Cyber Talents : DF : G&P List

🕵️‍♂️ 1. Identification

Challenge Name: G&P List

Challenge Type: Office File Analysis (Document Forensics)

Description: A Word file containing a hidden flag.

Flag Format: MD5 hash

File Name: G&P+lists.docx

Link: https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx


📥 2. Acquisition

Download the file:

sansforensics@as: ~/DF-LAB/CyberTalents
$ wget https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
--2025-07-28 21:23:12--  https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
Resolving hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)... 52.218.61.152, 52.92.33.250, 3.5.64.136, ...
Connecting to hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)|52.218.61.152|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12758 (12K) [application/vnd.openxmlformats-officedocument.wordprocessingml.document]
Saving to: ‘G&P+lists.docx’

G&P+lists.docx      100%[===================>]  12.46K  --.-KB/s    in 0.03s   

2025-07-28 21:23:13 (371 KB/s) - ‘G&P+lists.docx’ saved [12758/12758]

Check the file properties:

sansforensics@as: ~/DF-LAB/CyberTalents
$ stat 'G&P+lists.docx' 
  File: G&P+lists.docx
  Size: 12758         Blocks: 32         IO Block: 4096   regular file
Device: 802h/2050d    Inode: 3150077     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/sansforensics)   Gid: ( 1000/sansforensics)
Access: 2025-07-28 21:23:13.000000000 +0000
Modify: 2024-10-13 07:46:28.000000000 +0000
Change: 2025-07-28 21:23:13.870043518 +0000
 Birth: -

Identify the file type:

sansforensics@as: ~/DF-LAB/CyberTalents
$ file 'G&P+lists.docx' 
G&P+lists.docx: Microsoft Word 2007+

Copy the file:

sansforensics@as: ~/DF-LAB/CyberTalents
$ cp 'G&P+lists.docx' GP_Copy.docx

Make the original read-only so the analysis cannot modify it:

sansforensics@as: ~/DF-LAB/CyberTalents
$ chmod -w 'G&P+lists.docx' 
sansforensics@as: ~/DF-LAB/CyberTalents
$ ls -la
total 40
drwxrwxr-x 2 sansforensics sansforensics  4096 Jul 28 21:31  .
drwxrwxr-x 3 sansforensics sansforensics  4096 Jul 28 20:50  ..
-rw-rw-r-- 1 sansforensics sansforensics 12758 Jul 28 21:31  GP_Copy.docx
-r--r--r-- 1 sansforensics sansforensics 12758 Oct 13  2024 'G&P+lists.docx'

🧊 3. Preservation

  • The original file was made read-only (chmod -w)
  • A working copy named GP_Copy.docx was created for analysis
  • The original file data was not modified
  • All work was kept in a dedicated folder, ~/DF-LAB/CyberTalents, with all commands documented

🔍 4. Analysis

A .docx file is a ZIP archive, so first create a directory to extract it into:

sansforensics@as: ~/DF-LAB/CyberTalents
$ mkdir doc_Extracted

Extract the archive. A file named Flag.txt appears among the extracted entries:

sansforensics@as: ~/DF-LAB/CyberTalents
$ unzip GP_Copy.docx -d doc_Extracted/
Archive:  GP_Copy.docx
   creating: doc_Extracted/docProps/
  inflating: doc_Extracted/docProps/app.xml  
  inflating: doc_Extracted/docProps/core.xml  
 extracting: doc_Extracted/Flag.txt  
   creating: doc_Extracted/word/
  inflating: doc_Extracted/word/document.xml  
  inflating: doc_Extracted/word/fontTable.xml  
  inflating: doc_Extracted/word/settings.xml  
  inflating: doc_Extracted/word/styles.xml  
  inflating: doc_Extracted/word/stylesWithEffects.xml  
   creating: doc_Extracted/word/theme/
  inflating: doc_Extracted/word/theme/theme1.xml  
  inflating: doc_Extracted/word/webSettings.xml  
   creating: doc_Extracted/word/_rels/
  inflating: doc_Extracted/word/_rels/document.xml.rels  
  inflating: doc_Extracted/[Content_Types].xml  
   creating: doc_Extracted/_rels/
  inflating: doc_Extracted/_rels/.rels

Review the extracted contents:

sansforensics@as: ~/DF-LAB/CyberTalents
$ cd doc_Extracted/

sansforensics@as: ~/DF-LAB/CyberTalents/doc_Extracted
$ ls
'[Content_Types].xml'   docProps   Flag.txt   _rels   word

Result:

sansforensics@as: ~/DF-LAB/CyberTalents/doc_Extracted
$ cat Flag.txt 
877c1fa0445adaedc5365d9c139c5219

✅ The flag was successfully extracted from the file using Word file structure analysis.
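
Added example, not part of the original write-up: one way to spot an extra member such as Flag.txt without extracting anything, by listing ZIP members that the package manifest [Content_Types].xml does not declare. The function names and the in-memory sample package are constructed for illustration; the sample mirrors the layout in the unzip listing above and carries a placeholder instead of the real flag.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def undeclared_parts(docx):
    """List ZIP members that [Content_Types].xml does not declare.

    Returns (name, size, storage) tuples; nothing is extracted to disk.
    """
    with zipfile.ZipFile(docx) as zf:
        # Stdlib parser; for hostile samples prefer a hardened one (defusedxml).
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        # Declared by extension (<Default>) or by exact part name (<Override>).
        defaults = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")}
        overrides = {o.get("PartName", "").lstrip("/").lower()
                     for o in root.iter(CT_NS + "Override")}
        findings = []
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or name == "[Content_Types].xml":
                continue  # directory entries and the manifest itself
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if name.lower() not in overrides and ext not in defaults:
                stored = info.compress_type == zipfile.ZIP_STORED
                findings.append((name, info.file_size, "stored" if stored else "deflated"))
        return findings

def build_sample():
    """Constructed stand-in for the challenge file (not the real document)."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
             '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("Flag.txt", "constructed-placeholder", compress_type=zipfile.ZIP_STORED)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample()
    for name, size, storage in undeclared_parts(target):
        print(f"undeclared: {name} ({size} bytes, {storage})")
```

In the unzip output above, Flag.txt is the only entry marked "extracting" rather than "inflating", which means it was stored without compression; the third field of each finding reports the same property. A package that declares the extra extension in its manifest would pass this check, so treat an empty result as one signal, not proof.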


📝 5. Reporting

Flag: 877c1fa0445adaedc5365d9c139c5219

Format: MD5 ✅

Location: Flag.txt inside the internal archive of the .docx file

Status: ✅ The flag was successfully extracted.

💬 "Control the code, and you control the world."


See You Soon

Abdelwahab Shandy "))


Written by

Abdelwahab A. Shandy 🦅