The Professor's Files - BuckeyeCTF 2025

2025. 11. 9. 18:41

Challenge


Solution

I'm given a docx file, so let's analyze it and see what turns up.

┌──(kali㉿kali)-[/BuckeyeCTF 2025/beginner/The Professor's Files]
└─$ file OSU_Ethics_Report.docx 
OSU_Ethics_Report.docx: Microsoft Word 2007+

Next, run binwalk on it:

┌──(kali㉿kali)-[/BuckeyeCTF 2025/beginner/The Professor's Files]
└─$ binwalk OSU_Ethics_Report.docx 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, name: [Content_Types].xml
429           0x1AD           Zip archive data, at least v2.0 to extract, name: _rels/.rels
720           0x2D0           Zip archive data, at least v2.0 to extract, name: docProps/app.xml
1093          0x445           Zip archive data, at least v2.0 to extract, name: docProps/core.xml
1515          0x5EB           Zip archive data, at least v2.0 to extract, name: docProps/custom.xml
1731          0x6C3           Zip archive data, at least v2.0 to extract, name: word/_rels/document.xml.rels
2017          0x7E1           Zip archive data, at least v2.0 to extract, name: word/document.xml
3558          0xDE6           Zip archive data, at least v2.0 to extract, name: word/fontTable.xml
3946          0xF6A           Zip archive data, at least v2.0 to extract, name: word/settings.xml
4275          0x10B3          Zip archive data, at least v2.0 to extract, name: word/styles.xml
5054          0x13BE          Zip archive data, at least v2.0 to extract, compressed size: 495, uncompressed size: 1310, name: word/theme/theme1.xml
6340          0x18C4          End of Zip archive, footer length: 22

word/theme/theme1.xml contains the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="ProfessorTheme_Loud">
  <a:themeElements>
    <a:clrScheme name="CustomLoud">
      <a:dk1><a:srgbClr val="1F1F1F"/></a:dk1>
      <a:lt1><a:srgbClr val="FFFFFF"/></a:lt1>
      <a:dk2><a:srgbClr val="2B2B2B"/></a:dk2>
      <a:lt2><a:srgbClr val="F4F4F4"/></a:lt2>

      <a:accent1><a:srgbClr val="FF4500"/></a:accent1>  <!-- vivid orange -->
      <a:accent2><a:srgbClr val="0066CC"/></a:accent2>  <!-- strong blue -->
      <a:accent3><a:srgbClr val="8A2BE2"/></a:accent3>  <!-- bright purple -->
      <a:accent4><a:srgbClr val="228B22"/></a:accent4>  <!-- strong green -->
      <a:accent5><a:srgbClr val="FFD700"/></a:accent5>  <!-- gold -->
      <a:accent6><a:srgbClr val="DC143C"/></a:accent6>  <!-- crimson -->
      <!-- bctf{docx_is_zip} -->

      <a:hlink><a:srgbClr val="0000FF"/></a:hlink>
      <a:folHlink><a:srgbClr val="800080"/></a:folHlink>
    </a:clrScheme>

    <a:fmtScheme name="CustomFmt">

      <a:fillStyleLst>
        <a:solidFill><a:srgbClr val="FFFFFF"/></a:solidFill>
      </a:fillStyleLst>
      <a:lnStyleLst/>
      <a:effectStyleLst/>
    </a:fmtScheme>
  </a:themeElements>

  <a:objectDefaults/>
  <a:extraClrSchemeLst/>
</a:theme>

Flag

Flag: bctf{docx_is_zip}
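
The same check as a script, as an added example that is not part of the original write-up: it opens the .docx as a ZIP package and lists every XML comment in every part, marking those that match the bctf{...} flag format seen above. The function names, the size cap and the inline sample package are constructed for illustration.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Word ignores XML comments when rendering, and many XML parsers drop them,
# so the raw bytes of each part are searched instead of a parsed tree.
COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)
FLAG_RE = re.compile(rb"bctf\{[^}]*\}")
MAX_PART = 10 * 1024 * 1024  # assumed cap per part, to avoid inflating huge members


def scan_ooxml(data: bytes):
    """Return (part_name, comment_text, is_flag) for every XML comment in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir() or info.file_size > MAX_PART:
                continue  # skip directories and oversized parts
            body = pkg.read(info)
            for m in COMMENT_RE.finditer(body):
                text = m.group(1).strip().decode("utf-8", "replace")
                findings.append((info.filename, text, bool(FLAG_RE.search(m.group(0)))))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a minimal package reusing part names from the binwalk listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/theme/theme1.xml",
                   "<a:theme><a:accent6/>  <!-- crimson -->\n"
                   "<!-- bctf{docx_is_zip} --></a:theme>")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a .docx path to scan a real file; with no argument the sample is used.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample()
    for part, text, is_flag in scan_ooxml(data):
        print(f"{'FLAG ' if is_flag else '     '}{part}: {text}")
```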
