Cyber Champions CTF All Forensics Challenges Writeups from R£v!l Team

Ahmed Ghanem
12 min read · Mar 11, 2024


+-----------------------+----------------------+------------+
| Challenge             | Category             | Difficulty |
+-----------------------+----------------------+------------+
| Suspect-I             | Network              | Easy       |
| Battlefield Secrets   | Steganography        | Easy       |
| YouKnowMe             | Steganography        | Medium     |
| Mosaic Reconnaissance | Steganography & Misc | Medium     |
| FreeM3                | Steganography & Misc | Hard       |
+-----------------------+----------------------+------------+

First, we would like to extend our heartfelt gratitude to Zinad and the Information Technology Institute (ITI) for organizing the Capture The Flag (CTF) event. Our team, R£v!l, has prepared a detailed write-up to help others learn from the challenges and solutions encountered during the competition.

We encourage all participants to continue their learning journey in cybersecurity and CTFs. Keep exploring, keep learning, and never give up. We wish everyone the best of luck in their future endeavors and look forward to seeing you all again at the next CTF event.

Good Luck❤️❤️❤️

--------------------------------------------------------------------------------

Challenge: Suspect-I
Category: Network
difficulty: Easy

You can find the file Here

After opening the pcap file in Wireshark, we saw that it contains 5419 packets, and the many packets sent over the Telnet protocol caught our eye:
Telnet is not secure: the protocol uses no encryption, so nothing sent over it (including credentials) is confidential.

So we looked at the protocol statistics: 566 packets were sent over Telnet, and those may contain sensitive data.

Next we followed the TCP streams.

Searching through the streams, we found the flag sent as an unencrypted password in stream number 12.

flag: ZiChamp{T3ln3t_Re@llY_Br0}
Recommendation: use a protocol with encryption, such as SSH, instead of Telnet; it protects credentials in transit and prevents attacks like man-in-the-middle.
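The same thing Wireshark's Follow TCP Stream shows can be reproduced in a few lines, which is useful for checking a capture for plaintext credentials during an investigation. This is an added example, not code from the original write-up: it strips Telnet option negotiation (RFC 854 IAC sequences) and reassembles what the client typed after the login and password prompts. The packet list is a constructed sample, not the challenge pcap, and "hunter2" is a placeholder.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0          # RFC 854 command bytes (constructed sample below)

def strip_iac(payload: bytes) -> bytes:
    """Drop Telnet option negotiation, keep only the user data bytes."""
    out, i = bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b != IAC or i + 1 == len(payload):      # data byte (or dangling IAC)
            out.append(b); i += 1; continue
        cmd = payload[i + 1]
        if cmd == IAC:                              # IAC IAC = literal 0xFF
            out.append(IAC); i += 2
        elif cmd == SB:                             # subnegotiation: skip to IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:                   # WILL/WONT/DO/DONT <option>
            i += 3
        else:                                       # any other two-byte command
            i += 2
    return bytes(out)

def extract_credentials(packets):
    """Collect client keystrokes after a 'login:' / 'Password:' prompt until Enter.
    Telnet clients usually send one keystroke per packet, exactly as in the pcap."""
    creds, field, buf = {}, None, bytearray()
    for direction, payload in packets:
        data = strip_iac(payload)
        if direction == "server":
            if b"login:" in data.lower():
                field, buf = "username", bytearray()
            elif b"password:" in data.lower():
                field, buf = "password", bytearray()
        elif field:
            for b in data:
                if b in (0x0D, 0x0A):               # Enter: field complete
                    creds[field], field = buf.decode("ascii", "replace"), None
                    break
                buf.append(b)
    return creds

# Constructed exchange, not taken from the challenge pcap; "hunter2" is a placeholder.
SAMPLE_EXCHANGE = [
    ("server", bytes([IAC, 0xFD, 0x18])),           # IAC DO TERMINAL-TYPE
    ("client", bytes([IAC, 0xFB, 0x18])),           # IAC WILL TERMINAL-TYPE
    ("server", b"login: "),
    *[("client", c.encode()) for c in "admin"], ("client", b"\r\n"),
    ("server", b"Password: "),
    *[("client", c.encode()) for c in "hunter2"], ("client", b"\r\n"),
]
```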

--------------------------------------------------------------------------------

Challenge: Battlefield Secrets
Category: Forensics
difficulty: Easy

We got a compressed file, Battlefield-Secrets.7z. After extracting it with 7z we found a JPEG image named Army.jpg.

Army.jpg

I always start with ExifTool to check the image metadata.

I found a Base64-encoded string in the Camera Model Name field. Decoding it gave us something that looked like a password:

Z!C@mp10n

We tried binwalk and foremost but found nothing, so we figured the password we found should be used to extract data hidden in the image. We used steghide with the following command:

steghide extract -sf Army.jpg

steghide asked for a passphrase, so we gave it the password found above (Z!C@mp10n), and yes, it extracted a file called flag.txt.

When we tried to read flag.txt, the extracted data was unreadable.

The first line contained a hint that this was a WAVE file, but when we tried to identify the file type with the file command it recognized nothing.

So we assumed this was a corrupted WAVE file that we had to repair. We looked at the magic bytes at the start of the file with a hex editor, and looked up the magic bytes of an intact WAVE file for comparison.

You can find the magic bytes of the most common file types here.

Searching for wav gives the following magic bytes.

After that we compared the two and corrected the magic bytes.

As you can see, the second part of the magic bytes (marked in red) is correct, which confirms that the file is a WAVE file; only the first part needs fixing. So let's correct it and see the result.

This was the final result: we corrected the corrupted bytes and renamed the file to .wav. Yes, the file now plays, and the sound is a Morse code signal, which you can read about
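The repair the write-up did by hand in a hex editor comes down to rebuilding the first eight bytes of the RIFF header from the parts that survived. The following is an added example, not code from the original write-up: it detects a WAV whose "RIFF" tag and size field are damaged but whose "WAVE"/"fmt " tags (the "second part" above) are intact, rewrites the header, and verifies the result with Python's standard wave parser. The WAV it works on is a tiny file built in memory, not the challenge file.

```python
import io
import struct
import wave

def make_sample_wav(n_frames: int = 100) -> bytes:
    """Constructed test input: a tiny valid mono 8-bit PCM WAV built in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(bytes([128, 255]) * (n_frames // 2))
    return buf.getvalue()

def corrupt_header(data: bytes) -> bytes:
    """Mimic the challenge file: the 'RIFF' tag and RIFF size (bytes 0-7) are junk,
    while 'WAVE' and 'fmt ' (bytes 8-15, the 'second part' in the write-up) survive."""
    return b"\x00\x00\x00\x00\xff\xff\xff\xff" + data[8:]

def repair_wav_header(data: bytes) -> bytes:
    """Rebuild bytes 0-7 from what every RIFF/WAVE file must contain:
    offset 0: b'RIFF'; offset 4: little-endian uint32 = total length - 8."""
    if len(data) < 16 or data[8:12] != b"WAVE" or data[12:16] != b"fmt ":
        raise ValueError("no WAVE/fmt tags at offset 8: not a WAV, or damaged further")
    return b"RIFF" + struct.pack("<I", len(data) - 8) + data[8:]

def is_valid_wav(data: bytes) -> bool:
    """Same question `file` or a player answers: does a strict WAV parser accept it?"""
    try:
        with wave.open(io.BytesIO(data), "rb") as w:
            return w.getnframes() > 0
    except (wave.Error, EOFError):
        return False
```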

Now we need to decode the Morse code. I searched for an online Morse decoder and finally found a great one Here.

After uploading the file and playing it, we got the flag.

flag: ZiChamp{5AVU3L-M0R53-@ND-@LFR3D-V@!1-1NV3NT3D-M3}

--------------------------------------------------------------------------------

Challenge: YouKnowMe
Category: Steganography
difficulty: Medium

You can find the file of the challenge Here

We got a file called You-Know-Me.zip. Extracting it produced a directory called Challange, which contains 7 files with unreadable names.

I started by checking the file type of each of these files.

One file, named “_u8ae2e9e-dee0-45f9-b722-43753a8561bb.jpg”, turned out to be a PDF rather than a JPEG, so I renamed it to file1.pdf.

I tried to open the PDF and was prompted for a password, so I tried to crack it with John the Ripper.

First we need the password hash to crack. pdf2john (shipped with John) extracts it, and we save its output to a file called hash:

pdf2john file1.pdf > hash

With the hash extracted, we cracked it using the well-known rockyou.txt wordlist with the following command:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

The password was cracked successfully:

password: 187rideordie

Opening the PDF with the password above gave us the following Base64-encoded text:

U1ZOR1FWRkRUV3BLUTFKdFdWZEthbEZWUlQwPQ==

Decoding it three times (Base64 inside Base64 inside Base64) gives a strange word.

At that moment I thought this was a password for something we would get from the rest of the files:

password: !!@@##$$fabcAA

First, I renamed the remaining files image1.jpg to image6.jpg to be able to tell them apart, then:

  • I started with ExifTool on all the images: nothing found
  • Then I tried binwalk and foremost: still nothing found
  • Then I tried steghide with the password we found (!!@@##$$fabcAA) on
    the images one by one: nothing found
  • Then I played with the layers of the images in Stegsolve: nothing found
  • Then I checked the LSB and MSB planes of the images one by one: nothing worked
  • After that I started opening the images on the online stego platform Here

I opened the images one by one on this stego platform and looked at the strings in each image.

I got lucky with the first image I tried (image1.jpg): it contained the string shown above.

I put this string into CyberChef: From Base64, then From Hex.

The output contained a filename, flag.txt, but something was wrong here.

About 30 minutes had passed at this point, so I suspected something was wrong with the Base64.

Yes, I was right.
I went back to the image and ran strings on it, but this Base64 was not in the output.
The online tool had found it, and then I remembered that strings has the -a option, which scans the entire file:

strings -a image1.jpg

This time we found the correct Base64 string.


Decoding it with an online Base64 decoder gave us a .rar file,

which we exported as file.rar.

Inside it we found a flag.txt, but a password was needed.

We gave it the password we found above (!!@@##$$fabcAA):

flag: ZiChmp{3@5Y_@5_!T_!5_CH@mP}

--------------------------------------------------------------------------------

Challenge: Mosaic Reconnaissance
Category: Forensics
difficulty: Medium

You can find the challenge file Here

In this challenge we got a file named Mosaic+Reconnaissance.zip.
After extraction we got a directory named Junk containing 961 files with strange names.

These were images, so we looked at them one by one, and in some of them we found fragments of something that looked like a flag.

Even after collecting those images we could not assemble the flag from them, so we started to think differently.

First we looked at the differences between the image names, and after putting some of them into CyberChef we found that the names were Base64 encoded.

From this we concluded that these are small pieces of one big image: each name is Base64 encoded and, once decoded, tells us where that piece belongs in the big image.

Looks like it is a Puzzle !!!!!!!!

First we need to decode the image names and rename each file to its decoded string.

We can do this with a bash one-liner:

for file in *; do mv -- "$file" "$(printf '%s' "$file" | base64 -d)"; done

These are the images after renaming.

Now we need to put the small images together to form the big one.

At this point I understood the idea, so I asked ChatGPT for help to save some time during the CTF.

ChatGPT gave me the base code; after several iterations and my own modifications, the final code I used is:

from PIL import Image

# Load small images (names after decoding: part_0.png ... part_960.png)
images = []
for i in range(961):
    img_path = f"part_{i}.png"
    img = Image.open(img_path)
    images.append(img)

# Calculate the size of the combined image (961 tiles = a 31 x 31 grid)
widths, heights = zip(*(img.size for img in images))
max_width = max(widths)
max_height = max(heights)
total_width = max_width * 31
total_height = max_height * 31

# Create a new image with a white background
combined_img = Image.new('RGB', (total_width, total_height), (255, 255, 255))

# Paste small images into the combined image, row by row
x_offset = 0
y_offset = 0
for img in images:
    combined_img.paste(img, (x_offset, y_offset))
    x_offset += max_width
    if x_offset >= total_width:
        x_offset = 0
        y_offset += max_height

# Save the combined image
combined_img.save('combined_image.png')

Finally, I got combined_image.png.

The flag is not here 🥵🥵🥵

I used Stegsolve to step through the bit planes and colour channels of the image, and

finally we got the flag:

flag: ZiChmp{1_Th0g5t_15!5_W!lL_K33P_1T_H!dd3n}
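The reassembly above relies on three things the write-up works out by hand: the decoded names carry the tile index, 961 tiles means a 31 x 31 grid, and the tiles fill the grid row by row; the flag was then found in a bit plane with Stegsolve. The following is an added example, not the write-up's script, that makes each of those steps explicit and checkable without Pillow: it maps the Base64 names back to indices (assuming the part_<n>.png naming the script above uses), derives the grid side from the tile count, assembles the tiles as plain 2-D pixel lists, and extracts a single bit plane of one channel the way Stegsolve displays it. The tiles and names are constructed, not the challenge's.

```python
import base64
import math
import re

def decode_tile_names(encoded_names):
    """Map each base64-encoded filename to its tile index. Assumes the decoded
    names are part_<n>.png, as in the script above; anything else is rejected."""
    index_of = {}
    for enc in encoded_names:
        name = base64.b64decode(enc).decode("ascii", "replace")
        m = re.fullmatch(r"part_(\d+)\.png", name)
        if not m:
            raise ValueError(f"{enc} decodes to {name!r}, not part_<n>.png")
        index_of[int(m.group(1))] = enc
    return index_of

def grid_side(n_tiles: int) -> int:
    """961 tiles -> 31; refuse counts that do not form a square grid."""
    side = math.isqrt(n_tiles)
    if side * side != n_tiles:
        raise ValueError(f"{n_tiles} tiles do not fill a square grid")
    return side

def assemble(tiles, side):
    """tiles: index -> tile as a 2-D list of pixels (all the same size), placed
    row-major, so index 31 opens the second row when side == 31. Returns the mosaic."""
    th, tw = len(tiles[0]), len(tiles[0][0])
    mosaic = [[None] * (tw * side) for _ in range(th * side)]
    for idx in range(side * side):
        row, col = divmod(idx, side)
        for y, line in enumerate(tiles[idx]):
            mosaic[row * th + y][col * tw:(col + 1) * tw] = line
    return mosaic

def bit_plane(pixels, channel: int, bit: int):
    """Stegsolve-style view of one bit of one RGB channel (0 = R, 1 = G, 2 = B)."""
    return [[(p[channel] >> bit) & 1 for p in row] for row in pixels]

# Constructed 2x2 mosaic of 1x2-pixel RGB tiles; the red value encodes the tile index.
SAMPLE_NAMES = [base64.b64encode(f"part_{i}.png".encode()).decode() for i in (3, 0, 2, 1)]
SAMPLE_TILES = {i: [[(i, 0, 0), (i, 0, 0)]] for i in range(4)}
```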

--------------------------------------------------------------------------------

Challenge: FreeM3
Category: steganography
difficulty: Hard

You can find the challenge file Here

In this challenge we got a file named FreeM3.zip.
Extracting it gives two tar files, File1.tar and File2.tar.

Let's extract the contents of each tar file with the following command:

tar xf "$FileName"

Extracting File1.tar gave us two JPEG images, 300.jpg and 301.jpg.

Extracting File2.tar gave us a new tar named 999.tar; extracting that gave 998.tar, and so on ….

So we need to extract the tar files from 999 down to 0, which a simple bash one-liner does:

for i in $(seq 999 -1 0); do tar -xvf "$i.tar"; done

When the loop finished, we were left with the following:

a file named No0o.tar.

Extracting it gave us a file named Noo.txt.

We found that Noo.txt is actually a zip file.

After renaming it to Noo.zip we tried to open it and found that the archive needs a password.

We tried to crack it with John but had no success.

So the two images, 300.jpg and 301.jpg, probably hold the password.

We started with the usual steps (ExifTool, binwalk, strings, etc.),
but found nothing, and unfortunately the CTF ended.

After the CTF I asked the author for a hint, and he told me to compare the strings of the two images.

Back home I searched for a tool to compare the strings of two images and found the Linux diff tool.

I saved the strings of 300.jpg to file1.txt and those of 301.jpg to file2.txt,

then compared them with diff; the differing parts looked like a Base64-encoded string.

I concatenated them and decoded the result as Base64.

Now we have the password:

Z!Ch@mp!0Ns3cUr3P@55

With it we can extract a file named NotaFlag.txt.

Reading it, I found that NotaFlag.txt contains lots of whitespace.

I recognized this as whitespace encoding: a tab (“\t”) represents a binary 1 and a space represents a 0, so I wrote a simple Python script to do the conversion for us:

import sys

input_file = sys.argv[1]
output_file = "output.txt"

# Tab -> '1', space -> '0'; any other character (e.g. newlines) is passed through
with open(input_file, 'r') as infile, open(output_file, 'w') as outfile:
    for line in infile:
        replaced_line = line.replace('\t', '1').replace(' ', '0')
        outfile.write(replaced_line)

print(f"{output_file}")

Running this script gives us a file named output.txt:

010110100110100101000011011010000110110101110000011110110101100100110000011101010101111101010100011010000011000101101110011010110101111101011001001100000111010101011111010000110100000000110100010111110100001000110011001100100101010001011111010011010011001101011111001100000110100001001000010111110101100100110000011101010101111101000100001000010100010001111101

Converting the binary to ASCII gives us the flag.

flag: ZiChmp{Y0u_Th1nk_Y0u_C@4_B32T_M3_0hH_Y0u_D!D}
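The script above produces the bit string, and the last step (binary to text) was done separately. As an added example, not the write-up's script, here is the whole decoder in one place: it ignores characters that are neither tab nor space (a stray newline would otherwise corrupt the bit alignment), refuses bit strings that are not a whole number of bytes, and ships with a constructed sample built by the inverse transform, not the challenge's NotaFlag.txt.

```python
import sys

def whitespace_to_bits(text: str) -> str:
    """Tab -> '1', space -> '0'. Every other character (newlines, stray text)
    is ignored instead of being copied into the bit string."""
    return "".join("1" if c == "\t" else "0" for c in text if c in "\t ")

def bits_to_text(bits: str) -> str:
    """Group the bit string into 8-bit bytes and turn them into characters."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def decode_whitespace_file(path: str) -> str:
    with open(path, encoding="utf-8") as f:
        return bits_to_text(whitespace_to_bits(f.read()))

def text_to_whitespace(text: str) -> str:
    """Inverse transform, used here only to build a constructed sample."""
    return "".join("\t" if b == "1" else " "
                   for ch in text for b in format(ord(ch), "08b"))

# Constructed sample (not the challenge file); the newline shows that non-tab,
# non-space characters are skipped rather than breaking the decoding.
SAMPLE = text_to_whitespace("ZiChmp{") + "\n" + text_to_whitespace("example}")

if __name__ == "__main__":
    print(decode_whitespace_file(sys.argv[1]))
```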

Finally, I want to thank my teammate Mahmoud Hashad; we solved all these forensics challenges together, step by step ❤️

And I want to thank all my teammates for their hard work ❤️❤️

Thanks for your time and effort. I hope you liked and enjoyed reading it. ❤️❤️

If you have any comments, edits, or another way to solve them, don’t hesitate to contact me:

https://www.linkedin.com/in/ahmed-ghanem-cs/

