Challenge Description#

Find the flag hidden in this suspicious Word Document. Flag format: texsaw{flag} ex: texsaw{orthogonal}

Analysis#

The file was a Microsoft Word .docx document, which matters because modern Office documents are really ZIP archives containing XML, media, and any other files someone decides to tuck inside. That made the fastest path simply extracting the archive and looking for anything unusual in the resulting file tree.

unzip -o /home/rei/Downloads/challenge.docx -d /tmp/ctf_docx_extract

Archive: /home/rei/Downloads/challenge.docx
inflating: /tmp/ctf_docx_extract/word/document.xml
inflating: /tmp/ctf_docx_extract/word/settings.xml
...
extracting: /tmp/ctf_docx_extract/secret.txt

That extraction immediately revealed the important clue: a file named secret.txt sitting at the archive root instead of inside the normal Word document structure. Once that file showed up, the problem stopped being about Word internals and became a simple hidden-data check.

cat /tmp/ctf_docx_extract/secret.txt

dGV4c2F3e3N1cnByMXNlIV93MHJkX2YxbGVzX2FyM196MXBfNHJjaGl2ZXNfNjA3MDkwMTM3NzF9

The contents matched Base64 immediately: it only used the expected character set and had the right padding-friendly length. Decoding it produced the flag directly.

echo "dGV4c2F3e3N1cnByMXNlIV93MHJkX2YxbGVzX2FyM196MXBfNHJjaGl2ZXNfNjA3MDkwMTM3NzF9" | base64 -d

texsaw{surpr1se!_w0rd_f1les_ar3_z1p_4rchives_60709013771}

The whole trick was recognizing that .docx is just a ZIP container and then noticing the nonstandard embedded file. The challenge name and the silence emoji pointed toward hidden content, but the decisive clue was the extracted secret.txt file itself.

Solution#

unzip -o /home/rei/Downloads/challenge.docx -d /tmp/ctf_docx_extract
cat /tmp/ctf_docx_extract/secret.txt
echo "dGV4c2F3e3N1cnByMXNlIV93MHJkX2YxbGVzX2FyM196MXBfNHJjaGl2ZXNfNjA3MDkwMTM3NzF9" | base64 -d

texsaw{surpr1se!_w0rd_f1les_ar3_z1p_4rchives_60709013771}