughty_List_2021\Santa_Claus_Naughty_List_2021.doc -s 8 -S
Step 3: Copy the base64 string from the stream output and paste it into CyberChef.
Step 4: Apply the recipe From Base64 → XOR (Key: 35, Decimal) → From Base64.
Step 5: Copy the decoded output and paste it into Notepad (just to view it more clearly).
2. What is the mailbox password you found?
ANS: S@ntai$comingt0t0wn
EXPLANATION:
Step 1: The answer is in the decoded script we pasted into Notepad.
3. What is the subject of the email?
ANS: Christmas Wishlist
EXPLANATION:
Step 1: The answer is in the decoded script we pasted into Notepad.
4. What port is the script using to exfiltrate data from the North Pole?
ANS: 587
EXPLANATION:
Step 1: The script sends mail through Gmail's SMTP server, so we look up the port Gmail uses for SMTP submission.
5. What is the flag hidden found in the document that Grinch Enterprises left behind? (Hint: use the following command oledump.py -s {stream number} -d, the answer will be in the caption).
ANS: YouFoundGrinchCookie
EXPLANATION:
Step 1:
oledump.py C:\Users\Administrator\Desktop\Santa_Claus_Naughty_List_2021\Santa_Claus_Naughty_List_2021.doc -s 7 -S
and search the strings output for the caption.
6. There is still a second flag somewhere… can you find it on the machine?
ANS: S@nt@c1Au$IsrEAl
EXPLANATION:
Step 1: In Question 1 we found the decoded script. In it, we noticed the child file refers to the Pictures directory and a folder called Grinch2021.
*****************THANK YOU****KEEP LEARNING ******************
I hope this walkthrough helps you. If so, a like on the write-up and a follow on the blog and profile will be much appreciated.
FOLLOW MY PROFILE FOR MORE WRITE-UPS
****************************PEACE********************************