# "Hello World" Guide

## Problem

We appear to be given a Microsoft Word 2007+ file, a macro-enabled `.docm` document. Download it by clicking below.

{% file src="/files/qcxhZqBRfDqKstgmI2Gt" %}

After opening the file, I didn't find anything particularly interesting at first glance: the document looked plain, with no visible hidden content or suspicious activity. The extension itself is the hint, though. `.docm` is the macro-enabled variant of `.docx`, so a VBA project may well be embedded beneath the surface, and a specialized tool is needed to pull out and inspect any macros or other embedded objects lurking inside the file.

> `oledump.py` is a Python tool from Didier Stevens's suite that lists and extracts the streams of OLE (Compound File Binary) files such as legacy Office documents (.doc, .xls, .ppt). For OOXML files such as .docx/.docm it looks inside the ZIP container and analyzes the embedded OLE file that holds the macros (`word/vbaProject.bin`).
>
> Access it through [here](https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py).

After identifying that there might be hidden content within the file, I decided to use `oledump.py` to extract and analyze the different streams from the `.docm` file. Here's how I proceeded:

1. **Initial Analysis with `oledump.py`:**

   I ran the command `python3 oledump.py haruulzangi.docm` to inspect the embedded streams in the `.docm` file. The output revealed the following streams:

   ```bash
   ┌──(zwique㉿kali)-[~/Downloads]
   └─$ python3 oledump.py haruulzangi.docm 
   A: word/vbaProject.bin
    A1:       405 'PROJECT'
    A2:        71 'PROJECTwm'
    A3: M    2502 'VBA/NewMacros'
    A4: m     938 'VBA/ThisDocument'
    A5:      2728 'VBA/_VBA_PROJECT'
    A6:       569 'VBA/dir'
   ```

   * Streams `A3` and `A4` looked interesting, especially given that stream `A3` was named `'VBA/NewMacros'`, suggesting it contains macros or other code worth investigating. In oledump's listing an uppercase `M` marks a VBA stream that holds macro code beyond the default attribute lines, while a lowercase `m` marks one that contains only those boilerplate attributes, so `A3` is the more promising of the two.

2. **Extracting Stream A4 (ThisDocument):**

I first decided to extract stream `A4`, which corresponds to `'VBA/ThisDocument'`. To do this, I ran the following command:

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ python3 oledump.py haruulzangi.docm -s A4 -d > a4_bin
```

After extracting it, I used the `strings` command to search for readable content within the binary file. Note that `-d` dumps the raw stream, in which the VBA source is stored in MS-OVBA compressed form, so `strings` only recovers fragments; `oledump.py -s A4 -v` would decompress the source instead.

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ strings a4_bin          
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Spac
Crea
tabl
Pre decla
BExp
Temp
lateDeri
$Custom
```

Nothing of interest here: these fragments are just the `Attribute VB_Name = "ThisDocument"` header every VBA module carries, chopped up because the stream is compressed.

3. **Extracting Stream A3 (NewMacros):**

I then shifted my focus to stream `A3`, labeled `'VBA/NewMacros'`, as it might contain more significant data. I ran the following command:

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ python3 oledump.py haruulzangi.docm -s A3 -d > a3_bin
```

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ strings a3_bin                                       
unsigned char s[] = SFpVMTh7TWFjcjBfVlNfc2hlbGxDMERFfQ==
    0x22, 0x44, 0xc2, 0x91, 0x31, 0x9, 0x25, 0xe9,
    0x4f, 0xaf, 0xfb, 0xb, 0x8b, 0x78, 0xee, 0xce,5,
    0x95, 0xb4, 0xb5, 0x12, 0x41, 0xf6, 0x37, 0xb8,
for (unsigned int m = 0; m < sizeof(s); ++m)
    unsigned char c = s[m];
    c -= 0x9a;; ++m)
    c ^= 0xc6;signed
    c -= 0x23;
    c = (c >> 0x7) | (c << 0x1);
    c -= m;
    c = (c >> 0x5) | (c << 0x3);<< 0
    c -= 0xfd;-= m;
    c = (c >> 0x2) | (c << 0x6);
    c -= m;
    c ^= 0xda;= (c >
    c += m;
    c = (c >> 0x7) | (c << 0x1); 0xd
    c = ~c;
    c = -c;
    c -= m;
    s[m] = c;
printf("%s\n", s);
Attribut
e VB_Nam
e = "New
Macros"
Sub Doc
s1()
unsigned
 char s[
^SFpVMT
h7TWFjcj
BfVlNfc2
hlbGxDME
RFfQ==
0x22@, 0x44
gf6I
4x43
Vfor (
nt m
< sizeof
(s); ++m/
c -=)
= (c
7) |I
0xfjd
/+= Q
("%s\n",
End
```

The C-style decode loop and the byte array around it are not needed for the flag; the base64 literal assigned to `s` at the top decodes directly:

```
SFpVMTh7TWFjcjBfVlNfc2hlbGxDMERFfQ==

HZU18{Macr0_VS_shellC0DE}
```
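To turn the manual steps above (dump the stream, run `strings`, spot the base64) into something repeatable, here is an added example that is not part of the original writeup and not oledump's own code. It implements the MS-OVBA `CompressedContainer` decompression that VBA module streams use (the reason `strings` on a raw `-d` dump only shows fragments) and then hunts the recovered source for base64 runs that decode to printable text. The `FIXTURE_SOURCE` module body and the literal-only compressor used to build the test input are constructed for this example; on a real stream you would pass the bytes of `VBA/NewMacros` starting at the module's `MODULEOFFSET` recorded in the `VBA/dir` stream, since the bytes before that offset are the performance cache, not source.

```python
"""Recover VBA module source from an MS-OVBA compressed stream and hunt for base64.
Added example; the fixture below is constructed and is not the challenge's stream."""
import base64
import re
import struct


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA 2.4.1 CompressedContainer into the raw module source."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA CompressedContainer (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_size = (header & 0x0FFF) + 3            # total chunk bytes incl. 2-byte header
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError(f"bad chunk signature at offset {pos}")
        compressed = (header >> 15) & 1
        chunk_end = min(len(data), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                        # output offset where this chunk begins
        if not compressed:                            # raw chunk: 4096 literal bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]                         # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # literal token: copy one byte through
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]   # copy token (LZ77-style)
                pos += 2
                # The offset/length split of the 16-bit token depends on how much
                # of the current chunk has already been decompressed.
                written = len(out) - chunk_start
                bit_count = max((written - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError(f"copy token reaches before chunk start at {pos - 2}")
                for i in range(length):               # byte-wise: source may overlap output
                    out.append(out[src + i])
    return bytes(out)


def compress_vba_literal_only(source: bytes) -> bytes:
    """Build a valid single-chunk CompressedContainer using literal tokens only.
    Fixture helper for this example; real compressors also emit copy tokens."""
    if len(source) > 3640:  # 455 groups of (1 flag byte + 8 literals) fit in one chunk
        raise ValueError("fixture helper handles a single chunk only")
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)                             # eight literal tokens follow
        body += source[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed flag, signature, size-3
    return b"\x01" + struct.pack("<H", header) + bytes(body)


B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(blob: bytes):
    """Return (token, decoded) pairs for base64-looking runs that decode to printable text."""
    hits = []
    for m in B64_RE.finditer(blob):
        token = m.group(0)
        if len(token) % 4:                            # not a complete base64 quantum
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            continue
        if decoded and all(0x20 <= b < 0x7F for b in decoded):
            hits.append((token.decode(), decoded.decode()))
    return hits


# Constructed fixture: a plausible module body carrying the string the writeup found.
FIXTURE_SOURCE = (
    b'Attribute VB_Name = "NewMacros"\r\n'
    b"Sub Docs1()\r\n"
    b"    ' unsigned char s[] = SFpVMTh7TWFjcjBfVlNfc2hlbGxDMERFfQ==\r\n"
    b"End Sub\r\n"
)


def triage(stream: bytes):
    """Decompress a module stream and return (source, base64 hits)."""
    source = decompress_vba(stream)
    return source, find_base64_strings(source)


if __name__ == "__main__":
    source, hits = triage(compress_vba_literal_only(FIXTURE_SOURCE))
    print(source.decode())
    for token, plain in hits:
        print(f"{token} -> {plain}")
```

The printable-only filter is what keeps the hunter quiet on real dumps: identifiers and p-code bytes also match the base64 alphabet, but almost never decode to clean ASCII, whereas a flag or an embedded script does.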
