Skip to main content

c4ptur3-th3-fl4g writeup [thm]



pic

A beginner level CTF challenge

Different style to previous beginner level CTF's I've done so far.

Task 1 Translation & Shifting

Translate, shift and decode the following;

Answers are all case sensitive.

c4n y0u c4p7u23 7h3 f149?

Surely you are elite enough to decode this?

01101100 01100101 01110100 01110011 00100000 01110100 01110010 01111001 00100000 01110011 01101111 01101101 01100101 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01101111 01110101 01110100 00100001

There are plenty of online tools for this more fun to write your own tool. I made a tiny Python script

#!/usr/bin/env python3

cipher = "01101100 01100101 01110100 01110011 00100000 01110100\
 01110010 01111001 00100000 01110011 01101111 01101101 01100101\
 00100000 01100010 01101001 01101110 01100001 01110010 01111001\
 00100000 01101111 01110101 01110100 00100001"

# create list of binary numbers
bin_list = cipher.split(" ")

# binary to base 10
numbers = [int(binary,2) for binary in bin_list]

# assume ascii encoding
ascii_list = [chr(numb) for numb in numbers]

output = "".join(ascii_list)
print(output)

Works like charm. Bonus points if you can decode this in your head. 😉

RWFjaCBCYXNlNjQgZGlnaXQgcmVwcmVzZW50cyBleGFjdGx5IDYgYml0cyBvZiBkYXRhLg==

The two equal signs at the end of the string indicates Base64 and each Base64 digit represents exactly 6 bits of data.

This very easy to decode using Python:

>>> import base64
>>> cipher = "RWFjaCBCYXNlNjQgZGlnaXQgcmVwcmVzZW50cyBleGFjdGx5IDYgYml0cyBvZiBkYXRhLg=="
>>> data = base64.b64decode(cipher)
>>> print(data.decode('utf-8'))

I love Python.

MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM======

Base32! Similarly to the Base64 case, we use Python:

>>> cipher = "MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM======"
>>> data = base64.b32decode(cipher)
>>> print(data.decode('utf-8'))

Base32 is super common in CTF's so good to be comfortable with.

68 65 78 61 64 65 63 69 6d 61 6c 20 6f 72 20 62 61 73 65 31 36 3f

This looks like hex i.e. base 16. Let's re-use the previous binary decoding Python script:

#!/usr/bin/env python3

cipher = "68 65 78 61 64 65 63 69 6d 61 6c 20 6f 72 20 62 61 73 65 31 36 3f"

# create list of hexadecimal numbers
hex_list = cipher.split(" ")

# base 16 to base 10
numbers = [int(hexa,16) for hexa in hex_list]

#assume ascii encoding
ascii_list = [chr(numb) for numb in numbers]

output = "".join(ascii_list)
print(output)

Not much to it.

Ebgngr zr 13 cynprf!

Easily recognizable as ROT13, a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. ROT13 is a special case of the Caesar cipher which was developed in ancient Rome.

In Vim normal mode type:

ggg?G

We just rotate the string 13 times.

*@F DA:? >6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX

Not immediately clear what this is but I would assume some rotation but which one?

One way would be to look at a histogram of occurrence of characters

#!/usr/bin/env python3

cipher = "*@F DA:? >6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX"

all_freq = {}

for i in cipher:
    if i in all_freq:
        all_freq[i] += 1
    else:
        all_freq[i] = 1

d = {k: v for k, v in sorted(all_freq.items(), key=lambda item: item[1])}

s = ["'"+key+"'"+":"+str(d[key]) for key in d]
s.reverse()
s = " ".join(s)
print(s)

Which gives the following histogram:

' ':9 'C':4 ':':4 'E':3 '?':3 'F':3 '@':3 '3':2 '5':2 '9':2 '8':2 '6':2 '>':2 'D':2 'X':1 'f':1 'c':1 'W':1 'J':1 '2':1 'A':1 'wildcard':1

We could then compare this to the Letter Frequencies in the English Language and try to map the most common letters in our string to E,A,R,I, ... but our string is a bit on the short side for this so let's go with brute force instead.

#!/usr/bin/env python3

def rot(cipher,n):
    output = ""
    for char in cipher:
        if char == ' ':
            output+= char
        else:
            int_rep = ord(char) + n
            output+= chr(int_rep)
    return output

cipher = "*@F DA:? >6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX"

for n in range (1,256):
    print(str(n)+":"+rot(cipher,n))

The bound upper bound 256 was found here.

python ceasar_brute.py > output

Looking through the output file

11:5KQ OLEJ IA NECDP NKQJ@ >=>U NECDP NKQJ@ bnq PEIAOc
12:6LR PMFK JB OFDEQ OLRKA ?>?V OFDEQ OLRKA cor QFJBPd
13:7MS QNGL KC PGEFR PMSLB @?@W PGEFR PMSLB dps RGKCQe
14:8NT ROHM LD QHFGS QNTMC A@AX QHFGS QNTMC eqt SHLDRf
15:9OU SPIN ME RIGHT ROUND BABY RIGHT ROUND fru TIMESg
16::PV TQJO NF SJHIU SPVOE CBCZ SJHIU SPVOE gsv UJNFTh
17:;QW URKP OG TKIJV TQWPF DCD[ TKIJV TQWPF htw VKOGUi

It looks wrong but at least it's intelligible English.

>>> ord('a')-ord('A')
32

What if we add 32 to in the function and set n = 15?

#!/usr/bin/env python3

def rot(cipher,n):
    output = ""
    for char in cipher:
        if char == ' ':
            output+= char
        else:
            int_rep = (ord(char) + n)+32
            output+= chr(int_rep)
    return output

cipher = "*@F DA:? >6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX"
print(rot(cipher,15))

That does the trick. Not a very elegant solution but it worked.

. .-.. . -.-. --- -- -- ..- -. .. -.-. .- - .. --- -. . -. -.-. --- -.. .. -. --.

Dots and lines, aye?

I didn't feel like implementing my own Morse code decoder so I used WolframAlpha.

85 110 112 97 99 107 32 116 104 105 115 32 66 67 68

This looks harder but in fact it's just ASCII values.

#!/usr/bin/env python3

msg = "85 110 112 97 99 107 32 116 104 105 115 32 66 67 68"

l = [int(numb) for numb in msg.split(' ')]
decode = [chr(numb) for numb in l]
result = "".join(decode)

print(result)

LS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0g...

LS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0=

This on the other, looks way harder. Save this horrendous string to a file. No obvious patterns and I missed the '=' at the end of the string.

This string is encoded with Base64. Decoding it gives something like

----- .---- .---- ----- ----- .---- .---- -----
----- .---- .---- ----- ----- .---- ----- .----
----- ----- .---- ----- ----- ----- ----- -----
----- .---- .---- ----- ----- ----- ----- -----
----- .---- ----- .---- .---- .---- .---- .----
----- .---- .---- ----- ----- ----- ----- -----
----- ----- .---- ----- ----- ----- ----- -----
----- .---- .---- ----- ----- ----- ----- -----
----- .---- .---- ----- ----- ----- ----- -----
----- .---- .---- ----- ----- .---- ----- .----
----- ----- .---- ----- ----- ----- ----- -----
----- .---- .---- ----- ----- ----- .---- -----
----- .---- .---- ----- .---- ----- ----- -----
.
.
.

This looks like (binary) Morse code. To decode this I used morse to get:

01100110
01100101
00100000
01100000
01011111
01100000
00100000
01100000
01100000
01100101
00100000
01100010
01101000
00100000
01100000
01100000
01100100
00100000
01100010
01100001
.
.
.

Converting this to ASCII characters we get the following string

 fe `_` ``e bh ``d ba `_h hf `_f `_` ba ``e `_c `_d ``d ba hf..

It looks rotated.

By running the following script on the string

#!/usr/bin/env python3

def rot(cipher,n):
    output = ""
    for char in cipher:
        if char == ' ':
            output+= char
        else:
            int_rep = (ord(char) - n) % 256
            output+= chr(int_rep)
    return output

cipher = "[REDACTED]"

for n in range (1,256):
    print(str(n)+":"+rot(cipher,n))

and piping the result to a file:

45:98 323 338 5; 337 54 32; ;9 329 323 54 338 326 327 337 54... 
46:87 212 227 4: 226 43 21: :8 218 212 43 227 215 216 226 43...  
47:76 101 116 39 115 32 109 97 107 101 32 116 104 105 115 32...
48:65 0/0 005 28 004 21 0/8 86 0/6 0/0 21 005 0/3 0/4 004 21... 
49:54 /./ //4 17 //3 10 /.7 75 /.5 /./ 10 //4 /.2 /.3 //3 10...


output = ""
for numb in number_list:
    output += chr(numb)
print(output)

There is exactly one line containing only numbers. If we take these numbers and convert them to ASCII we get the final answer. Phew, finally!

Task 2 Spectrograms

A spectrogram is a visual representation of the spectrum of frequencies of a signal as it varies with time. When applied to an audio signal, spectrograms are sometimes called sonographs, voiceprints, or voicegrams. When the data is represented in a 3D plot they may be called waterfalls.

Download the file, take a listen to it and open it in Audacity. Very pleasing to the ear.

In the Audio Track Dropdown Menu choose Spectrogram.

Task 3 Steganography

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.

Decode the image to reveal the answer.

pic

Download the task file. We'll be using steghide to "decode" the image.

steghide extract -sf image.jpg 
Enter passphrase: [none]
wrote extracted data to "steganopayload2248.txt".
cat steganopayload2248.txt 
[REDACTED]

Task 4 Security through obscurity

Security through obscurity is the reliance in security engineering on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.

Download and get 'inside' the file. What is the first filename & extension?

pic

As in the previous task we first try to use steghide:

> steghide extract -sf steg2.jpg 
Enter passphrase: [NONE]
steghide: could not extract any data with that passphrase!

One alternative would be to run a brute force attack on the file using StegCracker but let's save some time and try something different instead. Remember strings used in Pickle Rick Writeup [thm]?

Running strings on the image,

strings steg2.jpg

we get:

.
.
.
@9Xs
{@84
2$Es
i2Mc
IEND
[REDACTED]
[REDACTED]

The two last lines are our flags. This is the lazy way of solving this task but whatever works.

Get inside the archive and inspect the file carefully. Find the hidden text.

Second to last line in strings output.

Conclusion

The last question in the first task 'LS0tLS0gLi0tLS0g...' initially induced some headaches, mostly because I missed the '=' at the end of the line but after, at last(!), finding the equal sign it was straight forward from there. I think it was a nice touch to chain together previously used techniques to make sure you got it all under control.

The other tasks in this challenge was maybe slightly too easy but all very enjoyable to solve.

Tools used:

  • Old crusty brain
  • Python
  • Vim
  • WolframAlpha
  • morse
  • Audacity
  • Steghide
  • Strings