2016 Palo Alto Labyrenth CTF Doc 05
Again the fifth challenge is a zip file: 01E1B7BCFB39B4A666475991AF11C5762A489F9395C48B4E156526E1C6E4573F
But I have to first admit that I solved this one third, not fifth…in fact I got a message when I tried to submit the fifth challenge solution early that I had to do them in order. How did I do them out of order you ask? well remember in the very first document there was an extra
.7z file inside the zip. This was a 7Zip archive that contained ALL of the challenges (go look for yourself).
So running it through FileId showed only a little bit of macros:
So I crack the file open in Microsoft Excel….hmmm its only asking for a value and a button. You click the button and it says you stink and opens calc.exe. Wait what? there’s no macro’s how is this happening? So I open the file in eDoc. What is eDoc you say? its a GUI application for looking at the streams and folders inside an Ole Structured Storage container. I don’t have a link for it as the company that produced it no longer exists, but I still have the binary…besides a very similar tool is SSView by MiTec (in fact is in many ways better…but eDoc lets me search for hex/ascii values and do inline editing).
So perusing through the hex view of the
Workbook stream (i.e. where the actual workbooks live) we can easily see calc.exe (around stream offset 0x5b90 as well as other places) and several other strings that were NOT on the three sheets when we opened Excel eariler….HIDDEN SHEETS.
So open up excel, right click on and of the sheet names and click
unhide…a little dialog opens up and we can unhide the
secret sheet. But wait it looks empty. So we start looking through the formula values and eventually you will find cell A14 with this formula:
So here you need to know excel forumlas and you will see that the notation they’re using shows there is ANOTHER hidden sheet. what? how can this be you ask? well turns out that excel has something called a VeryHidden sheet (see KB213609, or just search the InterTubes yourself)
Hmmm, so how do we unhide a very hidden sheet? well just fix it in VBA. So there’s already a function
excelulate so I simply changed it to:
and then run it!
so we look at the newly discovered sheet and we find the crazy formula in F13:
So I copy this into another cell in the same sheet, but modifiy at so:
but wait it doesn’t run it! this sheet is showing the forumlas instead of running them. No problem, I go back to the
Sheet1 sheet and pick an empty cell and enter the formula:
and poof! we have this value:
we enter it into the CTF dialog