MacroHard WeakEdge is a forensics puzzle worth 60 points.
The description is as follows:
I've hidden a flag in this file. Can you find it? Forensics is fun.pptm
Provided is a PowerPoint file Forensics is fun.pptm:
% file Forensics\ is\ fun.pptm
Forensics is fun.pptm: Microsoft PowerPoint 2007+
First, I tried to dump the macros out of this file using olevba:
PS C:\> olevba 'Forensics is fun.pptm'
olevba 0.60 on Python 3.9.6 - http://decalage.info/python/oletools
===============================================================================
FILE: Forensics is fun.pptm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: ppt/vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub not_flag()
Dim not_flag As String
not_flag = "sorry_but_this_isn't_it"
End Sub
No suspicious keyword or IOC found.
Hmm, it's probably elsewhere in the file. I blew this PowerPoint file apart with unzip and noticed this file:
inflating: ppt/slideMasters/hidden
The contents of this file appear to be base64 encoded, with a space between each character:
% cat ppt/slideMasters/hidden
Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q
Decoding this in the terminal was easy:
% echo "Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q" | tr -d ' ' | base64 -d
The command above yielded the flag.
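The same triage can be scripted instead of eyeballing the unzip listing. The sketch below is an added example, not part of the original writeup: it flags ZIP members that [Content_Types].xml does not declare (every legitimate OOXML part needs a Default or Override entry) and tries to decode them as whitespace-split, unpadded base64. It assumes the planted part is undeclared, and it runs on a constructed in-memory archive with a placeholder secret rather than the challenge file.

```python
import base64, binascii, io, posixpath, re, zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Constructed, minimal content-type map (a real .pptm declares many more parts).
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '</Types>')

def undeclared_parts(zf):
    """ZIP members with neither a Default (by extension) nor an Override entry."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    exts = {d.get("Extension", "").lower() for d in root.iter(NS + "Default")}
    named = {o.get("PartName", "").lstrip("/") for o in root.iter(NS + "Override")}
    return [n for n in zf.namelist()
            if n != "[Content_Types].xml" and not n.endswith("/")
            and n not in named
            and posixpath.splitext(n)[1][1:].lower() not in exts]

def try_base64(data):
    """Decode base64 that may be split by whitespace and missing '=' padding."""
    text = b"".join(data.split()).rstrip(b"=")
    if not re.fullmatch(rb"[A-Za-z0-9+/]+", text) or len(text) % 4 == 1:
        return None
    try:
        return base64.b64decode(text + b"=" * (-len(text) % 4), validate=True)
    except binascii.Error:
        return None

def scan(blob):
    """Map each undeclared part to its decoded payload (None if not base64)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: try_base64(zf.read(n)) for n in undeclared_parts(zf)}

def build_sample():
    """Constructed stand-in for the challenge file, with a placeholder secret."""
    secret = base64.b64encode(b"flag: example{constructed}").decode().rstrip("=")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("ppt/vbaProject.bin", b"\x00")
        zf.writestr("ppt/slideMasters/slideMaster1.xml", "<m/>")
        zf.writestr("ppt/slideMasters/hidden", " ".join(secret))
    return buf.getvalue()

if __name__ == "__main__":
    for name, payload in scan(build_sample()).items():
        print(name, "->", payload)
```

To run it against a real document, pass the file's bytes to scan() instead of build_sample(). The padding repair matters because the string in the hidden part carries no trailing '=', which strict decoders reject.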