CTF write up: FRS302

In this challenge, we have a WAV file.

You can get the idea in this link.

Python code is:

Use wave package (native to Python) for reading the received audio file
import wave
song = wave.open("challenge.wav", mode='rb')
Convert audio to byte array
frame_bytes = bytearray(list(song.readframes(song.getnframes())))
Extract the LSB of each byte
extracted = [frame_bytes[i] & 1 for i in range(len(frame_bytes))]
Convert byte array back to string
string = "".join(chr(int("".join(map(str,extracted[i:i+8])),2)) for i in range(0,len(extracted),8))
Cut off at the filler characters
decoded = string.split("###")[0]
Print the extracted text
print("Sucessfully decoded: "+decoded)
song.close()

Flag: FUSEC{LSB_in_Music________How_could_that_be?}

CTF write up: FRS301

In this challenge, we have a PDF file which is corrupted.

Firstly, open this file and we found a flag which was set to white color at the end of the file. But this is a fake one.

Next, I tried to view metadata of this file and we have another fake flag.

When zooming in, we saw a lot of yellow dots on the pages.

These dots lead us to Machine Identification Code and we can decode with deda.

Now, we have the idea. We need to change the PDF file into images and then decode them.

I use pdftoppm command.

pdftoppm corrupted.pdf pdf -png

Then, we have 9 images named from “pdf-1.png” to “pdf-9.png“. Next, use deda.

deda_parse_print pdf-1.png

The ‘serial‘ numbers seem to be the characters of the flag encoded in decimal. Combine all the serial numbers, we have:

77 52 67 72 49 78 51 95 49 68 51 78 84 49 70 49 67 52 84 49 48 78 95 67 48 68 51

which is:

M4CH1N3_1D3NT1F1C4T10N_C0D3

Flag: FUSEC{M4CH1N3_1D3NT1F1C4T10N_C0D3}
This challenge has the same idea as a challenge in ALLES! CTF 2020.

CTFlearn solution: PDF by fdpumyp

We just need to use strings command.

Decode base64 string “Q1RGbGVhcm57KV8xbDB3M3kwVW0wMG15MTIzfQ==” and we have the flag.

Flag: CTFlearn{)_1l0w3y0Um00my123}

CTFlearn solution: Minions

First, we use strings command and we found a link.

Access the link, we download an image.

Next, we use binwalk to extract the image.

binwalk --extract --dd=".*." Only_Few_Steps.jpg

Again, we found another image.

And again, we use strings command.

Repetitively decoding that base64 string and we will find the flag.

Flag: CTF{M1NI0NS_ARE_C00L}

CTFlearn solution: Simple Steganography

The hint is: “Steghide Might be Helpfull”. Then, we will use Steghide in this challenge.

But, we need a passphrase to extract data from the image.

We have to find the passphrase by using strings command.

The string “myadmin” is a readable string, so I think it might be the passphrase we are looking for.

We use steghide and “myadmin” to extract the data:

steghide extract -sf Minions1.jpeg

Open file “raw.txt“, we found a string: AEMAVABGAGwAZQBhAHIAbgB7AHQAaABpAHMAXwBpAHMAXwBmAHUAbgB9

Next, we decode that base64 string, we have: �C�T�F�l�e�a�r�n�{�t�h�i�s��i�s��f�u�n�}

Flag: CTFlearn{this_is_fun}

CTFlearn solution: I’m a dump

We just need to use strings command.

Then, we “remove an useless H.E.H.U.H.E. from the flag”.

Flag: CTFlearn{fl4ggyfl4g}

CTFlearn solution: Exclusive Santa

Extract the file and we can see 2 images.

Use binwalk to find what is inside the images and extract it.

And inside the 3.png image, we find another image.

According to the name of the challenge and the 3.png image, we think about XOR 2 images, using this tool.

We use Image Combiner.

And we have:

Flag: CTFlearn{Santa_1s_C0ming}

CTFlearn solution: The adventures of Boris Ivanov. Part 1.

In this challenge, we use a stereogram solver, open the file and choose:

Click the arrow button, we will see the flag at offset 102.

Flag: flag{d0nt_m3s5_w1th_th3_KGB}

CTFlearn solution: Dumpster

In this challenge, we need to use VisualVM to open heapdump.hprof file.

Next, open the Threads tab.

We can find the passHash in the file.

Then, we change the code a little bit:

import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Decryptor
{
	public static final String FLAG = "S+kUZtaHEYpFpv2ixuTnqBdORNzsdVJrAxWznyOljEo=";
	public static final byte[] passHash = {7, 95, -34, 16, -89, -86, 73, 108, -128, 71, 43, 41, 100, 40, 53, -24};
	public static byte[] decrypt(byte[] msg) throws Exception
	{
		SecretKeySpec spec = new SecretKeySpec(passHash, "AES");
		Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
		cipher.init(Cipher.DECRYPT_MODE, spec);
		return cipher.doFinal(msg);
	}
	
	public static void main(String[] args) throws Exception
	{
		System.out.println(new String(decrypt(Base64.getDecoder().decode(FLAG.getBytes()))));
	}
}

And we found the flag.

Flag: stCTF{h34p_6ump5_r_c00l!11!!}

CTFlearn solution: Tux!

First, we use strings command.

We see a base64 string: ‘ICAgICAgUGFzc3dvcmQ6IExpbnV4MTIzNDUK‘

Decode it, we have: Password: Linux12345

Then, we use binwalk and there is a file inside the image, extract it.

We have a zip file.

It has a flag file, we open the file with the password we just found.

And we find the flag.

Flag: CTFlearn{Linux_Is_Awesome}