[Forensics] oBfsC4t10n2

There are lots of ways to solve this challenge. You can guess, you can run, or you can analyze. I found the last option the most rewarding as I learned something new.

I would love to know how to analyze without excel, the tools I am aware off produce hard to follow output.

It’s a pretty new phishing maldoc. Kudos to @0xdf for replacing the malicious C2 with a innocuous one so that even if you open in Excel you are not downloading and executing anything. Having said that, I did the analysis in Linux, LibreOffice Calc to be exact. Expect lots of cells, formulas, and jumping here and there.

Hi guys,
without using excel, I’ve been able to find that the old “friends” are still around. I still miss the first part of the sentence tho.
Might be my bad, not beeing able to analize or jump among cells nad formulas…I’d need a hint.

Thanks

Personally, this article helped me a lot: Excel 4.0 Macro MalSpam Campaigns - SpiderLabs | Trustwave

pay atention to EXCEL.EXE parent process with sysinternals tools :wink:

Very, very interesting challenge.
Can anybody help me with flag format ?
I have so many pieces from sheet that I can’t figure out what is final goal as excel will not do evil exec. :smile:

ADDED:

I definitely NEED HELP:
Thanks to @win32k and @GlenRunciter which confirmed me, I know that I have correct flag.
What ever I tried, I am getting “Incorrect Flag” \n “Try Harder”.

Sent a message to @0xdf.
@0xdf Thank you for interesting challenge !

Type your comment> @goxy2101 said:

Very, very interesting challenge.
Can anybody help me with flag format ?
I have so many pieces from sheet that I can’t figure out what is final goal as excel will not do evil exec. :smile:

ADDED:

I definitely NEED HELP:
Thanks to @win32k and @GlenRunciter which confirmed me, I know that I have correct flag.
What ever I tried, I am getting “Incorrect Flag” \n “Try Harder”.

Sent a message to @0xdf.
@0xdf Thank you for interesting challenge !

I also facing the same problem , definitely i got the right flag but when trying to submit i get an error . anyone else had that issue ?

Same here… I put flag into a file and got the sha256sum
24D8789F68C452B101609B5D84C736019F060468A1781EEE9282431B225E5136

Same here, issue on several machines. So, I guess it’s the site.

Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I’m really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn’t have too much issue solving again if you went the intended path.

Sorry again for the trouble, and hope everyone enjoys!

@0xdf said:

Sorry again for the trouble, and hope everyone enjoys!

It shouldn’t be too much trouble, as far as I can see you can get the flag pretty much the same way. Nice work reacting to the issue so quickly though.

Type your comment> @0xdf said:

Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I’m really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn’t have too much issue solving again if you went the intended path.

Sorry again for the trouble, and hope everyone enjoys!

Hey I just downloaded the file today and tried to solve it. I am also still getting the “old” flag. If I google that flag i see a lot of results in any.run. sooo I got the feeling, that the flag is new, but the file on the HTB-Servers are still the old ones. Anyone having the same issue?

@0xdf ,
Thank you for an amazing challenge!

Hi everyone… I am new here with very little experience, tried out 0xdf forensic challenge now i have been stuck & going in circle for like 3 days now… didnt switch off my pc to avoid loosing progress any pointers help or assistance to get through this please…

Woah! The hints helped a lot! Thanks @0xdf for the enticing challenge! Hints by @limbernie and @GlenRunciter were on point, ■■■■. Big woah for me!

I’m lost…I extracted zlib file from the photo but have no idea what I’m supposed to do with that, or with the spreadsheet… I read the hints in this post, but I’m not making much sense of it all being new to this. Any help?

found fake flag

The flag I found didn’t work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where they old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?

Hi again i managed to get the flag 7 days back, i still got a long way to go, the back n forth struggle helped me pick up on new stuff i never knew of, persistence and great content and tools from Didier Stevens and DissectMalware helped me successfully decode & deobfuscated the malicious MS Excel file.

Type your comment> @chm0dx said:

The flag I found didn’t work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where they old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?

I believe I’m also getting the ‘old’ flag as of today after working with the file from a few days ago and re-downloading today.