Forensics
information (Exiftool)
Challenge
Files can always be changed in a secret way. Can you find the flag? cat.jpg
Solution
Run exiftool:
The selected string is in Base64 encoding.
Weird File (Microsoft Word => View Macros)
Challenge
What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file.
Solution
Open the Word document and go to "View -> Macros -> runpython -> Edit":
The selected string is in Base64 encoding.
Matryoshka doll (Binwalk)
Challenge
Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this
Solution
Use binwalk -e <filename> four times.
tunn3l v1s10n (GIMP)
Challenge
We found this file. Recover the flag.
Solution
This has got to be one of the most rediculous problem I've ever done, I wanted to say this is hyper unrealistic but it actually has some references to.
After downloading this file, and do a file command on it, I found it's just data.
But doing strings command also found nothing as there was no noticable file signatures. I have no idea how, but I remembered one of the HackTheBox machine I did a long time ago, which the privilege escalation step would exploit the video group of a low-privileged user. Hacktricks does a wonderful job explaining it, and in fact, they have a lot of great pentest tips and tricks.
If you read the Hacktricks page, you would know. Download GIMP and follow the guide. Eventually you get an image with flag on it:
Wireshark doo dooo do doo... (Wireshark => Follow TCP Stream)
Challenge
Can you find the flag? shark1.pcapng.
Solution
Follow TCP stream:
The highlighted string is ROT13 encoded.
MacroHard WeakEdge (PowerPoint <=> Zip)
Challenge
I've hidden a flag in this file. Can you find it? Forensics is fun.pptm
Solution
Unzip the PowerPoint file. The message is located in ppt/slideMasters/hidden. Remove spaces and Base64 decode it.
Trivial Flag Transfer Protocol (Wireshark => Export TFTP Objects)
Challenge
Figure out how they moved the flag.
Solution
Go to "Wireshark => Export Objects => TFTP...":
Then click Save All:
Here we get three images, two encrypted messages, as well as a file named program.deb. Note that those two encrpyted messages are simply ROT13 encrypted. ROT13 decryption gives us the following messages:
Instruction: TFTP doesn't encrypt our traffic, so we must disguise our flag transfer. Figure out away to hide the flag and I will check back for the plan.
Plan: I used the program and hide it with - DUEDILIGENCE. Check out the photos.
Extract program.deb:
Note that tmp/usr/bin contains steghide. It turns out that we could use the password DUEDILIGENCE to extract the flag from picture3.bmp:
Wireshark twoo twooo two twoo... ()
Challenge
Can you find the flag? shark2.pcapng.
Solution
Disk, disk, sleuth! (strings)
Challenge
Use srch_strings from the sleuthkit and some terminal-fu to find a flag in this disk image: dds1-alpine.flag.img.gz
Solution
Decompress:
Search for human-readable strings:
Disk, disk, sleuth! II (Autopsy)
Challenge
All we know is the file with the flag is named down-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz
Solution
Open the image in Autopsy and search for down-at-the-bottom.txt:
Surfing the Waves
Someone, pls solve it!
Challenge
While you're going through the FBI's servers, you stumble across their incredible taste in music. One main.wav you found is particularly interesting, see if you can find the flag!
Solution
Todo!
Milkslap (Zsteg)
Challenge
Solution
Download the image:
Run zsteg:
Very very very Hidden
Someone, pls solve it!
Challenge
Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. try_me.pcap
Solution
Todo!
Last updated