Points: 60
Category: Forensics
I've hidden a flag in this file. Can you find it? Forensics is fun.pptm
The best approach to finding files hidden inside other files is binwalk.
If we run binwalk "Forensics is fun.pptm" we'll see there's a bunch of .zip files. We can extract them using binwalk -e "Forensics is fun.pptm" (-e or --extract for extract).
Now there's a "_Forensics is fun.pptm.extracted" folder, which I will navigate using 7zip.
Since there are too many things in 0.zip, I decided I might as well automate the search process. I extracted 0.zip, then navigated to it in the terminal.
The rest was very guessy. I tried grep -r pico (find recursively) for things like "pico" or "{", except none of it was useful. I tried find -D tree|grep flag in hopes of finding a flag file, which also didn't work. Eventually, after some guessing, I tried find -D tree|grep hidden, which returned:
./ppt/slideMasters/hidden
Print it with cat ./ppt/slideMasters/hidden:
Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q
This doesn't look like any kind of substitution cipher; it might be Base64, so that's worth a try.
First we should write a script to get rid of the spaces:
s = "Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q"
s = s.split(" ")
print("".join(s))
This gave "ZmxhZzogcGljb0NURntEMWRfdV9rbjB3X3BwdHNfcl96MXA1fQ", which we can then decode using this website:
picoCTF{D1d_u_kn0w_ppts_r_z1p5}
P.S. I didn't know ppts are zips but hey, that's a cool fact
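The guessing above can be replaced by a check, shown here as an added example that is not part of the original writeup: because a .pptm is an OOXML ZIP package, it lists members that [Content_Types].xml does not declare, then decodes them as whitespace-separated Base64, repairing the "=" padding that the string above is missing. The function names and the in-memory sample archive are constructed for illustration; only the encoded string comes from this page.

```python
import base64, io, re, zipfile
import xml.etree.ElementTree as ET

CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def undeclared_parts(data):
    """Names of ZIP members that [Content_Types].xml does not account for."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        exts = {d.get("Extension", "").lower() for d in root.iter(CT + "Default")}
        parts = {o.get("PartName", "").lstrip("/") for o in root.iter(CT + "Override")}
        found = []
        for name in zf.namelist():
            if name.endswith("/") or name == "[Content_Types].xml":
                continue
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else None
            if name not in parts and ext not in exts:
                found.append(name)  # e.g. an extensionless file like "hidden"
        return found

def decode_spaced_base64(text):
    """Strip whitespace, repair missing '=' padding, decode; None if not Base64."""
    compact = re.sub(r"\s+", "", text).rstrip("=")
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def build_sample():
    """Constructed stand-in for the challenge file (not the real .pptm)."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '</Types>')
    spaced = " ".join("ZmxhZzogcGljb0NURntEMWRfdV9rbjB3X3BwdHNfcl96MXA1fQ")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("ppt/presentation.xml", "<p/>")
        zf.writestr("ppt/slideMasters/slideMaster1.xml", "<m/>")
        zf.writestr("ppt/slideMasters/hidden", spaced)
    return buf.getvalue()

if __name__ == "__main__":
    data = build_sample()
    zf = zipfile.ZipFile(io.BytesIO(data))
    for name in undeclared_parts(data):
        print(name, "->", decode_spaced_base64(zf.read(name).decode("ascii", "replace")))
```

Without the padding repair, Python's base64.b64decode rejects the 50-character string with an "Incorrect padding" error, which is why the unpadded value needs this step when decoded in a script.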