Overview
We get a file called report.docx, supposedly a Q3 audit report from a consulting firm.
Opening it in Word or LibreOffice shows a normal-looking infrastructure audit document, pretty much just fluff text. Let’s run it through some basic recon tools.
$ file report.docx
report.docx: Microsoft Word 2007+
$ exiftool report.docx
File Name  : report.docx
File Type  : DOCX
Creator    : Daniel Mercer
Title      : Q3 Infrastructure Audit -- Harlow & Dent Consulting
Metadata tells us the author (Daniel Mercer) and the document title, but nothing that looks like a flag.
strings on the file gives back a lot of XML noise and some document text, but nothing really jumps out.
Let’s try going a bit deeper. Remember: .docx is just a ZIP file! Microsoft’s Office Open XML format is a ZIP archive containing XML files, and those XML files hold everything about the document, including things the user “deleted.”
$ unzip -l report.docx
Archive:  report.docx
  Length      Date    Time    Name
---------  ---------- -----   ----
      691  2024-11-14 09:41   [Content_Types].xml
      450  2024-11-14 09:41   _rels/.rels
      291  2024-11-14 09:41   word/_rels/document.xml.rels
     4208  2024-11-14 09:41   word/document.xml
      252  2024-11-14 09:41   word/settings.xml
      346  2024-11-14 09:41   docProps/core.xml
word/document.xml is where the actual document content lives. Let’s pull it out and look.
$ unzip -p report.docx word/document.xml | grep -o 'MetaCTF{[^}]*}'
MetaCTF{tr4ck3d_ch4ng3s_4r3nt_r34lly_g0n3}
There it is! Word’s Track Changes feature records every deletion in the XML as a <w:del> element, so the “deleted” text is still stored in word/document.xml.
If you’d rather not unzip, you can also get to the flag from inside Word/LibreOffice by switching the markup view: in Word, Review → Display for Review → All Markup; in LibreOffice, Edit → Track Changes → Show Changes. The deleted block reappears with strikethrough.
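The grep above only works when the string sits in a single run; Word can split text across several runs, and then a pattern match on the raw XML misses it. As an added example (not part of the original write-up), this script parses word/document.xml and lists every tracked deletion with its author and date, joining the <w:delText> pieces. The function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def tracked_deletions(docx):
    """Return (author, date, text) for every <w:del> in word/document.xml.

    `docx` is a path or a binary file object.
    """
    with zipfile.ZipFile(docx) as z:
        # ElementTree does not harden against hostile XML; parse files of
        # unknown origin in a sandbox or with a hardened parser.
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for d in root.iter(f"{{{W}}}del"):
        # Deleted runs keep their text in <w:delText>, not <w:t>.
        text = "".join(t.text or "" for t in d.iter(f"{{{W}}}delText"))
        if text:  # skip empty <w:del> markers that carry no text
            found.append((d.get(f"{{{W}}}author"), d.get(f"{{{W}}}date"), text))
    return found

def build_sample():
    """Constructed sample: one visible run plus one deletion split over two runs."""
    xml = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:t>Visible audit text. </w:t></w:r>'
        '<w:del w:id="1" w:author="Sample Author" w:date="2024-01-01T00:00:00Z">'
        '<w:r><w:delText>EXAMPLE{constructed_</w:delText></w:r>'
        '<w:r><w:delText>placeholder}</w:delText></w:r>'
        '</w:del></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for author, date, text in tracked_deletions(build_sample()):
        print(f"{date} {author}: {text!r}")
```

The same function works as a pre-release check: a non-empty result means the document still carries tracked deletions that have not been accepted or rejected.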
Solve Script
unzip -p report.docx word/document.xml | grep -oP 'MetaCTF\{[^}]+\}'