Inctf21 Junior Finals-Forensics Writeup


Hello Pros, this is PJ :)

Difficulty Level : Easy - Medium

CTF Name : INCTF21 Junior Finals

Category : Forensics

1. ILovePDF

Description: Kevin forgot his protected pdf password. Can you help him to retrieve the password?

Given:

pj@ctf-inctf-jr ~: file chall.pdf
chall.pdf: PDF document, version 1.7

I downloaded the PDF and confirmed that it was password protected!!! But where can I get a password? :)

pdfcrack

pj@ctf-inctf-jr ~: pdfcrack -w /usr/share/wordlists/rockyou.txt chall.pdf -q
pwd= kittykat

View the PDF using the password kittykat.

FLAG
inctfj{PdFcR4ck_15_4maZ1ng}

2. Litter

Description: My friend has a serial habit of hiding things within him. He believes that “If someone or something is corrupt, they’re broken morally or in some other way.”

Given:

pj@ctf-inctf-jr ~: file chall.jpeg 
chall.jpeg: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=0], baseline, precision 8, 180x279, components 3

Pro tip: the description talks about hiding things within, so try to unzip the file.

1. unzip

pj@ctf-inctf-jr ~: unzip chall.jpeg
Archive:  chall.jpeg
warning [chall.jpeg]:  10481 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: flag.png

If the data was hidden by appending a zip archive to the image, then unzip can still find the archive and extract the file.

flag.png: data

flag.png seems corrupted.

  • Add 50 4e 47 to the PNG header using GHex

(Before)

pj@ctf-inctf-jr ~: xxd flag.png | head
00000000: 8900 0000 0d0a 1a0a 0000 000d 4948 4452  ............IHDR
00000010: 0000 0780 0000 0438 0806 0000 00e8 d3c1  .......8........

(After)

pj@ctf-inctf-jr ~: xxd flag.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 0780 0000 0438 0806 0000 00e8 d3c1  .......8........

Here we go!

image

FLAG
inctfj{m4g1c4l_numb3r5_4r3_v3ry_1mpOrt4nt}

3. Bit Steganography

Description: Just by (Z)ooming it is difficult to find (STEG) in an image!!

The description :) is enough lol, Z + STEG = ZSTEG

Given:

pj@ctf-inctf-jr ~: file chall.png          
chall.png: PNG image data, 1920 x 1080, 8-bit/color RGB, non-interlaced

gem install zsteg

pj@ctf-inctf-jr ~: zsteg chall.png 
imagedata           .. file: Microsoft Works 1-3 (DOS) or 2 (Windows) document
b1,rgb,lsb,xy       .. text: "32:inctfj{zst3g_1s_4n_4w3s0m3_t00l}?"   

Yeah, awesome tool.
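To see what zsteg's "b1,rgb,lsb,xy" hit actually means, here is an added example (my own, not part of the writeup and not zsteg's code): it writes a message into the least-significant bit of the red, green and blue channels of each pixel in row order, reads it back, and does the cheap printable-text triage zsteg relies on. The pixel list, the sample payload and MSB-first bit packing are assumptions; with Pillow the same pixel list would come from `list(Image.open(path).convert("RGB").getdata())`.

```python
# Added example (PJ's writeup does not contain this code): the "b1,rgb,lsb,xy"
# layout zsteg reported means 1 bit per channel, channels in R,G,B order,
# least-significant bit, pixels walked row by row. Pixels here are an assumed
# plain list of (r, g, b) tuples.

def _bits_of(data: bytes):
    """Yield the bits of each byte, most-significant bit first (assumed packing)."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_lsb(pixels, message: bytes):
    """Return a copy of pixels with message (NUL-terminated) written into the R,G,B LSBs."""
    bits = list(_bits_of(message + b"\x00"))
    if len(bits) > 3 * len(pixels):
        raise ValueError("cover image too small for the payload")
    out, i = [], 0
    for px in pixels:
        new = []
        for channel in px:                      # r, g, b in that order
            if i < len(bits):
                channel = (channel & 0xFE) | bits[i]   # overwrite only the LSB
                i += 1
            new.append(channel)
        out.append(tuple(new))
    return out

def extract_lsb(pixels, max_bytes: int = 4096) -> bytes:
    """Collect the LSB of every channel in R,G,B order, pack MSB-first, stop at NUL."""
    result, cur, nbits = bytearray(), 0, 0
    for px in pixels:
        for channel in px:
            cur = (cur << 1) | (channel & 1)
            nbits += 1
            if nbits == 8:
                if cur == 0 or len(result) >= max_bytes:
                    return bytes(result)
                result.append(cur)
                cur, nbits = 0, 0
    return bytes(result)

def lsb_looks_like_text(pixels, sample: int = 32) -> bool:
    """Triage in the spirit of zsteg: do the first bytes of the LSB plane decode as printable text?"""
    head = extract_lsb(pixels, max_bytes=sample)
    return len(head) > 0 and all(32 <= b < 127 for b in head)

# Constructed 16x16 cover: a smooth gradient whose channel values are all even,
# so every LSB starts at 0 and the unmodified image carries no hidden text.
COVER = [(x * 16, y * 16, (x + y) * 8) for y in range(16) for x in range(16)]
STEGO = embed_lsb(COVER, b"hello, lsb")   # placeholder payload, not the real flag
```

zsteg simply tries every combination of bit count, channel order, bit significance and pixel walk and reports the ones whose output looks like text or a known file type; the triage function above is that check for one layout.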

FLAG
inctfj{zst3g_1s_4n_4w3s0m3_t00l}

4. XOXO

The same XOXO From INCTF Pro Finals

Description: Did you know: if a^b=c then a^c=b

Given: xorred png file

pj@kali ~: file encrypted.png
encrypted.png: data

  1. We don't know the key, but we do know that the file should be a PNG once the XOR is undone. XORing the encrypted file with the PNG magic bytes gives the key, which we can then use to retrieve the PNG.

Magic Bytes of PNG

xxd -l 10 chall.png                                                                  
00000000: 8950 4e47 0d0a 1a0a 0000                 .PNG......

image

2. XOR encrypted.png with the key eAsy-x0r

>>> from pwn import *
>>> encrypted = open("encrypted.png", "rb").read()
>>> answer = open("flag.png", "wb")
>>> answer.write(xor("eAsy-x0r", encrypted))   # pwntools' xor() repeats the key over the whole file
396068
>>> answer.close()
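As an added example (mine, not the writeup's pwntools session), the same known-plaintext trick written out in plain Python: the first 16 bytes of any PNG are fixed (the 8-byte signature, then the IHDR chunk's length 13 and its type), so the keystream for those bytes is just ciphertext XOR known prefix, and the repeat period of that keystream is the key length. The sample PNG, its encryption under the writeup's key eAsy-x0r, and the 16-byte limit are constructed assumptions; a key of 16 bytes or more would need more known plaintext.

```python
# Added example (not the writeup's code): recover a repeating XOR key from known
# plaintext and decrypt. a ^ b = c implies a ^ c = b, so ciphertext ^ plaintext
# gives the keystream, and a repeating key shows up as a period in it.
import struct
import zlib
from itertools import cycle

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")
PNG_KNOWN_PREFIX = PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"   # 16 predictable bytes

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key (same behaviour as pwntools' xor())."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known: bytes = PNG_KNOWN_PREFIX) -> bytes:
    """Return the shortest repeating key that explains the known prefix.
    If the returned key is as long as `known`, no period was found and the
    real key may be longer: more known plaintext is needed."""
    stream = xor_bytes(ciphertext[:len(known)], known)        # keystream bytes
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def decrypt_png(ciphertext: bytes) -> bytes:
    """Recover the key, undo the XOR and confirm the result really starts like a PNG."""
    key = recover_key(ciphertext)
    if len(key) == len(PNG_KNOWN_PREFIX):
        raise ValueError("key period not found within 16 bytes; need more known plaintext")
    plain = xor_bytes(ciphertext, key)
    if not plain.startswith(PNG_KNOWN_PREFIX):
        raise ValueError("decryption did not produce a PNG")
    return plain

# --- constructed sample: a 1x1 PNG encrypted under the writeup's key eAsy-x0r ---
def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

SAMPLE_PNG = (PNG_SIGNATURE
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
              + _png_chunk(b"IEND", b""))
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PNG, b"eAsy-x0r")
```

The period check is what saves you from guessing: the 8-byte signature alone would also have worked for this 8-byte key, but a 10-byte key would have looked like garbage with only 8 known bytes, while the 16 known bytes still expose it.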

image

FLAG
inctf{x0riNg_iS_fUn!!}

5. 221

Description: Can you help me to crack this file?

Given:

 pj@ctf-inctf-jr ~: file flag_5191093e-3b96-4269-8903-32b76b695485.zip 
flag_5191093e-3b96-4269-8903-32b76b695485.zip: Zip archive data, at least v2.0 to extract

Password Protected Zip!

  • fcrackzip
┌──(kali㉿kali)-[~/ctf/inctf-junior-finals/foren/221]
└─$ fcrackzip  -D -p  /usr/share/wordlists/rockyou.txt -u ./flag_5191093e-3b96-4269-8903-32b76b695485.zip

PASSWORD FOUND!!!!: pw == 221bbs

Here we go!

image

FLAG
inctf{okAy!H3r3's_yOuR_flaG!}

6. Hide & Crack

Description: If you can’t see what is hidden, then just crack it…

Given:

crack.jpeg: JPEG image data
hide.jpeg:  JPEG image data

Two JPEG images, nice. "crack" and "hide" point to nothing but stegseek and steghide.

  • Bruteforce the password for crack.jpeg using stegseek
pj@kali ~: stegseek crack.jpeg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "summer1"
[i] Original filename: "password.txt".
[i] Extracting to "crack.jpeg.out".

The extracted password tH15i5Wh4Ty0Un33D can be used on hide.jpeg.

pj@kali ~: steghide --extract -sf hide.jpeg -p tH15i5Wh4Ty0Un33D
wrote extracted data to "flag.txt".

pj@kali ~: cat flag.txt
inctfj{4Nd_f1N4llY_y0U_g0T_1T!}
 
FLAG
inctfj{4Nd_f1N4llY_y0U_g0T_1T!}

7. Implanted Sound

image

Given:

chall.jpeg: JPEG image

Again a JPEG. Try unzip, foremost or binwalk.

 pj@kali ~: unzip chall.jpeg 
Archive:  chall.jpeg
warning [chall.jpeg]:  96824 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: Horror.wav     

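Both "Litter" and this challenge hide their payload the same way, a zip archive appended to a JPEG, and unzip's "extra bytes at beginning" warning is it measuring the cover image. Here is an added example (mine, not from the writeup) that does that measurement explicitly: the end-of-central-directory record stores where the central directory should begin, and the difference from where it actually sits is the number of prepended bytes, after which the zip module extracts the members. The JPEG-shaped cover and the placeholder flag.png inside the zip are constructed for the example.

```python
# Added example (not from the writeup): locate a zip archive glued onto the end
# of a JPEG and pull its members out, which is what unzip does when it warns
# about "extra bytes at beginning or within zipfile".
import io
import struct
import zipfile

ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory signature
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker

def find_appended_zip(blob: bytes) -> int:
    """Return the offset where the appended zip begins, or -1 if there is no EOCD record."""
    eocd = blob.rfind(ZIP_EOCD)
    if eocd == -1 or eocd + 22 > len(blob):      # EOCD record is at least 22 bytes
        return -1
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    actual_cd_start = eocd - cd_size             # where the central directory really is
    return actual_cd_start - cd_offset           # size of the prepended cover data

def extract_appended_zip(blob: bytes) -> dict:
    """Return {member name: bytes} for every file in the appended archive."""
    offset = find_appended_zip(blob)
    if offset < 0:
        return {}
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}

def build_sample() -> bytes:
    """Constructed sample: a JPEG-shaped shell (SOI, padding, EOI) with a zip appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # placeholder member, not the real flag.png from the challenge
        zf.writestr("flag.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    cover = b"\xff\xd8\xff\xe0" + b"\x00" * 100 + JPEG_EOI
    return cover + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("zip starts at byte", find_appended_zip(sample), "members:", list(extract_appended_zip(sample)))
```

Searching from the end for the EOCD record, rather than for the first "PK" from the front, is deliberate: an EXIF thumbnail or the JPEG's own entropy-coded data can contain a stray `PK\x03\x04`, but a real archive always ends with its central directory.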
From the description you might assume it's plain Morse (dash-dot), lol, but that is kind of a dead end.

The description also tells us that we have to reverse the audio.

  • Audacity -> Ctrl + A -> filter -> reverse -> save -> then a Morse decoder

image

Nice Twist

FLAG
inctf{15n't_m0r53_c00l??}

8. Panopto

Description: Alice threw the treasure Map in the Bin and now she is searching for the hidden treasure by traveling from region to region. Can you help her in finding the treasure?

Given:

pj@ctf-inctf-jr ~: file chall.png                                                                   
chall.png: PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced

The given challenge is a QR code image.

 pj@ctf-inctf-jr ~: zbarimg chall.png 

# Run the following script along with the Base32 Encoded Gold to get the flag :)
# You can get the base32 gold from https://mega.nz/folder/dVJx3SKR#U_Dsjp10uLMspiJOXqyQjA
import base64
Base_32_Gold = "" # Enter the Base32 Gold within the double Quotes ("")
print(base64.b32decode(Base_32_Gold).decode("utf-8"))
  1. Download those three images from the mega link

pj@ctf-inctf-jr ~: ls -lah G*
-rw-r--r-- 1 kali kali  13K Jan  9 17:11 'Gold 1.png'
-rw-r--r-- 1 kali kali 132K Jan  9 17:11 'Gold 2.png'
-rw-r--r-- 1 kali kali  71K Jan  9 17:11 'Gold 3.png'

Gold 2.png is larger than the other two images.

unzip / foremost / binwalk again

pj@ctf-inctf-jr ~: unzip 'Gold 2.png'
Archive:  Gold 2.png
  inflating: Gold.txt
pj@ctf-inctf-jr ~: cat Gold.txt | grep N | base32 -d
  
inctfj{zb4r1ng_4nd_b453_32_d3c0d1ng_g1v3s_th3_fl4g}
FLAG
inctfj{zb4r1ng_4nd_b453_32_d3c0d1ng_g1v3s_th3_fl4g}

9. I LOST MY MONKEY

Description : My monkey has been missing since last night. You can find the image of my monkey in the pcap. Can you help me find the monkey?

Given:

pj@ctf-inctf-jr ~: file helpme_ecc6d701-b3b4-4d25-824b-be4a9d4fb5ae.pcapng 
helpme_ecc6d701-b3b4-4d25-824b-be4a9d4fb5ae.pcapng: pcapng capture file - version 1.0

:) Easy

tcpflow -r helpme_ecc6d701-b3b4-4d25-824b-be4a9d4fb5ae.pcapng

tcpflow is a free, open-source command-line tool for analysing network traffic on Unix-like systems such as Linux. It captures the data sent over each TCP connection and stores it in a file for later analysis, in a form that makes protocol analysis and debugging easy.

You can also do this in Wireshark -> Export Objects -> HTTP -> save flag.png
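tcpflow gives you one file per direction of each connection, so the server side of the download is a raw HTTP response: headers, a blank line, then the image bytes, and you still have to strip the headers before the file will open. As an added example (mine, not the writeup's), this does that split on a reassembled stream, honours Content-Length and chunked transfer encoding, and checks the body's magic bytes instead of trusting the Content-Type header. The two sample streams are constructed.

```python
# Added example (not from the writeup): split a tcpflow-style HTTP response
# stream into headers and body and identify the body by its magic bytes.
import re

STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})")
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

def dechunk(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF ... 0)."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl == -1:
            raise ValueError("malformed chunk header")
        size = int(data[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2

def parse_http_response(stream: bytes):
    """Return (status, headers dict with lower-case names, body bytes)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("stream does not start with an HTTP status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    if "content-length" in headers:
        body = rest[:int(headers["content-length"])]   # drop any later response in the same stream
    elif headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(rest)
    else:
        body = rest                                     # connection-close delimited
    return int(m.group(1)), headers, body

def sniff(body: bytes) -> str:
    """Identify the body by magic bytes, the way `file` would."""
    for sig, name in MAGIC.items():
        if body.startswith(sig):
            return name
    return "unknown"

# Constructed sample streams (what tcpflow would have written for the server side).
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 24\r\n\r\n"
                 + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
                 + b"HTTP/1.1 404 Not Found\r\n\r\n")       # a second response on the same connection
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"8\r\n\x89PNG\r\n\x1a\n\r\n0\r\n\r\n")

def carve_image(stream: bytes, out_path: str) -> str:
    """Write the body to out_path and return the detected type; refuse non-images."""
    _, _, body = parse_http_response(stream)
    kind = sniff(body)
    if kind == "unknown":
        raise ValueError("body does not look like an image")
    with open(out_path, "wb") as fh:
        fh.write(body)
    return kind
```

Wireshark's Export Objects does the same reassembly for you; the point of doing it by hand is knowing why a tcpflow output file that "is" the image still fails to open until the headers are gone, and why Content-Length matters when several responses share one keep-alive connection.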

image

Nice monkey :)

FLAG
inctfj{y0u_found_mY_mOnk3y}

10. Chunking UP

Description : We have got a file which might provide us with important evidence but looks like it’s messed up. Can you help us?

Given:

pj@ctf-inctf-jr ~: file chall.png          
chall.png: data

:( How many chunk-editing challs!

Fire up GHex.

  • Replace A9 with 89

(Before)
00000000: a950 4e47 0d                             .PNG.
(After)
00000000: 8950 4e47 0d                             .PNG.

  • Replace IdhR with IHDR

  • Replace iadt with IDAT

  • Replace the trailer ieNd with IEND

(Before)
pj@ctf-inctf-jr ~: xxd chall.png | tail
00008490: 0000 0000 6965 4e64 ae42 6082            ....ieNd.B`.

(After)
pj@ctf-inctf-jr ~: xxd chall.png | tail
00008490: 0000 0000 4945 4e44 ae42 6082            ....IEND.B`.

That's all, the flag is ready.

image

FLAG
inctfj{n0W_YoU_kN0w_4b0Ut_pNgCHUnkS?}


