Cyber Talents :DF : File Found

Abdelwahab A. Shandy 🦅Abdelwahab A. Shandy 🦅
3 min read

📍 First, Identification - Definition Goal: Determine the type and location of digital evidence.

The challenge included a file named foundfile without an extension.

Challenge text: "We found the following file on a machine. We know it contains a secret, but we do not know what this file is..."

The file was identified as a compiled Java class file (a compiled Java file in .class format).

📥 Second: Acquisition Goal: Download a copy of the digital directory without changing its content :

The file was downloaded using wget:

sansforensics@as: ~/DF-LAB
$ wget https://hubchallenges.s3.eu-west-1.amazonaws.com/forensics/foundfile
--2025-07-25 16:18:47--  https://hubchallenges.s3.eu-west-1.amazonaws.com/forensics/foundfile
Resolving hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)... 3.5.67.246, 52.218.45.130, 3.5.72.248, ...
Connecting to hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)|3.5.67.246|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 668 [binary/octet-stream]
Saving to: ‘foundfile’

foundfile                       100%[=====================================================>]     668  --.-KB/s    in 0s      

2025-07-25 16:18:48 (19.0 MB/s) - ‘foundfile’ saved [668/668]

The entire file has been downloaded, size 668 bytes.

File type: binary/octet-stream

🔒 Third: Preservation Goal: Preserve the file without any modification.

Non-destructive read commands such as: file , stat , strings , head

The file's permissions were preserved and unmodified.

For further confirmation, the hash can be calculated using:

sha256sum foundfile

Fourth: Analysis - Objective: Analyzing the file content and attempting to extract the secret or flag.

file type had to be known :

sansforensics@as: ~/DF-LAB
$ file foundfile 
foundfile: compiled Java class data, version 52.0 (Java 1.8)

The stat command is used to display detailed information about a file :

sansforensics@as: ~/DF-LAB
$ stat foundfile 
  File: foundfile
  Size: 668           Blocks: 8          IO Block: 4096   regular file
Device: 802h/2050d    Inode: 3149980     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/sansforensics)   Gid: ( 1000/sansforensics)
Access: 2025-07-25 16:20:33.600336979 +0000
Modify: 2024-11-27 09:01:46.000000000 +0000
Change: 2025-07-25 16:18:48.768937093 +0000
 Birth: -

To know the actual file size and its internal properties.

I tried to read the file to find out the content, but it was like this using head:

sansforensics@as: ~/DF-LAB
$ head foundfile 
����4)



StackMapTableLineNumberTablemain([Ljava/lang/String;)V
SourceFileHelloWorld.java

SYNT{SBERAFVPF_101}

                    !"#
                       $%&
                          '(
HelloWorldjava/lang/Objectjava/lang/Stringlength()IcharAt(I)Cjava/lang/SystemoutLjava/io/PrintStream;java/io/PrintStreamprint(C)V!

*��

�rL=+��g+�>a�m�
`�>�?A�M�
`�>�*n�z�
d�>�������    
          *

→ Show encrypted and random symbols for binary file

I decided to use strings To extract texts:

sansforensics@as: ~/DF-LAB
$ strings foundfile 
<init>
Code
LineNumberTable
main
([Ljava/lang/String;)V
StackMapTable
SourceFile
HelloWorld.java
SYNT{SBERAFVPF_101}
HelloWorld
java/lang/Object
java/lang/String
length
charAt
(I)C
java/lang/System
Ljava/io/PrintStream;
java/io/PrintStream
print
(C)V

I found this line SYNT{SBERAFVPF_101} and it seems that it ends the flag.

This is clearly the secret or flag inside the program.

But its appearance isn't immediately clear, is it?

SYNT{SBERAFVPF_101} doesn't appear random, and is likely encrypted using simple encryption.

🔐 High probability :

The encryption used is ROT13, which is a primitive encryption that replaces each letter with the next letter 13 places in the alphabet .

Search with: encryption used is ROT13

Here you will find the idea of how to do this encryption : https://www.geeksforgeeks.org/dsa/rot13-cipher/

After research, it seemed that the flag had been changed with Caesar Cipher, and we had to restore it as it was before : https://www.dcode.fr/rot-13-cipher

FLAG{FORENSICS_101}

I changed the key here several times, until I reached the correct number, which wasROT13

📝 Fifth: Reporting – Final Report

📂 File Name: foundfile

🧠 File Type: Java Class File – version 52.0

🔍 Analysis Result: A flag was found inside the file encoded with ROT13 🛠️ Tools Used: wget , file , stat , head , strings , dcode.fr

🏁 Flag Extracted:

SYNT{FORENSICS_101}

💬 "Control the code, and you control the world."

Abdelwahab Shandy

Linkedin

GitHub

See You Soon

AS Cyber “)).

0
Subscribe to my newsletter

Read articles from Abdelwahab A. Shandy 🦅 directly inside your inbox. Subscribe to the newsletter, and don't miss out.

foundfileStringsheadlessStatfilewget

Written by

Abdelwahab A. Shandy 🦅
Abdelwahab A. Shandy 🦅

Welcome to my profile! I'm an Information Systems student with a strong passion for cybersecurity and backend development. My curiosity drives me to dive deep into the complex mechanisms of the digital world and uncover the behind-the-scenes magic of programming. I hold certifications from Google, Infosec, Cisco, Try Hack Me, and the Information Technology Institute (ITI), I'm on an exciting journey of continuous learning and skill expansion—ready to embrace the future of technology! 🌇 Let’s connect, collaborate, and explore the vast world of tech together!