Jump to content











Photo

Challenge #17 - Find the key hidden in this document


  • Please log in to reply
22 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 12 September 2011 - 09:34 PM

By looking carefully at this document, you will get good clues at where the key might be found. The challenge is two staged. In both stages it helps if you are familiar with the format of the newer Office documents. When you have the key, it is a string starting with "key=". The key itself contains 12 alphanumerical characters. If you know the trick, the challenge should be solved in no time. Good luck.

Try it here.

Attached Files


  • Nuno Brito likes this

#2 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 13 September 2011 - 12:12 AM

I'm more familiar with older word documents from 2003, but I tried changing to .zip to view all of the xml contents, and I haven't found anything yet. I have tried hex editing, but still in the process. This is a good challenge though joakim, thanks :) I hope this will help me learn about the updated word format.

The task is about retrieving hidden data inside this document. The data itself is compressed by deflate (standard compression method in most zip archives).


Is this related to the contents of the document itself or the key itself within the contents of the document? So far I have understood the format of the content is just a zipped archive containing xml files for the content.

#3 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 13 September 2011 - 12:18 AM

Original post updated with a link to try out the challenge.

#4 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 13 September 2011 - 12:23 AM

I think that I found where the key is hidden. But I don't know yet how to extract this stream.

#5 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 13 September 2011 - 12:24 AM

I think that I found where the key is hidden. But I don't know yet how to extract this stream.

Good work, Icecube :clap:

#6 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 04:17 AM

@AceInfinity
You must look at the file format (ie zip). Using any MS Office tool will do no good.

Icecube is on the right track. Did you find it?

#7 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 13 September 2011 - 08:17 AM

@AceInfinity
You must look at the file format (ie zip). Using any MS Office tool will do no good.

Icecube is on the right track. Did you find it?


Yes I already viewed all of the files through Winrar and extracted them, but I don't have any regular docx to compare to on my computer. I'll create one and see if I can find something.

Edit: I still haven't found any entry for key= in the xml files after a second look from the time I first posted. I may be getting this wrong, but do you mean that there's a value in the xml somewhere as key="VALUE"?

#8 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 13 September 2011 - 08:32 AM

@ AceInfinity
A hint:
Spoiler


#9 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 13 September 2011 - 08:38 AM

The only difference I see is the change in a newer file called stylesWithEffects.xml

#10 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 08:50 AM

The only difference I see is the change in a newer file called stylesWithEffects.xml

The trick is to look at those parts of the document that MS Office does not know about. Looking at the file in a hex-editor might reveal stuff. When found, the key will be in the form; key=a0ss98d765h5 and you would test the key by checking a0ss98d765h5.

#11 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 13 September 2011 - 08:52 AM

Ahh... I was using key=" to start the value for key="something"

Edit: Nope, I'm still not finding anything, I searched through all of the xml files in Notepad++ with the search key:

key=

And it came up with nothing.

My hex editor isn't finding anything either for some reason.... I must be doing something really stupid, I know it lol. It's around 3am for me right now.

#12 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 09:05 AM

Looking at the xml parts of the file, is wrong. Searching for the string also leads nowhere, as it is compressed. As explained and visible when opening the file in MS Office/Word, the compression method is given. Searching google may give clues, if searching for the right words.

#13 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 13 September 2011 - 09:10 AM

Looking at the xml parts of the file, is wrong. Searching for the string also leads nowhere, as it is compressed. As explained and visible when opening the file in MS Office/Word, the compression method is given. Searching google may give clues, if searching for the right words.


No I wasn't viewing the actual file in hex editor, I was viewing some of the compressed file contents in my hex editor.

#14 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 09:16 AM


No I wasn't viewing the actual file in hex editor, I was viewing some of the compressed file contents in my hex editor.

Viewing the actual file in a hex-editor would be recommended, and knowledge about zip will most likely help you.

#15 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 13 September 2011 - 09:24 AM

I use RAR most of the time, almost minimal knowledge for zip other than it's usually a base-64 compression method DEFLATE. I'm not going to bother with it until tomorrow though lol i'm not getting anywhere currently... I need to try again when I'm fully awake

#16 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 09:40 AM

You may get surprised to find out that you are dealing with yet another document...

#17 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 13 September 2011 - 11:44 AM

You may get surprised to find out that you are dealing with yet another document...

Powerpoint?

#18 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 11:51 AM

Powerpoint?

You will see when you get there.. The key is protected by at least 2 layers, and it is not possible to take any shortcuts. First layer must be solved before the second. Layers are logically somewhat similar.

#19 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 13 September 2011 - 11:54 AM

You will see when you get there.. The key is protected by at least 2 layers

I have a Powerpoint presentation, but no key.
And no idea yet. And far away from two ideas. :frusty:
And unfortunately my lunch break terminates.

#20 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 11:58 AM

I have a Powerpoint presentation, but no key.
And no idea yet. And far away from two ideas. :frusty:

If that's the case, then first layer is unpacked.

#21 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 13 September 2011 - 10:20 PM

Found the key.

#22 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2011 - 10:26 PM

Good work!! :clap:

#23 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2011 - 08:01 AM

For those still struggling with it:

Good hints and helpers may be found at forensicfocus. In the end you will need to change 1 byte to get the actual key (unless you did not use this "helper" and did everything by yourself, in which case you should be able to get the key without changing a single byte).




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users