RaziCTF 2020 — Write Ups (Forensics)

sumb0dy
Nov 2, 2020

RaziCTF took place online from October 26th to October 28th. It was a classic jeopardy-style CTF with multiple categories, including Web Security, Network Security, Digital Forensics, Cryptography, Steganography, and so on.

I participated solo in this CTF, and I was more interested in learning and solving new challenges than in trying to win anything. I mainly focused on the Forensics and Steganography challenges. In this post, I will show the two forensics challenges I solved during the competition.

Can You See Through The Crowd?

look precisely :) this challenge's flag starts with RAZICTF

The challenge descriptions were short and simple, but they also contained good hints, which I liked.

To start this forensics challenge, you are supposed to connect to an IP with nc and read the response.

At first I realized it was A LOT OF NOISE: a constant stream of data coming through really fast. I did notice that the data was just a bunch of repeating base64 strings. Once I decoded one of them, it was not the real flag. Just noise, a rabbit hole.

So what now? I needed to filter that somehow. I decided to write the data out to a file and search for anything that did not match the repeating pattern.

In the middle of this whole mess, I was able to find a comma followed by a new block of base64 data. This is what the description was talking about. It is a pretty long base64 string, so I assumed it would probably be some kind of file or executable converted to base64.

Sure enough, I turned the base64 into a binary file and checked the first bytes to see if there was any header information:

I quickly learned that this is a PNG file. Nice! Now I just need to change the extension and get the flag, right?

When I tried to open the file, something was wrong with it. So I used the tool pngcheck to see if it could detect what was wrong:

It returned "bad IHDR". After a quick search, I learned that PNG files need a specific IHDR header as part of their structure:

Checking the header of our binary, we see that it is not IHDR, and that we have to fix it:

Before IHDR Fix
After IHDR Fix

Run the check once again to ensure nothing is missing:

Everything seems to be fine, so now we can proceed to get the flag:

RAZICTF{C0RRUPT3D_IM4G3S_ARE_L0V3LY}
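The IHDR repair described above, as an added example that is not part of the original write-up: a small PNG chunk walker that reports the same "bad IHDR" condition pngcheck flagged (wrong type in the first chunk, or a CRC that no longer matches), rewrites the first chunk's type to IHDR and recomputes its CRC. The sample image is constructed in `build_sample()`; the 1x1 RGB PNG and the overwritten type `XXXX` are my own test data, not the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature

def parse_chunks(data):
    """Yield (offset, length, type, body, crc) for each chunk after the signature."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        yield pos, length, ctype, body, crc
        pos += 12 + length

def check(data):
    """Return a list of problems, mirroring what pngcheck reports (empty list = clean)."""
    problems = []
    for i, (off, length, ctype, body, crc) in enumerate(parse_chunks(data)):
        # The first chunk must be IHDR and must carry exactly 13 bytes of data.
        if i == 0 and (ctype != b"IHDR" or length != 13):
            problems.append(f"bad IHDR at offset {off}: type={ctype!r} len={length}")
        # The CRC-32 covers the chunk type and data, not the length field.
        if zlib.crc32(ctype + body) != crc:
            problems.append(f"CRC mismatch in {ctype!r} at offset {off}")
    return problems

def fix_ihdr(data):
    """Rewrite the first chunk's type to IHDR and recompute its CRC."""
    off, length, ctype, body, crc = next(parse_chunks(data))
    fixed = bytearray(data)
    fixed[off + 4:off + 8] = b"IHDR"
    struct.pack_into(">I", fixed, off + 8 + length, zlib.crc32(b"IHDR" + body))
    return bytes(fixed)

def make_chunk(ctype, body):
    """Length + type + data + CRC-32 over type and data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample():
    """Constructed test data: a valid 1x1 RGB PNG and a copy with its IHDR type overwritten."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    raw = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    good = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", raw) + make_chunk(b"IEND", b"")
    bad = good[:12] + b"XXXX" + good[16:]  # clobber the chunk type, leave the CRC alone
    return good, bad
```

Because the challenge file kept the CRC of the original IHDR chunk, the type rewrite alone made pngcheck happy; the CRC recompute here covers the case where the checksum was damaged too.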

Fore

Music relaxes your mind
Hint: find the link

For this challenge, we are given a pcap file and have to find the link to a song that was supposedly downloaded.

My first step was to check the files that were downloaded via HTTP, but there were a few thousand files, and I did not feel like filtering through all of that.

An easier way to search for audio files is to use Wireshark's search function. Just search for the term "audio" as a string in the packet list. HTTP transfers of audio files usually carry the MIME type audio/mpeg, so we can search for that key term:

We found a packet that contains an audio file, which seems to be the request to download it. If we follow that stream, we can find the link:

Here we find the URL for the music.

RaziCTF{http://…/…-banan-music/}


sumb0dy

CTF player, bug bounty hunter, and a curious person. I love challenges, and I also teach and help people.