Cyber Talents: DF: File Found


📍 First: Identification. Goal: determine the type and location of the digital evidence.
The challenge included a file named foundfile without an extension.
Challenge text: "We found the following file on a machine. We know it contains a secret, but we do not know what this file is..."
The file was identified as a compiled Java class file (.class format).
📥 Second: Acquisition. Goal: download a copy of the digital evidence without changing its content:
The file was downloaded using wget:
sansforensics@as: ~/DF-LAB
$ wget https://hubchallenges.s3.eu-west-1.amazonaws.com/forensics/foundfile
--2025-07-25 16:18:47-- https://hubchallenges.s3.eu-west-1.amazonaws.com/forensics/foundfile
Resolving hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)... 3.5.67.246, 52.218.45.130, 3.5.72.248, ...
Connecting to hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)|3.5.67.246|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 668 [binary/octet-stream]
Saving to: ‘foundfile’
foundfile 100%[=====================================================>] 668 --.-KB/s in 0s
2025-07-25 16:18:48 (19.0 MB/s) - ‘foundfile’ saved [668/668]
The entire file was downloaded: 668 bytes.
The Content-Type reported by the server, binary/octet-stream, is only a generic label and says nothing about what the file actually is; the real type is established in the analysis step.
🔒 Third: Preservation. Goal: preserve the file without any modification.
Only non-destructive read commands were used: file, stat, strings, head.
The file's permissions were left unmodified.
For further confirmation, the hash can be calculated before analysis and recomputed afterwards to show the evidence was not altered:
sha256sum foundfile
Fourth: Analysis. Goal: analyze the file content and try to extract the secret or flag.
First the file type had to be determined, using file:
sansforensics@as: ~/DF-LAB
$ file foundfile
foundfile: compiled Java class data, version 52.0 (Java 1.8)
The stat command displays detailed metadata about a file:
sansforensics@as: ~/DF-LAB
$ stat foundfile
File: foundfile
Size: 668 Blocks: 8 IO Block: 4096 regular file
Device: 802h/2050d Inode: 3149980 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/sansforensics) Gid: ( 1000/sansforensics)
Access: 2025-07-25 16:20:33.600336979 +0000
Modify: 2024-11-27 09:01:46.000000000 +0000
Change: 2025-07-25 16:18:48.768937093 +0000
Birth: -
This gives the actual on-disk size and the file's metadata. Note that the Modify time (2024-11-27) is older than the download: wget sets the modification time from the server's Last-Modified header, while Change and Access reflect the download and the first read on the analysis machine.
I tried to read the file with head to find out the content, but it came out like this:
sansforensics@as: ~/DF-LAB
$ head foundfile
����4)
StackMapTableLineNumberTablemain([Ljava/lang/String;)V
SourceFileHelloWorld.java
SYNT{SBERAFVPF_101}
!"#
$%&
'(
HelloWorldjava/lang/Objectjava/lang/Stringlength()IcharAt(I)Cjava/lang/SystemoutLjava/io/PrintStream;java/io/PrintStreamprint(C)V!
*��
�rL=+��g+�>a�m�
`�>�?A�M�
`�>�*n�z�
d�>�������
*
→ head dumps the raw bytes of a binary file, so most of them show up as unprintable garbage; this is not encryption, just compiled bytecode.
I decided to use strings to extract the printable text:
sansforensics@as: ~/DF-LAB
$ strings foundfile
<init>
Code
LineNumberTable
main
([Ljava/lang/String;)V
StackMapTable
SourceFile
HelloWorld.java
SYNT{SBERAFVPF_101}
HelloWorld
java/lang/Object
java/lang/String
length
charAt
(I)C
java/lang/System
Ljava/io/PrintStream;
java/io/PrintStream
print
(C)V
I found this line, SYNT{SBERAFVPF_101}, and it seems that it is the flag.
This is clearly the secret or flag inside the program, but it is not readable as it stands.
SYNT{SBERAFVPF_101} does not look random: it keeps the flag{...} shape, letters stay letters and digits stay digits, so it is likely obfuscated with a simple substitution cipher rather than real encryption.
🔐 High probability:
The cipher used is ROT13, a primitive substitution cipher that replaces each letter with the letter 13 places later in the alphabet (since 13 is half of 26, applying it a second time restores the original).
Search with: "encryption used is ROT13"
Here you will find the idea of how this cipher works: https://www.geeksforgeeks.org/dsa/rot13-cipher/
After research, it seemed that the flag had been transformed with a Caesar cipher, and we had to restore it to its original form: https://www.dcode.fr/rot-13-cipher
FLAG{FORENSICS_101}
I changed the key here several times, until I reached the correct number, which was ROT13.
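The steps above (hash for preservation, file for identification, strings for text extraction, and trying Caesar keys until the flag reads correctly) can be done in one structure-aware pass. The following is an added example and not code from the write-up: it parses the class-file header and constant pool directly (magic, major version, Utf8 entries) instead of scanning for printable runs, and brute-forces the Caesar key the way the author did by hand. The class-file image it parses is constructed inline from the strings recovered above and is not the challenge's foundfile; the flag-shaped regex and the FLAG{ prefix used to pick the right key are assumptions about this CTF's flag format.

```python
import hashlib
import re
import struct

# Constructed sample image of a minimal .class file: header, constant pool and class
# header only (no methods). It is NOT the challenge's foundfile; it only reuses the
# strings recovered in the write-up so the parser has something realistic to find.
def _utf8(text: str) -> bytes:
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw

SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe"                  # magic: every class file starts with CAFEBABE
    + struct.pack(">HH", 0, 52)          # minor_version, major_version (52 = Java 8)
    + struct.pack(">H", 12)              # constant_pool_count: entries are numbered 1..11
    + _utf8("HelloWorld")                # 1  Utf8
    + b"\x07" + struct.pack(">H", 1)     # 2  Class -> #1
    + _utf8("SYNT{SBERAFVPF_101}")       # 3  Utf8 (the encoded flag from the write-up)
    + b"\x08" + struct.pack(">H", 3)     # 4  String -> #3
    + _utf8("java/lang/Object")          # 5  Utf8
    + b"\x07" + struct.pack(">H", 5)     # 6  Class -> #5
    + _utf8("SourceFile")                # 7  Utf8
    + _utf8("HelloWorld.java")           # 8  Utf8
    + b"\x05" + struct.pack(">Q", 0)     # 9  Long: 8 bytes, occupies slots 9 AND 10
    + _utf8("main")                      # 11 Utf8
    + struct.pack(">HHH", 0x0021, 2, 6)  # access_flags, this_class (#2), super_class (#6)
    + struct.pack(">HHHH", 0, 0, 0, 0)   # no interfaces, fields, methods, attributes
)

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
FLAG_RE = re.compile(r"[A-Za-z]{3,8}\{[^{}]+\}")  # assumed flag shape: WORD{...}


def sha256_hex(data: bytes) -> str:
    """Preservation: hash the evidence before analysis and again afterwards."""
    return hashlib.sha256(data).hexdigest()


def parse_class(data: bytes):
    """Identify the file and walk its constant pool (JVM spec section 4.4).

    Returns (java_version, class_name, pool) where pool maps index -> (tag, value).
    """
    if data[:4] != CLASS_MAGIC:
        raise ValueError("not a Java class file: bad magic")
    minor, major, count = struct.unpack_from(">HHH", data, 4)
    pos, idx, pool = 10, 1, {}
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[idx] = (tag, data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (3, 4):                           # Integer, Float
            pool[idx] = (tag, data[pos:pos + 4])
            pos += 4
        elif tag in (5, 6):                           # Long, Double: 8 bytes, TWO slots
            pool[idx] = (tag, data[pos:pos + 8])
            pos += 8
            idx += 1                                  # the following slot is unusable by spec
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            pool[idx] = (tag, struct.unpack_from(">H", data, pos)[0])
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):          # *ref, NameAndType, (Invoke)Dynamic
            pool[idx] = (tag, struct.unpack_from(">HH", data, pos))
            pos += 4
        elif tag == 15:                               # MethodHandle: u1 kind + u2 ref
            pool[idx] = (tag, (data[pos], struct.unpack_from(">H", data, pos + 1)[0]))
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 1
    _access, this_class, _super = struct.unpack_from(">HHH", data, pos)
    name = pool[pool[this_class][1]][1]               # this_class -> Class -> Utf8
    java = f"1.{major - 44}" if major <= 52 else str(major - 44)  # 52 -> "1.8", as file(1) prints
    return java, name, pool


def flag_candidates(pool) -> list:
    """Structure-aware replacement for strings(1): only Utf8 entries, only flag-shaped ones."""
    return [v for tag, v in pool.values() if tag == 1 and FLAG_RE.fullmatch(v)]


def caesar(text: str, shift: int) -> str:
    """Shift letters only; digits, braces and underscores pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_flag(candidate: str, prefix: str = "FLAG{"):
    """Try every Caesar key, as the write-up did by hand; return (key, plaintext) or None.

    The expected prefix is an assumption about this CTF's flag format.
    """
    for key in range(26):
        plain = caesar(candidate, key)
        if plain.startswith(prefix):
            return key, plain
    return None


if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_CLASS))
    version, name, pool = parse_class(SAMPLE_CLASS)
    print(f"compiled Java class data, Java {version}, class {name}")
    for cand in flag_candidates(pool):
        print(cand, "->", recover_flag(cand))
```

To run it against real evidence, replace SAMPLE_CLASS with the bytes read from the file (open in "rb" mode), and hash the bytes before parsing them. Reading the constant pool rather than scanning for printable runs matters for the same reason strings is only a heuristic: a Long or Double occupies two pool slots, and Utf8 entries are length-prefixed, so a byte-oriented scan can both split and merge entries.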
📝 Fifth: Reporting – Final Report
📂 File Name: foundfile
🧠 File Type: Java Class File – version 52.0 (Java 1.8)
🔍 Analysis Result: A flag was found inside the file, encoded with ROT13
🛠️ Tools Used: wget, file, stat, head, strings, dcode.fr
🏁 Flag Extracted:
FLAG{FORENSICS_101}
💬 "Control the code, and you control the world."
See You Soon
AS Cyber “)).
Written by

Abdelwahab A. Shandy 🦅