Tags: hexeditor stego 

Rating: 5.0

**Description**

> Is this the access codes to the Zion mainframe?. We have only bits and pieces of information.

**Files provided**

- `zion.tar.gz` - archive:
- `YouKnow`

**Solution**

After extracting the `YouKnow` file, we can see that there are many references to Word, e.g. `word/document.xml`. If we make Word open the file, it complains a bit, but it opens it just fine as an Office Open XML document. The contents show some flavour text and a red rabbit:

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/zion1.png)

At first I thought this might be encoding a program in some [esoteric language](https://esolangs.org/wiki/Main_Page), but I didn't have much hope, since there was very little actual text data shown in the image.

Back to looking at the file in a hex editor, we can first notice that it starts with `PK`, just like a zip file. And indeed, we can unzip the file and it contains various XML files, as well as the red rabbit in a `media` folder. But there is one more weird thing – if we scroll all the way to the end, we see `KP`. And not far behind that, `sler./sler_`? In the extracted data, we did get a `_rels/.rels` folder. It is reversed, but why? Around the middle of the file we see where the reversal happens, but the mirror images are not exactly the same.

0003820: 0000 382e 0000 776f 7264 2f74 6865 6d65 ..8...word/theme
0003830: 2f74 6865 6d65 312e 786d 6c50 4b01 0214 /theme1.xmlPK...
0003840: 0014 0008 0808 00bc 94b6 4c29 ef3d 8b4a ..........L).=.J
0003850: 0100 0016 0500 0013 0000 0000 0000 0000 ................
0003860: 0000 0000 002f 3400 005b 436f 6e74 656e ...../4..[Conten
0003870: 745f 5479 7065 735d 2e78 6d6c 504b 0506 t_Types].xmlPK..
0003880: 0000 0000 0b00 0b00 c202 0000 ba35 0000 .............5..
0003890: 0000 0000 0000 340e 0000 0303 000c 000c ......4.........
00038a0: 0000 0000 0605 4b50 6c6d 782e 5d73 6570 ......KPlmx.]sep
00038b0: 7954 5f74 6e65 746e 6f43 5b00 0032 7900 yT_tnetnoC[..2y.
00038c0: 0000 0000 0000 0000 0000 0000 1300 0005 ................
00038d0: 9300 0001 54a6 0075 bf4c b694 7c00 0808 ....T..u.L..|...
00038e0: 0800 1400 1402 014b 506c 6d78 2e31 656d .......KPlmx.1em
00038f0: 6568 742f 656d 6568 742f 6472 6f77 0000 eht/emeht/drow..
0003900: 2c82 0000 0000 0000 0000 0000 0000 0015 ,...............

Some of the numbers don't match. So let's finally reverse the file and unzip it again. And indeed, there is another image, but this time showing the flag!

![](https://raw.githubusercontent.com/Aurel300/empirectf/master/writeups/2018-05-31-SecurityFest/screens/zion2.png)

`sctf{m41nfr4m3_4cc3ss_c0d3_1337_4lw4s}`