Forensics

information (Exiftool)

Challenge

Files can always be changed in a secret way. Can you find the flag? cat.jpg

Solution

Run exiftool:

The selected string is in Base64 encoding.

Weird File (Microsoft Word => View Macros)

Challenge

What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file.

Solution

Open the Word document and go to "View -> Macros -> runpython -> Edit":

The selected string is in Base64 encoding.

Matryoshka doll (Binwalk)

Challenge

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this

Solution

Use binwalk -e <filename> four times.

tunn3l v1s10n (GIMP)

Challenge

We found this file. Recover the flag.

Solution

This has got to be one of the most rediculous problem I've ever done, I wanted to say this is hyper unrealistic but it actually has some references to.

After downloading this file, and do a file command on it, I found it's just data.

But doing strings command also found nothing as there was no noticable file signatures. I have no idea how, but I remembered one of the HackTheBox machine I did a long time ago, which the privilege escalation step would exploit the video group of a low-privileged user. Hacktricks does a wonderful job explaining it, and in fact, they have a lot of great pentest tips and tricks.

If you read the Hacktricks page, you would know. Download GIMP and follow the guide. Eventually you get an image with flag on it:

Wireshark doo dooo do doo... (Wireshark => Follow TCP Stream)

Challenge

Can you find the flag? shark1.pcapng.

Solution

Follow TCP stream:

The highlighted string is ROT13 encoded.

MacroHard WeakEdge (PowerPoint <=> Zip)

Challenge

I've hidden a flag in this file. Can you find it? Forensics is fun.pptm

Solution

Unzip the PowerPoint file. The message is located in ppt/slideMasters/hidden. Remove spaces and Base64 decode it.

Trivial Flag Transfer Protocol (Wireshark => Export TFTP Objects)

Challenge

Figure out how they moved the flag.

Solution

Go to "Wireshark => Export Objects => TFTP...":

Then click Save All:

Here we get three images, two encrypted messages, as well as a file named program.deb. Note that those two encrpyted messages are simply ROT13 encrypted. ROT13 decryption gives us the following messages:

Instruction: TFTP doesn't encrypt our traffic, so we must disguise our flag transfer. Figure out away to hide the flag and I will check back for the plan.
Plan: I used the program and hide it with - DUEDILIGENCE. Check out the photos.

Extract program.deb:

mkdir tmp ; dpkg-deb -R program.deb tmp

Note that tmp/usr/bin contains steghide. It turns out that we could use the password DUEDILIGENCE to extract the flag from picture3.bmp:

Wireshark twoo twooo two twoo... ()

Challenge

Can you find the flag? shark2.pcapng.

Solution

Disk, disk, sleuth! (strings)

Challenge

Use srch_strings from the sleuthkit and some terminal-fu to find a flag in this disk image: dds1-alpine.flag.img.gz

Solution

Decompress:

gunzip dds1-alpine.flag.img.gz

Search for human-readable strings:

strings dds1-alpine.flag.img | grep pico

Disk, disk, sleuth! II (Autopsy)

Challenge

All we know is the file with the flag is named down-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz

Solution

Open the image in Autopsy and search for down-at-the-bottom.txt:

Surfing the Waves

Someone, pls solve it!

Challenge

While you're going through the FBI's servers, you stumble across their incredible taste in music. One main.wav you found is particularly interesting, see if you can find the flag!

Solution

Todo!

Milkslap (Zsteg)

Challenge

🥛

Solution

Download the image:

wget http://mercury.picoctf.net:7585/concat_v.png

Run zsteg:

zsteg concat_v.png

Very very very Hidden

Someone, pls solve it!

Challenge

Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. try_me.pcap

Solution

Todo!

PreviousWeb Exploitation NextpicoCTF 2020 Mini-Competition

Last updated 12 months ago

hashtaginformation (Exiftool)

hashtagChallenge

hashtagSolution

hashtagWeird File (Microsoft Word => View Macros)

hashtagChallenge

hashtagSolution

hashtagMatryoshka doll (Binwalk)

hashtagChallenge

hashtagSolution

hashtagtunn3l v1s10n (GIMP)

hashtagChallenge

hashtagSolution

hashtagWireshark doo dooo do doo... (Wireshark => Follow TCP Stream)

hashtagChallenge

hashtagSolution

hashtagMacroHard WeakEdge (PowerPoint <=> Zip)

hashtagChallenge

hashtagSolution

hashtagTrivial Flag Transfer Protocol (Wireshark => Export TFTP Objects)

hashtagChallenge

hashtagSolution

hashtagWireshark twoo twooo two twoo... ()

hashtagChallenge

hashtagSolution

hashtag

hashtagDisk, disk, sleuth! (strings)

hashtagChallenge

hashtagSolution

hashtagDisk, disk, sleuth! II (Autopsy)

hashtagChallenge

hashtagSolution

hashtagSurfing the Waves

hashtagChallenge

hashtagSolution

hashtagMilkslap (Zsteg)

hashtagChallenge

hashtagSolution

hashtagVery very very Hidden

hashtagChallenge

hashtagSolution

information (Exiftool)

Challenge

Solution

Weird File (Microsoft Word => View Macros)

Challenge

Solution

Matryoshka doll (Binwalk)

Challenge

Solution

tunn3l v1s10n (GIMP)

Challenge

Solution

Wireshark doo dooo do doo... (Wireshark => Follow TCP Stream)

Challenge

Solution

MacroHard WeakEdge (PowerPoint <=> Zip)

Challenge

Solution

Trivial Flag Transfer Protocol (Wireshark => Export TFTP Objects)

Challenge

Solution

Wireshark twoo twooo two twoo... ()

Challenge

Solution

Disk, disk, sleuth! (strings)

Challenge

Solution

Disk, disk, sleuth! II (Autopsy)

Challenge

Solution

Surfing the Waves

Challenge

Solution

Milkslap (Zsteg)

Challenge

Solution

Very very very Hidden

Challenge

Solution