MacroHard WeakEdge picoCTF 2021 Solution

Published: April 2, 2026

Description

I've hidden a flag in this PowerPoint file. Can you retrieve it? Download 'Forensics is fun.pptm'.


```bash
wget '<url>/Forensics is fun.pptm'
```
  1. Step 1: Extract the PPTM as a ZIP archive
    PPTM files (like DOCX, XLSX, and all OOXML formats) are ZIP archives containing XML files, images, and other resources. Rename or use unzip directly on the file to extract its contents.
    ```bash
    unzip "Forensics is fun.pptm" -d forensics_extracted
    ```
    ```bash
    ls forensics_extracted/
    ```

    Office Open XML (OOXML) is a ZIP-based format used by all modern Microsoft Office documents (.docx, .xlsx, .pptx, .pptm, etc.). The "m" suffix indicates macro-enabled files. Inside the ZIP you find XML files describing content, a _rels/ directory for relationships, and a ppt/ (or word/) directory for the main content.

    Treating Office documents as ZIP archives is standard practice in forensics, malware analysis, and CTF challenges. Many attackers hide payloads or embed data in the less-examined subdirectories of these archives.

    What to look for inside an OOXML archive: The word/document.xml (or ppt/slides/slide1.xml) file contains the main document content as XML. Macros in .docm/.pptm files are stored in vbaProject.bin (word/vbaProject.bin for .docm, ppt/vbaProject.bin for .pptm), an OLE compound binary that holds the compressed VBA source; olevba from the oletools suite extracts it. The _rels/ directories define relationships between parts (e.g., which image is embedded at which location). Any file present in the ZIP that does not correspond to a known OOXML component is worth inspecting.

    Security implications of macro-enabled Office files: The .pptm format is macro-enabled, which is why it is the most dangerous Office format variant. Malicious actors distribute .docm and .xlsm files containing VBA macros that download and execute malware when the user clicks "Enable Content." Microsoft's "Mark of the Web" (MotW) feature and the 2022 default-block policy for macros in files downloaded from the internet are direct responses to this attack vector. CTF challenges using macro-enabled files often have the actual payload in the XML structure or embedded files rather than the macros themselves.

  2. Step 2: Find and decode the hidden file
    Inside the extracted archive, navigate to ppt/slideMasters/. There is an unusual file called 'hidden' containing a base64 string with spaces between each character. Remove the spaces with tr, then decode with base64.
    ```bash
    cat forensics_extracted/ppt/slideMasters/hidden
    ```
    ```bash
    tr -d ' ' < forensics_extracted/ppt/slideMasters/hidden | base64 -d
    ```

    The ppt/slideMasters/ directory normally contains XML files defining slide master layouts. A file simply named hidden (with no extension) is anomalous and immediately suspicious. The spaces between base64 characters are an obfuscation trick - tr -d ' ' strips all spaces before decoding.

    tr (translate) with the -d flag deletes specified characters from the input stream. tr -d ' ' removes all space characters, leaving a clean base64 string for base64 -d to decode.

    Alternative approach with Python: If shell piping feels uncomfortable, Python handles this in one line: import base64; data = open('hidden').read().replace(' ', ''); print(base64.b64decode(data).decode()). Python's base64.b64decode already discards characters outside the base64 alphabet, spaces included, in its default mode (validate=False), so the replace is not strictly required; it is still good practice to clean the input explicitly (and decode with validate=True) so you know exactly what was decoded.

    Slide master forensics: In PowerPoint, slide masters define the default layout and appearance for all slides. They are frequently overlooked during manual review because their content does not appear on individual slides in the normal editing view. This makes them a favorite hiding place in CTF challenges - and in real malware, where attackers sometimes embed payload URLs or encoded scripts in master slide XML to evade document scanners that only inspect visible slide content.
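    The two steps above, automated: the script below is an added example and not part of the original writeup. It treats the .pptm as a ZIP, flags any member whose extension is not an ordinary OOXML part type, and decodes whitespace-separated base64 from the flagged member. Because the challenge file is not included here, it builds a constructed stand-in archive in memory with a sample flag value; the EXPECTED_EXT allow-list is an assumption for this example.

    ```python
    import base64
    import io
    import posixpath
    import zipfile

    # Extensions that ordinary OOXML parts carry (constructed allow-list for this
    # example); anything else inside the archive deserves a closer look.
    EXPECTED_EXT = {".xml", ".rels", ".bin", ".png", ".jpeg", ".jpg", ".gif", ".emf", ".wmf"}


    def _extension(name: str) -> str:
        """Extension of an archive member, treating '.rels' as an extension (not a dotfile)."""
        base = posixpath.basename(name)
        return base[base.rfind("."):].lower() if "." in base else ""


    def find_anomalous_parts(zip_bytes: bytes) -> list[str]:
        """Return archive members whose extension is not a known OOXML part type."""
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
        return [n for n in names if _extension(n) not in EXPECTED_EXT]


    def decode_spaced_base64(zip_bytes: bytes, member: str) -> str:
        """Read one member, strip all whitespace (like tr -d ' '), decode strictly."""
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            raw = zf.read(member).decode("ascii")
        cleaned = "".join(raw.split())  # drops spaces, tabs and newlines
        return base64.b64decode(cleaned, validate=True).decode()


    def build_sample_pptm() -> bytes:
        """Constructed stand-in for the challenge file: normal OOXML parts plus a
        'hidden' member holding space-separated base64 of a sample (not real) flag."""
        spaced = " ".join(base64.b64encode(b"picoCTF{sample_flag}").decode())
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("_rels/.rels", "<Relationships/>")
            zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
            zf.writestr("ppt/slideMasters/slideMaster1.xml", "<p:sldMaster/>")
            zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
            zf.writestr("ppt/slideMasters/hidden", spaced)
        return buf.getvalue()


    if __name__ == "__main__":
        data = build_sample_pptm()
        for part in find_anomalous_parts(data):
            print("suspicious part:", part)
            print("decoded:", decode_spaced_base64(data, part))
    ```

    Point find_anomalous_parts at the bytes of a real archive to triage it; validate=True makes the decode fail loudly if anything other than base64 survives the cleanup.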

Flag

picoCTF{...}

Office OOXML formats (.pptm, .docx, .xlsx) are renamed ZIP archives - always try extracting them with unzip to find hidden files.
