| Author | susie |
|---|---|
| Points | 10 |
| Description | Files can always be changed in a secret way. Can you find the flag? |
```
➜ file cat.jpg
cat.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2560x1598, components 3
➜ exiftool cat.jpg
ExifTool Version Number : 12.21
File Name : cat.jpg
Directory : .
File Size : 858 KiB
File Modification Date/Time : 2022:01:10 16:59:27-05:00
File Access Date/Time : 2022:01:10 16:59:27-05:00
File Inode Change Date/Time : 2022:01:10 16:59:27-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Current IPTC Digest : 7a78f3d9cfb1ce42ab5a3aa30573d617
Copyright Notice : PicoCTF
Application Record Version : 4
XMP Toolkit : Image::ExifTool 10.80
License : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Rights : PicoCTF
Image Width : 2560
Image Height : 1598
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 2560x1598
Megapixels : 4.1
```
The `License` field in the XMP block holds a base64 string. Alternatively to CyberChef, you can decode it from the terminal as shown:

```
➜ echo cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9 | base64 -d
picoCTF{the_m3tadata_1s_modified}#
```
picoCTF{the_m3tadata_1s_modified}
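exiftool does the heavy lifting above, but it is worth seeing where that `License` value physically lives: inside a JPEG APP1 marker segment carrying an XMP packet. The following Python is an added example (not part of the writeup and not exiftool's code). It walks the JPEG marker segments, pulls every text-valued property out of the XMP packet, and flags any value that decodes cleanly as base64 into printable text, which is the generic check a forensic analyst would run across all metadata fields rather than eyeballing one. The JPEG it scans is constructed in memory (SOI, a JFIF APP0, one XMP APP1, EOI, no pixel data); the `cc:license` element name used in that constructed packet is an assumption about how the field is stored.

```python
import base64
import re
import struct
import xml.etree.ElementTree as ET

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 payload prefix that marks an XMP packet
SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1


def iter_segments(data):
    """Yield (marker, payload) for every marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                          # fill byte before a marker
            pos += 1
            continue
        if marker in (EOI, SOS):                    # entropy-coded data follows SOS; stop
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def xmp_properties(data):
    """Return {local-name: text} for every text-bearing element in APP1 XMP packets."""
    props = {}
    for marker, payload in iter_segments(data):
        if marker != APP1 or not payload.startswith(XMP_HEADER):
            continue
        root = ET.fromstring(payload[len(XMP_HEADER):])
        for el in root.iter():
            text = (el.text or "").strip()
            if text:
                props[el.tag.split("}")[-1]] = text   # strip the XML namespace
    return props


B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def suspicious_base64_values(props):
    """Metadata strings that decode as base64 into printable text (hidden-data check)."""
    out = {}
    for key, val in props.items():
        if len(val) < 16 or len(val) % 4 or not B64.match(val):
            continue
        try:
            decoded = base64.b64decode(val, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            out[key] = decoded
    return out


def build_sample_jpeg(license_value):
    """Constructed minimal JPEG: SOI, JFIF APP0, one XMP APP1, EOI (no image data)."""
    xmp = (
        '<x:xmpmeta xmlns:x="adobe:ns:meta/">'
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        '<rdf:Description xmlns:cc="http://creativecommons.org/ns#" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<cc:license>{license_value}</cc:license>'   # assumed storage element
        '<dc:rights>PicoCTF</dc:rights>'
        '</rdf:Description></rdf:RDF></x:xmpmeta>'
    ).encode()

    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = seg(APP0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")  # JFIF 1.02, 1x1 density
    app1 = seg(APP1, XMP_HEADER + xmp)
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg("cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9")
    print(suspicious_base64_values(xmp_properties(img)))
```

The segment walker stops at SOS because everything after it is entropy-coded image data, not marker segments; a real-world scanner would also want to look at the trailing bytes after EOI, which is another common place to append data.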
| Author | Dylan |
|---|---|
| Points | 100 |

Can you find the flag? shark2.pcapng.
- Did you really find the flag?
- Look for traffic that seems suspicious.
Looking at the endpoints, we can deduce that the victim's computer had the IP address 192.168.38.104, since it has more packets.
If we go ahead and look at the protocol hierarchy, we find that the DNS protocol had a lot of bytes, so this would probably be some DNS data exfiltration. So I applied `dns` as my filter and, scrolling down, I only find three IP addresses in the source and destination columns:
- 192.168.38.104 (Victim)
- 8.8.8.8 (Google's DNS)
- 18.217.1.57 (unknown)
I then applied `ip.addr == 18.217.1.57` as my filter to isolate traffic related to this IP, and we get a bunch of GET requests for `/flag`, so looking at Export HTTP Objects, we are able to find all the flags.
Following these HTTP streams gives us a common flag which, upon trying to decode the string, didn't yield much. So we keep hunting.
When I applied the filter `ip.dst == 18.217.1.57 && dns`, I noticed a pattern. For instance, the first packet queries a sub-domain (`cGljb0NU.reddshrimpandherring.com`); the second and third sub-domains are prefixed to `.us-west-1.ec2-utilities.amazonaws.com` and `.windomain.local`. Since all these sub-domain queries have a frame length of 93 bytes or less, we can add `len(frame) <= 93` to our filter to display only the sub-domains.
With this in mind... I was stuck for a moment and did not know what to do next... After consulting a friend (I can't recall their name since they deleted their account on Discord), he told me I should use CyberChef to decode the flag as shown in the screenshot below.
picoCTF{dns_3xf1l_ftw_deadbeef}
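What CyberChef does in that last step is mechanical: take the leading label of each suspicious query in frame order, glue them together, re-pad and base64-decode. The Python below is an added example (not from the writeup) that automates exactly that reconstruction, so the same logic could be run over a larger capture or wired into a detection. It uses the server IP and the three carrier domains named above; the `DnsQuery` record, the function names and the case-mixing heuristic for spotting a base64 label are all assumptions of this example. The packet list it processes is constructed, with the victim's exfil queries interleaved with ordinary lookups, to mimic the pattern seen in the challenge capture.

```python
import base64
import re
from dataclasses import dataclass

# Values from the capture described above: the external server that received
# the odd queries and the three domains the base64 labels were attached to.
EXFIL_DST = "18.217.1.57"
CARRIER_SUFFIXES = (
    ".reddshrimpandherring.com",
    ".us-west-1.ec2-utilities.amazonaws.com",
    ".windomain.local",
)
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


@dataclass
class DnsQuery:
    """One DNS query as read off the Wireshark packet list (assumed record shape)."""
    frame: int
    src: str
    dst: str
    qname: str


def carrier_label(q):
    """Return the leading label if this query looks like a base64 chunk sent to
    the suspicious server, else None. Heuristic (assumption): a chunk is a single
    label in the base64 alphabet with both upper- and lower-case letters, which
    ordinary hostnames rarely have."""
    if q.dst != EXFIL_DST:
        return None
    for suffix in CARRIER_SUFFIXES:
        if q.qname.endswith(suffix):
            label = q.qname[: -len(suffix)]
            if "." in label or not B64_ALPHABET.match(label):
                return None
            if label.lower() == label or label.upper() == label:
                return None
            return label
    return None


def recover_payload(queries):
    """Concatenate the chunks in frame order, re-pad and base64-decode."""
    chunks = []
    for q in sorted(queries, key=lambda q: q.frame):
        label = carrier_label(q)
        if label:
            chunks.append(label)
    blob = "".join(chunks)
    blob += "=" * (-len(blob) % 4)          # senders drop '=' since it is not DNS-safe
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def build_sample_capture(secret, chunk=8):
    """Constructed packet list mimicking the challenge: 8-character base64 labels
    rotated across the carrier domains, with innocent lookups mixed in."""
    victim = "192.168.38.104"
    enc = base64.b64encode(secret.encode()).decode().rstrip("=")
    queries = [DnsQuery(1, victim, "8.8.8.8", "www.google.com"),
               DnsQuery(2, victim, EXFIL_DST, "dc01.windomain.local")]   # legit-looking, same server
    frame = 3
    for i in range(0, len(enc), chunk):
        suffix = CARRIER_SUFFIXES[(i // chunk) % len(CARRIER_SUFFIXES)]
        queries.append(DnsQuery(frame, victim, EXFIL_DST, enc[i:i + chunk] + suffix))
        frame += 1
        if i % (3 * chunk) == 0:            # sprinkle in an unrelated lookup
            queries.append(DnsQuery(frame, victim, "8.8.8.8", "update.microsoft.com"))
            frame += 1
    return queries


if __name__ == "__main__":
    capture = build_sample_capture("picoCTF{dns_3xf1l_ftw_deadbeef}")
    print(recover_payload(capture))
```

The case-mixing check is deliberately crude: it is enough to separate `cGljb0NU` from `dc01`, but a chunk that happens to be all lower-case would be dropped, so on a real capture the frame-length filter from the writeup and the destination IP are the stronger selectors, and the label test is just a tie-breaker.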
| Author | Susie/Pandu |
|---|---|
| Points | 30 |

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one?
Whenever I come across forensic challenges on Matryoshka, the first tool that comes to mind is `binwalk`.
Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images.
So I run it on the command line as follows, with the `-e` and `-M` flags:

- `-e` - Automatically extract known file types
- `-M` - Recursively scan extracted files
```
➜ binwalk -e -M dolls.jpg
Scan Time: 2022-01-12 03:57:27
Target File: /home/kali/Desktop/pico-ctf/dolls.jpg
MD5 Checksum: 4e20dca670f35285995d96533d0e0a69
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
272492 0x4286C Zip archive data, at least v2.0 to extract, compressed size: 378954, uncompressed size: 383940, name: base_images/2_c.jpg
651612 0x9F15C End of Zip archive, footer length: 22
Scan Time: 2022-01-12 03:57:31
Target File: /home/kali/Desktop/pico-ctf/_dolls.jpg.extracted/base_images/2_c.jpg
MD5 Checksum: 4d6e68a72702eba3f2b1f95670f12ac7
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
187707 0x2DD3B Zip archive data, at least v2.0 to extract, compressed size: 196045, uncompressed size: 201447, name: base_images/3_c.jpg
383807 0x5DB3F End of Zip archive, footer length: 22
383918 0x5DBAE End of Zip archive, footer length: 22
Scan Time: 2022-01-12 03:57:31
Target File: /home/kali/Desktop/pico-ctf/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/3_c.jpg
MD5 Checksum: 03116a4e0101b30bedcf0905531c0e1f
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 428 x 1104, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
123606 0x1E2D6 Zip archive data, at least v2.0 to extract, compressed size: 77653, uncompressed size: 79808, name: base_images/4_c.jpg
201425 0x312D1 End of Zip archive, footer length: 22
Scan Time: 2022-01-12 03:57:32
Target File: /home/kali/Desktop/pico-ctf/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images/4_c.jpg
MD5 Checksum: 4e139c3a53b17b18c5fe1994dd3e7d46
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 320 x 768, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
79578 0x136DA Zip archive data, at least v2.0 to extract, compressed size: 64, uncompressed size: 81, name: flag.txt
79786 0x137AA End of Zip archive, footer length: 22
```
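Two things in that output are worth noting: the file called `dolls.jpg` is really a PNG (the extension is not evidence of anything), and at each layer the zip archive is simply appended after the image bytes, which is why a signature scan finds it at a fixed offset. To make the mechanism concrete, the following Python is an added example (not binwalk's code and not part of the writeup) that does a cut-down version of what `binwalk -e -M` does: scan a buffer for the PNG and ZIP signatures, carve the archive at the reported offset with `zipfile`, and recurse into every member. It only knows two signatures, and the nested doll it unpacks is constructed in memory with a placeholder flag, so the `build_sample_doll` and `find_flag` helpers are assumptions of this example.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

# A tiny signature table; binwalk ships hundreds of these.
SIGNATURES = {
    PNG_MAGIC: "PNG image",
    ZIP_LOCAL_HEADER: "Zip archive data",
}


def scan(data):
    """Return sorted (offset, description) pairs for every known signature in data."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            hits.append((off, desc))
            start = off + 1
    return sorted(hits)


def carve_zip_members(data, offset):
    """Open the zip whose local header sits at offset and return {name: bytes}.
    zipfile finds the central directory from the end, so the slice from the
    header onward is enough (binwalk writes this slice out as <offset>.zip)."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def unpack_nested(data, depth=0, max_depth=10):
    """Recursive scan-and-extract like `-e -M`; returns (depth, name, bytes) per carved file."""
    found = []
    if depth > max_depth:                   # guard against a zip bomb of dolls
        return found
    for off, desc in scan(data):
        if desc != "Zip archive data":
            continue
        try:
            members = carve_zip_members(data, off)
        except zipfile.BadZipFile:
            continue                        # false positive, try the next hit
        for name, blob in members.items():
            found.append((depth, name, blob))
            found.extend(unpack_nested(blob, depth + 1, max_depth))
        break                               # later PK headers belong to this archive's members
    return found


def make_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_doll(flag_text, layers=3):
    """Constructed stand-in for dolls.jpg: each layer is a PNG signature, some
    filler standing in for pixel data, then a zip holding the next layer."""
    blob = make_zip("flag.txt", flag_text.encode())
    image = PNG_MAGIC + b"\x00" * 64 + blob
    for i in range(layers - 1, 0, -1):
        blob = make_zip(f"base_images/{i + 1}_c.jpg", image)
        image = PNG_MAGIC + b"\x00" * 64 + blob
    return image


def find_flag(image):
    for _depth, name, data in unpack_nested(image):
        if name == "flag.txt":
            return data.decode()
    return None


if __name__ == "__main__":
    doll = build_sample_doll("picoCTF{constructed_sample_flag}")
    for off, desc in scan(doll):
        print(f"{off:<8} {off:#x}\t{desc}")
    print(find_flag(doll))
```

The `break` after the first successfully opened archive matters: the outer image's bytes also contain the `PK\x03\x04` headers of the archives nested inside it (deflate stores incompressible data verbatim), and those inner offsets only make sense once the enclosing member has been extracted, which is what the recursion does.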
If we list the files in our current directory, we can see we have a directory called `_dolls.jpg.extracted`. We can use a tool called `tree` to visualize the directory structure. From here we can easily see where the flag is located.
```
➜ pico-ctf ls -la
total 4960
drwxr-xr-x 3 root root 4096 Jan 12 03:57 .
drwxr-xr-x 125 kali kali 4096 Jan 10 16:55 ..
-rw-r--r-- 1 root root 651634 Jan 12 03:56 dolls.jpg
drwxr-xr-x 3 root root 4096 Jan 12 03:57 _dolls.jpg.extracted
➜
➜ tree _dolls.jpg.extracted
_dolls.jpg.extracted
├── 4286C.zip
└── base_images
    ├── 2_c.jpg
    └── _2_c.jpg.extracted
        ├── 2DD3B.zip
        └── base_images
            ├── 3_c.jpg
            └── _3_c.jpg.extracted
                ├── 1E2D6.zip
                └── base_images
                    ├── 4_c.jpg
                    └── _4_c.jpg.extracted
                        ├── 136DA.zip
                        └── flag.txt
6 directories, 8 files
➜ cd _dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images/_4_c.jpg.extracted
➜ ls -la
total 16
drwxr-xr-x 2 root root 4096 Jan 12 03:57 .
drwxr-xr-x 3 root root 4096 Jan 12 03:57 ..
-rw-r--r-- 1 root root 230 Jan 12 03:57 136DA.zip
-rw-r--r-- 1 root root 81 Mar 15 2021 flag.txt
➜ cat flag.txt
picoCTF{e3f378fe6c1ea7f6bc5ac2c3d6801c1f}
```
picoCTF{e3f378fe6c1ea7f6bc5ac2c3d6801c1f}