Our team (hackstreetboys) decided to participate @ encryptCTF 2019 hosted by Abs0lut3Pwn4g3. Luckily, we finished 52nd place out of 696 participants.
This is my writeup for all the Forensics challenges, which were fairly easy, but still fun! Let’s begin:
It’s a WrEP
Based on the challenge name and the keywords sniffed, spoofed and Wifi Network in the description, we can infer that this is a capture of WEP traffic. Because WEP's key can be recovered statistically from enough captured IVs, aircrack-ng solves this one on its own, no wordlist needed:
flag is: encryptCTF{W45_17_R34L?!}
Wi Will H4CK YOU!!
Just like the previous challenge, the name hints that this is another sniffed WiFi capture. Let's try opening it with aircrack-ng:
But this time it's WPA, so we need a wordlist. Based on the challenge name, Wi Will (We Will) H4CK YOU!!, I decided to use the rockyou list and cracked it using hashcat.
With this as the result (hashcat prints the handshake MIC, the AP MAC, the client MAC, the ESSID and the recovered passphrase, colon-separated):
3375a889fae19f9e9578414e4b88f320:14cc20f532fe:a85c2c380c59:encryptCTF:ThanckYou
flag is: encryptCTF{ThanckYou}
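To make concrete what hashcat is doing with that wordlist, here is an added example (mine, not part of the original writeup or the CTF files) of the WPA2-PSK check in Python: PBKDF2-HMAC-SHA1 over the passphrase and ESSID gives the PMK, the 802.11i PRF-512 expands it into the PTK whose first 16 bytes are the KCK, and the KCK authenticates the EAPOL-Key frame with HMAC-SHA1 (key descriptor version 2), truncated to the 16-byte MIC that hashcat printed as the first field. The ESSID and the two MAC addresses are taken from the hashcat line above; the nonces, the EAPOL message 2 body and the wordlist are constructed here, so the MIC this computes is not the one from the capture.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes) per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: HMAC-SHA1 counter mode over label, min/max of the MACs and of the nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes >= 64 bytes of PTK
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 with the MIC field zeroed (what the MIC is computed over)."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: v2, pairwise, MIC
            + b"\x00\x00"                 # key length
            + (1).to_bytes(8, "big")      # replay counter
            + snonce + bytes(16)          # nonce, IV
            + bytes(8) + bytes(8)         # RSC, key ID
            + bytes(16) + b"\x00\x00")    # MIC (zeroed), key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, target_mic, wordlist):
    """The dictionary attack hashcat runs in mode 2500/22000, one candidate at a time."""
    for word in wordlist:
        kck = wpa2_ptk(wpa2_pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), target_mic):
            return word
    return None


SSID = "encryptCTF"                       # from the hashcat output line
AP_MAC = bytes.fromhex("14cc20f532fe")    # from the hashcat output line
STA_MAC = bytes.fromhex("a85c2c380c59")   # from the hashcat output line
ANONCE = bytes(range(32))                 # constructed; real ones come from messages 1 and 2
SNONCE = bytes(range(32, 64))             # constructed
EAPOL_M2 = build_eapol_m2(SNONCE)
WORDLIST = ["123456", "password", "iloveyou", "ThanckYou", "princess"]  # constructed


def demo():
    """Simulate a network keyed with "ThanckYou", then recover it from the wordlist."""
    real_kck = wpa2_ptk(wpa2_pmk("ThanckYou", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(real_kck, EAPOL_M2)
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2, mic, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The 4096-round PBKDF2 per candidate is why this is slow and why hashcat's GPU offload matters against a list the size of rockyou; the check is only possible because the capture holds a complete message 2 (nonces plus a MIC to compare against).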
Get Schwifty
This was easy to solve. After extracting the .7z file we get GetSchwifty.img. Opening the .img file in FTK gives us the flag right away (the flag text itself explains why: a deleted file is not gone until its data is actually overwritten):
flag is: encryptCTF{alw4ys_d3lete_y0ur_f1les_c0mpletely}
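Why a deleted file still shows up in FTK: an added example (not from the writeup; the page does not say which filesystem the image uses, so FAT12 is assumed here) that builds a tiny FAT12 image in memory, deletes one file the way the filesystem does (first byte of the directory entry set to 0xE5, FAT chain released, data untouched) and then recovers it by parsing the directory and reading the clusters behind it, which is what a forensic tool does when it lists deleted files.

```python
import struct

SECTOR = 512


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def fat12_get(fat: bytes, n: int) -> int:
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    return v >> 4 if n & 1 else v & 0xFFF


def dir_entry(name: str, cluster: int, size: int, deleted: bool = False) -> bytes:
    """32-byte 8.3 directory entry; a delete only overwrites its first byte with 0xE5."""
    e = bytearray(32)
    e[0:11] = name.encode("ascii")
    e[11] = 0x20                               # ATTR_ARCHIVE
    struct.pack_into("<H", e, 26, cluster)     # first cluster (low word)
    struct.pack_into("<I", e, 28, size)
    if deleted:
        e[0] = 0xE5
    return bytes(e)


README = b"nothing to see here\n"                                   # constructed
SECRET = b"this file was deleted, but its cluster was never wiped\n"  # constructed


def build_image() -> bytes:
    """Constructed FAT12 image: boot sector, 1 FAT, 1 root-dir sector, 5 data sectors."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSWIN4.1"
    #                 bps    spc res fats root tot med spf spt hd hid tot32
    struct.pack_into("<HBHBHHBHHHII", boot, 11,
                     SECTOR, 1, 1, 1, 16, 8, 0xF8, 1, 1, 1, 0, 0)
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xF8\xFF\xFF"         # media byte and reserved entry
    fat12_set(fat, 2, 0xFFF)           # README.TXT: one cluster, end of chain
    fat12_set(fat, 3, 0x000)           # SECRET.TXT: chain released by the delete
    root = bytearray(SECTOR)
    root[0:32] = dir_entry("README  TXT", 2, len(README))
    root[32:64] = dir_entry("SECRET  TXT", 3, len(SECRET), deleted=True)
    data = bytearray(5 * SECTOR)
    data[0:len(README)] = README                   # cluster 2
    data[SECTOR:SECTOR + len(SECRET)] = SECRET     # cluster 3, still intact on disk
    return bytes(boot + fat + root + data)


def recover(img: bytes):
    """List root-directory files, deleted ones included, and read their data back.
    Live files follow the FAT chain; for deleted files the chain is gone, so the
    usual heuristic of contiguous clusters from the first one is applied."""
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    cluster = bps * spc
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + root_entries * 32
    fat = img[fat_off:fat_off + spf * bps]
    files = []
    for i in range(root_entries):
        e = img[root_off + 32 * i:root_off + 32 * i + 32]
        if e[0] == 0x00:
            break                               # end of directory
        deleted = e[0] == 0xE5
        first = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        base = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        name = base + "." + e[8:11].decode("ascii").rstrip()
        need = -(-size // cluster)              # ceil(size / cluster)
        if deleted:
            chain = [first + k for k in range(need)]
        else:
            chain, c = [], first
            while 2 <= c < 0xFF8 and len(chain) < need:
                chain.append(c)
                c = fat12_get(fat, c)
        raw = b"".join(img[data_off + (c - 2) * cluster:data_off + (c - 1) * cluster] for c in chain)
        files.append((name, deleted, raw[:size]))
    return files


if __name__ == "__main__":
    for name, deleted, content in recover(build_image()):
        print(("[deleted] " if deleted else "") + name, content)
```

The first character of the deleted name is lost to the 0xE5 marker, which is why forensic tools show it as a placeholder; the content survives until the cluster is reused, and only overwriting the data (the "delete completely" the flag asks for) prevents this.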
Journey to the Center of the File 1
For this challenge we are given a file made of recursively nested archives.
So for this, I will give you two methods:
- legit method (scripting)
- joke method (cheesing)
Scripting Method
Please see the initial observations below:
1. Extracting the .gz file with gzip -d gives us ziptunnel1, which is a .zip file.
2. Extracting the .zip file with unzip gives us flag.gz, a .gz file.
3. Extracting flag.gz with gzip -d gives us flag, a .zip file.
4. …
Can you see the pattern here? Good! Let’s unpack this ziptunnel using this script:
#!/bin/bash
# made with <3 by mon from hackstreetboys
mkdir staging
cp ziptunnel1.gz staging/
cd staging
# layers alternate: gz, zip, gz, zip, ... so alternate gzip and unzip;
# whichever tool does not match the current layer just errors out harmlessly
for i in {1..1000}
do
    if [ $((i%2)) -eq 1 ]
    then
        gzip -df *            # odd rounds: strip the .gz layer (round 1 is ziptunnel1.gz)
    else
        unzip -o *            # even rounds: strip the zip layer
        rm ziptunnel1 > /dev/null 2>&1
    fi
done
What we did is we made a staging ground for our zipmole (yeah mole, cause he needs to go into a tunnel. keep up. 😂) so he can find the flag at the end.
After running the script we will get the flag.
Cheese Method
So you wanna learn how to cheese challenges like these, eh? You've come to the right blog. Open the file in FTK and press the Right arrow key on your keyboard to step into each nested archive, until you get bored:
Now before you ask, I did the Scripting Method for this challenge. 😂
I just remembered doing something like this on one of my previous forensics engagements hahaha
flag is: encryptCTF{w422up_b14tch3s}
Journey to the Center of the File 2
Now don't expect any cheese method on this one, although I'll give you a noobish method and a legit method.
Please see the observations below:
1. Extracting ziptunnel2 gives us flag, a gz file.
2. Extracting flag (after renaming it to flag.gz) gives us flag, a zip file.
3. Extracting flag (the zip file) gives us flag, another gz file.
4. Extracting flag (after renaming it to flag.gz) gives us flag, a zip file.
5. Extracting flag (the zip file) gives us flag, a bzip2 file.
6. Extracting flag (the bzip2 file) gives us flag.out, a zip file.
7. Extracting flag.out takes us back to step 2.
Now for the solutions.
Legit Method
With the above steps in mind, let’s upgrade zipmole.sh to zipmole2.py. Yep, I used python for this:
#!/usr/bin/env python3
import bz2
import gzip
import zipfile

# ziptunnel2 is renamed to "flag" first; every layer is written back to "flag"
while 1:
    try:
        # if zip, unzip it: read the single member into memory instead of
        # extractall(), because the member is also named "flag" and would
        # clobber the archive while it is still being read
        with zipfile.ZipFile("flag") as zip_file:
            result = zip_file.read(zip_file.namelist()[0])
    except zipfile.BadZipFile:
        with open("flag", "rb") as f:
            result = f.read()
        try:
            # if bzip2
            result = bz2.decompress(result)
        except OSError:
            try:
                # if gzip
                result = gzip.decompress(result)
            except (OSError, EOFError):
                # neither zip, bzip2 nor gzip: this is the flag
                print(result)
                break
    with open("flag", "wb") as f:
        f.write(result)
What this script does is essentially: unzip the file if it is a zip, bz2-decompress it if it is bzip2, gzip-decompress it if it is gzip, and write the result back to flag each round. Once none of the three applies, what is left is the flag:
Noob Method
Alright, for this noob method. We’ll just blindly follow the steps above.
#!/bin/bash
while :
do
    mv flag flag.gz
    gzip -df flag.gz       # gz layer  -> flag (zip)
    unzip -o flag          # zip layer -> flag (gz)
    mv flag flag.gz
    gzip -df flag.gz       # gz layer  -> flag (zip)
    unzip -o flag          # zip layer -> flag (bzip2)
    bzip2 -d flag          # no .bz2 suffix to strip, so bzip2 writes flag.out (zip)
    unzip -o flag.out      # zip layer -> flag (gz), back to the top of the loop
    rm -f flag.out
done
Not the most elegant solution, but hey, this was my first solution hahaha
We can't terminate this, so when it bugs out, just press Ctrl+C.
After which it will give you the flag:
flag is: encryptCTF{f33ls_g00d_d0nt_it?}
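Both ziptunnel observation lists above boil down to one routine: look at the magic bytes, peel one layer, repeat. As an added example (mine, not the writeup's zipmole scripts and not the challenge files), here is a general in-memory unwrapper that handles zip, bzip2 and gzip in any order, records the layers it removed, and stops on a layer count or size limit so a nested decompression bomb cannot exhaust disk or memory. The nested sample it runs on is constructed here with the same layer order as the ziptunnel2 observations, and its payload is a placeholder, not a real flag.

```python
import bz2
import gzip
import io
import zipfile

# magic numbers of the three container formats seen in the ziptunnel challenges
MAGIC = {
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\x1f\x8b": "gzip",
}

# outermost-to-innermost order from the ziptunnel2 observations (ziptunnel2 itself is a zip)
ORDER = ["zip", "gzip", "zip", "gzip", "zip", "bzip2"]


def identify(data: bytes):
    """Return the layer type by magic bytes, or None if data is not an archive."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def peel(data: bytes) -> bytes:
    """Remove exactly one layer, entirely in memory (nothing is written to disk)."""
    kind = identify(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError(f"expected exactly one member, found {names}")
            return zf.read(names[0])
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "gzip":
        return gzip.decompress(data)
    raise ValueError("not a zip/bzip2/gzip layer")


def unwrap(data: bytes, max_layers: int = 10000, max_size: int = 64 * 1024 * 1024):
    """Peel layers until the payload is no longer an archive.
    Returns (payload, layer_types). The limits guard against a decompression
    bomb disguised as a deep tunnel."""
    layers = []
    while True:
        kind = identify(data)
        if kind is None:
            return data, layers
        if len(layers) >= max_layers:
            raise RuntimeError(f"gave up after {max_layers} layers")
        data = peel(data)
        if len(data) > max_size:
            raise RuntimeError("a layer expanded beyond the size limit")
        layers.append(kind)


def wrap(payload: bytes, kinds) -> bytes:
    """Build a nested sample (constructed test data): kinds are applied innermost first."""
    data = payload
    for kind in kinds:
        if kind == "zip":
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
                zf.writestr("flag", data)   # the member is named "flag", like the challenge
            data = buf.getvalue()
        elif kind == "bzip2":
            data = bz2.compress(data)
        elif kind == "gzip":
            data = gzip.compress(data)
        else:
            raise ValueError(kind)
    return data


PAYLOAD = b"encryptCTF{constructed_sample_not_the_real_flag}"  # constructed placeholder


def demo():
    """Three repetitions of the observed cycle, then unwrap them all."""
    sample = wrap(PAYLOAD, reversed(ORDER * 3))
    return unwrap(sample)


if __name__ == "__main__":
    payload, layers = demo()
    print(len(layers), "layers:", layers)
    print(payload)
```

Compared to the zipmole scripts, this never relies on a tool failing to detect the wrong layer, never writes intermediate files (so a zip member named like its own archive cannot clobber it), and refuses to run forever on a tunnel built to waste your time.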
Conclusion
All in all, these challenges were fun! Although I was expecting more forensics challenges in this CTF, solving these was a good refresher on some basics of the digital forensics field.
I hope you guys learned something new from this write-up!
— mon
PS
Hi I’m Mon, and I’m one of the founders of hackstreetboys, a CTF team from the Philippines!
While you’re at it, please like our Facebook page (hackstreetboys)
Follow our Twitter account (https://twitter.com/_hackstreetboys)
Read our writeups on Medium (https://medium.com/hackstreetboys)
Look at our new GitHub page (https://github.com/hackstreetboysph)