CrySyS Sec Challenge 2014 - Hide Your Flags writeups

This writeup was cross-posted from balazsrostas.me. Author: Balázs Rostás.

This task was given during the Security Challenge of 2014 under the “Word Processors FTW” group and was worth 80 points. The CrySyS Lab at BME made the CTF possible.

Description: You should have received a document with a flag. The document is here, but where is the flag?

I downloaded the file. The document read:

I’m sending you the flag:

The file is in the Office Open XML format, which is a ZIP archive of XML files, so we can simply unpack it with the ‘unzip’ command in the terminal.

unzip flag.doc

This produces a number of folders, one of which is called word. That folder contains several XML files, and if we look at document.xml we find the following:

<w:p w:rsidR="00C21BD3" w:rsidRDefault="00F276A0">
    <w:r>
        <w:t xml:space="preserve">I’m sending you the flag:</w:t>
    </w:r>
    <!--  f9fd7ff0c20c90277ed467b6780c7439  -->
    <w:bookmarkStart w:id="0" w:name="_GoBack"/>
    <w:bookmarkEnd w:id="0"/>
</w:p>

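So the flag really was sent to us, in the form of an XML comment. Word does not display XML comments when it renders the document, which is why the flag was invisible in the opened file.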
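The same check can be automated for any Office Open XML package, for instance when reviewing documents for hidden content. The script below is an added example, not part of the original writeup: it walks every XML part in the archive and reports XML comments. The function names and the sample package are constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat


def find_xml_comments(package_bytes):
    """Return [(part_name, comment_text)] for each XML comment in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue  # skip media and other binary parts
            parser = expat.ParserCreate()
            # Word never renders XML comments, so any hit is content
            # that is invisible to someone reading the document.
            parser.CommentHandler = (
                lambda text, part=name: findings.append((part, text.strip()))
            )
            try:
                parser.Parse(zf.read(name), True)
            except expat.ExpatError:
                # A malformed part is itself worth a manual look.
                findings.append((name, "<unparseable XML part>"))
    return findings


def build_sample():
    """Constructed minimal package: one visible paragraph plus a hidden comment."""
    ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{ns}"><w:body><w:p>'
        "<w:r><w:t>Visible text</w:t></w:r>"
        "<!-- CONSTRUCTED-HIDDEN-VALUE -->"
        "</w:p></w:body></w:document>"
    )
    types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    for part, comment in find_xml_comments(build_sample()):
        print(f"{part}: {comment}")
```

To scan a real file, pass its bytes instead of the sample, for example `find_xml_comments(open("flag.doc", "rb").read())`.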