Explanation
In the Naught Challenge, you are given an XLSX document that contains a “redacted” flag. The description for the challenge reads, “The Last Minute CTF has redacted the flag from this document. Please recover it.” The use of the word “recover” suggests that perhaps information has been deleted in the file.
The file extension XLSX is associated with the XML based Excel file format. If we open the document, we see there is Sheet1 and Sheet3 but not Sheet2.
Our challenge seems to be related to recovering information located in Sheet2. Since XLSX files can be opened in the same was as a compressed file, I choose to use 7zip to open it.
In Naught.xlsx\xl\worksheets, we see sheet1.xml, sheet2.xml, and sheet3.xml.
If we open sheet2.xml in a text editor, there is content that apears to be arranged in rows and columns which is consistent with that we would expect to see with a spreadsheet.
Since information in the xlsx file appears to be corrupted, I deleted sheet1.xml in the xlsx file and renamed sheet2.xml to sheet1.xml since the xlsx file already has the required information about sheet1.xml to display its data.
Now Naught.xlsx can be opened and we can access the data in what was sheet2 in the the new sheet1.
Each row has one cell hightlighted. Starting with the first row, I made a list of the values.
SHA-256
You
Incorrect
Yellow
Echo
Lima
Tango
Omega
Chelsea
Spaces
From those entries, it looks like we need to use SHA-256 to generate the hash value of those words as a string. The last highlighted cell is the word “Spaces” so we will add spaces between each word when we create the string to generate its hash value.
We can use a number of tools to calculate hash values of strings but in this case, I used CyberChef.
Since SHA-256 is really SHA2 using a size of 256, we will add SHA2 to our Recipe, select a 256 from the drop down box for the Size, and enter the words from Sheet1 with spaces between them.
CyberChef outputs the value a7f79674938f6e62fcce7c5aac4eaf3581fceffb88d7d17b83c72895a54aa0d7. When we add that between the curly brackets of BTC{}, it becomes BTC{a7f79674938f6e62fcce7c5aac4eaf3581fceffb88d7d17b83c72895a54aa0d7} and that is our flag.
Solving the Challenge
- Browse to http.//18.205.188.77/challenges.
- Click Naught
- Click Naught.xlsx to download the document.
- Using 7zip, open Naught.xlsx.
- Double click xl
- Double click worksheets
- Delete sheet1.xml
- Rename sheet2.xml to sheet1.xml
- Close Naught.xlsx that is open in 7zip.
- Open Naught.xlsx in Excel.
- When Excel prompts you if you want to try to recovery information, choose Yes.
- When Excel displays information on the repairs it made to the file, click Close.
- Click Sheet1
- Browse to https.//gchq.github.io/CyberChef/
- Sheet1 shows the hashing algorithm is SHA-256 (which is SHA2 with a size of 256), so drag SHA2 to the Recipe.
- Click Size and click 256.
- Type the highlighted words beginning with “You” from top to bottom into the Input for CyberChef. The last row of text has the word “Spaces” highlighted, so separate your words in the Input for CyberChef with spaces.
- Your value for the Input in CyberChef should be “Your Incorrect Yellow Echo Lima Tango Chelsea” (without quotation marks).
- Copy and paste the Output in CyberChef into Notepad. The Output in CyberChef will be a7f79674938f6e62fcce7c5aac4eaf3581fceffb88d7d17b83c72895a54aa0d7
- Add “BTC{“ (without quotes) to the string in Notepad.
- Add “}” (without quotes) to the string in Notepad.
- The flag is BTC{a7f79674938f6e62fcce7c5aac4eaf3581fceffb88d7d17b83c72895a54aa0d7}
- Paste the flag into the Flag field.
- Click Submit.
Instance address