Categories
Capture The Flag

VishwaCTF’22 Writeups: Forensics

Below are the Forensics writeups of all the challenges that were being asked in the VishwaCTF’22, organised by Cyber cell VIIT, Pune.

Epistemus

Epistemus: This image goes hard, feel free to run diagnostics.

Here, we are given a photo of Patrick that seems to have a github link hiding in plain sight We use stegsolve to accurately identify the link

image

The GitHub Repository contains one file to lead challengers astray and two important files to complete the challenge:

README.md contained the following line of text: Arire tbaan tvir lbh hc Arire tbaan yrg lbh qbja Arire tbaan eha nebhaq naq qrfreg lbh Arire tbaan znxr lbh pel Arire tbaan fnl tbbqolr Arire tbaan gryy n yvr naq uheg lbh

Since it looks like the output of a well-known substitution cipher (ROT13), I decided to use the tool CyberChef by the GCHQ and immediately found out that this … is indeed a Rickroll

The something_in_the_way.rar file needs some password to extract the files within, but we do not seem to have that There is another file named rightplace?.txt that contains: I don’t think thⅰs is the right place to be searchіng for anything. Nothing but emptiness and ⅴoіd. Literally, a waste οf time

At first look, it looks like some gibberish, but this is a classic case of Homoglyph Steganography. Using the link: http://holloway.co.nz/steg/

This is indeed the password for the .rar file After extracting, we find multiple copies of a file One specific text file has the info we need, i.e, Bomb – copy(69) , we just have to ctrl F the file for ‘flag’ and voila VishwaCTF{th1ng$a43_n0t_wh4t_th3y_4lw4y$$33m}

Foggy

  1. Here you are given with a bunch of bar codes and QR codes, all of them have a label except a “Maxi Code”. Crop that maxi code
  2. Use an online maxi code reader and after scanning you’ll get “zippy share” link download the zip file there.
  3. That file is password encrypted ,use a normal alphabet wordlist to brute force the pass.
  4. There you’ll see 50,000 text files, now u have to find the file which has the flag
  5. You open any random file, you’ll see some random text. Only one file looks blank.
  6. So how do you find it? Just sort the files with size, the file with lowest size looks blank but isn’t.
  7. If you select the blank space, it come out to be “whitespace” code
  8. Use a whitespace decoder and there is the flag. vishwactf{justbecauseucantseeitdoesntmeanitsnotthere}

GarFeld?

We are given a .wav file, with the challenge description “Garfeld can hide secrets pretty well”.

It is a 1 minute audio (Garfield’s theme song) with distorted audio in between. On checking the spectrogram, we get a pastebin link.

On checking the pastebin link, we have a large dump of hex data. Saving the file, it does not open directly. Checking the data on sites such as Cyberchef or using binwalk reveals that the file is a .jpeg.

Changing the header bits to the correct format aka the magic bytes (you can check this out here), we get an image, a Garfield comic strip.

image

We see that the flag is visible in the comic strip, however it is encoded.

Now there are a couple of ways to move forward from this point. The challenge name is a reference to the cipher used, Gronsfeld cipher. However this is not the only intended approach as this might be a bit far fetched.

From this point, an approach which can be used is to find the date of the comic strip (hinted towards by the crossed out words except the word “date”), which is 21st April, 1989, which is the key (21041989) for the Gronsfeld cipher used.

The ideal approach would be to make use of the standard flag format being known (vishwaCTF{}), which is seen in the image, albeit encoded. Analyzing this, we can decrypt it as a Vigenere cipher with the key “cbaebjij”, from which we get the flag.

Keep the flag High

  1. The image given has errors and cannot be opened. It is a png image but given the extension bmp to confuse players
  2. First we have to rename the image as a png file
  3. Then also image is not openable because the header hex bits are wrong
  4. Use any hex editor to correct the header bits of the file(Use any png image to compare)
  5. Now the image is openable and is a QR code. Scan this QR code which has a link to a google drive folder.
  6. In that folder we have an image of a pirate.
  7. Download that image and use strings command on it.
  8. We see there is a weird string in the bottom (Second last line)
  9. It is a rot47 encrypted text
  10. Use any tool to decrypt the text. We get the flag flipped. }su0id3t_si_5cisn3r0f{FTCawhsiV
  11. Reverse the flag and enter to solve.

So Forgetfull!

Here we are given a .pcap file, which is a Wireshark file. Opening it we see a lot of traffic, now ignoring the UDP and TCP, focus on the http… There’s an application form, right-click and follow its TCP stream. There you’ll see a password, which has some %3d at the end, aah looks like a URL. Now use an URL decoder and you’ll see a text with “==” at the end, aha looks like base64. Decode the base64 and here you are with the flag. vishwactf{KN1Z6PXVy9}

image

The Last Jedi

The Last Jedi: What it takes do you have?

Running binwalk on this file we can see there is a RAR file inside

Extracting it we find two images Running the strings command on Is_This_Really_It.jpg gives us the flag

Flag: VishwaCTF{H1DD3N_M34N1NG}

Get the latest tech news and updatesethical hacking tutorials and cybersecurity tips and tricks. Check out MeuSec for more.

Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.

Comments:

Leave a Reply

Your email address will not be published. Required fields are marked *