Stage 1 was a hidden file with reversed file inside:

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage1.PNG

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage1_flag.PNG

Stage 2 was a system file with flag hex encoded

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage2.PNG

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage2_flag.PNG

Stage 3 I suppose the powershell script was intended to add the flag as an Alternate Data Stream, but honestly after simply unpacking the archive with 7zip I got the file as unnamed file. Flag was base64 and hex encoded:

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage3.PNG

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage3_flag.PNG

Stage 4 was an executable file with javascript added to the end. Javascript was URL encoded and contained morse code encoded flag:

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage4.PNG

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage4_flag.PNG

Stage 5 was a base64 encoded flag inside jpeg file:

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage5.PNG

https://github.com/lasq88/CTF/blob/main/ritsec2021/forensics/inception/writeup/stage5_flag.PNG

Original writeup (https://github.com/lasq88/CTF/tree/main/ritsec2021/forensics/inception).