MacroHard WeakEdge picoCTF Writeup

Description

I’ve hidden a flag in this file. Can you find it? Forensics is fun.pptm

📝 Challenge Overview
In this challenge, we are given a .pptm file (PowerPoint with macros). By inspecting the file, we discover a hidden folder containing text data. Using CyberChef, we can process this text to reveal the hidden flag. This challenge demonstrates that many “complex” files like PowerPoint slides are essentially archives that can be explored manually.


🔹 Step 1: Download the .pptm file

  1. Save the provided PowerPoint macro-enabled file to your local machine.
  2. Make sure the file is accessible in a working directory for further analysis.

📝 Explanation: PowerPoint .pptm files are actually ZIP archives containing XML and media data. You can explore their contents by treating them like a compressed folder.


🔍 Step 2: Extract the .pptm file

  1. Rename the file with a .zip extension or use a decompression tool to open it.
  2. Inside, you will find a folder named hidden. This folder contains the data needed to find the flag.

📝 Explanation: Many Microsoft Office file types (.docx, .xlsx, .pptx, .pptm) are just ZIP archives internally. By unzipping, we can access embedded resources, images, or hidden text.


🧾 Step 3: Process the hidden text with CyberChef

  1. Open CyberChef (https://gchq.github.io/CyberChef/).
  2. Drag the text file from the hidden folder into CyberChef.
  3. Apply the appropriate operation (e.g., “From Base64” or other decoding/translation) to reveal the flag.

📝 Explanation: CyberChef is a beginner-friendly tool for encoding/decoding, converting, and analyzing data. It lets you experiment with transformations on text files without installing additional software.
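
📝 Added example (not part of the original writeup or the challenge): Steps 2 and 3 done in a script, going one step further than the manual procedure. Instead of browsing folders, it reports every archive member that [Content_Types].xml does not declare, then attempts a Base64 decode. The sample archive, the name hidden/data.txt, the encoded value and the whitespace-stripping step are constructed assumptions, not the challenge's real contents.

```python
import base64, binascii, io, re, zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def undeclared_parts(zf):
    """Return members that [Content_Types].xml gives no content type (triage heuristic)."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    exts = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")}
    overrides = {o.get("PartName", "").lstrip("/") for o in root.iter(CT_NS + "Override")}
    out = []
    for name in zf.namelist():
        if name.endswith("/") or name == "[Content_Types].xml":
            continue  # skip directory entries and the manifest itself
        base = name.rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else None
        if name not in overrides and ext not in exts:
            out.append(name)
    return out

def try_base64(data):
    """Strict Base64 decode to UTF-8 text; None if the content does not decode."""
    # Assumption: the encoded text may be broken up by spaces or newlines.
    compact = re.sub(rb"\s+", b"", data)
    compact += b"=" * (-len(compact) % 4)  # restore stripped padding
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8") or None
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan(blob):
    """Map each undeclared member of the archive to its decoded text (or None)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: try_base64(zf.read(n)) for n in undeclared_parts(zf)}

def build_sample():
    """Constructed stand-in for a .pptm; nothing here comes from the challenge file."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
             '</Types>')
    secret = base64.b64encode(b"constructed-sample-value").decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("ppt/presentation.xml", "<p/>")
        zf.writestr("ppt/vbaProject.bin", b"\x00\x01")
        zf.writestr("hidden/data.txt", " ".join(secret))  # spaced-out Base64
    return buf.getvalue()
```

To run it on a real file, pass the file's bytes to scan(), for example scan(open("file.pptm", "rb").read()).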


🏁 Capture the Flag
📎 After decoding, the flag appears as:
picoCTF{D1d_u_kn0w_ppts_r_z1p5}


📊 Summary

| Step | Command / Action | Purpose | Key Result |
|------|------------------|---------|------------|
| 1 | Download .pptm file | Obtain challenge file | File saved locally |
| 2 | Unzip .pptm / extract contents | Explore hidden folders and resources | hidden folder found |
| 3 | Open text in CyberChef | Decode or analyze data | Flag revealed: picoCTF{D1d_u_kn0w_ppts_r_z1p5} |

💡 Beginner Tips

  • 🧰 Rename Office files to .zip or use a decompression tool to inspect contents.
  • 🔍 Explore all folders inside the archive; sometimes the challenge data sits in a directory named hidden or in the media directories.
  • 🧾 CyberChef is excellent for decoding strings (Base64, ROT13, URL encoding) and testing transformations interactively.

🎓 What you learn (takeaways)

  • Office files are often just ZIP archives containing XML and media.
  • Hidden data can be embedded in seemingly normal files.
  • CyberChef is a powerful, beginner-friendly tool for decoding and analyzing file content.
  • Inspecting file structures manually can uncover hidden flags without complex scripting.

Short explanations for commands / techniques used

  • 🗂️ Unzip / Extract .pptm
    • What: Treat .pptm as a ZIP archive.
    • Why: Access internal folders and hidden files.
    • How: unzip file.pptm or change extension to .zip and double-click.
  • 🧰 CyberChef
    • What: Browser-based “Cyber Swiss Army Knife” for data transformations.
    • Why: Decodes obfuscated text quickly and interactively.
    • How: Drag-and-drop file, choose decoding operation (Base64, ROT13, etc.).
  • 🔑 Inspect hidden folders
    • What: Explore all extracted folders for clues.
    • Why: Flags are often hidden in unexpected directories like hidden.