Career Awareness CTF (CCAW CTF from Virginia Cyber Range)

Jpgp
Oct 22, 2021

Here is my write-up for the questions I was able to answer for Virginia Cyber Range’s Career Awareness CTF.

Even though the challenge is over, I won’t be listing the answer to every question, as a lot of them were simply Google searches, but I will be listing out all the ones that I enjoyed and the ones that gave me some trouble.

In total there were 6 sections, with a total of 47 questions, of which I was able to solve 45.

Let’s start with the Investigate challenges

Where in the world?

IMG-1802.JPG

This challenge wants us to find where in the world this picture was taken.

Dropping this in an online metadata viewer should give us the answer, though Exiftool could be used as well.

Location: Basseterre, Saint Kitts & Nevis

Flag is {Basseterre}

Seems Simple

Looks like this file has alternate data streams. We can use PowerShell to see the streams.

Now let’s look inside the txt files to see if we can find the flag hidden in here somewhere.

Flag is {filestreamsareoldnews}

Behind the Rocks

IMG-1821.JPG

Similar to “Where in the world?”, this challenge needs us to find what’s “Behind the rocks”.

Dropping it back into Jeffrey’s Image Metadata Viewer, we see there are some comments made in the image.

This looks like base64, so when we decode we see the flag was hidden in the comments.

Flag is {HidingInHiddenData}

Binwalk it off

This challenge is called Binwalk it off, so immediately we know that means we’re going to use “binwalk” in order to extract something embedded within this image.

Top10

Flag is {ZGInaXRhbF9mb3JIbnNpY19hbmFseXN0}

Nothing to see here

Softdev1

I wasn’t really sure where to start here as none of the metadata really showed anything, and I couldn’t find anything embedded in the image. The first hint states there’s a lot of white space around the image, making me think there’s something hidden in the white parts.

Putting the picture in an image editor and messing with the color values reveals a set of numbers at the bottom.

This is ASCII so converting this into text we get “WYSIWYG” (What you see is what you get)

Flag is {WYSIWYG}

Analyze

HTTP(in)security

For this challenge we are provided with a pcap file. Using Wireshark we can analyze its contents.

simplehttp.pcap

Looks like we found the flag.

Simple enough but it didn’t work. I racked my brain around trying any combination or even looking for a different flag but it clearly had to be this. I ended up submitting a request to the support email for this CTF. Turns out this challenge was broken and needed to be updated.

After the challenge was updated the previously found flag worked

Flag is {dontUseHTTPeverSRSLY}

Eye End Ère

eyeendere

Plugging this into a one time pad Vigenere with the key labeled in the first image gets us the flag.

Flag is {FLAGNOTALWAYSINTHEIMAGE}

File extraction!

This challenge needs us to find a file in filepackets.pcap. We can just open Wireshark and look for it.

filepackets.pcap

Looks like there was a GET request at http://www.dnomyard.com/stuff/file. If we go to this URL we get the flag.

Flag is {H3rs_Y0ur_Fl@g}

Needle in a Needlestack

Just a quick challenge following the TCP stream until the flag shows up.

Flag is {dontsendpasswordsincleartext}

Hearing is Believing

This one was probably my favorite challenge. As soon as I saw the mp3 file name I knew I was about to get Rick Rolled.

Once it got to the chorus it started to sound a bit distorted, so I tried slowing it down or even playing it backwards. I skipped it until I did a bit of research and came across this article for embedding secret text in mp3 files.

https://www.instructables.com/Secret-Message-in-Audio/

Dropping it into Audacity and following the instructions revealed this little message.

Flag is {soundsliketeenspirit}

Collect and operate

‘dem bones

Shift

Flag is {TIBIA OR NOT TIBIA}

Diffie-Hellman

This challenge’s name is Diffie-Hellman, so we can look up a key exchange calculator.

https://www.irongeek.com/diffie-hellman.php?

Flag is {625}

Elfish

Despite the challenge being called Elfish, the file type states it’s data. Opening this we can see there is a ‘LOL’ where the ELF header should be.

Let’s replace that with ELF and see what we get.

I ran hexdump but didn’t get anything useful. I tried a couple more tricks and eventually using ltrace to intercept the library calls led me to the flag.

Flag is {y_U_g0tta_b_s0_elf1$h}

Protect and defend

Here we have a Vigenere cipher we can decode with a key.

The key was apple.

Flag is {simpleciphersarephun}

Banner Grab

Flag is {hiding_server_data_foils_script-kiddies}

Securely Provision

CyberDym: Missing Link

Here we only have limited tries to input the flag. In this case the flag is an index value that doesn’t exist and is thus breaking the chain.

In total there are 10001 indexes. A quick way of finding the broken chain would be using Python to iterate through the testchain.txt file, matching up the current index value with the expected index value.

Since the program breaks at index 3808 we can open up the txt file at this index and see that there is a missing index between 3808 and 3810.

Flag is {3809}
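The index check described above, as an added example that is not the script from the original write-up. It assumes each record sits on one line and carries its position as `"index": <n>`; the real layout of testchain.txt is not shown on the page, so the regex, `find_chain_breaks` and the constructed sample are illustrative.

```python
import re

# Assumption: each record in the chain file is one line carrying its position
# as "index": <n> (or index=<n>); the real layout of testchain.txt is not shown.
INDEX_RE = re.compile(r"index\W+(\d+)", re.IGNORECASE)


def find_chain_breaks(lines, start=0):
    """Return (missing, anomalies).

    missing   -- indexes that were expected but never appeared
    anomalies -- (line number, index) pairs that repeat or go backwards
    """
    expected = start
    missing, anomalies = [], []
    for lineno, line in enumerate(lines, 1):
        match = INDEX_RE.search(line)
        if match is None:
            continue  # blank line or header, not a record
        index = int(match.group(1))
        if index < expected:
            anomalies.append((lineno, index))
            continue
        # Every value skipped between the expected and the seen index is a gap.
        missing.extend(range(expected, index))
        expected = index + 1
    return missing, anomalies


def build_sample(total=10001, drop=3809):
    """Constructed stand-in for testchain.txt: indexes 0..total-1 minus one."""
    return [f'{{"index": {i}, "data": "block {i}"}}'
            for i in range(total) if i != drop]


if __name__ == "__main__":
    gaps, odd = find_chain_breaks(build_sample())
    print("missing indexes:", gaps)
    print("out-of-order records:", odd)
```

Reporting repeated or backwards indexes separately keeps a duplicated record from being mistaken for a gap, which matters when the number of flag submissions is limited.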

The robots are coming!

To see what this website is hiding from web crawlers we can take a look at its robots.txt file.

Flag is {butwhereartherobots?}

Corruption

Looking at this unshadowed file it looks like the algorithm id is either missing or in the wrong place for shemp, curley, and joe. It looks like the salt for each hash has hints on how to fix them.

For shemp’s hash the id is a ?, but the salt says “shatwofivesix”. Replacing the ? with the id for SHA256 ($5$) should fix the hash.

For curley, the id and salt seem to be at the end of the hash, and the salt itself says “outoforder”. Moving it to the front should make things work.

Finally, for joe, the id and salt are at the end, but it looks like the salt says “backwards” but backwards. Reversing the order of characters in this hash will solve this. Now that we’ve solved them, the non-corrupted version of this file should look like this.

Using John the Ripper, we can find the passwords and concatenate them into a flag.

Flag is {thesepasswordsaredownrightatrocious}
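The three repairs from the Corruption challenge, written against the `$<id>$<salt>$<digest>` hash field layout, as an added example that is not part of the original write-up. The digests are constructed placeholders and the exact corrupted layouts are assumptions, since the challenge file is not reproduced on the page; `repair_hash`, `repair_line` and `SALT_HINTS` are illustrative names.

```python
import re

# crypt(3) hash field layout: $<id>$<salt>$<digest>; ids 1, 5 and 6 are
# MD5, SHA-256 and SHA-512.
VALID = re.compile(r"^\$(1|5|6)\$[^$]+\$[./A-Za-z0-9]+$")
TAIL = re.compile(r"^([./A-Za-z0-9]+)\$(1|5|6)\$([^$]+)$")
# Salt hint -> id; only the hint quoted in the write-up is listed.
SALT_HINTS = {"shatwofivesix": "5"}


def repair_hash(field):
    """Undo the three corruptions described above; return a well-formed field."""
    if VALID.match(field):
        return field
    if field.startswith("$?$"):                 # id replaced by '?'
        salt = field.split("$")[2]
        return "$" + SALT_HINTS[salt] + field[2:]
    if VALID.match(field[::-1]):                # whole field reversed
        return field[::-1]
    tail = TAIL.match(field)                    # id and salt moved to the end
    if tail:
        digest, algo, salt = tail.groups()
        return f"${algo}${salt}${digest}"
    raise ValueError(f"unrecognised hash layout: {field!r}")


def repair_line(line):
    """Repair the second colon-separated field of a passwd/shadow style line."""
    parts = line.split(":")
    parts[1] = repair_hash(parts[1])
    return ":".join(parts)


# Constructed entries: digests are placeholders and the exact corrupted
# layouts are assumptions, not the challenge's data.
SAMPLE = [
    "shemp:$?$shatwofivesix$Constructed.Digest/0001:1001:1001::/home/shemp:/bin/sh",
    "curley:Constructed.Digest/0002$6$outoforder:1002:1002::/home/curley:/bin/sh",
    "joe:" + "$1$backwards$Constructed.Digest/0003"[::-1] + ":1003:1003::/home/joe:/bin/sh",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(repair_line(entry))
```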

Overall this was really fun! Even though I missed two challenges I still ended up in the top 10 out of ~500 or so participants. I learned a couple new tricks and found some cool ways to hide flags in files.
