Really sorry for any confusion, all. The original challenge was broken a bit, in that you could upload it to sites like any.run or hybridanalysis and the flag would just show up on the page. It was patched earlier this week, and a new version with a new flag is available for download. I’m really sorry to anyone who worked hard and got the old flag. The good news is, the patched document is not that different, so you shouldn’t have too much issue solving again if you went the intended path.
Sorry again for the trouble, and hope everyone enjoys!
Hey I just downloaded the file today and tried to solve it. I am also still getting the “old” flag. If I google that flag i see a lot of results in any.run. sooo I got the feeling, that the flag is new, but the file on the HTB-Servers are still the old ones. Anyone having the same issue?
Hi everyone… I am new here with very little experience, tried out 0xdf forensic challenge now i have been stuck & going in circle for like 3 days now… didnt switch off my pc to avoid loosing progress any pointers help or assistance to get through this please…
I’m lost…I extracted zlib file from the photo but have no idea what I’m supposed to do with that, or with the spreadsheet… I read the hints in this post, but I’m not making much sense of it all being new to this. Any help?
The flag I found didn’t work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where they old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?
Hi again i managed to get the flag 7 days back, i still got a long way to go, the back n forth struggle helped me pick up on new stuff i never knew of, persistence and great content and tools from Didier Stevens and DissectMalware helped me successfully decode & deobfuscated the malicious MS Excel file.
The flag I found didn’t work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where they old flag may have been left over, but should all be functional here now with the current zip file hosted at HTB?
I believe I’m also getting the ‘old’ flag as of today after working with the file from a few days ago and re-downloading today.
Thanks for the challenge @0xdf, interesting vector.
If anyone is stuck, check @GlenRunciter link, and remember that you can pretty much modify anything to suit your needs, doing everything by hand may be too painful
this challenge should be ‘easier’ rate now that there are tools out there to modify the ‘flag’ easily?
love this challenge though, so real. thanks @0xdf.
for some unknown reason, my libreoffice was messing up with the formulas. Not sure why, so I opened it on a Windows VM using Excel, saved the not visible thing as tabulated text, and then wrote a python script to process and de-obfuscate the thing. After that, the flag just appeared.
hmmmm… I did some basic stuff with the .xls-file and I think I found the 2nd part of the flag. Could it be or is that a rabbit hole? Submitting HTB{MY_FINDINGS} doesn’t work
Edit: nvw. Found the flag. Cool challenge. But I don’t know, whether my way was the best solution or just “luck”
Wow i didn’t you could do such nasty stuff with an Excel spreadsheet. What a nightmare to analyze, but ultimately i got it. I’m sure it was even more painful to put together so well done 0xdf for this challenge!
Certainly an interesting challenge. Working out that last step isn’t so bad, just work backwards. I didn’t have any joy using herusitcs or automation, I had to do it the hard way.
I have decoded so far to an actual powershell script and I am stumped and I see partial pieces of the flag but looks to be scrambled. Any guidance would be appreciated.
(Sorry Wrong Thread was meant for EMO challenge)