Monday, March 11, 2019

[Writeup] Pragyan CTF - Forensics

Welcome

We have a JPG file. I used HxD and saw a zip file in it, then I used binwalk to get the zip file.


$ binwalk welcome.jpeg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
10600         0x2968          Zip archive data, at least v2.0 to extract, uncompressed size: 9886, name: d.zip
20483         0x5003          End of Zip archive

And what did I get? One secret.bmp file and one zip file that contains the flag but is protected by a password. Digging into the bitmap file, I saw a base64 string: dGhlIHBhc3N3b3JkIGlzOiBoMzExMF90aDNyMyE==
Decoding it, I got the password: h3110_th3r3!
After getting a.png, I used stegsolve to check the LSB and got the flag.



Flag: pctf{st3gs0lv3_1s_u53ful}

Magic PNGs

The picture you_can't_see_me.png has 2 wrong points. The first is the header; I changed the header from

89 50 4E 47 2E 0A 2E 0A to 89 50 4E 47 0D 0A 1A 0A

Then I looked at chunk 6: the iidat should be IDAT.




I fixed it and got the image:



And the password for the zip file is md5(h4CK3RM4n)

Flag: pctf{y0u_s33_m33_n0w!}
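
The two repairs described above can be automated. This is an added example, not code from the original post: it restores the PNG signature and uses each chunk's stored CRC-32 (which covers type + data) to recover a damaged chunk type. The names chunk, repair_png and KNOWN_TYPES, the 1x1 sample image and the lowercase "idat" corruption are assumptions made for the illustration.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")
KNOWN_TYPES = (b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"pHYs", b"gAMA")

def chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def repair_png(blob):
    """Return (repaired bytes, findings) for a PNG with a bad signature or chunk type."""
    out, findings = bytearray(blob), []
    if blob[:8] != PNG_SIG:
        findings.append(f"signature {blob[:8].hex(' ')} -> {PNG_SIG.hex(' ')}")
        out[:8] = PNG_SIG
    pos, index = 8, 0
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype, end = blob[pos + 4:pos + 8], pos + 8 + length
        if end + 4 > len(blob):
            findings.append(f"chunk {index}: length {length} runs past end of file")
            break
        data = blob[pos + 8:end]
        (stored,) = struct.unpack(">I", blob[end:end + 4])
        if zlib.crc32(ctype + data) != stored:
            # The stored CRC still covers the original type, so test each known type.
            fix = next((t for t in KNOWN_TYPES if zlib.crc32(t + data) == stored), None)
            if fix:
                findings.append(f"chunk {index}: type {ctype!r} -> {fix!r}")
                out[pos + 4:pos + 8] = fix
            else:
                findings.append(f"chunk {index}: CRC mismatch, type {ctype!r} not recovered")
        pos, index = end + 4, index + 1
    return bytes(out), findings

# Constructed sample: a valid 1x1 grayscale PNG, then a damaged copy of it.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
GOOD = PNG_SIG + IHDR + IDAT + chunk(b"IEND", b"")
bad_idat = bytearray(IDAT)
bad_idat[4:8] = b"idat"  # assumed corruption; the page does not show the exact bytes
BROKEN = bytes.fromhex("89504E472E0A2E0A") + IHDR + bytes(bad_idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    fixed, notes = repair_png(BROKEN)
    print("\n".join(notes), "\nrepaired matches original:", fixed == GOOD)
```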



Save Earth

In the leftover data of the pcap file, I believe I recognized something interesting



But at that time I didn't know what it was, and I wasted a lot of hours reading a lot of posts and documents but got nothing. Then one idea came into my head: how about crypto? Something like binary 0 and 1 making a word. I asked the crypto-man on my team and in a jiffy he asked me: "Did you try morse code?". And I knew the reason why these numbers looked so familiar.

I exported the file as CSV and deleted the excess, then used Notepad++ to change 02 to -, 04 to . and 01 to whitespace. Decoding the morse here, I got the flag.

Flag: ctfs4v3

Slow Realization

After doing some stuff and getting the password in the mp3 file, and surprise, it was not a password, I tried to use pdfcrack and the rockyou dictionary because it was the last way to decrypt the password.


$ pdfcrack -f flag.pdf --wordlist=rockyou.txt

PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -1028
Length: 128
Encrypted Metadata: True
FileID: 936f22840118a542401db0b9716930c8
U: c6417694dd485620f1629c6ae47a795700000000000000000000000000000000
O: ed2fd42c99e91c38c42eff249cacb3f968f3605be0ee9dc8586d5d38ab06c7f5
found user-password: 'congratulations'


And hell yeah !!

Flag: pctf{y0u_h34rd_m3_r1ght}

Late PR
You just need to use the strings and grep commands on Linux and you will get the flag. I deleted the file, so I can't put the flag here.
