Here is my write up for the challenges I was able to answer for the NSA Codebreaker Challenge CTF this year.
In total there were 32 challenges released in 3 waves over the course of the competition. The main categories were Reverse Engineering, Crypto, Web, Forensics, Miscellaneous, OSINT, and Steganography. I personally loved the OSINT and Steganography challenges and I cannot wait to see other participants write ups in order to get the ones I missed.
Reverse Engineering
Don’t Forget to FLOSS
For this challenge we are given an executable called strings. This itself is a hint to finding the flag.
Using strings we can find the flag inside the file.
Flag is CBCCOP{3asy_p3azy_l3m0n_sq3azy}
That’s it for RE unfortunately but hopefully other write ups will pop up shedding some light on the last two.
Crypto
Substitute Teacher
In Substitute Teacher we are given the following file.
Looks like we need to solve this via substitution cipher. We could use frequency analysis and test the substitution letter by letter based off number of occurrence or we could just use an online tool instead. https://www.dcode.fr/monoalphabetic-substitution
Using the Key generated above we solved the substitution cipher leaving us with the flag.
Flag is CBCCOP{SUBSTITUTE_TH1S_TO_W1N_5A4B141140F}
Certified Ethical Hashing
For this challenge we are given a file filled with MD% hashes and an encrypted file. Cracking each hash leaves us with the following message.
Looks like the password is the hashed version of the word ‘hunter2'.
Using it to decrypt the file leaves us with the following message.
Flag is CBCCOP{md5_1s_br0k3n}
Ghostbusters
For this task we are provided with an encrypted file that contains the flag, and a hash called “this might be useful”;
Looks like we have a couple matches for what kind of hash this might be but since the challenge is called “Ghostbusters” lets try GOST.
Using John the Ripper we were able to crack the password using a word list. Looks like the password is ‘gost12345’. Using this password we should be able to open the encrypted file and get the flag.
Flag is CBCCOP{w4s_th4t_4_g0st_1_s4w}
Web
Hidden Secrets
For this challenge we are provided with a site. Looks like dirbuster is off the table.
Looking at the source code, we see the path for the images on the site.
If we go to this directory we get the following page.
Looking at the source code again we find the following directory
Upon further investigation we find a comment that should get us closer.
Finally we find the flag at http://chal.cbc-cop.org:5507/hidden/secret_files/super_secret/flag/
Flag is CBCCOP{h1dd3n_1n_html_site}
Haxxor
This was probably one of my favorite challenge of the CTF. We are provided with a URL to find the flag.
The programmer from Huddinge is Daniel Stenberg, who developed Curl, and has an article about a ghost CVE linked here: https://daniel.haxx.se/blog/2022/03/23/anatomy-of-a-ghost-cve/
Using curl we get the following output
Looks like the curl line has turned green. After further research into referral’s, using the following request, we get the third line to turn green as well.
Finally adding FROM in the header, with Daniel Stenberg’s email gets us all three parts return as green revealing the flag. The email was listed in the contacts page of the ghost CVE article.
This one took me so long that I dropped my laptop on the walk home at the moment of triumph but it was worth it.
Flag is CBCCOP{n0w_y0u_kn0w_wh0_wr073_curl}
Miscellaneous
Ascii ART
After completing this challenge it seems like there was an update to the file given, but this write-up will cover the original challenge before the hints were provided. Opening the ASCII art file in a text editor revealed the following base64 string.
After painfully typing each one out and trying different combinations of either a 0 or O or a 1 and I, we finally get the right string and decrypt it.
Flag is CBCCOP{fun_w1th_4sc11_4rt_4nd_b@S364}
No ReMorse
This challenge was nice but proved that my Morse code is quite rusty. Instead, dropping this .wav file to an online Morse code Audio Decoder was faster, and a lot more accurate.
Flag is CBCCOP{H0PE_Y0U_R3M3EMB3R_Y0UR_M0RS3_C0D3}
Weird Arithmetic
For this challenge we have a strange file filled with the following content.
After some digging around we realized this is a method of writing java script with 6 characters. It looks awful and I don’t know why anyone would write JS like this but oh well. Finding the website and executing the code was all it took to get the flag.
Flag is CBCCOP{turn5_0ut_js_c4n_b3_r3ally_funny_occ4s1onally}
What’s that noise?
At first I thought this challenge had to do with a corrupted wav file but after looking at it in Audacity it became clear what to do. Opening the file and switching it to Spectrogram mode revealed the flag.
Flag is CBCCOP{H1Dden_In_TH3_WAv3s}
Forensics
Exfil
For this challenge we are given a zip file. Extracting it with binwalk gets us a file filled with folders named after the alphabet, numbers, and special characters.
Some folders contain text files that are numbered. Others are empty. This led me to believe we have to reconstruct the flag using the number of the text file as the position, and the name of the folder as the value. For example the C folder has the following numbers.
This means the flag contains a C in position 1, 3, and 4. Writing a script to recompile the flag for us could’ve worked but I was really burnt out at this point so doing it by hand was unfortunately the route I took. Reconstructing the flag gets us the following value.
Flag is CBCCOP{F0LD3R_3XF1L_FTW}
Welcome Presentation
For this challenge we are given a power point presentation. Somewhere in it, the flag must be hidden.
Unzipping the power point presentation gives us a couple folders to investigate.
After digging through these files we find the following “hidden” file.
Looks like a base64 string. Decrypting the file should get us the flag.
Flag is CBCCOP{P0w3rp01nt_d4ta_3xf1ltrt4ti0n}
Golly what a weird file
For this challenge we have a file with weird content.
After searching for the first line, we found it refers to an equation for run length encoding called “HighLife” The following text describes this pattern and what the characters symbolize.
Using downloaded software from the following webpage, http://www.mirekw.com/ca/mjcell/mjcell.html, We were able to input the file. At first we got the following output
After researching how HighLife works, we were able to format it to the proper order and remove the end of life pattern symbols and separate each end of line symbol as well to get the following output at the bottom.
Flag is CBCCOP{GOL_1S_N3AT_HUH?}
This challenge was really cool and led to me reading into a lot of cool stuff.
Folder Finder
For this task, we are provided with a zip file containing a variety of files. Unzipping the folder reveals the following.
With a helpful hint from the following article, https://0day.work/parsing-the-ds_store-file-format/, we used an Online .DS_Store Parser to investigate the .DS._Store and get the output below
Removing duplicates and running the output through an ASCII converter seems to get us the flag a bit out of order.
Flag is CBCCOP{1nt3reSt1nG_f0ld3R_f1Nd3r}
OSINT
We are now at the first of my two favorite sections.
OSINT 1
Ahh kind of specific. That’s perfect. Going to twitter and searching for the keywords Abel ,Trip and sorting by latest reveals the tweet.
From here the flag is in their profile.
Flag is CBCCOP{0p3n_s0urc3_1nt3ll1g3nc3_FTW}
OSINT 2
For this on, we see they refer to his network, which probably means LinkedIn. Searching his name on LinkedIn came up with the flag right away as his first and only post.
Flag is CBCCOP{h3333ll0000_1s_1t_m3_y0ur3_l00king_f0r?}
OSINT 3
Alright this one was a nightmare. The previous profiles both linked to a github page where he has a personal website. Inside the revision changes for the site, we see he links a picture of a place he likes to “Relax and train”.
The link leads us to the following image.
We see an open field and the image is titled as a “Relaxing Park”. We see from his linkedin Page and his github site that he lives in Lincoln, NE so the logical thing to do is to go on google earth and check every single park in Lincoln Nebraska for a review from Ryder Abel. After doing this for two days straight coming up with nothing, the answer was in my face the whole time. Ryder Abel did not leave a review of the park, but did take this picture! Finding the picture was the key and it did not show up on any reverse image search, so searching one at a time was our best bet.
Finally the park was “Hayward Park” and in the top left corner we see who took this picture. Clicking their profile reveals another image that finally, AT LAST, contains the flag.
Flag is CBCCOP{R3lax1ng_0n_th3_w33kend5}
OSINT 4
The last challenge states they have another profile somewhere with the flag publicly available. Since they have a google account, maybe they have a YouTube account as well.
Searching for a Ryder Abel Channel revealed nothing, but searching for a playlist thankfully gave up his account.
Flag is CBCCOP{T0uchdown_f0r_0S1nT!}
Steganography
Finally the last section and my 2nd favorite one at that.
Doggo
For this challenge we have a fantastic picture of a dog
Using an online Steganography tool we can find the flag.
Flag is CBCCOP{Steg0_dogg0_s4ys_g00d_j0b}
Beautiful Scenery
For this challenge we get the following image.
Uploading the image to the following tool lets us view the images Bit Planes and find the flag
Flag is CBCCOP{h1dd1ng_1m4g3s_1n_1m4ges_1s_4_g0od_w4y_t0_h1d3_dat4_r1ght?}
For this challenge we get this cool picture.
At first I thought the white 1s and 0s corresponded to the flag somehow but literally the flag is just in the metadata. Even opening the image with notepad reveals the flag.
Flag is CBCCOP{m3tadata_can_b3_us3ful_for_h1d1ng_d4ta}
Hide and Seek
For this challenge, we have a picture of nature.
After checking it’s metadata and testing it out on some online Steg tools, I tried decrypting it with steghide and a password.
It says we couldn’t extract any data with that password so let’s try using a wordlist to test multiple passwords.
Looks like the password is ‘midnight1’ and the decrypted image is saved to the out file.
Opening the out file shows us the flag at last.
Flag is CBCCOP{n0t_4lways_wh4t_1t_s33ms}
This CTF was super fun and I feel like I learned a lot, and was able to apply skills from other CTF’s as well. I ended up tying for a spot in the top 10 so I’m super happy with my performance. Hopefully some other write ups will start popping up so I can learn how to solves the challenges I just couldn’t get in time.
