Forensics
{"authors": ["ret2basic", "y4y"]}
Last updated
Solved by ret2basic
Files can always be changed in a secret way. Can you find the flag? cat.jpg
Run exiftool:
The selected string is in Base64 encoding.
Solved by ret2basic
What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file.
Open the Word document and go to "View -> Macros -> runpython -> Edit":
The selected string is in Base64 encoding.
Solved by ret2basic
Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this
Use binwalk -e <filename> four times.
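The "four times" step above is a nested-container pattern: each extracted layer starts with its own magic bytes, and the next one is appended somewhere after them. The following added script (not from the original writeup) shows how a signature scan can reveal that nesting before any extraction tool is run; the signature table and the sample buffer are constructed here for illustration.

```python
"""Detect files nested inside other files (the "matryoshka" pattern)."""
import re

# Magic-byte prefixes for a few common formats (constructed, deliberately short list)
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "bzip2": b"BZh",
    "gzip": b"\x1f\x8b\x08",
}


def find_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, format) for every known signature found in data, by offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), data):
            hits.append((m.start(), name))
    return sorted(hits)


def peel(data: bytes) -> list[str]:
    """Strip one layer at a time: the buffer must start with a known signature, and
    the next signature after offset 0 is treated as the start of the inner layer.
    Returns the chain of formats seen, outermost first (the analogue of running
    `binwalk -e` repeatedly until nothing is embedded any more)."""
    chain = []
    while True:
        hits = find_signatures(data)
        if not hits or hits[0][0] != 0:
            break  # no recognised container at the front of this layer
        chain.append(hits[0][1])
        inner = [h for h in hits if h[0] > 0]
        if not inner:
            break  # innermost layer reached
        data = data[inner[0][0]:]
    return chain


# Constructed sample: JPEG header, then a PNG, a ZIP and a bzip2 stream appended
SAMPLE = (b"\xff\xd8\xff\xe0" + b"A" * 16 + b"\xff\xd9"
          + b"\x89PNG\r\n\x1a\n" + b"B" * 16
          + b"PK\x03\x04" + b"C" * 16
          + b"BZh9" + b"flag-goes-here")

if __name__ == "__main__":
    print(peel(SAMPLE))  # ['jpeg', 'png', 'zip', 'bzip2']
```

Real carving still needs each format's length field or end marker (JPEG's FFD9, PNG's IEND), which is what binwalk does; this scan only tells you how many layers to expect.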
Solved by y4y
We found this file. Recover the flag.
This has got to be one of the most ridiculous problems I've ever done. I wanted to say this is hyper unrealistic, but it actually has some references to.
After downloading this file and doing a file command on it, I found it's just data.
But doing a strings command also found nothing, as there were no noticeable file signatures. I have no idea how, but I remembered one of the HackTheBox machines I did a long time ago, where the privilege escalation step would exploit the video group of a low-privileged user. Hacktricks does a wonderful job explaining it, and in fact, they have a lot of great pentest tips and tricks.
If you read the Hacktricks page, you would know. Download GIMP and follow the guide. Eventually you get an image with flag on it:
Solved by ret2basic
Can you find the flag? shark1.pcapng.
Follow TCP stream:
The highlighted string is ROT13 encoded.
Solved by ret2basic
I've hidden a flag in this file. Can you find it? Forensics is fun.pptm
Unzip the PowerPoint file. The message is located in ppt/slideMasters/hidden. Remove spaces and Base64 decode it.
Solved by ret2basic
Figure out how they moved the flag.
Go to "Wireshark => Export Objects => TFTP...":
Then click Save All:
Here we get three images, two encrypted messages, as well as a file named program.deb. Note that those two encrypted messages are simply ROT13 encrypted. ROT13 decryption gives us the following messages:
Instruction: TFTP doesn't encrypt our traffic, so we must disguise our flag transfer. Figure out away to hide the flag and I will check back for the plan.
Plan: I used the program and hide it with - DUEDILIGENCE. Check out the photos.
Extract program.deb:
Note that tmp/usr/bin contains steghide. It turns out that we could use the password DUEDILIGENCE to extract the flag from picture3.bmp:
Solved by ret2basic
Can you find the flag? shark2.pcapng.
Solved by ret2basic
Use srch_strings from the sleuthkit and some terminal-fu to find a flag in this disk image: dds1-alpine.flag.img.gz
Decompress:
Search for human-readable strings:
Solved by ret2basic
All we know is the file with the flag is named down-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz
Open the image in Autopsy and search for down-at-the-bottom.txt:
Someone, solve it!
While you're going through the FBI's servers, you stumble across their incredible taste in music. One main.wav you found is particularly interesting, see if you can find the flag!
Todo!
Solved by ret2basic
Download the image:
Run zsteg:
Someone, solve it!
Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. try_me.pcap
Todo!