CSCBE20: Pt 3, Where in the Word is…

For my last part about Cyber Security Challenge Belgium 2020, I’m writing a post about another fun challenge. The challenge was pretty simple, extract the flag from the .doc file. When receiving a file created by an Office product (Word, Excel, Powerpoint,…) the first thing that always comes to my mind is that these files are basically a bunch of archived XML files. So what I usually do for these files is:

  • Unzip the archive & search through all files
  • Check metadata with exiftool
  • Check for strings in original file

Unzipping the .doc file and searching for the flag format “CSC” gave me a result, however as the text suggested, it was not the flag we were looking for.

So it was time to open the document and have a look. I noticed that macro’s are enabled and quickly navigated to the macro section of Word to take a look at the macro’s included in the Word document, as there was no other content in the document available.

I decided to try and edit the “demo” macro to take a look at the code inside, however the file seems to be corrupted and I couldn’t actually view the code.

So heading back to the search engines, I stumbled upon this tool called oledump. From what I could gather, this tool allows inspection of certain file streams, present in .doc files. I figured this might give me some hints on what’s inside that macro file.

Running the tool, I received the flag to the challenge! To be honest at first I thought this wasn’t the actual flag since usually flags try to make a sentence, but I guess this one was just random 😀

Leave a Reply

Your email address will not be published. Required fields are marked *