DownUnderCTF

Forensic

Doxme

Difficulty: Beginner

Statement: Office is my safe word…


The challenge provides the doxme file.

The statement refers to the Office suite, so I will use binwalk to check whether the file contains embedded files or executable code:

binwalk doxme
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 349, uncompressed size: 1362, name: [Content_Types].xml
426           0x1AA           Zip archive data, at least v1.0 to extract, name: _rels/
490           0x1EA           Zip archive data, at least v2.0 to extract, compressed size: 233, uncompressed size: 590, name: _rels/.rels
792           0x318           Zip archive data, at least v1.0 to extract, name: docProps/
859           0x35B           Zip archive data, at least v2.0 to extract, compressed size: 454, uncompressed size: 983, name: docProps/app.xml
1387          0x56B           Zip archive data, at least v2.0 to extract, compressed size: 364, uncompressed size: 751, name: docProps/core.xml
1826          0x722           Zip archive data, at least v1.0 to extract, name: word/
1889          0x761           Zip archive data, at least v2.0 to extract, compressed size: 1263, uncompressed size: 4336, name: word/document.xml
3227          0xC9B           Zip archive data, at least v2.0 to extract, compressed size: 484, uncompressed size: 1658, name: word/fontTable.xml
3787          0xECB           Zip archive data, at least v1.0 to extract, name: word/media/
3856          0xF10           Zip archive data, at least v2.0 to extract, compressed size: 4038, uncompressed size: 9430, name: word/media/image1.png
7973          0x1F25          Zip archive data, at least v2.0 to extract, compressed size: 3278, uncompressed size: 8812, name: word/media/image2.png
11330         0x2C42          Zip archive data, at least v2.0 to extract, compressed size: 1071, uncompressed size: 3129, name: word/settings.xml
12476         0x30BC          Zip archive data, at least v2.0 to extract, compressed size: 2905, uncompressed size: 29455, name: word/styles.xml
15454         0x3C5E          Zip archive data, at least v1.0 to extract, name: word/theme/
15523         0x3CA3          Zip archive data, at least v2.0 to extract, compressed size: 1699, uncompressed size: 8393, name: word/theme/theme1.xml
17301         0x4395          Zip archive data, at least v2.0 to extract, compressed size: 327, uncompressed size: 894, name: word/webSettings.xml
17706         0x452A          Zip archive data, at least v1.0 to extract, name: word/_rels/
17775         0x456F          Zip archive data, at least v2.0 to extract, compressed size: 256, uncompressed size: 949, name: word/_rels/document.xml.rels
19741         0x4D1D          End of Zip archive, footer length: 22

I will then extract the content to recover the files:

binwalk -e doxme

Searching the files, I find the flag in the images:


Flag: DUCTF{WOrd_D0Cs_Ar3_R34L1Y_W3ird}
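The binwalk listing above is the layout of an ordinary Office Open XML package, so the same triage can be done with a ZIP library alone. The following is an added example, not part of the original write-up: it classifies the container, lists the media parts with a PNG signature check, and extracts them while refusing member names that would escape the output directory. The function names and the sample archive are assumptions constructed for illustration; the sample is not the real doxme file.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
OOXML_DIRS = {"word": "docx", "xl": "xlsx", "ppt": "pptx"}

def _is_media(info):
    return not info.is_dir() and "media" in PurePosixPath(info.filename).parts

def triage_ooxml(data: bytes) -> dict:
    """Classify a ZIP container as OOXML and list its embedded media parts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:   # raises BadZipFile if not a ZIP
        names = zf.namelist()
        kind = "zip"
        # [Content_Types].xml at the root marks an Office Open XML package;
        # the top-level part directory shows which document type it is.
        if "[Content_Types].xml" in names:
            tops = {n.split("/", 1)[0] for n in names}
            kind = next((v for k, v in OOXML_DIRS.items() if k in tops), "ooxml")
        media = [(i.filename, i.file_size, zf.read(i)[:8] == PNG_MAGIC)
                 for i in zf.infolist() if _is_media(i)]
    return {"kind": kind, "media": media}

def extract_media(data: bytes, dest: Path) -> list:
    """Write media parts under dest, skipping names that would escape it."""
    dest, written = Path(dest).resolve(), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in filter(_is_media, zf.infolist()):
            target = (dest / info.filename).resolve()
            if not target.is_relative_to(dest):     # path traversal ("zip slip") guard
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written

def build_sample() -> bytes:
    """Constructed stand-in for the challenge file (not the real doxme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", PNG_MAGIC + b"constructed")
        zf.writestr("word/media/image2.png", b"not a real PNG")
        zf.writestr("../media/escape.png", PNG_MAGIC)   # hostile member name
    return buf.getvalue()
```

A media part whose extension says PNG but whose signature check is False is worth opening in a hex viewer before an image viewer.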