Description
I've hidden a flag in this PowerPoint file. Can you retrieve it? Download 'Forensics is fun.pptm'.
Setup
Download 'Forensics is fun.pptm'.
Solution
- Step 1: Extract the PPTM as a ZIP archive
PPTM files (like DOCX, XLSX, and all other OOXML formats) are ZIP archives containing XML files, images, and other resources. Rename the file to .zip or run unzip directly on it to extract its contents.
unzip "Forensics is fun.pptm" -d forensics_extracted
ls forensics_extracted/
Learn more
Office Open XML (OOXML) is a ZIP-based format used by all modern Microsoft Office documents (.docx, .xlsx, .pptx, .pptm, etc.). The "m" suffix indicates a macro-enabled file. Inside the ZIP you find XML files describing the content, a _rels/ directory for relationships, and a ppt/ (or word/, or xl/ for spreadsheets) directory for the main content.
Treating Office documents as ZIP archives is standard practice in forensics, malware analysis, and CTF challenges. Attackers often hide payloads or embed data in the less-examined subdirectories of these archives.
- Step 2: Find and decode the hidden file
Inside the extracted archive, navigate to ppt/slideMasters/. There is an unusual file called 'hidden' containing a base64 string with a space between each character. Remove the spaces with tr, then decode with base64.
cat forensics_extracted/ppt/slideMasters/hidden
cat forensics_extracted/ppt/slideMasters/hidden | tr -d ' ' | base64 -d
Learn more
The ppt/slideMasters/ directory normally contains XML files defining slide master layouts (plus a _rels/ subdirectory for their relationships). A file simply named hidden, with no extension, is anomalous and immediately suspicious. The spaces between the base64 characters are an obfuscation trick: base64 -d treats them as invalid input, so tr -d ' ' strips every space before decoding.
tr (translate) with the -d flag deletes the specified characters from its input stream. tr -d ' ' removes all space characters, leaving a clean base64 string for base64 -d to decode.
Flag
picoCTF{...}
Office OOXML formats (.pptm, .docx, .xlsx) are renamed ZIP archives -- always try extracting them with unzip to find hidden files.