
Gandp List (Cyber Talents)

🕵️‍♂️ 1. Identification

Challenge Name: G&P List

Challenge Type: Office File Analysis (Document Forensics)

Description: A Word file containing a hidden flag.

Flag Format: MD5 hash

File Name: G&P+lists.docx

Link: https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx


📥 2. Acquisition

Download the file:

sansforensics@as: ~/DF-LAB/CyberTalents
$ wget https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
--2025-07-28 21:23:12--  https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/G%26P+lists.docx
Resolving hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)... 52.218.61.152, 52.92.33.250, 3.5.64.136, ...
Connecting to hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)|52.218.61.152|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12758 (12K) [application/vnd.openxmlformats-officedocument.wordprocessingml.document]
Saving to: ‘G&P+lists.docx’

G&P+lists.docx      100%[===================>]  12.46K  --.-KB/s    in 0.03s   

2025-07-28 21:23:13 (371 KB/s) - ‘G&P+lists.docx’ saved [12758/12758]

Check the file properties:

sansforensics@as: ~/DF-LAB/CyberTalents
$ stat 'G&P+lists.docx' 
  File: G&P+lists.docx
  Size: 12758       Blocks: 32         IO Block: 4096   regular file
Device: 802h/2050d  Inode: 3150077     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/sansforensics)   Gid: ( 1000/sansforensics)
Access: 2025-07-28 21:23:13.000000000 +0000
Modify: 2024-10-13 07:46:28.000000000 +0000
Change: 2025-07-28 21:23:13.870043518 +0000
 Birth: -

Determine the file type:

sansforensics@as: ~/DF-LAB/CyberTalents
$ file 'G&P+lists.docx' 
G&P+lists.docx: Microsoft Word 2007+

Copy the file:

sansforensics@as: ~/DF-LAB/CyberTalents
$ cp 'G&P+lists.docx' GP_Copy.docx

Prepare for analysis without modifying the original:

sansforensics@as: ~/DF-LAB/CyberTalents
$ chmod -w 'G&P+lists.docx' 
sansforensics@as: ~/DF-LAB/CyberTalents
$ ls -la
total 40
drwxrwxr-x 2 sansforensics sansforensics  4096 Jul 28 21:31  .
drwxrwxr-x 3 sansforensics sansforensics  4096 Jul 28 20:50  ..
-rw-rw-r-- 1 sansforensics sansforensics 12758 Jul 28 21:31  GP_Copy.docx
-r--r--r-- 1 sansforensics sansforensics 12758 Oct 13  2024 'G&P+lists.docx'

🧊 3. Preservation

  • The original file was made read-only (chmod -w)

  • A working copy named GP_Copy.docx was created for analysis

  • The original file data was not modified

  • The work was kept in a dedicated folder, ~/DF-LAB/CyberTalents, with all commands documented


🔍 4. Analysis

A .docx file is a ZIP archive, so it can be unpacked as one. First create a directory for the extracted contents:

sansforensics@as: ~/DF-LAB/CyberTalents
$ mkdir doc_Extracted

Analysis output:

A file named Flag.txt appears after decompression.

sansforensics@as: ~/DF-LAB/CyberTalents
$ unzip GP_Copy.docx -d doc_Extracted/
Archive:  GP_Copy.docx
   creating: doc_Extracted/docProps/
  inflating: doc_Extracted/docProps/app.xml  
  inflating: doc_Extracted/docProps/core.xml  
 extracting: doc_Extracted/Flag.txt  
   creating: doc_Extracted/word/
  inflating: doc_Extracted/word/document.xml  
  inflating: doc_Extracted/word/fontTable.xml  
  inflating: doc_Extracted/word/settings.xml  
  inflating: doc_Extracted/word/styles.xml  
  inflating: doc_Extracted/word/stylesWithEffects.xml  
   creating: doc_Extracted/word/theme/
  inflating: doc_Extracted/word/theme/theme1.xml  
  inflating: doc_Extracted/word/webSettings.xml  
   creating: doc_Extracted/word/_rels/
  inflating: doc_Extracted/word/_rels/document.xml.rels  
  inflating: doc_Extracted/[Content_Types].xml  
   creating: doc_Extracted/_rels/
  inflating: doc_Extracted/_rels/.rels

Review the extracted contents:

sansforensics@as: ~/DF-LAB/CyberTalents
$ cd doc_Extracted/

sansforensics@as: ~/DF-LAB/CyberTalents/doc_Extracted
$ ls
'[Content_Types].xml'   docProps   Flag.txt   _rels   word

Result:

sansforensics@as: ~/DF-LAB/CyberTalents/doc_Extracted
$ cat Flag.txt 
877c1fa0445adaedc5365d9c139c5219

✅ The flag was successfully extracted from the file using Word file structure analysis.
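
The same inspection can be done without writing anything to disk. The following is an added example, not part of the original write-up: it hashes the package and lists members that [Content_Types].xml does not declare, along with their compression method (unzip prints "extracting:" for stored members and "inflating:" for deflated ones, which is why Flag.txt stands out in the listing above). The names audit_docx and build_sample are hypothetical, and the sample package is constructed in memory rather than taken from the challenge file.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def audit_docx(data: bytes) -> dict:
    """Return the package SHA-256 and the members with no declared content type."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "undeclared": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        types = ET.fromstring(zf.read("[Content_Types].xml"))
        # <Default> declares a type per extension, <Override> per exact part name.
        exts = {d.get("Extension", "").lower() for d in types.iter(CT_NS + "Default")}
        parts = {o.get("PartName", "") for o in types.iter(CT_NS + "Override")}
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name == "[Content_Types].xml":
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in exts or "/" + name in parts:
                continue
            method = "stored" if info.compress_type == zipfile.ZIP_STORED else "deflated"
            report["undeclared"].append((name, info.file_size, method))
    return report

def build_sample() -> bytes:
    """Constructed sample package (not the challenge file) with one stray member."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<document/>")
        # Stray member, stored uncompressed like an "extracting:" line from unzip.
        zf.writestr("Flag.txt", "constructed-sample-value\n", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()

if __name__ == "__main__":
    result = audit_docx(build_sample())
    print(result["sha256"])
    for name, size, method in result["undeclared"]:
        print(f"undeclared member: {name} ({size} bytes, {method})")
```

To run it against a real file, pass the bytes of the working copy (for example open("GP_Copy.docx", "rb").read()) to audit_docx; recording the SHA-256 before and after analysis confirms the evidence was not altered.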


📝 5. Reporting

Flag: 877c1fa0445adaedc5365d9c139c5219

Format: MD5 ✅

Location: Flag.txt inside the internal archive of the .docx file

Status: ✅ The flag was successfully extracted.

💬 "Control the code, and you control the world."

See You Soon

Abdelwahab Shandy