CyberTalents: Forensics Category

cybertalents.com/challenges/forensics

Tools Used

Wireshark, Java Decompilers, CyberChef

Contents

G&P List

Problem:

Just Open the File and Capture the flag. Submission in MD5

Solution:

Let's download the file and run the file command on it. It reports a legitimate Microsoft DOCX file. Let's cat it and look for readable text with the strings command.

cat G\&P+lists.docx | strings

We can see a few strings here and there, but one line is interesting to us. It says:

Flag.txt877c1fa0445adaedc5365d9c139c5219PK

Let's strip the "Flag.txt" file name (the trailing "PK" is simply the signature of the next ZIP header, since a DOCX is a ZIP archive); the remaining 32 hex characters look like an MD5 hash. Let's submit it, and yes, this is our flag.

Hidden Message

Problem:

A cyber criminal is hiding information in the below file. Capture the flag? Submit the flag in MD5 format.

Solution:

Let's download the JPEG file and run cat on it. It prints out a lot of garbage. Since we are looking for an MD5 value, the flag must be 32 characters long, so let's pipe the output through strings with a minimum length of 32.

cat hidden.jpeg | strings -n 32

> b1a1f2855d2428930e0c9c4ce10500d5
> %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
> &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

Now, the value b1a1f2855d2428930e0c9c4ce10500d5 is our intended flag.

Search in Trash

Problem:

My HDD was destroyed in an accident. However, I was able to recover my recycle bin file. Can you find the flag?

Solution:

Let's download the file and run a file command on it. It gives out the following output:

search-trash: Windows Recycle Bin INFO2 file (Win2k - WinXP)

Now, let's run cat and strings on it and look for possible file names. We get :\FLag{Fat_32_DF_2}.txt as the path of the deleted flag file. This is the answer.

File Found

Problem:

We found the following file on a machine. We know it contains a secret, but we do not know what this file is. Can you help us obtain the code?

Solution:

Let's download the file and run the file command. It reports a compiled Java class file. Let's rename it to filefound.class and open it with a Java decompiler, such as the one built into IntelliJ or NetBeans.

Let's use javadecompilers.com, an online decompiler. After uploading the class file and hitting decompile, we get the source code below:

public class HelloWorld
{
    public static void main(final String[] array) {
        // The encoded flag; the loop below applies ROT13 to every letter.
        final String s = "SYNT{SBERAFVPF_101}";
        for (int i = 0; i < s.length(); ++i) {
            char char1 = s.charAt(i);
            // '\r' is character 13, so each branch shifts a letter by 13 places
            // within its half of the alphabet (a-m forward, n-z backward).
            if (char1 >= 'a' && char1 <= 'm') {
                char1 += '\r';
            }
            else if (char1 >= 'A' && char1 <= 'M') {
                char1 += '\r';
            }
            else if (char1 >= 'n' && char1 <= 'z') {
                char1 -= '\r';
            }
            else if (char1 >= 'N' && char1 <= 'Z') {
                char1 -= '\r';
            }
            // Digits and punctuation fall through unchanged.
            System.out.print(char1);
        }
    }
}

Well, let's save the file as HelloWorld.java and run it. The loop is a plain ROT13 ('\r' is character 13), so SYNT{SBERAFVPF_101} decodes to FLAG{FORENSICS_101}. This is our answer.

I Love Images

Problem:

A hacker left us something that allows us to track him in this image, can you find it?

Solution:

Let's go ahead and download the image and run cat piped into strings. That gives us a handful of strings, and the last line looks quite interesting: it looks like a Base64-encoded string.

Let's go to gchq.github.io/CyberChef and try to decode it. CyberChef reports that it is not valid Base64, so let's try Base32 instead!

And we get our answer: FLAG{Not_Only_Base64}
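The G&P List, Hidden Message, Search in Trash and I Love Images challenges all come down to the same three checks: look for a 32-hex-digit run, look for a FLAG{...} token, and try decoding printable runs as Base64 and then Base32. As an added example (my own script, not part of the original writeups), here is a small Python scanner that automates those checks over arbitrary bytes; the sample input is constructed to resemble the files above, not taken from the real challenge files.

```python
import base64
import binascii
import re

# Constructed sample bytes (not a real challenge file): a ZIP-directory-like fragment
# as in the G&P DOCX, a base32-encoded flag as in I Love Images, JPEG-style printable
# noise like the strings output above, and a recycle-bin-style path as in Search in Trash.
SAMPLE = (
    b"\x00\x00Flag.txt877c1fa0445adaedc5365d9c139c5219PK\x03\x04\xff\xfe"
    + base64.b32encode(b"FLAG{Not_Only_Base64}")
    + b"\x00\x10%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz"
    + b"\x00:\\FLag{Fat_32_DF_2}.txt\x00"
)

# Exactly 32 hex digits that are not part of a longer hex run.
MD5_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
FLAG_RE = re.compile(rb"FLAG\{[^}]*\}", re.IGNORECASE)
# strings(1)-style runs of printable ASCII (default minimum length 4).
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def md5_candidates(data: bytes) -> list:
    """Values that could be an MD5-format flag (G&P List, Hidden Message)."""
    return [m.decode() for m in MD5_RE.findall(data)]


def plain_flags(data: bytes) -> list:
    """FLAG{...} tokens stored in clear text (Search in Trash)."""
    return [m.decode() for m in FLAG_RE.findall(data)]


def decoded_flags(data: bytes) -> list:
    """Try each printable run as strict Base64 first, then Base32 (the I Love
    Images trick), keeping only decodings that contain a FLAG{...} token."""
    found = []
    for run in PRINTABLE_RE.findall(data):
        for decode in (lambda s: base64.b64decode(s, validate=True), base64.b32decode):
            try:
                out = decode(run)
            except (binascii.Error, ValueError):
                continue  # not valid in this encoding, try the next one
            found.extend(plain_flags(out))
    return found


def hunt(data: bytes) -> dict:
    """Run all three checks and return the candidates grouped by kind."""
    return {"md5": md5_candidates(data), "plain": plain_flags(data), "decoded": decoded_flags(data)}


if __name__ == "__main__":
    print(hunt(SAMPLE))
```

To use it on a real file, pass `open(path, "rb").read()` to hunt(); every Base64-looking run is tried in both encodings, so a base32 flag is found without a manual retry in CyberChef.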

bflag

Problem:

All of us started from the bottom. Now it's your turn.

Solution:

We are given a pcap file, which means we need to analyze network packets. Let's fire up Wireshark and open the file.

Whoa, there are too many packets! Let's filter down to HTTP and HTTP2 only (display filter http || http2). Now there are far fewer lines, and scanning through the rows eventually gets us to this request:

GET /f14g/analyze_packet_for_fun HTTP/1.1\r\n

Well, looks like we got our answer: f14g/analyze_packet_for_fun