📝 Challenge Overview
In this challenge, we are given a .pptm file (PowerPoint with macros). By inspecting the file, we discover a hidden folder containing text data. Using CyberChef, we can process this text to reveal the hidden flag. This challenge demonstrates that many “complex” files like PowerPoint slides are essentially archives that can be explored manually.
🔹 Step 1: Download the .pptm file
- Save the provided PowerPoint macro-enabled file to your local machine.
- Make sure the file is accessible in a working directory for further analysis.
📝 Explanation: PowerPoint .pptm files are actually ZIP archives containing XML and media data. You can explore their contents by treating them like a compressed folder.
🔍 Step 2: Extract the .pptm file
- Rename the file with a
.zipextension or use a decompression tool to open it. - Inside, you will find a folder named
hidden. This folder contains the data needed to find the flag.
📝 Explanation: Many Microsoft Office file types (.docx, .xlsx, .pptx, .pptm) are just ZIP archives internally. By unzipping, we can access embedded resources, images, or hidden text.
🧾 Step 3: Process the hidden text with CyberChef
- Open CyberChef (https://gchq.github.io/CyberChef/).
- Drag the text file from the
hiddenfolder into CyberChef. - Apply the appropriate operation (e.g., “From Base64” or other decoding/translation) to reveal the flag.
📝 Explanation: CyberChef is a beginner-friendly tool for encoding/decoding, converting, and analyzing data. It lets you experiment with transformations on text files without installing additional software.
🏁 Capture the Flag
📎 After decoding, the flag appears as:picoCTF{D1d_u_kn0w_ppts_r_z1p5}
📊 Summary
| Step | Command / Action | Purpose | Key Result |
|---|---|---|---|
| 1 | Download .pptm file | Obtain challenge file | File saved locally |
| 2 | Unzip .pptm / extract contents | Explore hidden folders and resources | hidden folder found |
| 3 | Open text in CyberChef | Decode or analyze data | Flag revealed: picoCTF{D1d_u_kn0w_ppts_r_z1p5} |
💡 Beginner Tips
- 🧰 Rename Office files to
.zipor use a decompression tool to inspect contents. - 🔍 Explore all folders inside the archive; sometimes the challenge data is hidden in
hiddenormediadirectories. - 🧾 CyberChef is excellent for decoding strings (Base64, ROT13, URL encoding) and testing transformations interactively.
🎓 What you learn (takeaways)
- Office files are often just ZIP archives containing XML and media.
- Hidden data can be embedded in seemingly normal files.
- CyberChef is a powerful, beginner-friendly tool for decoding and analyzing file content.
- Inspecting file structures manually can uncover hidden flags without complex scripting.
⚡ Short explanations for commands / techniques used
- 🗂️ Unzip / Extract
.pptm- What: Treat
.pptmas a ZIP archive. - Why: Access internal folders and hidden files.
- How:
unzip file.pptmor change extension to.zipand double-click.
- What: Treat
- 🧰 CyberChef
- What: Browser-based “Cyber Swiss Army Knife” for data transformations.
- Why: Decodes obfuscated text quickly and interactively.
- How: Drag-and-drop file, choose decoding operation (Base64, ROT13, etc.).
- 🔑 Inspect hidden folders
- What: Explore all extracted folders for clues.
- Why: Flags are often hidden in unexpected directories like
hidden.
Leave a Reply