swiss hacking challenge 2024 - cheated-results

Posted on May 1, 2024

Difficulty: medium

Categories: misc, forensics

Author: NoRelect

Just as Susan was about to release the yearly statistics about who printed how many pages of paper in 2024, Steve thought something was strange and that the report got tampered with. Some of his coworkers that love trees suddenly print 1000’s of pages?!

Can you help uncover who wanted to skip paying the fees and who falsely got accused of printing?

The flag is the list of people that have been falsely accused of printing, in the order they would have appeared in the original document, separated by a dash. If the names of the people were all John Doe, and four people were affected, the flag would look like this:

shc2024{John Doe-John Doe-John Doe-John Doe}

Files

print-results.xlsx: Microsoft Excel 2007+ file

Exploitation

Excel files are basically just zip archives. Extracting the file and looking inside of the xl folder, we get the following files:

xl
├── calcChain.xml
├── _rels
│   └── workbook.xml.rels
├── sharedStrings.xml
├── styles.xml
├── theme
│   └── theme1.xml
├── workbook.xml
└── worksheets
    └── sheet1.xml

We’re interested in the calcChain.xml file as it contains some weird anomalies:

<c r="D19" i="1" />
<c r="D20" i="1" />
<c r="D21" i="1" />
<c r="D22" i="1" />
<c r="D158" i="1" />
<c r="D24" i="1" />
<c r="D25" i="1" />
<c r="D26" i="1" />
...
<c r="D95" i="1" />
<c r="D96" i="1" />
<c r="D97" i="1" />
<c r="D155" i="1" />
<c r="D152" i="1" />
<c r="D100" i="1" />
<c r="D101" i="1" />
...
<c r="D146" i="1" />
<c r="D147" i="1" />
<c r="D148" i="1" />
<c r="D149" i="1" />
<c r="D99" i="1" />
<c r="D153" i="1" />
<c r="D154" i="1" />
<c r="D98" i="1" />
<c r="D156" i="1" />
<c r="D157" i="1" />
<c r="D23" i="1" />

Because the numbers were not changed but only moved around, calcChain.xml wasn’t updated when the “cheating” happened.
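An added example, not part of the original write-up, that automates spotting these anomalies: it reads xl/calcChain.xml from the ZIP container and reports every entry that falls outside the longest ascending run of row numbers. The function names and the sample chain are constructed for illustration, and the longest-ascending-run heuristic is an assumption about how to separate moved cells from untouched ones.

```python
import re
import zipfile
import xml.etree.ElementTree as ET
from bisect import bisect_left

# Constructed sample shaped like xl/calcChain.xml (not the challenge file):
# column D, rows 2..9, with the entries for rows 4 and 8 trading places.
SAMPLE = (
    '<calcChain xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    + "".join(f'<c r="D{n}" i="1"/>' for n in (2, 3, 8, 5, 6, 7, 4, 9))
    + "</calcChain>"
)

def read_calc_chain(xlsx_path):
    """Pull xl/calcChain.xml (as bytes) straight out of the .xlsx ZIP container."""
    with zipfile.ZipFile(xlsx_path) as zf:
        return zf.read("xl/calcChain.xml")

def chain_cells(xml_text):
    """Return (cell_ref, row_number) for every <c> entry, in file order."""
    root = ET.fromstring(xml_text)
    cells = [c.get("r") for c in root.iter() if c.tag.rsplit("}", 1)[-1] == "c"]
    return [(ref, int(re.search(r"\d+$", ref).group())) for ref in cells]

def displaced_cells(xml_text):
    """Entries outside the longest ascending run of rows, as (position, ref)."""
    cells = chain_cells(xml_text)
    tails, tail_idx, prev = [], [], [None] * len(cells)
    for i, (_, row) in enumerate(cells):
        k = bisect_left(tails, row)          # patience-sorting LIS step
        if k == len(tails):
            tails.append(row)
            tail_idx.append(i)
        else:
            tails[k], tail_idx[k] = row, i
        prev[i] = tail_idx[k - 1] if k else None
    keep, i = set(), (tail_idx[-1] if tail_idx else None)
    while i is not None:                     # walk back through the run
        keep.add(i)
        i = prev[i]
    return [(i, ref) for i, (ref, _) in enumerate(cells) if i not in keep]

if __name__ == "__main__":
    for pos, ref in displaced_cells(SAMPLE):
        print(f"chain position {pos}: {ref} breaks the ascending order")
```

The reported chain position is 0-based; the in-sequence neighbours on either side of a flagged entry indicate which row that slot held before the move.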

Based on these offsets and the Excel file contents we can reverse engineer the original order and get the flag:

Flag

shc2024{Michelle Price-Benjamin Patterson-Carol Hughes}

Conclusion

Took me some time to solve this. I initially looked at sharedStrings.xml, which had the same kind of switched up lines, but with an error. Nice challenge though, didn’t even think Excel would do this.