![](./brief.png) The challenge provides us with a simple web page ![](./images/start.png) It only allows us to upload a `.fods` file (OpenDocument Flat XML Spreadsheet) Uploading a simple file like the example below: ```xml TEXT ``` Produces the document: ![](./images/test_pdf.png) This will be used as our minimal working example later. After attempts trying XXE (XML External Entity) attack and doing some reading I decided to actually look at the pdf produced Downloading this `pdf` and running `exiftools` on it gives us: ``` [..] Creator : Calc Producer : LibreOffice 6.0 [..] ``` This shows us that the web application is converting the `.fods` file to a PDF using LibreOffice 6.0 Calc. Doing some research on LibreOffice gives us [CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871) ``` LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function. ``` Further research also provided a [proof of concept](https://github.com/jollheef/libreoffice-remote-arbitrary-file- disclosure) on GitHub. Stripping this proof of concepts lets us access local files using `=WEBSERVICE`, this gives us this minimal example: ```xml #VALUE! ``` When placed in the compiler we get this output! ![](./images/passwd.png) This is the last line of the `/etc/passwd` file and shows the arbitrary file read attack was successful. This attack is very interesting because it can be executed through normally innate files such as a spreadsheet or word document. Using the home directory we can see `/home/libreoffice_admin` as the users home directory. With a little trial and error, the file path used was `/home/libreoffice_admin/flag`. ![](./images/flag.png) FLAG ``` fb{wh0_7h0u6h7_l1br30ff1c3_c4n_b3_u53ful} ``` Original writeup (https://github.com/AidanFray/CTF_Writeups/blob/master/2019/FacebookCTF/pdfme/README.md).