CTF Collection Vol.1
In this post, we will look into the room “CTF Collection Vol.1” from TryHackMe, which can be found on https://tryhackme.com
Task 2 What does the base said?
$ echo -n "VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==" | base64 -d THM{#################}
Task 3 Meta meta
$ /data/src/exiftool-11.93/exiftool Findme.jpg ExifTool Version Number : 11.93 File Name : Findme.jpg Directory : . File Size : 34 kB File Modification Date/Time : 2020:05:08 12:20:13+02:00 File Access Date/Time : 2020:05:08 12:20:13+02:00 File Inode Change Date/Time : 2020:05:08 12:20:42+02:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1.01 X Resolution : 96 Y Resolution : 96 Exif Byte Order : Big-endian (Motorola, MM) Resolution Unit : inches Y Cb Cr Positioning : Centered Exif Version : 0231 Components Configuration : Y, Cb, Cr, - Flashpix Version : 0100 Owner Name : THM{3x1f_0r_3x17} Comment : CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 60. Image Width : 800 Image Height : 480 Encoding Process : Progressive DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 800x480 Megapixels : 0.384
Owner name is THM{################}
Task 4 Mon, are we going to be okay?
Submit the picture to https://futureboy.us/stegano/decode.pl.
It going to be over soon. Sleep my child. THM{#############}
Task 5 Erm……Magick
Highligthing the text will reveal:
Huh, where is the flag? THM{#######} Did you find the flag?
Task 6 QRrrrr
Upload the picture to https://zxing.org/w/decode.jspx.
THM{###############}
Task 7 Reverse it or read it?
Disassemble the binary in IDA Pro. Analyze the functions. There is a function called skip
that will never be called but it contains the flag:
.text:0000000000001145 public skip .text:0000000000001145 skip proc near .text:0000000000001145 push rbp .text:0000000000001146 mov rbp, rsp .text:0000000000001149 lea rdi, format ; "THM{#################}" .text:0000000000001150 mov eax, 0 .text:0000000000001155 call _printf .text:000000000000115A nop .text:000000000000115B pop rbp .text:000000000000115C retn .text:000000000000115C skip endp
Answer: THM{####################}
Task 8 Another decoding stuff
Can you decode it?
3agrSy1CewF9v8ukcSkPSYm3oKUoByUpKG4L
Use Cyberchef to find the right base: https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',true)&input=M2FnclN5MUNld0Y5djh1a2NTa1BTWW0zb0tVb0J5VXBLRzRM
Answer: THM{##################}
Task 9 Left or right
https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,7)&input=TUFGe2F0YmVfbWF4X3Z0eGx0a30
THM{################}
Task 10 Make a comment
Right click > Inspect element.
THM{################################}
Task 11 Can you fix it?
Image is corrupted because it is missing the PNG header (89 50 4E 47):
$ xxd spoil.png |head 00000000: 2333 445f 0d0a 1a0a 0000 000d 4948 4452 #3D_........IHDR 00000010: 0000 0320 0000 0320 0806 0000 00db 7006 ... ... ......p. 00000020: 6800 0000 0173 5247 4200 aece 1ce9 0000 h....sRGB....... 00000030: 0009 7048 5973 0000 0ec4 0000 0ec4 0195 ..pHYs.......... 00000040: 2b0e 1b00 0020 0049 4441 5478 9cec dd79 +.... .IDATx...y 00000050: 9c9c 559d eff1 cf79 9e5a bb7a 5f92 7477 ..U....y.Z.z_.tw 00000060: f640 4802 0920 1150 c420 bba2 88a8 805c .@H.. .P. .....\ 00000070: 1906 7c5d 64c0 79e9 752e 03ce 38e3 0e8e ..|]d.y.u...8... 00000080: 2f75 e63a 23ea 8c0c e830 8e03 6470 c191 /u.:#....0..dp.. 00000090: cd80 880c 4b20 0909 184c 42b6 4ed2 e9f4 ....K ...LB.N...
You can fix it as follows:
$ printf '\x89\x50\x4E\x47' | dd of=spoil.png bs=4 conv=notrunc 1+0 records in 1+0 records out 4 bytes copied, 0.000128356 s, 31.2 kB/s $ xxd spoil.png |head 00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR 00000010: 0000 0320 0000 0320 0806 0000 00db 7006 ... ... ......p. 00000020: 6800 0000 0173 5247 4200 aece 1ce9 0000 h....sRGB....... 00000030: 0009 7048 5973 0000 0ec4 0000 0ec4 0195 ..pHYs.......... 00000040: 2b0e 1b00 0020 0049 4441 5478 9cec dd79 +.... .IDATx...y 00000050: 9c9c 559d eff1 cf79 9e5a bb7a 5f92 7477 ..U....y.Z.z_.tw 00000060: f640 4802 0920 1150 c420 bba2 88a8 805c .@H.. .P. .....\ 00000070: 1906 7c5d 64c0 79e9 752e 03ce 38e3 0e8e ..|]d.y.u...8... 00000080: 2f75 e63a 23ea 8c0c e830 8e03 6470 c191 /u.:#....0..dp.. 00000090: cd80 880c 4b20 0909 184c 42b6 4ed2 e9f4 ....K ...LB.N...
The image is now valid and the flag is:
THM{########}
Task 12 Read it
https://www.reddit.com/r/tryhackme/comments/eizxaq/new_room_coming_soon/
THM{##############################}
Task 13 Spin my head
https://www.splitbrain.org/_static/ook/
THM{#########}
Task 14 An exclusive!
$ python >>> s1 = "44585d6b2368737c65252166234f20626d" >>> s2 = "1010101010101010101010101010101010" >>> h = hex(int(s1, 16) ^ int(s2, 16))[2:] >>> bytes.fromhex(h).decode('utf-8') THM{############}
Task 15 Binary walk
$ binwalk -e hell.jpg DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.02 30 0x1E TIFF image data, big-endian, offset of first image directory: 8 265845 0x40E75 Zip archive data, at least v2.0 to extract, uncompressed size: 69, name: hello_there.txt 266099 0x40F73 End of Zip archive, footer length: 22 cat _hell.jpg.extracted/hello_there.txt Thank you for extracting me, you are the best! THM{##################}
Task 16 Darkness
Open file in Stegsolve.jar and browse the plugins. With “Blue plane 1”, the flag is decoded:
THM{#################################}
Task 17 A sounding QR
Upload the QR code to https://zxing.org/w/decode. It decodes as:
https://soundcloud.com/user-86667759/thm-ctf-vol1
Use text2speech service (https://speech-to-text-demo.ng.bluemix.net/).
Speaker 0: The flag is S. O. U. N. D.. Speaker 1: I.. Speaker 0: N. G. Q.. Speaker 2: R..
Answer: THM{SOUNDINGQR}
Task 18 Dig up the past
Use wayback (https://web.archive.org/web/20200102131252/https://www.embeddedhacker.com/) to load the snapshot on Jan 2, 2020. Then search for string THM{
on the page:
What did you just say? flag? THM{##################
Task 19 Uncrackable!
Load MYKAHODTQ{RVG_YVGGK_FAL_WXF}
in CyberChef (https://gchq.github.io/CyberChef/#recipe=Vigen%C3%A8re_Decode(‘TRYHACKME’)&input=TVlLQUhPRFRRe1JWR19ZVkdHS19GQUxfV1hGfQ) with Vigenere (key=TRYHACKME). Output is THMTHMTHM{YEI_RVEWY_BHU_YQF}
Now change the key to THMTHMTHM
. Output: TRYHACKME{################}
Task 20] Small bases
$ python >>> n = 581695969015253365094191591547859387620042736036246486373595515576333693 >>> h = hex(n)[2:] >>> bytearray.fromhex(h).decode() 'THM{#######################}'
Task 21 Read the packet
GET /flag.txt HTTP/1.1 Host: 192.168.247.140 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 If-Modified-Since: Fri, 03 Jan 2020 04:36:45 GMT If-None-Match: "e1bb7-15-59b34db67925a" Cache-Control: max-age=0 HTTP/1.1 200 OK Date: Fri, 03 Jan 2020 04:43:14 GMT Server: Apache/2.2.22 (Ubuntu) Last-Modified: Fri, 03 Jan 2020 04:42:12 GMT ETag: "e1bb7-20-59b34eee33e0c" Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 52 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain THM{#################} Found me!