Cyber Talents : DF : G&P List


🕵️♂️ 1. Identification
Challenge Name: G&P List
Challenge Type: Office File Analysis (Document Forensics)
Description: A Word file containing a hidden flag.
Flag Format: MD5 hash
File Name: G&P+lists.docx
Link: https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
📥 2. Acquisition
Download the file:
sansforensics@as: ~/DF-LAB/CyberTalents
$ wget https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
--2025-07-28 21:23:12-- https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
Resolving hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)... 52.218.61.152, 52.92.33.250, 3.5.64.136, ...
Connecting to hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)|52.218.61.152|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12758 (12K) [application/vnd.openxmlformats-officedocument.wordprocessingml.document]
Saving to: ‘G&P+lists.docx’
G&P+lists.docx 100%[===================>] 12.46K --.-KB/s in 0.03s
2025-07-28 21:23:13 (371 KB/s) - ‘G&P+lists.docx’ saved [12758/12758]
Check file properties :
sansforensics@as: ~/DF-LAB/CyberTalents
$ stat 'G&P+lists.docx'
File: G&P+lists.docx
Size: 12758 Blocks: 32 IO Block: 4096 regular file
Device: 802h/2050d Inode: 3150077 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/sansforensics) Gid: ( 1000/sansforensics)
Access: 2025-07-28 21:23:13.000000000 +0000
Modify: 2024-10-13 07:46:28.000000000 +0000
Change: 2025-07-28 21:23:13.870043518 +0000
Birth: -
Determine the file type :
sansforensics@as: ~/DF-LAB/CyberTalents
$ file 'G&P+lists.docx'
G&P+lists.docx: Microsoft Word 2007+
Copy the file :
sansforensics@as: ~/DF-LAB/CyberTalents
$ cp 'G&P+lists.docx' GP_Copy.docx
Make the original read-only so that analysis cannot modify it :
sansforensics@as: ~/DF-LAB/CyberTalents
$ chmod -w 'G&P+lists.docx'
sansforensics@as: ~/DF-LAB/CyberTalents
$ ls -la
total 40
drwxrwxr-x 2 sansforensics sansforensics 4096 Jul 28 21:31 .
drwxrwxr-x 3 sansforensics sansforensics 4096 Jul 28 20:50 ..
-rw-rw-r-- 1 sansforensics sansforensics 12758 Jul 28 21:31 GP_Copy.docx
-r--r--r-- 1 sansforensics sansforensics 12758 Oct 13 2024 'G&P+lists.docx'
🧊 3. Preservation
- The original file was made read-only (chmod -w)
- A working copy named GP_Copy.docx was created for analysis
- The original file data was not modified
- The work was kept in a dedicated folder, ~/DF-LAB/CyberTalents, with all commands documented
🔍 4. Analysis
A .docx file is a ZIP archive, so create a directory to extract it into:
sansforensics@as: ~/DF-LAB/CyberTalents
$ mkdir doc_Extracted
Extract the archive. A file named Flag.txt appears among the extracted parts:
sansforensics@as: ~/DF-LAB/CyberTalents
$ unzip GP_Copy.docx -d doc_Extracted/
Archive: GP_Copy.docx
creating: doc_Extracted/docProps/
inflating: doc_Extracted/docProps/app.xml
inflating: doc_Extracted/docProps/core.xml
extracting: doc_Extracted/Flag.txt
creating: doc_Extracted/word/
inflating: doc_Extracted/word/document.xml
inflating: doc_Extracted/word/fontTable.xml
inflating: doc_Extracted/word/settings.xml
inflating: doc_Extracted/word/styles.xml
inflating: doc_Extracted/word/stylesWithEffects.xml
creating: doc_Extracted/word/theme/
inflating: doc_Extracted/word/theme/theme1.xml
inflating: doc_Extracted/word/webSettings.xml
creating: doc_Extracted/word/_rels/
inflating: doc_Extracted/word/_rels/document.xml.rels
inflating: doc_Extracted/[Content_Types].xml
creating: doc_Extracted/_rels/
inflating: doc_Extracted/_rels/.rels
Review the extracted contents :
sansforensics@as: ~/DF-LAB/CyberTalents
$ cd doc_Extracted/
sansforensics@as: ~/DF-LAB/CyberTalents/doc_Extracted
$ ls
'[Content_Types].xml' docProps Flag.txt _rels word
Result :
sansforensics@as: ~/DF-LAB/CyberTalents/doc_Extracted
$ cat Flag.txt
877c1fa0445adaedc5365d9c139c5219
✅ The flag was successfully extracted from the file using Word file structure analysis.
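The manual review above can also be done without extracting anything: every part of an OOXML package must be covered by a Default or Override entry in [Content_Types].xml, so ZIP members it does not cover stand out. This is an added example, not part of the original write-up; the function names are hypothetical and the package it inspects is constructed in memory, not the challenge file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def undeclared_parts(docx_bytes):
    """List ZIP members that [Content_Types].xml does not account for."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        # <Default Extension="xml"/> covers every part with that extension.
        defaults = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")}
        # <Override PartName="/word/document.xml"/> covers one exact part.
        overrides = {o.get("PartName", "").lstrip("/").lower()
                     for o in root.iter(CT_NS + "Override")}
        found = []
        for name in zf.namelist():
            if name.endswith("/") or name == "[Content_Types].xml":
                continue  # directory entries and the manifest itself
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if name.lower() not in overrides and ext not in defaults:
                found.append(name)
        return found

def build_sample(with_extra=True):
    """Constructed minimal package (not the challenge file), built in memory."""
    types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType='
        '"application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", "<coreProperties/>")
        if with_extra:
            zf.writestr("Flag.txt", "constructed placeholder, not the real flag")
    return buf.getvalue()

if __name__ == "__main__":
    print(undeclared_parts(build_sample()))
```

To run it on a real document, pass the bytes of the working copy (for example the contents of GP_Copy.docx). A hit is a lead to inspect rather than proof, and the page does not show whether the challenge file's manifest declares a txt type.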
📝 5. Reporting
Flag: 877c1fa0445adaedc5365d9c139c5219
Format: MD5 ✅
Location: Flag.txt inside the internal archive of the .docx file
Status: ✅ The flag was successfully extracted.
💬 "Control the code, and you control the world."
See You Soon
Abdelwahab Shandy "))