PicoCTF 2021 Writeups

our team's writeups for the 2021 PicoCTF competition

View on GitHub

Weird File

Overview

Points: 20 Category: Forensics

Description

What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file.

Hints

https://www.youtube.com/watch?v=Y7IJjnLGqTQ

Approach

I watched about 3 minutes of the video. The description and the video are both pointing towards macros which are potentially malicious programs which is a wonderful feature for hackers! After opening the file in Microsoft word, I navigated to view, and macros. view Here is a better explanation on how to view macros.

Inside the macros, this code is found:

 Sub runpython()

Dim Ret_Val
Args = """" '"""
Ret_Val = Shell("python -c 'print(\"cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9\")'" & " " & Args, vbNormalFocus)
If Ret_Val = 0 Then
   MsgBox "Couldn't run python script!", vbOKOnly
End If

cGljb0NURnttNGNyMHNfcl9kNG5nM3IwdXN9 this string looks promising. It looks like base 64

Flag

picoCTF{m4cr0s_r_d4ng3r0us}