encryptCTF2019 — Forensics Writeup

5 min readApr 4, 2019


This is my writeup for all of the challenges in the Forensics category of encryptCTF2019.

Our team (hackstreetboys) decided to participate @ encryptCTF 2019 hosted by Abs0lut3Pwn4g3. Luckily, we finished 52nd place out of 696 participants.

2nd board wipe of the year ❤

This is my writeup for all the Forensics challenges, which were fairly easy, but still fun! Let’s begin:

It’s a WrEP

Based on the challenge name and the keywords sniffed, spoofed and Wifi Network, we can infer that this was a sniffed WEP traffic. We can easily solve this using aircrack-ng :

be sure to specify the correct index number

flag is: encryptCTF{W45_17_R34L?!}

Wi Will H4CK YOU!!

Just like the previous challenge, the challenge name hints that this is another sniffed WiFi traffic. Let’s try to open it using aircrack-ng :


But this time, it’s WPA so we need a wordlist. Based on the challenge name, Wi Will (Wi Will) H4CK YOU!!, I decided to use the rockyou list and cracked it using hashcat.

With this as the result:


flag is: encryptCTF{ThanckYou}

Get Schwifty

This was easy to solve. After downloading the .7z file, we will get GetSchwifty.img . In fact, opening the .img file using FTK will give us the flag:

flag is: encryptCTF{alw4ys_d3lete_y0ur_f1les_c0mpletely}

Journey to the Center of the File 1

For this challenge we are given recursively nested folders.

So for this, I will give you two methods:

  1. legit method (scripting)
  2. joke method (cheesing)

Scripting Method

Please see the initial observations below:

  1. Extracting the .gz file using gzip -d will give us ziptunnel1 , which is a .zip file.

2. Extracting the .zip file using unzip will give us flag.gz , a .gz file.

3. Extracting flag.gz using gzip -d will give us flag, a .zip file.

4. …

Can you see the pattern here? Good! Let’s unpack this ziptunnel using this script:

# made with <3 by mon from hackstreetboys
mkdir staging
cp ziptunnel1.gz staging/
cd staging
for i in {1..1000}
if [ $((i%2)) -eq 0 ]
gzip -df *
unzip *
rm ziptunnel1 > /dev/null 2>&1

What we did is we made a staging ground for our zipmole (yeah mole, cause he needs to go into a tunnel. keep up. 😂) so he can find the flag at the end.

After running the script we will get the flag.

Cheese Method

So you wanna learn how to cheese challenges like these, eh? You’ve come to the right blog. Open the file in FTK:

And press -> on your keyboard. The Right key until you get bored:

wait for it

Now before you ask, I did the Scripting Method for this challenge. 😂

I just remembered doing something like this on one of my previous forensics engagements hahaha

flag is: encryptCTF{w422up_b14tch3s}

Journey to the Center of the File 2

Now don’t expect any cheese method on this one. Although I’d give you a noobish method and a legit method.

Please see the observations below:

  1. Extracting ziptunnel2 will give us flag , a gz file.
  2. Extracting flag (after renaming it to flag.gz) will give us flag, a zip file.
  3. Extracting flag (the zip file) will give us flag, another gz file
  4. Extracting flag (after renaming it to flag.gz) will give us flag, a zip file.
  5. Extracting flag (the zip file) will give us flag, a bzip2 file
  6. Extracting flag (the bzip2 file) will give us flag.out , a zip file
  7. Extracting flag.out will take us back to step 2.

Now for the solutions.

Legit Method

With the above steps in mind, let’s upgrade zipmole.sh to zipmole2.py. Yep, I used python for this:

import gzip
import bz2
import zipfile
while 1:
#if zip, unzip it
with zipfile.ZipFile("flag") as zip_file:
with open("flag", "rb") as f:
result = f.read()
#if bzip2
result = bz2.decompress(result)
with open("flag", "wb") as f:
#if gzip
result = gzip.decompress(result)
with open("flag", "wb") as f:

What this script does is it essentially unzips a file if it is a zip file, bz2 decompresses a file if it is a bzip2 file, and gzip decompresses a file if it is a gz file.

After which it will give you the flag:

Noob Method

Alright, for this noob method. We’ll just blindly follow the steps above.

#!/bin/bashwhile :
mv flag flag.gz
gzip -df flag.gz
unzip -o flag
mv flag flag.gz
gzip -df flag.gz
unzip -o flag
bzip2 -d flag
unzip flag.out
rm -rf flag.out

Not the most elegant solution, but hey this was my first solution hahaha

We can’t terminate this, so when it bugs out just press Ctrl+C.

After which it will give you the flag:

flag is: encryptCTF{f33ls_g00d_d0nt_it?}


All in all these challenges were fun! Although I was expecting more forensics challenges for this CTF, solving these were good refreshers to some basics in the digital forensics field.

I hope you guys learned something new from this write-up!

— mon


Hi I’m Mon, and I’m one of the founders of hackstreetboys, a CTF team from the Philippines!

While you’re at it, please like our Facebook page (hackstreetboys)
Follow our Twitter account (https://twitter.com/_hackstreetboys)
Read our writeups on Medium (https://medium.com/hackstreetboys)
Look at our new GitHub page (https://github.com/hackstreetboysph)