Abraxus's Blog

picoCTF Weird File Write Up

Details:

Points: 20

Jeopardy style CTF

Category: Forensics

Comments: What could go wrong if we let Word documents run programs? (aka "in-the-clear")

Write up:

Based on the hint we want to see any macros in the file they provided us, we are going to use oletools:

olevba -c ./weird.docm                                                                                                                             100 тип
olevba 0.56 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: ./weird.docm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AutoOpen()
    MsgBox "Macros can run any program", 0, "Title"
    Signature

End Sub
 
 Sub Signature()
    Selection.TypeText Text:="some text"
    Selection.TypeParagraph
    
 End Sub
 
 Sub runpython()

Dim Ret_Val
Args = """" '"""
Ret_Val = Shell("python -c 'print(\"cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9\")'" & " " & Args, vbNormalFocus)
If Ret_Val = 0 Then
   MsgBox "Couldn't run python script!", vbOKOnly
End If
End Sub

I then used a base64 decoder to turn the string into the flag:

picoCTF{m4cr0s_r_d4ng3r0us}