Drew Wade

Forensics 101 (Forensics)

Think the flag is somewhere in there. Would you help me find it?
https://mega.nz/#!OHohCbTa!wbg60PARf4u6E6juuvK9-aDRe_bgEL937VO01EImM7c

The link is to a file sharing service where there is a JPG image. As had become my habit, I opened it in Hex Fiend and found it began and ended as expected (FF D8 and FF D9). Skimming through the body of the hex, however, I was rewarded with the flag in plain text near the end of the file: flag{wow!_data_is_cool}

Taking LS (Forensics)

Just take the Ls. Check out this zip file and I be the flag will remain hidden.
https://mega.nz/#!mCgBjZgB!_FtmAm8s_mpsHr7KWv8GYUzhbThNn0I8cHMBi4fJQp8

This link contains a zipped folder with an encrypted PDF in it. Taking my cue from the clue, I showed hidden files in the folder and revealed a hidden text file containing the password to the PDF (Im The Flag). The PDF contained the flag: ABCTF{T3Rm1n4l_is_C00l}

Basic Injection (Web)

See if you can leak the whole database. The flag is in there somwhere… https://web.ctflearn.com/web4/

The website displays “You know what to do“, a text field called “Input:”, a submit button, and a results counter. Looking at the page in the web inspector, there were some comments:

“Try some names like Hiroki, Noah, and Luke”
“stopthatjs”

Trying the names in the input field was not particularly helpful. Only the Luke entry returned a result “Data! I made this problem”. So, it was time for a little SQL injection, and my first attempt (‘or’1’=’1) dropped all of the records, including the user fl4g_giv3r and the flag: flag{th4t_is_why_you_n33d_to_sanitiz3_inputs}

Where can my robots go? (Misc)

Hint: Where do robots find what pages are on a website?
Hint 2: What does disallow tell a robot?
Hint 3: The flag is not 70r3hnanldfspufdsoifnlds

This challenge included only the three hints. Looking at the robots.txt (ctflearn.com/robots.txt), there was a disallow rule for /70r3hnanldfspufdsoifnlds.html. Checking that page, specifically including the www subdomain (www.ctflearn.com/70r3hnanldfspufdsoifnlds.html), revealed the flag: abctf{r0b0ts_4r3_th3_futur3}

Paste those binaries (Misc)

I found this scratched on the side of an old mac pro, r44LxiXq
I wonder what it means...
Hint: Some Kind of Website is at play here...

The clue did give this one away. I immediately looked for an entry in Pastebin named r44LxiXq (pastebin.com/r44LxiXq), and was rewarded with the flag: ABCTF{past3_that_b1n}

Reversal of Fortune (Misc)

Our team of agents have been tracking a hacker that sends cryptic messages to other hackers about what he's doing. We intercepted the below message he sent recently, can you figure out what it says? He mentions his hacker name in it, that's the code you need.
.nac uoy fi tIe$reveRpilF eldnah ym gnisu em egassem ,avaj yllacificeps ,gnidoc emos htiw pleh deen I ,deifitnedi tegrat txeN

This was quite obviously plain English text, just reversed. Just for fun, I popped it into Python and reversed the string for the hacker’s name: FlipRever$eIt

Wikipedia (Misc)

Not much to go off here, but it’s all you need: Wikipedia and 128.125.52.138.

I started by checking out the IP with whois, and found it was a VPN (vpn-052-138.usc.edu). I tried connecting to it, using Wikipedia as the shared secret without success. With that direction issuing no results, I tried searching for the IP on Wikipedia, and found a single user entry entitled Flag. Checking the differences between the current and historical version of that Wikipedia entry, I found the flag in the old revision: cNi76bV2IVERlh97hP

QR Code (Miscellaneous)

Do you remember something known as QR Code? Simple. Here for you :
https://mega.nz/#!eGYlFa5Z!8mbiqg3kosk93qJCP-DBxIilHH2rf7iIVY-kpwyrx-0

This one is very straight-forward. The link contains a QR code. Scanning the QR code with my phone, I get a Base64 encoded string:

c3ludCB2ZiA6IGEwX29icWxfczBldHJnX2RlX3BicXI=

Decoding that, we get:

synt vf : a0_obql_s0etrg_de_pbqr

Which is a simple Caesarian cypher of:

flag is : n0_body_f0rget_qr_code

QR Code V2 (Miscellaneous)

How well are you in the ways of the QR Code? https://mega.nz/#!JItR3aqI!QKGxexShAPt-HUU_2DAdJKUljXc69sx1fXuaGUeoKaY

The link contains another QR code, which links to another mega.nz file (flag.txt) containind the flag:

CTF{2_QR_4_U}

Binwalk (Forensics)

Here is a file with another file hidden inside it. Can you extract it? https://mega.nz/#!qbpUTYiK!-deNdQJxsQS8bTSMxeUOtpEclCI-zpK7tbJiKV0tXYY

The link contains a picture of this little guy:

And looking at it in Hex Fiend, we can see a second PNG header part way down. If we isolate that second file and rename thing2.png, then we get an image containing the flag:

Binwalking the file might have been faster, but there’s more than one way to skin a purple thing.

Capture of a Flag (Forensics)

This isn't what I had in mind, when I asked someone to capture a flag... can you help? You should check out WireShark.
https://mega.nz/#!3WhAWKwR!1T9cw2srN2CeOQWeuCm0ZVXgwk-E2v-TrPsZ4HUQ_f4a

The link contains the file flag(4), and we can open that in Wireshark as the clue suggests. From there we can export the HTTP objects, and we get a list that includes packet 255 from www.hazzy.co.uk, which contains the text/html content:

?msg=ZmxhZ3tBRmxhZ0luUENBUH0=

And that little base64 coded message is:

flag{AFlagInPCAP}

IP Tracer (Miscellaneous)

Bob is an amateur hacker and has collected the following IP Address: 159.167.16.5, but Bob needs help finding where the IP Address is located. Can you help Bob find where the IP Address is located. (Type the City name)

We can run 159.167.16.5 through https://www.iplocation.net and we get locations in Warwick and London. Warwick does not work, but London does.

Base 2 2 the 6 (Cryptography)

There are so many different ways of encoding and decoding information nowadays... One of them will work!
Q1RGe0ZsYWdneVdhZ2d5UmFnZ3l9

Starting from the title, 2 raised to the power of 6 is 64, so we’re probably looking at a base64 encoded string. Decoding we get:

CTF{FlaggyWaggyRaggy}

Simple Programming (Programming)

Can you help me? I need to know how many lines there are where the number of 0's is a multiple of 3 or the numbers of 1s is a multiple of 2. Please! Here is the file:
https://mega.nz/#!7aoVEKhK!BAohJ0tfnP7bISIkbADK3qe1yNEkzjHXLKoJoKmqLys

This is simple enough…I just wrote a basic python script to count the lines with multiples of 3 zeroes or multiples of 2 ones.

# Start the count of lines with a multiple of 3 zeroes OR a multiple of 2 ones at zero
count = 0

# Set the filepath of the data file as data.dat - this script must be run in the same directory as data.dat
filepath = 'data.dat'

# opent the file and read each line as a separate entry into the array called lines
with open(filepath) as fp:
lines = [line.rstrip() for line in fp]

# look at each line in the array lines
for line in lines:
 # Reset the count of zeroes and ones in the line to zero
 zeroes = 0
 ones = 0
 # look at each character in the line
 for char in line:
  # if the character is a zero, increment the zeroes total by one
  if char == "0":
   zeroes += 1
  # if the character is a one, increment the ones total by one
  if char == "1":
   ones += 1
 # if the number of zeroes is evenly divisible by 3 OR the number of ones by 2, increment the overall count
 if (zeroes%3 == 0) | (ones%2 == 0):
  count += 1

# print the total count of lines with a multiple of 3 zeroes OR a multiple of 2 ones at zero
print(count)

And the result is 6662.

Wow...So Meta (Forensics)

This photo was taken by our target. See what you can find out about him from it.
https://mega.nz/#!ifA2QAwQ!WF-S-MtWHugj8lx1QanGG7V91R-S1ng7dDRSV25iFbk

The link contains a JPG file with a pretty sunset:

Loading the file into Jeff's image metadata viewer, we can see that the Camera Serial Number looks a bit odd:

flag{EEe_x_I_FFf}

Morse (Cryptography)

..-. .-.. .- --. ... .- -- ..- . .-.. -- --- .-. ... . .. ... -.-. --- --- .-.. -... -.-- - .... . .-- .- -.-- .. .-.. .. -.- . -.-. .... . . ...

Just pop the Morse code into a Morse decoder like https://morsecode.scphillips.com/translator.html, and out comes:

FLAGSAMUELMORSEISCOOLBYTHEWAYILIKECHEES

Vignere Cipher (Cryptography)

The vignere cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers based on the letters of a keyword. I’m not sure what this means, but it was left lying around:
blorpy gwox{RgqssihYspOntqpxs}

OK, the gwox{…} part looks like our flag, so perhaps the blorpy is our keyword. Dropping those into the Rumkin Vignere Cipher tool we get:

flag{CiphersAreAwesome}

Hyperstream Test #2

I love the smell of bacon in the morning!
ABAAAABABAABBABBAABBAABAAAAAABAAAAAAAABAABBABABBAAAAABBABBABABBAABAABABABBAABBABBAABB

Clearly a Baconian cipher, so dropping it into the Rumkin Baconian cipher tool, and selecting the I=J, V=U version, we get:

ILOUEBACONDONTYOU

BRUXOR (Cryptography)

There is a technique called bruteforce. Message: q{vpln'bH_varHuebcrqxetrHOXEj No key! Just brute .. brute .. brute ... :D

Cyberchef to the rescue! Thanks GCHQ! Drop the cyphertext into the input, and the Bruteforce XOR into the recipe, and voila:

flag{y0u_Have_bruteforce_XOR}

07601 (Forensics)

https://mega.nz/#!CXYXBQAK!6eLJSXvAfGnemqWpNbLQtOHBvtkCzA7-zycVjhHPYQQ
I think I lost my flag in there. Hopefully, it won't get attacked...

At this site there is a large PNG file of a screenshot from America’s Got Talent. There is some corruption towards the bottom of the image. I started with a look in Hex Fiend, and noticed multiple PKs near the end and the flag ABCTF{fooled_ya_dustin} in plain text the middle. This flag, as the content suggests, was just a red herring.

Running it through binwalk, I also located a PK in the middle of the file (at around line 9584), shortly after the fake flag (likely the source of the image corruption). Isolating this middle section and renaming it with a .ZIP extension, produced a working ZIP file that contained a folder containing IWarnedYou.jpg.

The file won’t open as an image and doesn’t have the appropriate header and footer for a JPG. Running it through file shows it to be a data file. Looking through the file in Hex Fiend, I can see most of the flag, but parts are unreadable: abctf{d…$t1n…D0j…}. Given the original image, and a quick Google, this is something to do with Dustin’s dojo (I’m not sure I want to know; I’m certain I don’t care).

Pulling the hex directly and running it through a hex-to-text converter online (e.g. http://www.unit-conversion.info/texttools/hexadecimal/) we get:
abctf{dû$t1nš_D0jö}

The site doesn’t accept it as is, but changing the û to u, the š to s, and the ö to o, we do get a correct solution.

Up for a Little Challenge? (Forensics)

https://mega.nz/#!LoABFK5K!0sEKbsU3sBUG8zWxpBfD1bQx_JY_MuYEWQvLrFIqWZ0
You Know What To Do ..

The link contains this lovely Begin Hack.jpg image:

Opening that in Hex Fiend, we can see a few interesting things…

First, it’s got EXIF information.

Second, it has 789:FGHIJUVWXYZdefghijstuvwxyz in the header – I find these alphabet strings usually indicate a good candidate for stego encryption

Third, a URL about half-way through: https://mega.nz/#!z8hACJbb!vQB569ptyQjNEoxIwHrUhwWu5WCj1JWmU-OFjf90Prg
And the following text shortly after that: real_unlock_key: Nothing Is As It Seems
Further down: password: Really? Again
And: flag{Not_So_Simple...} – and that’s true. This is not the flag.
Finally, the file starts and ends with the appropriate header/footer.

Looking at the EXIF metadata first, we just get some image size information.

Running it through binwalk, we can see that the file contains a TIFF image 30 bytes into the file. Isolating that, however, we don’t get a working file. Must be a false positive. The URL, however, does link to a file: Up For A Little Challenge.zip, which archives the folder Did I Forget Again? containing another image called Loo Nothing Becomes Useless ack.jpg

and a hidden file called .Processing.cerb4

The JPG starts and ends normally. It has some EXIF metadata. It has a bunch of 8BIM(?) information near the beginning that looks like Adobe Photoshop formatting information. Nothing too interesting just yet.

The hidden file, on the other hand, appears to be a PKZIP containing the image skycoder.jpg. Renaming it as Processing.zip, it prompts us for a password, and giving it “Nothing Is As It Seems”, we get this:

And there, in reddish text so small my tired eyes didn’t see it the first time (sending me down a rabbit hole of re-examining the hex in all of the files, running binwalk and strings, running stegoVeritas on all of the images, and trying to stego decode skycoder with all of the available strings), is the flag:
flag{hack_complete}

Note to self: Examine the images themselves very carefully and first every time!

Substitution Cipher (Cryptography)

Someone gave me this, but I haven't the slightest idea as to what it says! https://mega.nz/#!LoABFK5K!0sEKbsU3sBUG8zWxpBfD1bQx_JY_MuYEWQvLrFIqWZ0
Figure it out for me, will ya?

The link provides Substitution.txt MIT YSAU OL OYGFSBDGRTKFEKBHMGCALSOQTMIOL. UTFTKAMTR ZB DAKQGX EIAOF GY MIT COQOHTROA HAUT GF EASXOF AFR IGZZTL. ZT CTKT SGFU, MIT YSACL GF A 2005 HKTLTFM MODTL MIAF LMADOFA GK A CTTQSB LWFRAB, RTETDZTK 21, 1989 1990, MIT RKTC TROMGKL CAL WHKGGMTR TXTKB CGKSR EAF ZT ...(it goes on for a while)

CyberChef provides a nice substitution tool, so we get: the flag is ifonlymoderncryptowaslikethis. generated by markov chain of the wikipedia page on calvin and hobbes. be were long, the flaws on a 2005 present times than stamina or a weekly sunday, december 21, 1989 1990, the drew editors was uprooted every world can be found the continued to work ...

Giving us the flag: ifonlymoderncryptowaslikethis

An Informative Text Blurb

This text isn't informative, yet, but it will be one day. Probably. I think. - DW - Jan 2019