[Forensics] oBfsC4t10n2

Hi everyone... I am new here with very little experience. I tried out 0xdf's forensic challenge and now I have been stuck and going in circles for about 3 days. I didn't switch off my PC to avoid losing progress. Any pointers, help or assistance to get through this, please...

Woah! The hints helped a lot! Thanks @0xdf for the enticing challenge! Hints by @limbernie and @GlenRunciter were on point, ■■■■. Big woah for me!

I'm lost... I extracted a zlib file from the photo but have no idea what I'm supposed to do with that, or with the spreadsheet... I read the hints in this post, but I'm not making much sense of it all, being new to this. Any help?
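Several posts in this thread mention pulling a zlib stream out of the image before getting to the spreadsheet. As an added example (not code from the challenge or from any poster), here is a small carver that scans a binary blob for valid zlib headers and tries to inflate from each candidate offset. The "photo" below is a constructed byte string with a zlib stream embedded, so the script runs offline; the payload text and offsets are assumptions for the demo, not challenge data.

```python
import zlib

# Constructed sample: a PNG-like signature, some padding, an embedded zlib
# stream, and trailing junk. Not a real photo; built so the example runs offline.
HIDDEN = b"constructed payload: this is what the carver should recover"
SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + zlib.compress(HIDDEN) + b"\xff" * 16


def zlib_candidates(data):
    """Yield every offset whose two bytes form a syntactically valid zlib header.

    CMF: low nibble 8 = deflate, high nibble (CINFO) <= 7 (window size).
    FLG: chosen so that (CMF * 256 + FLG) is a multiple of 31.
    """
    for i in range(len(data) - 1):
        cmf, flg = data[i], data[i + 1]
        if cmf & 0x0F == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0:
            yield i


def carve_zlib(data, min_len=8):
    """Return (offset, decompressed_bytes) for each candidate that fully inflates.

    decompressobj ignores trailing garbage after the stream's end, and d.eof
    confirms the stream actually terminated (adler32 checked), which filters
    out most header-shaped false positives. Very short results are dropped too.
    """
    found = []
    for off in zlib_candidates(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[off:])
        except zlib.error:
            continue
        if d.eof and len(out) >= min_len:
            found.append((off, out))
    return found


if __name__ == "__main__":
    for off, blob in carve_zlib(SAMPLE):
        print(f"zlib stream at offset 0x{off:x}: {len(blob)} bytes -> {blob[:40]!r}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `carve_zlib`; expect some false positives inside already-compressed regions, which is why the end-of-stream check matters more than the header match.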

found fake flag

The flag I found didn't work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where the old flag may have been left over, but should it all be functional now with the current zip file hosted at HTB?

Hi again. I managed to get the flag 7 days back. I still have a long way to go, but the back and forth struggle helped me pick up on new stuff I never knew of. Persistence, and the great content and tools from Didier Stevens and DissectMalware, helped me successfully decode and deobfuscate the malicious MS Excel file.

@chm0dx said:

> The flag I found didn't work, either. Even downloaded the zip a couple more times. Will take another look and see if I found it via an unintended route where the old flag may have been left over, but should it all be functional now with the current zip file hosted at HTB?

I believe I'm also getting the 'old' flag as of today, after working with the file from a few days ago and re-downloading today.

Found it by using a mix of guessing and automated tools.
Thanks to @joeblogg801, who gave me a more detailed explanation of the challenge.

Thanks for the challenge @0xdf, interesting vector.

If anyone is stuck, check @GlenRunciter's link, and remember that you can pretty much modify anything to suit your needs; doing everything by hand may be too painful :wink:

Should this challenge be rated 'easier' now that there are tools out there to modify the 'flag' easily?
Love this challenge though, so real. Thanks @0xdf.

Hi there,

For some unknown reason, my LibreOffice was messing up the formulas. Not sure why, so I opened it on a Windows VM using Excel, saved the not-visible thing as tab-delimited text, and then wrote a Python script to process and deobfuscate it. After that, the flag just appeared.

Nice challenge!

Cheers,

Hmmmm... I did some basic stuff with the .xls file and I think I found the 2nd part of the flag. Could it be, or is that a rabbit hole? Submitting HTB{MY_FINDINGS} doesn't work :slight_smile:

Edit: nvm. Found the flag. Cool challenge. But I don't know whether my way was the best solution or just "luck".

Got it!
It was easy and interesting. If you solve the first challenge (oBfsC4t10n) it will be easier, because you learn some new tactics.

Wow, I didn't know you could do such nasty stuff with an Excel spreadsheet. What a nightmare to analyze, but ultimately I got it. I'm sure it was even more painful to put together, so well done 0xdf for this challenge!

Did it manually; I had problems solving it with automated tools (X*****************r). Has anyone used this tool?

Certainly an interesting challenge. Working out that last step isn't so bad, just work backwards. I didn't have any joy using heuristics or automation; I had to do it the hard way.

I have decoded it so far to an actual PowerShell script and I am stumped. I see partial pieces of the flag but it looks to be scrambled. Any guidance would be appreciated.
(Sorry, wrong thread; this was meant for the EMO challenge.)

Wow, I really didn't expect to solve this one statically!
Having no Windows / Excel helped xD
Some crazy work it is, thanks a ton @0xdf!

Is the right flag still there? Or is there a fake one inside? Looks like I found it but it doesn't work.
flag md5: a5e10b45863045c643c4fca53db1de40

Ahahah, my bad, there are 2 challenges with almost the same name, and I sent the flag to the wrong one. One is oBfsC4t10n, the other one oBfsC4t10n2.