picoCTF 2021 MacroHard WeakEdge

MacroHard WeakEdge is a forensics puzzle worth 60 points.

The description is as follows:

I've hidden a flag in this file. Can you find it? Forensics is fun.pptm

Provided is a PowerPoint file Forensics is fun.pptm:

 % file Forensics\ is\ fun.pptm
Forensics is fun.pptm: Microsoft PowerPoint 2007+

First, I tried to dump the macros out of it using olevba:

PS C:\> olevba 'Forensics is fun.pptm'
olevba 0.60 on Python 3.9.6 - http://decalage.info/python/oletools
===============================================================================
FILE: Forensics is fun.pptm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: ppt/vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub not_flag()
    Dim not_flag As String
    not_flag = "sorry_but_this_isn't_it"
End Sub
No suspicious keyword or IOC found.

Hrm... It's probably elsewhere in the file. I blew this PowerPoint file apart with unzip and noticed this file:

 inflating: ppt/slideMasters/hidden

The contents of this file appear to be base64-encoded:

 % cat ppt/slideMasters/hidden
Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q

Decoding this in the terminal was easy:

 echo "Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q" |tr -d ' ' |base64 -d

The command above yielded the flag.
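The two steps above (enumerate the zip parts of the .pptm, then strip the spaces and base64-decode anything that does not belong) can be automated. The script below is an added example, not part of the original writeup; it builds a constructed stand-in for the challenge archive in memory, flags entries whose extension is not a normal OOXML part type, and decodes them the same way the `tr -d ' ' | base64 -d` pipeline does. The extension list is an assumption about what a clean package usually contains.

```python
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List, Optional

# Part types an OOXML package normally carries (assumed list); anything else deserves a look.
EXPECTED_EXT = (".xml", ".rels", ".bin", ".png", ".jpg", ".jpeg", ".gif", ".emf", ".wmf")

# Constructed stand-in for the challenge file: a minimal OOXML zip carrying the
# spaced-out base64 text from the writeup at ppt/slideMasters/hidden.
HIDDEN_B64 = ("Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 "
              "X 3 B w d H N f c l 9 6 M X A 1 f Q")

def build_sample_pptm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slideMasters/slideMaster1.xml", "<sldMaster/>")
        z.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        z.writestr("ppt/slideMasters/hidden", HIDDEN_B64)
    return buf.getvalue()

def find_odd_parts(pptm: bytes) -> List[str]:
    """Names of zip entries whose extension is not a usual OOXML part type."""
    with zipfile.ZipFile(io.BytesIO(pptm)) as z:
        return [i.filename for i in z.infolist()
                if not i.is_dir() and not i.filename.lower().endswith(EXPECTED_EXT)]

def try_b64(data: bytes) -> Optional[str]:
    """Drop whitespace (the hidden file spaces out every character), restore
    padding, decode, and return the text only if it is printable UTF-8."""
    cleaned = re.sub(rb"\s+", b"", data)
    if not re.fullmatch(rb"[A-Za-z0-9+/]+=*", cleaned):
        return None
    cleaned += b"=" * (-len(cleaned) % 4)
    try:
        text = base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def triage(pptm: bytes) -> Dict[str, str]:
    """Map each odd part to its decoded text, for the parts that decode cleanly."""
    with zipfile.ZipFile(io.BytesIO(pptm)) as z:
        decoded = {n: try_b64(z.read(n)) for n in find_odd_parts(pptm)}
    return {n: t for n, t in decoded.items() if t is not None}
```

Point `triage()` at the bytes of the real `Forensics is fun.pptm` and it reports only the out-of-place part and its decoded contents.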
