My Pentest Log -6- (Bypass Powerpoint Password + Information Disc.)
Greetings Everyone from Hippodrome (Constantinople),
Today, I would like to inform you about the information disclosure finding I encountered during application security tests.
Throughout the test, the target will be specified as private.com.
1. It was determined that the private.com security tests would be carried out by me, after our project manager provided the necessary information about the target I would test.
2. After verifying the scope form, I then started to perform the necessary penetration testing steps.
3. I have detected various vulnerabilities, but at the end of the day, it was the “information disclosure” finding that gave me new information.
4. While doing information disclosure research on the target application, I noticed that there is a file in the “.pptx” format under the “/private” directory.
5. As you know, this is a powerpoint file.
6. The name of the file resembled a presentation file containing various documents for the company (for example, 2021_budget_meeting.pptx).
7. First, to answer the question of whether the file contained malware, I scanned it with VirusTotal and similar tools, and then downloaded the file to a safe area.
8. I noticed that when I wanted to open the file, it asked for a password, and it started to make me feel more and more that I was in the right place.
9. So how can we open a powerpoint with password?
10. By doing a little research for this, I determined how to bypass the password stage in powerpoint files.
Let’s apply it together:
I have created an encrypted powerpoint file to show you these steps as an example.
As you can see, when we want to access the file, it asks us for password information.
As I explained in my previous article, we can decompile office files, which gives us the opportunity to analyze these files.
The first thing we need to do is to change the extension of the file we created from .pptx to .zip. In this way, we will be able to decompile the target file and access the source files contained in it.
After renaming the file from .pptx to .zip, we open the zip file with WinRAR or similar software.
Then we open the “presentation.xml” file under the ppt folder with any editor.
(For more information: https://docs.microsoft.com/en-us/office/open-xml/structure-of-a-presentationml-document)
Afterwards, we locate the “modifyVerifier” part in the file, delete the “<p:modifyVerifier ...>” tag from the file, and save the file in this way.
We put the saved file back into the zip archive and rename the .zip extension back to .pptx.
And we can view the pptx file without the need for password information.
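The steps above, automated as an added example (this is not code from the original post). It builds a constructed, minimal .pptx-style zip whose ppt/presentation.xml carries a `<p:modifyVerifier .../>` element with placeholder salt and hash values, classifies how the file is protected, and rewrites the package without that element. The function names (`build_sample_pptx`, `classify`, `presentation_xml`, `strip_modify_verifier`) are my own. Two facts the check relies on: the modifyVerifier element stores only a salted hash of the “password to modify”, so the slide parts stay readable by anyone who unzips the package; and a file protected with a “password to open” is an OLE compound file rather than a zip, so the rename-to-zip steps do not apply to it.

```python
import io
import re
import zipfile

# Magic bytes that tell the two container formats apart (standard values).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file: "password to open" encryption
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local file header: plain OOXML package

PRESENTATION_PART = "ppt/presentation.xml"

# Matches the element in both its empty (<p:modifyVerifier .../>) and paired forms.
MODIFY_VERIFIER_RE = re.compile(
    r"<p:modifyVerifier\b[^>]*?(?:/>|>.*?</p:modifyVerifier>)", re.DOTALL
)

# Constructed sample part: a minimal presentation.xml carrying a modifyVerifier element.
# The attribute names are the real CT_ModifyVerifier ones; saltData/hashData are placeholders.
SAMPLE_PRESENTATION_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<p:presentation xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"'
    ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<p:sldIdLst><p:sldId id="256" r:id="rId2"/></p:sldIdLst>'
    '<p:modifyVerifier cryptProviderType="rsaAES" cryptAlgorithmClass="hash"'
    ' cryptAlgorithmType="typeAny" cryptAlgorithmSid="14" spinCount="100000"'
    ' saltData="PLACEHOLDER_SALT_BASE64" hashData="PLACEHOLDER_HASH_BASE64"/>'
    '</p:presentation>'
)


def build_sample_pptx() -> bytes:
    """Build a constructed, minimal .pptx-style zip (only the parts this example needs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a valid content-types part
        zf.writestr(PRESENTATION_PART, SAMPLE_PRESENTATION_XML)
    return buf.getvalue()


def presentation_xml(data: bytes) -> str:
    """Return the text of ppt/presentation.xml from an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(PRESENTATION_PART).decode("utf-8")


def classify(data: bytes) -> str:
    """Classify how a PowerPoint file is protected, from its bytes alone.

    'encrypted-ole'         : OLE container, opened with a "password to open"; contents encrypted
    'ooxml-modify-password' : plain zip whose presentation.xml carries modifyVerifier
                              (edit protection only; every part is readable by unzipping)
    'ooxml-unprotected'     : plain zip without modifyVerifier
    'unknown'               : neither container format, or no presentation.xml part
    """
    if data.startswith(OLE_MAGIC):
        return "encrypted-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if PRESENTATION_PART not in zf.namelist():
            return "unknown"
    xml = presentation_xml(data)
    return "ooxml-modify-password" if MODIFY_VERIFIER_RE.search(xml) else "ooxml-unprotected"


def strip_modify_verifier(data: bytes) -> bytes:
    """Rebuild the package with the modifyVerifier element removed (the manual steps, automated)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            content = src.read(info.filename)
            if info.filename == PRESENTATION_PART:
                content = MODIFY_VERIFIER_RE.sub("", content.decode("utf-8")).encode("utf-8")
            dst.writestr(info, content)  # keeps each part's original name and compression method
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_pptx()
    print("before:", classify(sample))
    print("after :", classify(strip_modify_verifier(sample)))
```

From a defender's side, `classify` is the useful part: run it over documents found under a web root or file share, and anything reported as `ooxml-modify-password` is a file whose only protection is an editing password, which should be treated as fully readable by whoever can download it.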
11. After applying these simulated steps on the existing application, I was able to access the presentation file containing some important documents of the target institution, exactly as I expected, and processed the current finding in my report.
Note :
The problem here is that an important document is accessible to everyone, rather than that the password on the target file can be bypassed.
In summary:
You can find vulnerabilities that motivate you at the end of the day by analyzing the pdf, docx and pptx files you frequently encounter during tests as carefully as possible.