H4CK1T CTF 2016: China – RTFspy (150 points)


RU: Все же любят хранить пароли в txt файликах? А наш подопытный пошел намного дальше! Он начал хранить в них информацию под грифом “СОВЕРШЕННО СЕКРЕТНО”! Докажите ему, что это не безопасно.

EN: Everybody likes to store passwords in txt files? And our guinea pig has gone much further! He has begun to store the information under a signature stamp “TOP SECRET” in them! Prove to him that it isn’t secure.


After extracting the ZIP archive we were given, I looked at its contents:

There is an .rtf file. Considering that the title of this challenge is RTFspy, there must be something in this file.

First, of course, I tried to open it in the regular way, but none of the programs I tried could open the file.

Clearly, the file is not meant to be looked at in the normal way. Therefore, let’s look at the first part of the file manually (it was quite a big file, hence the ‘-c 1000′):

In the output above, the file consists of pairs of two characters, delimited by the symbols \ and ‘. This looks pretty hexadecimal to me. I therefore stripped out the parts that are not hexadecimal (the first 3 lines) and the last character (}). While I could have done that in bash too, I chose to do it manually. I saved the output to a file called hexstuff.txt.

Now, I still have to strip the \ and ‘ symbols to be able to decode the hex values to ASCII text. To do that, I cat  the hexstuff.txt file, pipe it so sed with which I strip out the \ symbol, then pipe it to sed again and strip out the ‘ symbol. That output is piped to xxd which decodes it from hex to ASCII text, and then written to a file called hexdump.txt.

A quick look at the output, hexdump.txt, showed that the content was not entirely humand-readble. Therefore, let’s look at the file using the command hexdump.

It seems that there is some info on a file called flag.txt. Let’s carve hexdump.txt to see if it can be extracted:

Cool! Let’s look at the contents of the ./output directory foremost created for us:

My first guess was to look in the zip directory.

Unpack the ZIP archive:

Alright, so let’s have a look now:

…and look at the contents of flag.txt:

That’s it, the flag is h4ck1t{rtf_d0cs_4r3_awesome}.

Leave a Comment

Your email address will not be published.