Magnet User Summit 2023 CTF - Cipher



The Magnet User Summit has come and gone, with another fantastic CTF in the books from Jessica Hyde and the students from Champlain. This year we got a bunch more cipher questions and an Android image. Here we will break down the cipher questions and how I got the flags.

salad are for THE chumps (5 points)

Pa'z H-Tl, Thypv

As I've done before, take a look at the title of the question and look for hints. "salad" may refer to Caesar, aka the Caesar shift cipher, so we can plug it into DCode.fr and see what we get.

Figure 1: Caesar cipher in Dcode.fr

Looks like if you shift the letters to the right 7 or to the left 19, we get the answer of "It's A-Me, Mario".

typing out all these questions is starting to hurt my Fingers, maybe I should Shift my thinking. (10 points)

yjododyjrg;sh

Another hint in the title, "Shift" most likely refers to Keyboard Shift cipher. Back to Dcode:

Figure 2: Keyboard Shift cipher in Dcode.fr

We can see qwerty shift to the right results in "thisistheflag" as the answer.

The earth's rotation really makes my day.

(9E0:D0E960A2DDH@C5

I was thinking off the bat it was some sort of ROT cipher so I just plugged it into the Dcode.fr cipher identifier and lo and behold it found it as ROT-47.

Figure 3: ROT-47 cipher in Dcode.fr

We see the result shows the answer as "Wht_is_the_password".
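The three decodes above (Caesar shift, QWERTY keyboard shift, ROT-47) are easy to reproduce without a web tool, which matters when the ciphertext is sensitive and should not be pasted into a third-party site. The block below is an added example written for this write-up, not code from the original post or from dCode; it assumes a US QWERTY layout for the keyboard-shift decode and treats ROT-47 as a rotation over the 94 printable ASCII characters 33..126.

```python
"""Added example (not from the original write-up): the shift-style ciphers
from the first three questions, done in plain Python instead of dcode.fr.

Caesar: rotate A-Z / a-z by n positions.
ROT-47: rotate the 94 printable ASCII characters (33..126) by 47; it is its
        own inverse, so the same function encrypts and decrypts.
Keyboard shift: each plaintext key was typed one key to the RIGHT on a QWERTY
        row, so decoding moves one key to the LEFT on the same row.
"""
from typing import Dict

# Assumption: US QWERTY rows, lowercase, including the ';' that 'l' shifts onto.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` (positive = right); other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_bruteforce(text: str) -> Dict[int, str]:
    """All 26 candidates, keyed by the right-shift that would have ENCRYPTED them."""
    return {k: caesar(text, -k) for k in range(26)}


def rot47(text: str) -> str:
    """Rotate printable ASCII 33..126 by 47; characters outside that range pass through."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )


def keyboard_shift(text: str, offset: int = -1) -> str:
    """Move each character `offset` keys along its QWERTY row (negative = left).

    Characters not on a mapped row (space, digits, uppercase) pass through unchanged.
    """
    out = []
    for ch in text:
        for row in QWERTY_ROWS:
            if ch in row:
                out.append(row[(row.index(ch) + offset) % len(row)])
                break
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Inputs are the three ciphertexts quoted in the questions above.
    for k, cand in caesar_bruteforce("Pa'z H-Tl, Thypv").items():
        print(f"shift {k:2d}: {cand}")
    print(keyboard_shift("yjododyjrg;sh"))
    print(rot47("(9E0:D0E960A2DDH@C5"))
```

`caesar_bruteforce` prints all 26 candidates, which is the quicker route when the hint does not tell you the shift; shift 7 (equivalently, left 19) is the one that reads as English here.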

I like the trailer for this movie. Can't wait to see it in theaters! (25 points)

movie.jpg

We are provided a .jpg image as shown:

Figure 4: movie.jpg

Looks like a straightforward movie poster for Puss in Boots. Knowing similar CTF questions, I opened the image in a hex viewer. If we go to the end of the file (the "trailer") we can see there was some extra data after the FF D9 footer found in a .jpg.

Figure 5: "trailer" footer of the movie.jpg

Based on experience, the "==" at the end indicates Base64 encoding. We can copy the ASCII to CyberChef and see the flag was "This_is_not_an_endorsement_of the_movie_Puss_In_Boots_The_Last_Wish".

Figure 6: Base64 decode in CyberChef
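Scrolling to the end of a file in a hex viewer works, but it is worth scripting the "anything after FF D9" check so it can be run across a whole evidence folder. The block below is an added example, not part of the original write-up; the JPEG it operates on is a constructed minimal skeleton (SOI, one APP0 segment, EOI) with a Base64 line appended, so it runs without movie.jpg, and the flag string inside it is made up for the example.

```python
"""Added example (not from the original write-up): carve whatever was appended
after a JPEG's End-Of-Image marker (FF D9) and try to Base64-decode it.

A JPEG decoder stops at EOI, so any bytes after it are invisible to image
viewers but trivially recoverable. Using the LAST FF D9 matters because an
embedded EXIF thumbnail is itself a JPEG with its own EOI.
"""
import base64
import binascii
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes after the last FF D9 marker (b"" if nothing follows it)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing FF D8 SOI marker")
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        raise ValueError("no FF D9 EOI marker found")
    return data[idx + len(JPEG_EOI):]


def decode_base64_trailer(trailer: bytes) -> Optional[str]:
    """Strip whitespace and attempt a strict Base64 decode; None if it is not Base64."""
    cleaned = b"".join(trailer.split())
    if not cleaned:
        return None
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_flag(data: bytes) -> Optional[str]:
    """Convenience wrapper: trailer carve followed by Base64 decode."""
    return decode_base64_trailer(jpeg_trailer(data))


# Constructed sample (not a real picture): SOI, a JFIF APP0 segment, EOI, then
# a Base64 line appended the way the challenge file had one.
FLAG = "constructed_flag_for_this_example"
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + JPEG_EOI
    + b"\n" + base64.b64encode(FLAG.encode()) + b"\n"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_JPEG
    trailer = jpeg_trailer(blob)
    print(f"{len(trailer)} trailing byte(s) after EOI")
    print(find_flag(blob))
```

Run it with a path argument to check a real file. One caveat: if the appended data happens to contain FF D9 itself, `rfind` will cut it short, so when the trailer looks truncated, fall back to the first EOI after the last SOS (FF DA) scan segment instead.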

people Online keep telling me my Style Suxx (25 points)


Another image that needs to be analyzed, this time of a sly little cat:

Figure 7: cat@2.png

I looked in the hex but didn't see anything relevant so I had to dig deeper into the title for clues. I ended up Googling "Style Suxx" and was pleasantly surprised to find a simple github.io page with a steganography encode/decode tool. Uploading the image as input we can see the decoded message was "You have made it mate!!!!!!!!!!!!!!!!!!! GOOD LUCK :)".

Figure 8: StyleSuxx steganography online tool

Rapidly making my way through the Machete Order (25 points)

IklmIHlvdSBvbmx5IGtuZXcgdGhlIHBvd2VyIG9mIHRoZSBkYXJrIHNpZGUuIiDigJQoVGhlIEVtcGlyZSBTdHJpa2VzIEJhY2spCgo=

This looked like Base64 again to me so I dumped it into CyberChef.

Figure 9: Base64 decode in CyberChef

I tried the results but it didn't take. My assumption was that it didn't like the non-ASCII characters. I copied out the characters that it couldn't interpret and converted them to hex.

Figure 10: non-ASCII to hex in CyberChef

You can see that CyberChef wants to magically convert it to a long dash. I just had to Google what it looked like and it's apparently named an Em Dash. Replacing the answer with the proper em dash, it was correct: ""If you only knew the power of the dark side." —(The Empire Strikes Back)"

As long as more than Zer0 people enjoy these challanges I'd be happy Width that! (25 points)

I really enjoyed the BlueMonkey 4n6 video on the last ciph‌​‌​‌​​⁠‌‌​‌​​​⁠‌‌​‌​​‌⁠‌‌‌​​‌‌⁠‌​‌‌‌‌‌⁠‌​​​​‌⁠‌​​‌​​⁠‌‌‌​‌​​⁠‌‌​‌​​​⁠‌‌​​‌​‌⁠‌​​​‌‌​⁠‌‌‌​‌​‌⁠‌‌​‌‌​​⁠‌‌​‌‌​​⁠‌​​​‌‌​⁠‌​​‌‌​​⁠‌​​​​​‌⁠‌​​​‌‌‌er questions. If you enjoy these challenges let us know!

I originally thought it had to do with BlueMonkey's Cipher video, because it was meta and I had commented and got a shout out in it. I had no idea where to look other than diagnostic details or things with the video but that made no sense. Because of the title of the question I did some Googling to try and find a tool. I ended up coming across a "Zero-Width steganography" tool which seemed to match the hints so I went with it.

You just supply some text, the question, and out comes the answer, "This_!$theFullFLAG". Tricky!

Figure 11: Zero-Width steganography tool
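The invisible characters are still present in the question text as quoted above, so the decode can be reproduced locally. The block below is an added example for this write-up, not the online tool's code. The encoding scheme it implements is my reading of the characters in the question (7 bits per character, U+200B ZERO WIDTH SPACE as 0, U+200C ZERO WIDTH NON-JOINER as 1, U+2060 WORD JOINER between characters) and should be treated as an assumption; the cover sentence and hidden string are constructed in the block so it runs stand-alone.

```python
"""Added example (not from the original write-up): zero-width steganography
encode/decode of the kind used in the "Width" question.

Assumed scheme (my reading of the question text, not a documented spec):
  U+200B ZERO WIDTH SPACE      -> bit 0
  U+200C ZERO WIDTH NON-JOINER -> bit 1
  U+2060 WORD JOINER           -> separator between 7-bit ASCII characters
"""
ZERO, ONE, SEP = "\u200b", "\u200c", "\u2060"
# Other zero-width code points that tools commonly use as carriers; we strip
# them too so a cleaned cover text really is clean.
HIDDEN = {ZERO, ONE, SEP, "\u200d", "\ufeff"}


def zw_encode(secret: str) -> str:
    """Turn 7-bit ASCII `secret` into an invisible string."""
    if any(ord(c) > 0x7F for c in secret):
        raise ValueError("secret must be 7-bit ASCII")
    return SEP.join(
        "".join(ONE if bit == "1" else ZERO for bit in format(ord(c), "07b"))
        for c in secret
    )


def zw_hide(cover: str, secret: str, position: int) -> str:
    """Splice the encoded secret into `cover` at character index `position`."""
    return cover[:position] + zw_encode(secret) + cover[position:]


def zw_extract(text: str) -> str:
    """Keep only the zero-width carrier characters, in order."""
    return "".join(c for c in text if c in HIDDEN)


def zw_decode(text: str) -> str:
    """Recover the hidden ASCII string; raises if a group is not 7 bits."""
    out = []
    for group in zw_extract(text).split(SEP):
        bits = "".join("1" if c == ONE else "0" for c in group if c in (ZERO, ONE))
        if not bits:
            continue  # stray separator or an unrelated zero-width character
        if len(bits) != 7:
            raise ValueError(f"group of {len(bits)} bits does not fit the 7-bit scheme")
        out.append(chr(int(bits, 2)))
    return "".join(out)


def zw_strip(text: str) -> str:
    """Return the visible cover text with every zero-width character removed."""
    return "".join(c for c in text if c not in HIDDEN)


# Constructed sample: same shape as the challenge, hidden inside the word "cipher".
COVER = "I really enjoyed the BlueMonkey 4n6 video on the last cipher questions."
SECRET = "This_!$theFullFLAG"
STEGO = zw_hide(COVER, SECRET, COVER.index("cipher") + 4)

if __name__ == "__main__":
    print(f"visible : {zw_strip(STEGO)}")
    print(f"hidden  : {len(STEGO) - len(COVER)} zero-width characters")
    print(f"decoded : {zw_decode(STEGO)}")
```

If the question text is pasted in from the page with its invisible characters intact, `zw_decode` on it should produce the same flag; if the copy step dropped them, `zw_extract` returns an empty string, which is the quick way to tell. The detection side is the useful takeaway: any zero-width code points in text that has no typographic reason for them (a chat message, a flag submission, a commit message) are worth a look.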

SomeTimes its nicE to just stop workinG and searcH the Internet for gooD mEmes. (25 points)


Another cat image for analysis.

Figure 12: challenge.jpg

Based on the title, they were hinting at STEGHIDE, a steganography tool I've actually seen and used before. I downloaded the tool and tried running it via the command line but it asked for a password to extract the embedded info. I tried a bunch of combinations of passwords that I thought would relate but nothing worked, back to square one, Google.

I looked for online decoders for Steghide and found one here. I uploaded the file with a blank password and it was able to pull out what I needed.

Figure 13: Steghide online decoder

I'm not sure why Steghide offline needed a password but we ended up getting the answer anyhow via the online decoder, "eleven_is_more_than_ten".

Sometimes I wish we could visualize music (50 points)


From participating in another CTF years ago, I knew exactly where this one was. Using the free audio tool Audacity, we can open the file in question. There is a cool feature where you can view the spectrogram of an audio file.

Figure 14: Options in Audacity

All we need to do is zoom in a bit to see the embedded answer was "Popcorn".

Figure 15: Spectrogram in Audacity

whiterose.wav (75 points)


One of my favorite TV shows is Mr. Robot so I knew the title had to be related to it somehow. I didn't get this one during the live CTF but when thinking it over, I was able to get it quickly the next day. White Rose was a sort of antagonist in the show and there was an episode in season 1 named after the character.

Looking up "eps1.7_wh1ter0se.m4v" there was a great Fandom article that gives a breakdown but also shows what technology was used in the episode. A recurring theme is the title character Elliot using CDs to encrypt data from his hard drive. The tool used in the episode is called DeepSound.

Figure 16: Technology used in eps1.7_wh1ter0se.m4v episode

Uploading the provided audio file to DeepSound we see it had a TopSecretFile.txt file embedded.

Figure 17: DeepSound

Extracting the file and opening in a text editor we get the answer, "WOW! You found another flag! Keep up the great work!".

Figure 18: TopSecretFile.txt extracting with DeepSound

Cobalt Strike: A Necessary Evil? (75 points)


NOTE: Your antivirus may flag items related to this

Judging by the title, we have some code from Cobalt Strike. As seen by the "==" at the end, we are at first dealing with Base64. Plugging into CyberChef and decoding we get the start of some code:

Figure 19: Cobalt Strike code via CyberChef

We can see that the meat of the script has another encoded piece towards the bottom. It looks like more Base64 code but when using the decoder again it spits out gibberish.  With some quick Google research I came across an article from Michael Koczwara which discusses decoding the payload. The Base64 block is also encrypted with XOR with a key of decimal 35.

Figure 20: XOR code in CyberChef

After adding XOR to the recipe we can see a sliver where an IP address usually is with the words "You_Found_The_C2", the answer.

Figure 21: CyberChef recipe including XOR
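The CyberChef recipe (From Base64, then XOR with key 35) is easy to reproduce in a script, which is safer than pasting a live stager into a browser tool and lets you grep the result for the C2 host. The block below is an added example for this write-up, not the challenge payload and not Cobalt Strike's code: the inner blob it decodes is a constructed byte string containing the challenge's string where the C2 hostname normally sits, XOR-35'd and Base64'd the way the stager wraps it. The key 35 is the constant from the stager's own `-bxor 35` loop, as the write-up describes.

```python
"""Added example (not from the original write-up): Base64 decode -> XOR every
byte with 35 -> pull printable strings, i.e. the CyberChef recipe above in
script form, applied to a CONSTRUCTED sample payload.

Never execute the decoded bytes: in a real stager they are shellcode. We only
look at them as data.
"""
import base64
import re
from typing import List

XOR_KEY = 35  # the constant in the stager's `-bxor 35` loop


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def decode_stage(b64_blob: str, key: int = XOR_KEY) -> bytes:
    """Undo the stager's wrapping: Base64, then the single-byte XOR."""
    return xor_bytes(base64.b64decode(b64_blob), key)


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """A rough strings(1): runs of printable ASCII at least `min_len` long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_c2_candidates(b64_blob: str, key: int = XOR_KEY) -> List[str]:
    """Strings that survive the unwrap; the C2 host and URI path show up here."""
    return printable_strings(decode_stage(b64_blob, key))


# Constructed sample (not the real challenge blob): opaque-looking bytes around
# the hostname and URI fields, then wrapped exactly as the stager wraps them.
FAKE_PAYLOAD = (
    b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"   # prologue-looking bytes
    + b"\x00" * 8
    + b"You_Found_The_C2\x00"                     # where the C2 host normally sits
    + b"/updates.rss\x00"                         # a typical beacon URI slot
    + b"\x41" * 4
)
SAMPLE_B64 = base64.b64encode(xor_bytes(FAKE_PAYLOAD, XOR_KEY)).decode()

if __name__ == "__main__":
    for s in find_c2_candidates(SAMPLE_B64):
        print(s)
```

If the key is not known, the decoded PowerShell wrapper gives it away (look for the `-bxor` operand in the loop that rebuilds the byte array); and because single-byte XOR only has 256 keys, looping `find_c2_candidates` over every key and keeping the one that yields the most printable strings recovers it even when the wrapper is missing.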

And that wraps up the Cipher section. I really enjoyed the challenge of the steganography questions specifically. Finding new tools I've never used before is beneficial for future use cases. Until next time heroes!