Forensics

Last updated 3 months ago

information (Exiftool)

Challenge

Files can always be changed in a secret way. Can you find the flag? (Download file: cat.jpg)

Solution

Run exiftool on cat.jpg:

The selected string is in Base64 encoding.

Weird File (Microsoft Word => View Macros)

Challenge

What could go wrong if we let Word documents run programs? (aka "in-the-clear").

Solution

Open the Word document and go to "View -> Macros -> runpython -> Edit":

The selected string is in Base64 encoding.

Matryoshka doll (Binwalk)

Challenge

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one?

Solution

Use binwalk -e <filename> four times.
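The loop that binwalk -e runs four times here, as an added example that is not part of this writeup: it carves the ZIP archive appended to each image layer using only the standard library, stops when a layer has nothing appended, and caps the depth so a file that nests forever cannot keep it busy. The image-with-appended-ZIP layout and the four-layer sample are constructed assumptions modelled on this challenge.

```python
import io
import zipfile

# Added example: manual Matryoshka unpacking. Assumption (modelled on this
# challenge): each layer is an image with a ZIP archive appended after the image
# bytes, and that ZIP holds the next layer. binwalk -e carves the same way.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"
ZIP_MAGIC = b"PK\x03\x04"            # ZIP local file header signature


def carve_trailing_zip(blob: bytes):
    """Return everything from the first ZIP local-file header onward, or None."""
    idx = blob.find(ZIP_MAGIC)
    return blob[idx:] if idx != -1 else None


def unpack_layers(blob: bytes, max_depth: int = 16):
    """Peel appended ZIPs layer by layer; return (member names, innermost bytes).
    max_depth bounds the work on a crafted file that nests without end."""
    names = []
    for _ in range(max_depth):
        tail = carve_trailing_zip(blob)
        if tail is None:
            break                        # nothing appended: this is the last doll
        with zipfile.ZipFile(io.BytesIO(tail)) as zf:
            member = zf.namelist()[0]
            names.append(member)
            blob = zf.read(member)       # next layer is the member's content
    return names, blob


def build_doll(inner: bytes, member_name: str) -> bytes:
    """Constructed sample only: minimal PNG-like shell with a ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, inner)
    return PNG_MAGIC + b"\x00" * 16 + PNG_IEND + buf.getvalue()


def constructed_sample() -> bytes:
    """Four dolls deep; the innermost content is a constructed flag, not the real one."""
    layer = b"picoCTF{constructed_flag}"
    for depth in range(4, 0, -1):
        layer = build_doll(layer, f"base_images/{depth}_c.png")
    return layer
```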

tunn3l v1s10n (GIMP)

Challenge

We found this file. Recover the flag.

Solution

This has got to be one of the most ridiculous problems I've ever done. I wanted to say it is hyper unrealistic, but it actually has some real-world references.

After downloading the file and running the file command on it, I found that it is reported as just data.

Running strings also turned up nothing, since there were no noticeable file signatures. I have no idea how, but I remembered a Hack The Box machine I did a long time ago, where the privilege escalation step exploited the video group of a low-privileged user. Hacktricks does a wonderful job explaining it, and in fact they have a lot of great pentest tips and tricks.

If you read the Hacktricks page, you would know what to do. Download GIMP and follow the guide. Eventually you get an image with the flag on it:

Wireshark doo dooo do doo... (Wireshark => Follow TCP Stream)

Challenge

Can you find the flag? (shark1.pcapng)

Solution

Follow the TCP stream:

The highlighted string is ROT13 encoded.

MacroHard WeakEdge (PowerPoint <=> Zip)

Challenge

I've hidden a flag in this file. Can you find it? (Forensics is fun.pptm)

Solution

Unzip the PowerPoint file. The message is located in ppt/slideMasters/hidden. Remove the spaces and Base64 decode it.

Trivial Flag Transfer Protocol (Wireshark => Export TFTP Objects)

Challenge

Figure out how they moved the flag.

Solution

Go to "Wireshark => Export Objects => TFTP...":

Then click Save All:

Here we get three images, two encrypted messages, as well as a file named program.deb. Note that those two encrypted messages are simply ROT13 encrypted. ROT13 decryption gives us the following messages:

  1. Instruction: TFTP doesn't encrypt our traffic, so we must disguise our flag transfer. Figure out a way to hide the flag and I will check back for the plan.

  2. Plan: I used the program and hide it with - DUEDILIGENCE. Check out the photos.

Extract program.deb:

mkdir tmp ; dpkg-deb -R program.deb tmp

Note that tmp/usr/bin contains steghide. It turns out that we could use the password DUEDILIGENCE to extract the flag from picture3.bmp:
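What Export Objects => TFTP does under the hood, as an added example that is not the writeup's own code: a minimal pcap/UDP walker that ties each TFTP DATA block (opcode 3) to the filename from the preceding RRQ/WRQ and reassembles the blocks in order, so a retransmitted block is harmless. Because TFTP is plaintext UDP, everything transferred (the images, the deb and the ROT13 hints) is recoverable this way from the capture alone. It assumes a classic little-endian pcap of Ethernet/IPv4/UDP frames and runs on a constructed capture (hosts, ports and the file are made up).

```python
import struct
from collections import defaultdict

# Added example (not from the writeup): rebuild the files a TFTP session carried,
# which is what Wireshark's Export Objects -> TFTP does. Assumes a classic
# little-endian pcap of Ethernet/IPv4/UDP frames and requests sent to port 69.
def iter_udp(pcap: bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every IPv4/UDP frame."""
    off = 24                                         # skip pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00": continue   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:]
        if ip[9] == 17:                              # protocol 17 = UDP
            sport, dport, ulen = struct.unpack("!HHH", udp[:6])
            yield ip[12:16], sport, ip[16:20], dport, udp[8:ulen]

def export_tftp_objects(pcap: bytes) -> dict:
    """Map filename -> reassembled bytes, from RRQ/WRQ requests plus DATA blocks."""
    name_by_tid, blocks = {}, defaultdict(dict)      # client TID -> name; name -> {block: data}
    for src, sport, dst, dport, p in iter_udp(pcap):
        if len(p) < 4: continue
        opcode, = struct.unpack("!H", p[:2])
        if opcode in (1, 2) and dport == 69:         # RRQ/WRQ: remember the client's TID
            name_by_tid[(src, sport)] = p[2:].split(b"\x00")[0].decode()
        elif opcode == 3:                            # DATA: client sends (WRQ) or receives (RRQ)
            name = name_by_tid.get((src, sport)) or name_by_tid.get((dst, dport))
            if name:                                 # a retransmitted block just overwrites
                blocks[name][struct.unpack("!H", p[2:4])[0]] = p[4:]
    return {n: b"".join(d[b] for b in sorted(d)) for n, d in blocks.items()}

def build_pcap(packets) -> bytes:
    # Constructed capture from (src_ip, sport, dst_ip, dport, payload) tuples.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, payload in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
        eth = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    return out

def constructed_capture() -> bytes:
    # WRQ upload of 516 bytes: block 1 (512 bytes, sent twice) then block 2 (4 bytes).
    c, s = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01"   # constructed client, server
    body = b"A" * 512 + b"tail"
    return build_pcap([
        (c, 40000, s, 69, b"\x00\x02instructions.txt\x00octet\x00"),
        (c, 40000, s, 50000, b"\x00\x03\x00\x01" + body[:512]),
        (c, 40000, s, 50000, b"\x00\x03\x00\x01" + body[:512]),   # retransmit
        (c, 40000, s, 50000, b"\x00\x03\x00\x02" + body[512:]),
    ])
```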

Wireshark twoo twooo two twoo... ()

Challenge

Can you find the flag? (shark2.pcapng)

Solution

Disk, disk, sleuth! (strings)

Challenge

Use srch_strings from the sleuthkit and some terminal-fu to find a flag in this disk image: dds1-alpine.flag.img.gz

Solution

Decompress:

gunzip dds1-alpine.flag.img.gz

Search for human-readable strings:

strings dds1-alpine.flag.img | grep pico

Disk, disk, sleuth! II (Autopsy)

Challenge

All we know is the file with the flag is named down-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz

Solution

Open the image in Autopsy and search for down-at-the-bottom.txt:

Surfing the Waves

Someone, pls solve it!

Challenge

While you're going through the FBI's servers, you stumble across their incredible taste in music. One you found is particularly interesting, see if you can find the flag! (main.wav)

Solution

Todo!

Milkslap (Zsteg)

Challenge

🥛

Solution

Download the image:

wget http://mercury.picoctf.net:7585/concat_v.png

Run zsteg:

zsteg concat_v.png

Very very very Hidden

Someone, pls solve it!

Challenge

Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. (try_me.pcap)

Solution

Todo!

