Magnet User Summit 2022 CTF - Egg Hunt

Previous: iPhone | Linux

Jessica Hyde and members of the Champlain DFA team ran this capture the flag contest down in Nashville for the Magnet Forensics user summit in April of 2022. And now just recently they re-released the CTF for the wider public in another 3 hour competition virtually. So now I finally have a chance to release my write-ups for the competition I played in-person (and won for that matter!).

Let's get started with the Egg Hunt!

The FULL block of text below IS the puzzle. This is a 3 question 3 part puzzle. Please copy the NEW block of text located below the now decoded portion.

Why was 6 afraid of 7? (40 Points)

Puzzle starts here (Copy ALL text below):

131157165040146157165156144040164150145040145147147041040124150145040146154141147040151163040163157156061143153012124150145040156145170164040160151145143145040157146040164150145040160165172172154145040151163072040112172146040161172146171157040145163160040160162162040055040145163160040161167154162040164144040161063143171162146167167152012105163160040171160151145040141164160156160040172161040145163160040141146153153167160040164144040050166160152040154171157040124107040075040062064063161066154070070062064063161066154070070051072040065160063071061154156157155155062157066065154060156160067155161161065065066156064062065161063070155061061156064064064154062062160071062071070067161061161070065160157157160157070067154155156064067155066071156066160064062065071070156065067062063062062063060071156155160155064066154155071061161160161064157071062157062157160070063061064062154157066062160155065156065060060071061067071061060065060063061157157063067063070065071154063064

Dcode.fr makes quick work of this and shows it is ASCII Code. Converting shows:

Figure 1: ASCII Code converter in Dcode.fr

You can see the flag was son1ck, off to the next part!

The Eggs of March (40 Points)

Jzf qzfyo esp prr - esp qwlr td q3cyrfwwj

Esp ypie atpnp zq esp afkkwp td (vpj lyo TG = 243q6l88243q6l88): 5p391lnomm2o65l0np7mqq556n425q38m11n444l22p92987q1q85poopo87lmn47m69n6p42598n572322309nmpm46lm91qpq4o92o2op83142lo62pm5n5009179105031oo373859l34

Working off the title hint, we can see Ides of March cipher clues point towards a Caesar Shift cipher. Off to Dcode.fr again:

Figure 2: Shift Cipher in Dcode.fr

We see the flag was f3rngully.

Puffer Password (40 Points)

The next piece of the puzzle is (key and IV = 243f6a88243f6a88):

5e391acdbb2d65a0ce7bff556c425f38b11c444a22e92987f1f85edded87abc47b69c6e42598c572322309cbeb46ab91fef4d92d2de83142ad62eb5c5009179105031dd373859a34

Another hint in the title leads us to the blowfish (get it puffer?!) cipher. I couldn't find a decoder for this on Dcode.fr so went over to CyberChef instead. Make sure to use the key and IV supplied.

Figure 3: Blowfish Cipher in CyberChef

The flag was carb0nara.

Is spam a ham mimic? (50 Points)

What is the flag found in the attached message?
We are provided a text file to download and look at. Opening in NotePad++ we see this:

Figure 4: Spam cipher that needs decoded

Looks like a bunch of junk doesn't it? That's be cause it is, more precisely spam! Because the spam mimic cipher was used on last year's CTF I knew exactly what I was looking and and how to decipher it. Using https://www.spammimic.com/ we can copy the text and see that the flag was sitruS.

Figure 5: Spam Mimic decode

Zergling (50 Points)

What is the flag found in the attached message?
We are provided another text file to download that's contents look like this:

Figure 6: Pikalang cipher

This is unlike any cipher I've seen before but perusing through Dcode.fr I found a Pikalang interpreter which fit the bill. Plugging the text we get the flag output as colosseumm.

Figure 7: dcode.fr interpreter for Pikalang