[Forensics] oBfsC4t10n2

Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I’m really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn’t have too much issue solving again if you went the intended path.

Sorry again for the trouble, and hope everyone enjoys!

@0xdf said:

Sorry again for the trouble, and hope everyone enjoys!

It shouldn’t be too much trouble, as far as I can see you can get the flag pretty much the same way. Nice work reacting to the issue so quickly though.

Type your comment> @0xdf said:

Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I’m really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn’t have too much issue solving again if you went the intended path.

Sorry again for the trouble, and hope everyone enjoys!

Hey I just downloaded the file today and tried to solve it. I am also still getting the “old” flag. If I google that flag i see a lot of results in any.run. sooo I got the feeling, that the flag is new, but the file on the HTB-Servers are still the old ones. Anyone having the same issue?

@0xdf ,
Thank you for an amazing challenge!

Hi everyone… I am new here with very little experience, tried out 0xdf forensic challenge now i have been stuck & going in circle for like 3 days now… didnt switch off my pc to avoid loosing progress any pointers help or assistance to get through this please…

Woah! The hints helped a lot! Thanks @0xdf for the enticing challenge! Hints by @limbernie and @GlenRunciter were on point, ■■■■. Big woah for me!

I’m lost…I extracted zlib file from the photo but have no idea what I’m supposed to do with that, or with the spreadsheet… I read the hints in this post, but I’m not making much sense of it all being new to this. Any help?

found fake flag

The flag I found didn’t work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where they old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?

Hi again i managed to get the flag 7 days back, i still got a long way to go, the back n forth struggle helped me pick up on new stuff i never knew of, persistence and great content and tools from Didier Stevens and DissectMalware helped me successfully decode & deobfuscated the malicious MS Excel file.

Type your comment> @chm0dx said:

The flag I found didn’t work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where they old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?

I believe I’m also getting the ‘old’ flag as of today after working with the file from a few days ago and re-downloading today.

Found by using a mix of guessing and automated tools.
Thanks to @joeblogg801 that gave me a more detailed explanation about the chall.

Thanks for the challenge @0xdf, interesting vector.

If anyone is stuck, check @GlenRunciter link, and remember that you can pretty much modify anything to suit your needs, doing everything by hand may be too painful :wink:

this challenge should be ‘easier’ rate now that there are tools out there to modify the ‘flag’ easily?
love this challenge though, so real. thanks @0xdf.

Hi there,

for some unknown reason, my libreoffice was messing up with the formulas. Not sure why, so I opened it on a Windows VM using Excel, saved the not visible thing as tabulated text, and then wrote a python script to process and de-obfuscate the thing. After that, the flag just appeared.

Nice challenge!

Cheers,

hmmmm… I did some basic stuff with the .xls-file and I think I found the 2nd part of the flag. Could it be or is that a rabbit hole? Submitting HTB{MY_FINDINGS} doesn’t work :slight_smile:

Edit: nvw. Found the flag. Cool challenge. But I don’t know, whether my way was the best solution or just “luck”

Got it!
It was easy and interesting. If you solve first challenge (oBfsC4t10n) it would be more easy, because you learn some new tactics.

Wow i didn’t you could do such nasty stuff with an Excel spreadsheet. What a nightmare to analyze, but ultimately i got it. I’m sure it was even more painful to put together so well done 0xdf for this challenge!

Did it manually, had problem to solve it with automated tools (X*****************r). Someone used this tools?

Certainly an interesting challenge. Working out that last step isn’t so bad, just work backwards. I didn’t have any joy using herusitcs or automation, I had to do it the hard way.