Tags: oletools

We are given a file called Deep_Red_Rust which seems to be a ZIP archive.

Looking at the hexdump, however, we see that the first 4 bytes are RBOY, which is not a standard header, while the string IHDR further on suggests a PNG image.

We used hexedit to replace the first 4 bytes with 89 50 4E 47, which are the PNG magic bytes.

We get an image which contains the text K33pItS3cr3t written in the sand:

The ZIP file detected by the file command is embedded in the image, and we can extract it using binwalk with the -e flag. The ZIP file was password-protected and the password was, of course, K33pItS3cr3t.

On extracting the ZIP file, we are left with a file called Goodbye.docm. The .docm extension is used for MS Word documents with macros enabled.

Using [oletools](https://github.com/decalage2/oletools) to extract the VBA macro code, we can deduce that the macro takes an input from a text box and uses it as a key to XOR the encrypted flag. Since we know the flag format, the first five bytes of the key follow directly from XORing the ciphertext with the known flag prefix.
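The key-recovery step described above, as an added Python example that is not part of the original write-up: it assumes the macro's encoding is plain repeating-key XOR, and the key, flag and ciphertext below are constructed for illustration.

```python
# Added example (not from the original write-up): known-plaintext recovery of a
# repeating-key XOR key. The macro is assumed to XOR the stored flag with the
# text-box input byte by byte, cycling through the key; key/flag are constructed.
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Under a known plaintext byte, the key byte is simply ct ^ pt.

    This is why a flag format like 'flag{' leaks the first five key bytes:
    XOR has no diffusion, so each position is solved independently.
    """
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_guess(ciphertext: bytes, key_guess: bytes,
                       known_prefix: bytes) -> Optional[bytes]:
    """Decrypt with a guessed full key and return the plaintext only if it
    starts with the known prefix and is entirely printable ASCII."""
    pt = xor_bytes(ciphertext, key_guess)
    if not pt.startswith(known_prefix):
        return None
    if not all(32 <= b < 127 for b in pt):
        return None
    return pt


# Constructed sample: a Mars-themed key and a flag in a CTF-style format.
SAMPLE_KEY = b"Opportunity"
SAMPLE_FLAG = b"flag{r3p34t1ng_x0r_1s_n0t_3ncrypt10n}"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_FLAG, SAMPLE_KEY)

if __name__ == "__main__":
    prefix = recover_key_prefix(SAMPLE_CIPHERTEXT, b"flag{")
    print("recovered key prefix:", prefix)
    # Extend the prefix to a themed guess and check whether it decrypts cleanly.
    for guess in (b"Opportune", b"Opportunity"):
        print(guess, "->", decrypt_with_guess(SAMPLE_CIPHERTEXT, guess, b"flag{"))
```

The same approach generalises to any key length: the flag prefix always yields the first len(prefix) key bytes, and a themed guess for the rest is confirmed by the decrypted text being printable.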

The first 5 characters of the key are 'Oppur'. Judging by the Mars-themed challenge, we suspected that the key might be 'Opportunity'. Luckily for us, this was correct.