Office Hazard


The office is a dangerous place. Last week Pam (the secretary) got an email, containing an archive. She ALMOST opened it, but then she remembered the IT security training from last month and fortunately decided to send the file to you. Somethings was phishy about the sender address to her. It was a close call to say the least…


  1. This challenge cannot be solved on any file systems other than NTFS.
  2. If you want to see the challenge in action, you have to use a Windows box with Office installed. In addition, add the folder where the challenge is extracted to to Trusted Locations (help for that). The challenge can be solved without actually running anything.
  3. Windows Defender and other AVs might flag the files as dangerous, these are false positive alerts.


I’ve read enough stuff about CTFs and Word documents, to know, that we are looking at a VBA script challenge. Setting up a VM, and opening the Word doc, a totally not sus command prompt is opened. I quickly extracted the VBA script using olevba. Its a not so big script, so thankfully, it isn’t VBA reversing.

Private Sub Document_Open()

Dim DecodedCode
DecodedCode = DecodeBase64("Zm9yZmlsZXMgL1AgQzpcV2luZG93c1xTeXN0ZW0zMiAvbSBjYWxjLmV4ZSAvYyAlY2QlXHNlY3JldC50eHQ6aGFjay5leGU=")

CreateObject("WScript.Shell").Exec ("cmd /c " & DecodedCode)

End Sub

Function DecodeBase64(b64$)
    Dim b
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
        .DataType = "bin.base64": .Text = b64
        b = .nodeTypedValue
        With CreateObject("ADODB.Stream")
            .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
            DecodeBase64 = .ReadText
        End With
    End With
End Function

The code above is run once on opening the document. Decoding the base64 string, we can see, that we are running the following command:

cmd /c forfiles /P C:\Windows\System32 /m calc.exe /c %cd%\secret.txt:hack.exe

This basically runs the command forfiles, which is just a magic for running the command defined with the second /c only once (since calc.exe is matched once only in the C:\Windows\System32 directory). It does some magic with the secret.txt file. And what is that syntax with the colon? Turns out the reason why NTFS was requested is Alternate Datastreams. I wrote a quick few-liner in python to extract the data (I suck at ps, sorry):

with open('secret.txt:hack.exe', 'rb') as f:
    with open('hack.exe', 'wb') as f2:

All is left for us, to dig the flag out from the hack.exe binary. Loading the binary into Ghidra and doing a quick search for “flag” gets the job done:


← Back to SecChallenge22

all tags