Tags: oletools 

We are given a file called `Deep_Red_Rust` which seems to be a ZIP archive.

However, looking at the hexdump, we see that the first 4 bytes are set to `RBOY`, which is a non-standard header. But the string `IHDR` seems to indicate a PNG image.

We used `hexedit` to replace the first 4 bytes with `89 50 4E 47`, which are the PNG magic bytes.

We get an image which contains the text `K33pItS3cr3t` written in the sand.

The ZIP file detected by the `file` command is embedded in the image and we can extract it using `binwalk` with the `-e` flag. The ZIP file was password-protected and the password was, of course, `K33pItS3cr3t`.

On extracting the ZIP file, we are left with a file called `Goodbye.docm`. The `.docm` extension is used for MS Word documents with macros enabled.

Using [oletools](https://github.com/decalage2/oletools) to extract the macro VBA code, we can deduce that the macro takes an input from a text box and uses it to XOR the encrypted flag. Since we know the flag format, we can use this knowledge to obtain the first five letters from the key.

The first 5 characters of the key are `'Oppur'`. Given the challenge's Mars theme, we suspected that the key might be `'Opportunity'`. Luckily for us, this was correct.
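The known-plaintext step described above, as an added example that is not code from the original writeup: XORing the ciphertext with the known flag prefix yields the start of the key, and candidate keys that share that prefix are then checked by decrypting. The `flag{` prefix, the sample key, the sample flag and the candidate list are all constructed for illustration; the challenge's real ciphertext is not reproduced here.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Since c = p ^ k, XORing ciphertext with known plaintext gives k."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def looks_like_flag(plain: bytes, prefix: bytes) -> bool:
    """Accept only printable ASCII that starts with the prefix and ends in '}'."""
    return (plain.startswith(prefix) and plain.endswith(b"}")
            and all(0x20 <= b < 0x7F for b in plain))


def find_key(ciphertext: bytes, known_prefix: bytes, candidates):
    """Return the recovered key prefix and every candidate that decrypts cleanly."""
    key_prefix = recover_key_prefix(ciphertext, known_prefix)
    hits = []
    for cand in candidates:
        if not cand.startswith(key_prefix):
            continue  # disagrees with the bytes we already know
        plain = xor_bytes(ciphertext, cand)
        if looks_like_flag(plain, known_prefix):
            hits.append((cand, plain))
    return key_prefix, hits


# Constructed sample data (not taken from the challenge).
KNOWN_PREFIX = b"flag{"
SAMPLE_KEY = b"Curiosity"
SAMPLE_FLAG = b"flag{constructed_example_only}"
SAMPLE_CT = xor_bytes(SAMPLE_FLAG, SAMPLE_KEY)
# Themed guesses; "Curious" shares the prefix but fails the decryption check.
CANDIDATES = [b"Curious", b"Curiosity", b"Spirit", b"Sojourner"]

if __name__ == "__main__":
    prefix, hits = find_key(SAMPLE_CT, KNOWN_PREFIX, CANDIDATES)
    print("recovered key prefix:", prefix.decode())
    for key, plain in hits:
        print("key:", key.decode(), "->", plain.decode())
```

A matching prefix alone does not confirm a guess, which is why each candidate is validated against the full decrypted text.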

Original writeup (https://github.com/SababaSec/ctf-writeups/tree/master/2019/Reply-Cyber-Security-Challenge/MISCELLANEOUS/Deep%20red%20dust).