Diagnostics

Technical Walkthrough

Writeup

Challenge

• Name: Diagnostics
• Category: Forensics
• Difficulty: Easy
• Mode: remote

Summary

The phishing document is a DOCX/OOXML file disguised with a .doc extension. It does not contain macros. Instead, it uses an external OLE relationship to pull an HTML stage from diagnostic.htb. That HTML stage contains an ms-msdt: URI with an embedded Base64 PowerShell command. Static decoding and PowerShell format-string reconstruction reveals a flag-bearing payload filename.

Artifact Inventory

• Remote host: <TARGET>:30790.
• files/layoffs.doc: downloaded phishing document, ZIP/OOXML format.
• files/extracted/: extracted OOXML parts from the document.
• files/223_index_style_fancy.html: active hosted HTML stage.
• analysis/solver/stage1-powershell-redacted.txt: decoded active PowerShell payload with flags redacted.
• analysis/solver/reconstructed-strings-redacted.txt: reconstructed PowerShell format strings with flags redacted.
• solve/solve.py: reproducible static solver.

Analysis

The scenario gave the URL diagnostic.htb/layoffs.doc, so the first step was to request the document from the Docker host while preserving evidence. The downloaded file is a ZIP archive, and unzip -l shows a small Word OOXML structure rather than a binary OLE macro document.

The important file is:

files/extracted/word/_rels/document.xml.rels

It contains an external OLE object relationship:

http://diagnostic.htb/223_index_style_fancy.html!

Fetching the no-bang version of that URL returns an HTML stage. The stage assigns location.href to an ms-msdt: URI. Inside the URI, the active payload is a Base64 string passed to FromBase64String(...).

Decoding that Base64 gives PowerShell that reconstructs strings with the -f format operator. The first reconstructed string is a filename ending in .exe; the flag is embedded in that filename. No macro, MSDT URI, PowerShell, or downloaded executable was executed.

Solve

Run:

cd <local workspace>
python3 solve/solve.py

The solver:

1. Parses files/layoffs.doc as a ZIP/OOXML document.
2. Reads word/_rels/document.xml.rels.
3. Extracts the external OLE target and strips the trailing !.
4. Uses the live Docker host with Host: diagnostic.htb if the HTML stage needs to be fetched.
5. Extracts and decodes the active Base64 PowerShell payload.
6. Emulates PowerShell -f string formatting.
7. Extracts the HTB-format flag from the reconstructed filename.
8. Writes the flag candidate to loot/flag-candidate.txt.

The harness captures the final flag to loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• A .doc extension does not mean legacy OLE; inspect file type before choosing tooling.
• Malicious Office docs may use external OOXML relationships instead of embedded macros.
• The trailing ! in the OLE relationship is part of Word's link syntax; the server stage may live at the no-bang path.
• Follina-style payloads can be analyzed safely by decoding the ms-msdt: URI and emulating PowerShell string operations statically.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Diagnostics
• Category: Forensics
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:30790
• Start time: 2026-06-09T14:55:15Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service <TARGET>:30790 serves layoffs.doc from the phishing clue.
• files/layoffs.doc is a ZIP-based Word/OOXML document, not a legacy OLE .doc macro file.
• The document has no visible body text and no vbaProject.bin; the suspicious behavior is in OOXML relationships.
• word/_rels/document.xml.rels contains external OLE relationship rId996:

- Type: officeDocument/2006/relationships/oleObject

- Target: http://diagnostic.htb/223_index_style_fancy.html!

- TargetMode: External

• The relationship target with the trailing ! returned 404, but the no-bang path /223_index_style_fancy.html returned the active HTML stage.
• The HTML stage sets location.href to an ms-msdt: URI, matching Follina-style diagnostic handler abuse.
• The ms-msdt: URI embeds an active Base64 PowerShell payload in FromBase64String(...).
• The decoded PowerShell reconstructs a payload filename with the -f string format operator.
• The reconstructed filename contains the HTB-format flag; the solver extracts it statically without executing the document, MSDT URI, PowerShell, or binary.
• Reproducible solver: solve/solve.py.
• Raw flag captured by the harness and stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Forensics
• Challenge: Diagnostics
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Download the phishing document from the Docker host using the diagnostic.htb clue.
2. Identify the .doc as a ZIP/OOXML Word document.
3. Inspect word/_rels/document.xml.rels for external OLE relationships.
4. Find the external HTML stage referenced by the OLE relationship.
5. Fetch the no-bang version of the relationship target.
6. Decode the Follina-style ms-msdt: HTML stage statically.
7. Extract the active Base64 PowerShell payload from FromBase64String(...).
8. Emulate the PowerShell -f string format operator.
9. Extract the flag from the reconstructed payload filename.

Reusable Lessons

• Always inspect OOXML relationships for external targets when a malicious Office document has no macros.
• For OLE link targets ending in !, try the same URL without ! when fetching the hosted stage manually.
• Follina-style ms-msdt: payloads often hide the interesting string in Base64 PowerShell plus format-string reconstruction.

Dead Ends

• Treating the file as a legacy OLE macro document: not applicable; it is ZIP/OOXML.
• Fetching the relationship URL with the trailing bang: returned 404; the active stage is the no-bang path.
• Decoding long Base64 comment blobs in the HTML: they are decoy song lyrics, not the active payload.

Tool Quirks

• Optional tools such as exiftool, binwalk, and olevba were unavailable, but ZIP/XML/Python tooling was sufficient.
• The harness remote-profile gate required local-memory fallback before a Proceed evaluator, so <secret redacted>md was recorded as advisory context.

Evidence Paths

• files/layoffs.doc
• files/extracted/word/_rels/document.xml.rels
• files/223_index_style_fancy.html
• analysis/remote/223_index_style_fancy-no-bang.html
• analysis/solver/stage1-powershell-redacted.txt
• analysis/solver/reconstructed-strings-redacted.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Forensics
• Challenge: Diagnostics
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Download the phishing document from the Docker host using the diagnostic.htb clue.
2. Identify the .doc as a ZIP/OOXML Word document.
3. Inspect word/_rels/document.xml.rels for external OLE relationships.
4. Find the external HTML stage referenced by the OLE relationship.
5. Fetch the no-bang version of the relationship target.
6. Decode the Follina-style ms-msdt: HTML stage statically.
7. Extract the active Base64 PowerShell payload from FromBase64String(...).
8. Emulate the PowerShell -f string format operator.
9. Extract the flag from the reconstructed payload filename.

Reusable Lessons

• Always inspect OOXML relationships for external targets when a malicious Office document has no macros.
• For OLE link targets ending in !, try the same URL without ! when fetching the hosted stage manually.
• Follina-style ms-msdt: payloads often hide the interesting string in Base64 PowerShell plus format-string reconstruction.

Dead Ends

• Treating the file as a legacy OLE macro document: not applicable; it is ZIP/OOXML.
• Fetching the relationship URL with the trailing bang: returned 404; the active stage is the no-bang path.
• Decoding long Base64 comment blobs in the HTML: they are decoy song lyrics, not the active payload.

Tool Quirks

• Optional tools such as exiftool, binwalk, and olevba were unavailable, but ZIP/XML/Python tooling was sufficient.
• The harness remote-profile gate required local-memory fallback before a Proceed evaluator, so <secret redacted>md was recorded as advisory context.

Evidence Paths

• files/layoffs.doc
• files/extracted/word/_rels/document.xml.rels
• files/223_index_style_fancy.html
• analysis/remote/223_index_style_fancy-no-bang.html
• analysis/solver/stage1-powershell-redacted.txt
• analysis/solver/reconstructed-strings-redacted.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Diagnostics
• Category: Forensics
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:30790
• Start time: 2026-06-09T14:55:15Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service <TARGET>:30790 serves layoffs.doc from the phishing clue.
• files/layoffs.doc is a ZIP-based Word/OOXML document, not a legacy OLE .doc macro file.
• The document has no visible body text and no vbaProject.bin; the suspicious behavior is in OOXML relationships.
• word/_rels/document.xml.rels contains external OLE relationship rId996:

- Type: officeDocument/2006/relationships/oleObject

- Target: http://diagnostic.htb/223_index_style_fancy.html!

- TargetMode: External

• The relationship target with the trailing ! returned 404, but the no-bang path /223_index_style_fancy.html returned the active HTML stage.
• The HTML stage sets location.href to an ms-msdt: URI, matching Follina-style diagnostic handler abuse.
• The ms-msdt: URI embeds an active Base64 PowerShell payload in FromBase64String(...).
• The decoded PowerShell reconstructs a payload filename with the -f string format operator.
• The reconstructed filename contains the HTB-format flag; the solver extracts it statically without executing the document, MSDT URI, PowerShell, or binary.
• Reproducible solver: solve/solve.py.
• Raw flag captured by the harness and stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.