MacroHard WeakEdge picoCTF 2021 Solution

Published: April 2, 2026

Description

I've hidden a flag in this PowerPoint file. Can you retrieve it? Download 'Forensics is fun.pptm'.

bash
wget '<url>/Forensics is fun.pptm'

Solution

  1. Step 1
    Extract the PPTM as a ZIP archive
    Observation
    I noticed the challenge file had a .pptm extension, which is a macro-enabled PowerPoint format; knowing that all OOXML Office formats are ZIP archives under the hood suggested unzipping it directly to expose every embedded resource.
    PPTM files (like DOCX, XLSX, and all OOXML formats) are ZIP archives containing XML files, images, and other resources. Rename or use unzip directly on the file to extract its contents.
    bash
    unzip "Forensics is fun.pptm" -d forensics_extracted
    bash
    ls forensics_extracted/

    Expected final result (the flag recovered in Step 2)

    picoCTF{D1d_u_kn0w_ppts_r_z1p5}
    What didn't work first

    Tried: Opening the .pptm in LibreOffice Impress to inspect it visually

    LibreOffice renders the visible slide content but hides auxiliary files stored in uncommon ZIP subdirectories. Files placed in directories like ppt/slideMasters/ with no extension never appear in the UI, so a visual inspection will not reveal anything. Extracting the ZIP with unzip exposes every file in the archive regardless of whether it is meant to be displayed.

    Tried: Renaming the file to .zip and double-clicking to open with a GUI archive manager before running unzip

    GUI archive managers sometimes filter out files with no extension or unknown MIME type, silently skipping the 'hidden' file in ppt/slideMasters/. The command-line unzip utility extracts every entry unconditionally. Always use the CLI tool when forensically examining an archive so no files are omitted.

    Learn more

    Office Open XML (OOXML) is a ZIP-based format used by all modern Microsoft Office documents (.docx, .xlsx, .pptx, .pptm, etc.). The "m" suffix indicates macro-enabled files. Inside the ZIP you find XML files describing content, a _rels/ directory for relationships, and a ppt/ (or word/) directory for the main content.

    Treating Office documents as ZIP archives is standard practice in forensics, malware analysis, and CTF challenges. Many attackers hide payloads or embed data in the less-examined subdirectories of these archives.

    What to look for inside an OOXML archive: The word/document.xml (or ppt/slides/slide1.xml) file contains the main document content as XML. Macros in .docm/.pptm files are stored in word/vbaProject.bin (or ppt/vbaProject.bin), an OLE compound binary file whose VBA source you can extract with olevba from the oletools suite. The _rels/ directories define relationships between parts (e.g., which image is embedded at which location). Any file present in the ZIP that does not correspond to a known OOXML component is worth inspecting.

    Security implications of macro-enabled Office files: The .pptm format is macro-enabled, which makes it one of the more dangerous Office format variants. Malicious actors distribute .docm and .xlsm files containing VBA macros that download and execute malware when the user clicks "Enable Content." Microsoft's "Mark of the Web" (MotW) feature and the 2022 default-block policy for macros in files downloaded from the internet are direct responses to this attack vector. CTF challenges using macro-enabled files often have the actual payload in the XML structure or embedded files rather than in the macros themselves.

  2. Step 2
    Find and decode the hidden file
    Observation
    I noticed an anomalous file named 'hidden' (no extension) inside ppt/slideMasters/, a directory that should only contain layout XML; its space-separated contents looked like obfuscated base64, suggesting I strip the spaces with tr and then decode with base64.
    Inside the extracted archive, navigate to ppt/slideMasters/. There is an unusual file called 'hidden' containing a base64 string with spaces between each character. Remove the spaces with tr, then decode with base64.
    bash
    cat forensics_extracted/ppt/slideMasters/hidden
    bash
    tr -d ' ' < forensics_extracted/ppt/slideMasters/hidden | base64 -d
    What didn't work first

    Tried: Piping the raw file directly into base64 -d without removing spaces first

    Running 'base64 -d forensics_extracted/ppt/slideMasters/hidden' produces 'invalid input' because the decoder treats each space as an illegal character and aborts. The base64 alphabet contains no spaces, so the spaced-out encoding is deliberate obfuscation that must be stripped with 'tr -d' before decoding will succeed.

    Tried: Using steghide or binwalk on the hidden file expecting another layer of steganography

    steghide operates on image or audio carriers (JPEG, BMP, WAV) and will reject a plain text file with 'could not extract any data'. binwalk scans for embedded binary signatures and finds nothing because the data is simple base64 text. The correct tool here is base64 -d after cleaning whitespace - no steganography library is involved.

    Learn more

    The ppt/slideMasters/ directory normally contains XML files defining slide master layouts. A file simply named hidden (with no extension) is anomalous and immediately suspicious. The spaces between base64 characters are an obfuscation trick - tr -d ' ' strips all spaces before decoding.

    tr (translate) with the -d flag deletes specified characters from the input stream. tr -d ' ' removes all space characters, leaving a clean base64 string for base64 -d to decode.

    Alternative approach with Python: If shell piping feels uncomfortable, Python handles this in one line: import base64; data = open('hidden').read().replace(' ', ''); print(base64.b64decode(data).decode()). Python's base64.b64decode is more forgiving than the command-line tool: with its default validate=False it silently discards characters outside the base64 alphabet, spaces included, so the decode would succeed even without the replace. It is still good practice to clean the input explicitly so you know exactly what was decoded.

    Slide master forensics: In PowerPoint, slide masters define the default layout and appearance for all slides. They are frequently overlooked during manual review because their content does not appear on individual slides in the normal editing view. This makes them a favorite hiding place in CTF challenges - and in real malware, where attackers sometimes embed payload URLs or encoded scripts in master slide XML to evade document scanners that only inspect visible slide content.


Flag

picoCTF{D1d_u_kn0w_ppts_r_z1p5}

Office OOXML formats (.pptm, .docx, .xlsx) are renamed ZIP archives - always try extracting them with unzip to find hidden files.

Key takeaway

Modern Office document formats (DOCX, XLSX, PPTX, PPTM) are ZIP archives containing XML and binary components, not opaque proprietary blobs. This structure means any standard archive tool can expose every embedded resource, including files placed in obscure subdirectories that never render in the normal editing view. In malware analysis and incident response, treating Office files as ZIP archives and inspecting all components (not just visible slide or document content) is a standard first step for finding embedded scripts, payload URLs, or exfiltrated data.
