KnowYou

We are given a single file, KnowYou. A quick check gives some information:

$ file KnowYou
KnowYou: Microsoft OOXML

We try to open it with LibreOffice, but it appears to be corrupted.

We know that OOXML is just a ZIP archive, so we extract it and get:

├── [Content_Types].xml
├── docProps
│   ├── app.xml
│   └── core.xml
├── _rels
└── word
    ├── document.xml
    ├── fontTable.xml
    ├── media
    │   └── image1.png
    ├── _rels
    │   └── document.xml.rels
    ├── settings.xml
    ├── styles.xml
    └── theme
        └── theme1.xml

We checked the various documents, the PNG file, and so on, but in the end found no flag.

Image 1

Maybe we missed something? We looked again with binwalk, hachoir, etc., and in the end just cat'ed the file and noticed something interesting:

$ tail -1 KnowYou | hexdump -C
00000000  50 de df 5a a6 48 4c 9b  06 ee cc 90 80 7d 48 9b  |P..Z.HL......}H.|
00000010  d0 88 bd b3 64 44 55 b6  77 7b 99 62 9f 7b e0 06  |....dDU.w{.b.{..|
00000020  10 31 03 4a c1 d2 ad 73  6c 65 72 2e 2f 73 6c 65  |.1.J...sler./sle|
00000030  72 5f 00 00 00 0b 00 00  00 00 00 00 00 00 00 00  |r_..............|
00000040  00 00 4c b6 94 7c 00 08  08 08 00 14 04 03 4b 50  |..L..|........KP|

The file ends with \x04\x03\x4b\x50, which, when byte-reversed, is \x50\x4b\x03\x04, i.e. one of the ZIP header signatures. That can't be a coincidence, so let's reverse the file.

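#!/usr/bin/env python
# Write a byte-reversed copy of KnowYou to KnowYou.revert.
with open('KnowYou','rb') as f:
    with open('KnowYou.revert','wb') as g:
        # [::-1] reverses the whole byte string, so the trailing
        # \x04\x03\x4b\x50 becomes a leading PK\x03\x04.
        g.write(f.read()[::-1])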

Once again, we get a corrupted OOXML file. Once again, we extract it, check the files, and open the image, and here it is:

Flag
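
The tail check and reversal above can be turned into a quick triage step. This is an added example, not part of the original writeup: it tests for the reversed signature and lists member names by walking raw local file headers in both directions. The function names and the sample (a decoy ZIP followed by a byte-reversed ZIP, built in memory) are constructed for illustration, assuming that layout from the `file` output and the hexdump.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header signature

def ends_with_reversed_zip(data: bytes) -> bool:
    """True when the last four bytes are LOCAL_SIG read backwards."""
    return data[-4:] == LOCAL_SIG[::-1]

def carve_names(data: bytes) -> list:
    """List member names from every local file header found in data.

    Walks raw headers instead of the central directory, so it still works
    on archives that normal tools report as corrupted.
    """
    names = []
    pos = data.find(LOCAL_SIG)
    while pos != -1:
        header = data[pos:pos + 30]  # fixed part of a local header
        if len(header) == 30:
            name_len = struct.unpack_from("<H", header, 26)[0]
            raw = data[pos + 30:pos + 30 + name_len]
            names.append(raw.decode("utf-8", "replace"))
        pos = data.find(LOCAL_SIG, pos + 4)
    return names

def triage(data: bytes) -> dict:
    """Compare what is visible reading forwards with what hides backwards."""
    hidden = carve_names(data[::-1]) if ends_with_reversed_zip(data) else []
    return {"forward": carve_names(data), "reversed": hidden}

def build_sample() -> bytes:
    """Constructed sample: a decoy ZIP followed by a byte-reversed ZIP."""
    def make_zip(name, content):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zipfile.ZipInfo(name), content)
        return buf.getvalue()
    decoy = make_zip("word/document.xml", b"constructed decoy text")
    hidden = make_zip("word/media/image1.png", b"constructed image bytes")
    return decoy + hidden[::-1]

if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against a real file with `triage(open(path, 'rb').read())`; a non-empty `reversed` list means a second archive is stored backwards at the end.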