Categories : Rev / Misc

Points : 110

Solves : 101

Challenge Description

I developed a simple and useful program that attaches a file into a Word file. But... why can't I open the file?
I thought I had developed a perfect program, but it was not true. Wait, where is the source file?
I cannot find my attachment file! I think I need to extract the attachment file from the Word file.

We are given a RecoverMe.docx file to download. It is a Microsoft Word 2007+ file. If we try to open it we get an error saying that it is corrupted. We know that a docx, like the other Office Open XML formats, is in fact a zip archive, so it starts with the same PK header.

[image: xxd hexdump of RecoverMe.docx showing the PK header]

We can then unzip the file like a normal zip.

[image: unzip output]

Unzipping gives us the files that make up the document.

The oleObject1.bin file inside word/embeddings/ looks interesting.

[image: hexdump of oleObject1.bin]

Looking at the hexdump we notice the string “Open-Me.bin”. Looking back at the file name, oleObject1.bin: if you recall, OLE stands for Object Linking and Embedding. Microsoft documents allow a user to link or embed objects into a document. An object that is linked to a document stores its data outside of the document; if you update the data outside of the document, the link updates the data inside the document as well.

An embedded object, on the other hand, becomes part of the new file and keeps no connection to the source file. This makes embedding a perfect way for attackers to hide or obfuscate code inside a malicious document.

When working with files like this, a tool that usually comes in handy is oledump.py; you can find it here: https://blog.didierstevens.com/programs/oledump-py/

Basically we need to list the streams inside the docx file and extract the interesting one. To do this, let’s use the following command:

sudo python /opt/oledump/oledump.py RecoverMe.docx

We get the following output, and as you can see the second stream (A2, the Ole10Native stream) looks suspicious, so let’s extract it.

[image: oledump.py output listing the streams of RecoverMe.docx]

I am going to use the following command to extract stream A2 and redirect the output to a file called Ole10Native.bin:

sudo python /opt/oledump/oledump.py RecoverMe.docx -s A2 -d > Ole10Native.bin

[image: output of the extraction command]

If we take a look at the hexdump of Ole10Native.bin we notice PNG file chunks.

[image: hexdump of Ole10Native.bin showing the PNG chunks]

Let’s open the file in HxD so we can carve out the PNG image.

[image: Ole10Native.bin opened in HxD]

We need to select from the ‰PNG signature all the way to the end of the IEND chunk, copy the selection, open a new file in HxD, paste it in there, then save the file with a .png extension.
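As an added example (not part of the original writeup), the same carve can be done in Python on the Ole10Native.bin dump: it walks the PNG chunk list from the signature to IEND, verifying each chunk’s CRC, so a truncated or tampered image is rejected instead of silently saved. The sample stream below is constructed for the demo and is not the challenge file.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def carve_png(blob: bytes) -> Optional[bytes]:
    """Return the first complete PNG embedded in blob, or None.

    Rather than searching for the text "IEND", the chunks are walked from the
    signature using each chunk's declared length; the image is accepted only
    if every CRC matches and the walk ends on an IEND chunk.
    """
    start = blob.find(PNG_SIGNATURE)
    if start < 0:
        return None
    pos = start + len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):                 # length + type + CRC minimum
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data_end = pos + 8 + length
        if data_end + 4 > len(blob):
            return None                          # chunk runs past the stream
        payload = blob[pos + 8:data_end]
        crc = struct.unpack(">I", blob[data_end:data_end + 4])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            return None                          # corrupt or tampered chunk
        pos = data_end + 4
        if ctype == b"IEND":
            return blob[start:pos]
    return None


# Constructed 1x1 RGB image: IHDR, one zlib-compressed scanline, IEND.
SAMPLE_PNG = (
    PNG_SIGNATURE
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
    + _chunk(b"IEND", b"")
)
# Constructed stand-in for Ole10Native.bin: a few header bytes and the
# "Open-Me.bin" label before the image, padding after it.
SAMPLE_STREAM = b"\x10\x00\x00\x00\x02\x00Open-Me.bin\x00" + SAMPLE_PNG + b"\x00" * 16

if __name__ == "__main__":
    with open("carved.png", "wb") as fh:
        fh.write(carve_png(SAMPLE_STREAM))
```

Run it against the real dump by replacing SAMPLE_STREAM with the bytes of Ole10Native.bin.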

Looking at the PNG image we can see our flag :D

[image: the recovered PNG showing the flag]


References

https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/

https://blog.didierstevens.com/2014/12/17/introducing-oledump-py/