Files & Archives cheatsheet

Treat the file as a structure before touching pixels or samples. A huge share of "stego" challenges are really file-format tricks. Depth on the Files & Archives technique page; passwords on the brute-force cheatsheet.

Appended & embedded data

$ file target
$ tail -c 200 target | xxd            # inspect the trailer
$ binwalk target                       # list embedded signatures
$ binwalk -e target                    # auto-extract known signatures
$ foremost -i target -o out/           # header/footer carving when binwalk misses

The classic: a ZIP concatenated after an image — unzip reads the central directory at the end, so it often just opens:

$ unzip target          # or: 7z x target
$ 7z l target           # list contents without extracting

Polyglots

A file valid under two parsers (PDF/ZIP, JPEG/ZIP, GIF/JS). file reads only the start, so it will not flag them.

$ binwalk target                       # multiple signatures at nonzero offsets
$ xxd target | grep -iE '25504446|504b0304|ffd8ff|47494638'   # PDF/ZIP/JPEG/GIF magic

Build/verify with mitra or truepolyglot; Corkami's posters map where each format tolerates junk.

ZIP archives

$ 7z l target.zip                      # list; note encryption + compression method
$ unzip -l target.zip
  • Password-protected → see the brute-force cheatsheet (zip2john + john, or fcrackzip).
  • ZipCrypto + a known inner file → known-plaintext attack, no password needed:
$ bkcrack -L target.zip                # list entries + which are ZipCrypto
$ bkcrack -C target.zip -c secret.txt -P plain.zip -p plain.txt   # recover keys
$ bkcrack -C target.zip -k KEY0 KEY1 KEY2 -d out.txt              # decrypt
  • AES-256 zip → not vulnerable to bkcrack; brute-force only.

Documents (Office / PDF / Java / Android)

.docx / .pptx / .xlsx / .jar / .apk are ZIPs — unzip and inspect.

$ 7z x report.docx -o docx/            # media/, embeddings/, and XML parts
$ grep -rInE 'flag|CTF|http' docx/
$ unzip -o app.apk -d apk/ && cat apk/AndroidManifest.xml

PDFs:

$ pdfdetach -list target.pdf && pdfdetach -saveall target.pdf   # attachments
$ pdf-parser --search flag target.pdf          # objects/streams
$ pdfresurrect -w target.pdf                    # recover overwritten revisions
$ mutool extract target.pdf                      # dump embedded images/fonts

Other containers

  • SVG → XML; a <script> or off-canvas <text> can hide the flag — open the source, not the render.
  • NTFS ADSdir /R (Windows) or getfattr/7z lists alternate streams.
  • .gitgit log -p, git stash list, and unreferenced objects (git fsck --lost-found) hide history.