Files & Archives cheatsheet¶
Treat the file as a structure before touching pixels or samples. A huge share of "stego" challenges are really file-format tricks. Depth on the Files & Archives technique page; passwords on the brute-force cheatsheet.
Appended & embedded data¶
$ file target
$ tail -c 200 target | xxd # inspect the trailer
$ binwalk target # list embedded signatures
$ binwalk -e target # auto-extract known signatures
$ foremost -i target -o out/ # header/footer carving when binwalk misses
The classic: a ZIP concatenated after an image — unzip reads the central
directory at the end, so it often just opens:
$ unzip target # or: 7z x target
$ 7z l target # list contents without extracting
Polyglots¶
A file valid under two parsers (PDF/ZIP, JPEG/ZIP, GIF/JS). file reads only the
start, so it will not flag them.
$ binwalk target # multiple signatures at nonzero offsets
$ xxd target | grep -iE '25504446|504b0304|ffd8ff|47494638' # PDF/ZIP/JPEG/GIF magic
Build/verify with mitra or truepolyglot; Corkami's posters map where each format tolerates junk.
ZIP archives¶
$ 7z l target.zip # list; note encryption + compression method
$ unzip -l target.zip
- Password-protected → see the brute-force cheatsheet
(
zip2john+john, orfcrackzip). - ZipCrypto + a known inner file → known-plaintext attack, no password needed:
$ bkcrack -L target.zip # list entries + which are ZipCrypto
$ bkcrack -C target.zip -c secret.txt -P plain.zip -p plain.txt # recover keys
$ bkcrack -C target.zip -k KEY0 KEY1 KEY2 -d out.txt # decrypt
- AES-256 zip → not vulnerable to bkcrack; brute-force only.
Documents (Office / PDF / Java / Android)¶
.docx / .pptx / .xlsx / .jar / .apk are ZIPs — unzip and inspect.
$ 7z x report.docx -o docx/ # media/, embeddings/, and XML parts
$ grep -rInE 'flag|CTF|http' docx/
$ unzip -o app.apk -d apk/ && cat apk/AndroidManifest.xml
PDFs:
$ pdfdetach -list target.pdf && pdfdetach -saveall target.pdf # attachments
$ pdf-parser --search flag target.pdf # objects/streams
$ pdfresurrect -w target.pdf # recover overwritten revisions
$ mutool extract target.pdf # dump embedded images/fonts
Other containers¶
- SVG → XML; a
<script>or off-canvas<text>can hide the flag — open the source, not the render. - NTFS ADS →
dir /R(Windows) orgetfattr/7zlists alternate streams. .git→git log -p,git stash list, and unreferenced objects (git fsck --lost-found) hide history.
Related¶
- Tools: binwalk · foremost · file · strings.
- Depth: Files & Archives technique page.
- Passwords: Brute-force cheatsheet.
- Captures: Network / PCAP cheatsheet.