I assumed that this was the flag, and I just needed to add the picoCTF wrapper. Based on the GameBoard, almost all the challenges were solved by at . Noticing the exe file makes it clear; you can even Google the name of the exe. It is not a known process or a Microsoft one, so that makes it clearly a thing; we wrap it into the flag format and rock! I applied the bt-dht filter, looked through the packets, and saw that some contained info_hash. Yaknet 2. Use the strings command to locate the flag. The Forensics challenges I solved in picoCTF 2022 are the following. I used the stegsolve tool to complete this challenge. ICS: A Different Type of Serial Key. Attached are serial captures of two different uploads to an embedded device. Volatility is an open source project with a great and active community behind it; there are alternatives like Rekall, but I personally prefer Volatility. Using the same in this challenge, we are asked to search for several vectors that the malware could have got in from! Use git show to reveal the flag. Will you help her to find the flag? Badsud0, Capture the Flag team leader, TUN. So, I made the 4 challenges in zh3r0 CTF. We are also given the file torrent.pcap. By just opening the first report I think we can determine it; after some analysis we found the flag: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, LastWrite Time Sun Jun 14 10:03:02 2020 (UTC). I Googled this, and saw that it corresponded to ubuntu-19.10-desktop-amd64.iso from LinuxTracker.org. CTF Writeup: picoCTF 2022 Forensics. My picoCTF 2022 writeups are broken up into the following sections, 1.
This created a file called flag4, and revealed that it was an ASCII text and contained the following. It contained the encrypted file with the contents. And we obtain the password: 13576479. This week we decided to go for HSCTF 6 organized by WW-P HSN CS Club. However, there were too many entries with the string flag, so I decided to narrow the string search down. So I exported the packet as saltedfile.bin using File > Export Packet Bytes. First and foremost, locate a MEGA URL inside the downloaded image. Challenge 1: The challenge asks for the Linux partition size, which is 0000202752. $ strings -t d disk.flag.img | grep -iE "pico". Solution. I went to Steganography Online to decode the image, but decoding the image did not reveal anything. We are also given the file disk.flag.img.gz. He has called the world's best forensics experts to come to his rescue! This shows that 48390510 takes the longest, therefore I will be using this for the eighth test batch. Their team did not manage to solve this challenge, so let's see what it was about and how to solve it. And that's all, hope you like the write-up ;). This challenge is oriented to students; for that reason I could not participate. Located in the northern part of the country, it is the administrative centre of Pleven Province, as well as of the subordinate Pleven municipality. I renamed it to flag4.xz and I extracted it using. So I extracted it using. Binary Exploitation (Solved 5/14) 4. If you have found out all the other flags then this one would be easy for you; this is a test of how much you know about forensics and where to look properly! Right now it is discontinued and has been replaced by Veracrypt. The overall packet capture looks like the following. This CTF ran from July 7, 2017 to July 8, 2017. So I redirected the output to flag.txt.enc using, $ icat -f ext4 -o 411648 disk.flag.img 1782 > flag.txt.enc.
As for today, we are going to walk through the Medium level forensics. It is the biggest economic center in Northwestern Bulgaria. In summary, we have a password, a master key, the encryption algorithm and a container. 4. Currently working as a cybersecurity researcher at the University of Alcalá. However, nothing useful came up. As hash is 68 61 73 68 in hex, I inputted this hex value into the Wireshark search to look for all packets that contained this hash information. A hint was distributed to all teams as a starting point. So I looked into flag.uni.txt, which contained the flag. Although it hasn't been identified at a particular location, something is triggering it to restart as soon as he logs in! So I copied this file into a file with a .sh extension. There I saw the Forensics-Workshop repo; it contains 10 challenges and I managed to solve all of them. $ strings -t d disk.flag.img | grep -iE "flag.uni.txt". However, it had the permissions 0664, which was too open, so the private key was unusable. From this, I assumed that the flag is contained in flag.uni.txt in the my_folder directory, so I decided to search for that using. Posted on Apr 3. TrueCrypt was a program that allowed us to create encrypted containers and partitions. So, all credits go to this YouTube video. http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/. And also by how I solved it so fast, because it was written as a note; that's why notes are important! I opened the image, and while it was scanning there was some really juicy information we can notice in the results section. Just select the container, specify the password, and remember to check TrueCrypt Mode, because it is a TrueCrypt container.
Right now some systems use Hardware Security Modules for achieving that, but it is not a solved problem. For solving forensics CTF challenges, the three most useful abilities are probably: knowing a scripting language (e.g., Python); knowing how to manipulate binary data (byte-level manipulations) in that language; recognizing formats, protocols, structures, and encodings. Use a command like strings to read the flag. Yaknet 3. We must subtract 4 bytes for the length field of the second IDAT, subtract 4 bytes for the CRC of the first IDAT, and subtract 4 bytes again for the chunk type of the first IDAT. 3. Binary Exploitation (Solved 5/14) In this question we were given a password-protected zip file, so let's crack it using fcrackzip. Web Exploitation (Solved 2/12) All my writeups can also be found on my GitHub's CTFwriteups repository. Which created a new folder called _flag.extracted, and inside was a file called 64. By checking the file type, it is a data file instead of a jpeg. byte 3: Y movement. Along with the challenge text and an audio file named forensic-challenge-2.wav. On extracting the zip file we get two panda images. At first I tried a lot of tools, but it was much easier: the flag was in the difference of the strings of the two images, so. Forensics Challenges. I checked the file type of 64, and revealed that it was a gzip compressed data. I downloaded the file, extracted it. But after taking some time searching around I found out that I'm in a rabbit hole (that I made by myself). So this time we try to search what the reports can give us! I used the offset 114562048 and did the operations similar to Sleuthkit Apprentice to find the file contents using the commands, $ ifind -f ext4 -o 206848 -d 8453 disk.img.
The first thing we need to do is to identify the operating system in order to properly analyze the live memory acquisition. I went ahead to CyberChef and converted this from hex, picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_347eae65}. I had the chance to participate with CyberErudites Team in the first edition of HackTheBox University CTF. I decided to use zsteg instead, with the -a option to try all known methods, and the -v option to run verbosely. There were files that contained OPENSSH PRIVATE KEY, so now I have to find the actual contents of the private key file. Now the question is, find the most probable way the malware(s) could've got in, and the flag would be the name of the source. And after analysing it all (by analysing I mean opening it and reading it carefully, because it was pretty straightforward) we find some really good things. Save it as Decryptor.java and run it with the following command. How could this happen? We hosted our first CTF successfully. Reaching this point, let me clarify that this is not a TrueCrypt vulnerability. Now he can't even open his default music folder to hear some good music! Subtracting 12 in total, we get FFA5. This will let us know what processes were running in the system. I saw that some texts were covered in black highlight, so I opened it up in Word and changed the text color of the highlighted words to red, which revealed the flag. Rating: 4.5. Bachelor of Computer Science and MSc in Cyber Security. KapKan (Forensics1 . I double checked with Autopsy, and saw that the commands used were contained in .ash_history. I looked through a few more, and I was at packet 51080 which had a hash value of e2467cbf021192c241367b892230dc1e05c0580e. $ strings -t d disk.flag.img | grep -iE "flag". We can see that the TrueCrypt container was opened and mounted on 20201011.
The challenge makes the process of finding the container easiest, but in a real scenario you could have some evidence with encrypted containers. So I went to the /root/my_folder directory, and I saw that flag.txt did not contain any relevant information because it was shredded. Download the PDF file. I will find the intended solution and update the post soon. In the last few rows, I saw { 3 n h 4 n and c 3 d _ 6 7 8 3 c c 4 6 }, which looked like the flag, so I concatenated this to form {3nh4nc3d_6783cc46}. One of his HECKER friends suggested downloading some virus to destroy the data the other people have. Having a RAM acquisition can give us a lot of information in a digital forensics investigation. were getting selected. S0rry: We get a zip file protected with a password; I used zip2john to convert it to a hash, then cracked it with john using the rockyou.txt word-list. So by entering the files of the system we play around in some files until we stumble upon a file named TimeZonesInformation, and with it we were pleased with the author name: Cicada3310. There are several attack vectors that a malware could get into the system through, which you will need to find. Chall description: MR.Zh3r0 is a mathematician who loves what he does; he loves music and of course he is really good with personal desktops, but a really gullible person who could be phished or scammed easily! While searching around we found an exe file that seems really obviously a thing, and boom, that's a flag. I double checked with Autopsy, and confirmed that the Salted file was there. I did the operations in Sleuthkit Apprentice to find the partition information, and I decided to string search flag.txt using, $ strings -t d disk.flag.img | grep -iE "flag.txt".
Here, I saw that the PIN 40000000 took the longest, with a significant time difference from the other PINs. Extract the zip file and ignore the Loo Nothing Becomes Useless ack as it has nothing to do with the challenge. The first packet that contained info_hash was packet 79 with a hash value of 17d62de1495d4404f6fb385bdfd7ead5c897ea22. Hint, in case you weren't able to note which is the malware name: it would be a name that is of the GOD. I decided to look further into this, so I took the offset for nano flag.txt, which is 204193835, and subtracted 184549376 (which is 360448 * 512) using. We solved all the digital forensics . Open the registry file and look one line up. The password is located in the first downloaded picture, where you find the MEGA URL. Extract all the files within the image; we find what we needed. I also decided to find the full contents of the file that contained Salted using, $ ifind -f ext4 -o 411648 -d 10238 disk.flag.img, $ icat -f ext4 -o 411648 disk.flag.img 1782. The first thing to do is download the memory image (OtterCTF.vmem). I assumed that the PIN is checked from left to right, where Access denied. GreHack CTF 2022. programming proxy network. So let's open the container; using Veracrypt we can open it. This one is simple. Right now Volatility has a 3.0 version with a lot of improvements, but it is in beta. is outputted as soon as the leftmost digit does not match. I checked the file type of flag, and revealed that it was a lzip compressed data. He had some bad colleagues in his office that led him to have some bad intentions towards them. If we open Readme.txt we can see that they are looking for the password associated with the IP: 48.37.29.153. In this case this is not necessary, but in a real scenario, where we might not be able to retrieve the master key or the password, this information is always useful. (Using the strings command). So I looked closely and saw that so many numbers weren't of 8 bytes.
There is the flag shown in the screenshot below. 2. From here it was quite frustrating because you need to guess the flag words; however, I cracked it. Your goal is to decode the serial traffic, extract the key and function block, and use these to find the flag. We are also given the file Financial_Report_for_ABC_Labs.pdf. Some people thought that TrueCrypt had hidden vulnerabilities, but long story short, nothing was found. The flag is located at the bottom-right corner. Hello Everyone, I am a member of the zh3r0 CTF team. I made the script so that the PIN could be inputted like the following. And we have a suspicion: did he only download one malware, or more than one? Just looking for the IP will give us the password, V8M0VH. Managing secrets in live memory is a difficult and challenging process. Which showed the partitions and their size. But I have a friend who participated; he knows I love forensic challenges, so he sent me one of the challenges that were part of the competition. Really helpful tool (FTK Imager too is a good choice). THE hint in the challenge was asking us to re-read the first chall description carefully and examine the events that occurred at that time. As this is a torrent challenge, I went to Wireshark and enabled the BitTorrent DHT Protocol (BT-DHT) by going to Analyze -> Enabled Protocols. Challenge attachment link if you are interested. We are also given the file capture.flag.pcap. The flag is hidden in the second commit. This write-up only covers the memory forensics portion, but the whole CTF is available to play as of the publication of this post. Voices in the head is a 2000 point forensic challenge. byte 2: X movement. :). Note: please read every line, because it's necessary to understand what's going on and how I thought through the challs! I decrypted it using what was mentioned in the conversation, openssl des3 -d -salt -in saltedfile.bin -out file.txt -k supersecretpassword123.
With some research I found that it is a type of data encoding and can be solved by replacing some hex values with 1 and the rest with 0, which will give a binary and hence the flag. I wrote a Python file which will convert '\t' or 0x09 to "1" and " " or 0x20 to "0", and removed the remaining others. This shows that 48390000 takes the longest, therefore I will be using this for the fifth test batch. $ volatility -f memdump.raw imageinfo Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search . To automate this process, I made the following shell script auto.sh. So by a little brainstorming analysis we have: he loves what he does (math) // how can this man live xD; he has some enemies in the company he works in. Hi all, I participated at zh3r0 CTF with my team and we finished 7th in the CTF; there were really cool challenges. CTFLearn write-up: Forensics (Medium). Hello there, another welcome to another CTFlearn write-up. We are also given the file disk.flag.img.gz. Therefore, the PIN with the correct leftmost digit should take the longest time because it will move on to the next digit comparison. Again, converting the output from binary to ASCII doesn't give the flag. This is crucial because if the container was not mounted we wouldn't be able to retrieve the keys for opening it. I executed this script again to confirm. Chall name: Soundless. Chall description: Good job in finding the flag! At least for me, it was a fun and easy challenge. As for today, we will go through the easy Forensics and most of the tasks contain basic . I downloaded the file, extracted it, and used the following command. Always, when doing things like that, notes can help sometimes, maybe not now but later on. This created a file called flag2, and revealed that it was a LZOP compressed data. is outputted.
This is one of the toughest challenges I faced. First of all, let's check the hidden files using binwalk. Name of the God, huh; that's big, bro x). The flag will be in the format flag{}. Before I executed this script, I closed all programs that I wasn't using to reduce variations in time due to background processes. This CTF ran for exactly 24 hrs and we had easy, medium and hard challenges. In the last 4 hours, we didn't manage our time well! There is one password-protected zip file. So I looked up 17d62de1495d4404f6fb385bdfd7ead5c897ea22 on Google, and saw that it corresponded to Awakened.2013.1080p.BluRay.X264-iNVANDRAREN. Okay, so basically I found this in 2 steps: Do a keyword search for 'Anubis.exe' (include substring). It returned 4 results, and only 1 of them was a registry file. The first packet that contained info_hash was packet 332 with a hash value of 17c1e42e811a83f12c697c21bed9c72b5cb3000d. First off, open up the dumpster with VisualVM. Chall description: Now that you have found out how the malware got in, the next question is to find what the malware's name is. We have got a lead though: we found out that the virus wasn't removable from the system even after a system. Since it was password protected I used fcrack and everyone's fav rockyou.txt to crack it. At the 2021 census its population . The first thing we did was to open up the WAV file and check out the content. Well, looking in all these files will take so long, so why don't we find if there is something that clues us in about the file. This created a file called flag3.out, and revealed that it was a XZ compressed data.
./volatility_2.6 -f evidencias/snap.vmem imageinfo, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 pstree, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptsummary, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptpassphrase, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptmaster, we have a real case where the suspect used TrueCrypt. This created a file called flag2.out, and revealed that it was a LZMA compressed data. If you find the reason or the method for the above mentioned phenomenon, you will find the flag there as an obvious one. I tried to open this up in my PDF reader, but it said that it cannot be opened. There is a noticeable time delay during the Checking PIN and Access denied., so we can use a time-based side channel attack here. Using binwalk did not extract it, so I extracted this using. I opened the file; it was blank, but there were 88 lines which HSCTF 6 CTF Writeups. I always start with pstree. We can discover running processes, dump files, secrets, connections and a lot of useful information. I looked through the packets, and found the file that started with Salted in packet 57. The container seems to be an encrypted container and snap.vmem is a RAM acquisition. Our first task is to find one of the pictures and XOR it to find another image. After that, find the passHash in the dump. Updated on Oct 16. is outputted if the 8-digit PIN is incorrect. CTFLearn write-up: Forensics (Easy). I knew this was the file I was looking for, because OpenSSL with des3 salt will generate an encrypted file that starts with Salted. I hope you liked the CTF event.
Moreover, this replicates a real scenario. I viewed the contents of the file, which contained a very long text. Then I used binwalk to extract the ar archive. Then I used that result, 19184, to find the inode number of the file containing the string file.txt using, $ ifind -f ext4 -o 360448 -d 19184 disk.flag.img. Running imageinfo will give us the suggested operating system profiles. After that, I've drafted the following Java code. After extracting the files, there is another oreo image (2 pieces of oreo). Using this password we should be able to open the container, but we can retrieve more info and a master key using truecryptmaster. Pleven (Bulgarian: pronounced [plvn]) is the seventh most populous city in Bulgaria. [Link: https://ctflearn.com/challenge/104]. The challenge says to use a key_file to ssh to the remote machine, so I assumed that I need to look for a file that contained the key. After unlocking we got an image which has the flag. Cryptography (Solved 11/15) 3. This outputted some interesting entries, and the following caught my eye. The suggested profiles are Windows XP related; we can use one of them, WinXPSP2x86 or WinXPSP3x86. $ strings -t d disk.flag.img | grep -iE "flag.txt". The second file is a list of users and passwords in XML format. Info: an NTUSER.DAT file is created for every system user and contains some personal files and data. This shows that 48390500 takes the longest, therefore I will be using this for the seventh test batch. We are also given the file drawing.flag.svg. So I went into the webshell, put the private key into key_file, and tried to ssh to the remote server using. 5. The flag is hidden inside the I warned you.jpg file. This is because I'm not really good at Java programming. Cybertalents Digital Forensics CTF All Challenges Write-up.
So the first idea I got is to start looking in emails and reports that Autopsy grabbed for us (man, I love that tool). Another image is extracted from the zip. Knowing that, we can launch truecryptpassphrase for retrieving the password used to open the container. By using binwalk on the normal image, you will come across the following. I logged into the master server using this PIN, which gave me the flag. So when rearranging these ideas we can have an idea that the attacker got some kind of a malicious email that had the malware, but where was the malware's original place? Open up the PCAP file with Wireshark and follow the TCP stream to frame 3. We got another image inside 3.png. So I saw xxd of the file. I downloaded the file, extracted it. The above image was given following the basic commands. I got this by binwalk; as results show it has some RAR content, and on unraring the content I got the flag. Starting with the classical command to check the file format, it was a .jpg file. By thinking about phishing, we found that the most common phishing techniques are either sending a file or a malicious URL. Reverse Engineering (Solved 2/12) 5. So basically Autopsy gives you a report section that presents for us the recent activity that has been made in the PC. First of all, let's check the hidden files using binwalk. The most popular tool for memory analysis is Volatility. One of these uploads is a key and the other is a function block. Well, for the previous challs we just used 2 reports that have such juicy data, and we didn't have the chance to complete them because we were stumbled by a flag! Zh3r0 CTF: Digital Forensics Writeups. (Nothing Is As It Seems).
As most private keys contain the string OPENSSH PRIVATE KEY, I string searched that using, $ strings -t d disk.img | grep -iE "OPENSSH PRIVATE KEY". Typical values for deltaX and deltaY are one or two for slow movement, and perhaps 20 for very fast movement. CTF challenges are usually focused on Web and Reversing, but what about forensics? Without thinking twice, extract all the files with the following command. XOR the extracted image with the distorted image with stegsolve. To view some basic info about the type of memdump, we do a volatility -f memdump.raw imageinfo to view the profile. Problem is, where is the password? By reaching this point we have to admit that the reports section is the really useful tool in here; it's like monitoring some traffic in the network (not exactly). We are also given the file Flag.pdf. For this task, you have to look really deep. Either way, Volatility has some commands centred on analysing TrueCrypt processes: truecryptsummary can give us information about the TrueCrypt process. After executing, a file called flag was generated, and checking the file type revealed that it was a current ar archive. 1) 07601 Link: https://ctflearn.com/challenge/97 This one is simple. As OpenSSL with the salt option generates encrypted text that starts with Salted, I decided to string search that using, strings -t d disk.flag.img | grep -iE "Salted". Reverse Engineering (Solved 2/12) Forensics (Solved 13/13) 2. I then executed this script. Like last time, it gave unknown suffix, so I renamed it to flag2.lzop, and I extracted it using. After decryption succeeded, I was left with file.txt that contained the flag. This shows that 48300000 takes the longest, therefore I will be using this for the fourth test batch. We solved all the digital forensics challenges, so we're gonna make a little writeup trying to explain everything!
We have a certain idea that somehow the virus might be redirecting the clicks to a different location where the virus resides, or the location of the music folder could be completely different! Last week a CTF event organized by the Spanish Guardia Civil was held, the II NATIONAL CYBERLEAGUE GC. As for this kind of challenge, I use Autopsy! Since the flag format is picoCTF{xxx}, I decided to search for the string pico using. While reading the writeups published by CTF team bi0s, I came across the GitHub profile of Abhiram. The following shows the example execution, where the Time taken is outputted in seconds. I downloaded the file, extracted it, and checked the partitions using. I also confirmed using Autopsy, and saw that this private key file was in /root/.ssh/id_ed25519 in the Linux partition that starts at 0000206848. You can find the flag at the right place when you look; it will be obvious when you look at it! By scrolling down we read an ahaha thing in one of the files, so we open it and start digging around. I tried to find the partition information using. And this revealed that it was a shell archive text. I always love to play forensics and memory analysis challenges. This revealed the flag at b1,rgb,lsb,xy, where rgb means it uses the RGB channel, lsb means the least significant bit comes first, and xy means the pixel iteration order is from left to right. This showed the full command. No binwalk or steghide for this task, just a normal stereogram. So, I'm going to do more bundle walkthroughs on CTFLearn.
While browsing the file I noticed a folder called typedurls; that was really worth checking, because we saw in Autopsy there was a web history result section but not the full one. So after scanning this file we found a URL that looks really suspicious: http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/ (please don't enter it, nothing there). So we wrap the URL with the flag format and boom, we get the flag. flag: zh3r0{http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/}. So I cut down all the numbers from the right to 8 bytes. Let's do a quick start. Now running the command in the terminal. In which 3 were forensics category and 1 was the web category. Cryptography (Solved 11/15) We have two files from the challenge. As you would expect, this backfired. This showed that the Linux partition was using an Ext4 partition with a block size of 1024 bytes. Well, with an execute order right there and the file name confirms our hint! We are also given the file disk.img.gz. Thanks for reading. Therefore, 40000000 is what I will be using for the second test batch, thus I used the following shell script. So as the description says we need to find another malware (those guys have no mercy for this poor man, damn). Remember saying that reports are now our primary tool? Why don't we check it again and see if we missed anything. Forensics (Solved 13/13) As it was encrypted using openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567, I decrypted it using, $ openssl aes256 -d -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567. For the first test batch, I decided to use 00000000, 10000000, 20000000, 30000000, 40000000, 50000000, 60000000, 70000000, 80000000, 90000000 for the PINs.
As the title suggested, the distorted image is somehow a XOR between 2 pictures. The difference is FFB1. Greetings there, welcome to another CTFLearn write-up. It seemed like these two people had been exchanging files, and one person forgot how to decrypt it, so the other person tells them to decrypt it using, openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123. Replace the length field with 00 00 FF A5. One is a distorted image and the other is a normal weird image. This file corresponded to name: Zoo (2017) 720p WEB-DL x264 ESubs - MkvHub.Com. Well, it has been a while since my last walkthrough on the binary and cryptography. Therefore, I changed the permissions to 400 using. This created a file called flag.out, and revealed that it was a LZ4 compressed data. On downloading the resources we get an image and WAV files. So from the description it is clear that we need to do so using aperies.fr. I got the key, and on decoding the WAV file, as it was a Morse code: So it was clear there was nothing in the audio, so I used the extracted key 42845193 to extract data from steghide; you can use any online tools also. So I extracted it using. The third byte is "delta Y", with down (toward the user) being negative. FLAG: csictf{7h47_15_h0w_y0u_c4n_83c0m3_1nv151813}. Katycat Challenge (Forensics): katycat is trying to find the flag but she is lazy. Given this memory dump, we will use Volatility to proceed. So in this first chall we're asked to give the name of the author that the malware has changed in the TimeZone information. This will also give us information about the encryption algorithm, AES, and the algorithm mode used, XTS. The password is iamsorrymama (weird password XD); let's extract the zip file and see what we get.
The challenge only wants us to find the file name, and not reconstruct the file, so I knew that this info_hash information would be very important because it tells us the hash of the file. I inputted this Linux partition size into the remote access checker program, which gave me the flag. We are also given the file network-dump.flag.pcap. We have found traces of yet another malware! I decided to view the contents of the file using. Enjoy! The most interesting process to look up is TrueCrypt. Here, in this challenge, the power of notes comes in. Remember when I said always take notes? Well, this chall didn't take more than 30 seconds. Author: CISA. After some searching I found out that Internet Explorer saves some good info in this file, so why don't I take a look. Similar to the first task, binwalk the oreo.jpg. Using this information we would be able to start a brute-force attack on the container. We were fortunately able to get his PC's image and some of the files in it. However, this returned Filename has an unknown suffix, skipping, so I renamed it to flag2.lzma and I extracted it using. Every operating system handles memory in a different way. So I extracted it using. So here basically the author tells us that the PC has another malware, so we need to find it. And I ssh'd again to the remote server, which contained a file called flag.txt, which contained the flag. The password is encoded with base64; make sure to change the URL-encoded padding (%3D) to =. I assumed that the flag might be contained in a .txt file as that is the most common means of storing the flag in a disk forensics challenge.
After realizing that I should redirect my thinking to the browser, I checked what Autopsy gave as information and found an NTUSER.DAT file. I prefer to replicate and solve real scenarios in CTF challenges instead of the very strange ones. And divided 19644459 by the block size, 1024 bytes, using. For example, in Spain, we have a real case where the suspect used TrueCrypt and it is not possible to open these containers. I was expecting to find the flag at this point but it is not much further away. Now I know what file I am supposed to look for and what directory and partition it was in. I wanted to check if there were any strings that could hint at a flag file, so I checked for the string flag using. The extracted folder contained a file called flag. 1. If you have played other CTF challenges this seems a little obvious, but let's break it into parts.
