
Forensic PicoCTF 2024

Scan Surprise

Description:

I've gotten bored of handing out flags as text. Wouldn't it be cool if they were an image instead?
You can download the challenge files here:
challenge.zip
Additional details will be available after launching your challenge instance.

Hint 1: QR codes are a way of encoding data. While they're most known for storing URLs, they can store other things too.

Hint 2: Mobile phones have included native QR code scanners in their cameras since version 8 (Oreo) and iOS 11

Hint 3: If you don't have access to a phone, you can also use zbar-tools to convert an image to text


The author gives us a QR code.

Scan it with a phone that has a QR scanner, or with any tool that can read QR codes.

Flag: picoCTF{p33k_@_b00_3f7cf1ae}


Verify

Description:

People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I'm going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate.
You can download the challenge files here:
challenge.zip
Additional details will be available after launching your challenge instance.

Hint 1: Checksums let you tell if a file is complete and from the original distributor. If the hash doesn't match, it's a different file.

Hint 2: You can create a SHA checksum of a file with sha256sum <file> or all files in a directory with sha256sum <directory>/*.

Hint 3: Remember you can pipe the output of one command to another with |. Try practicing with the 'First Grep' challenge if you're stuck!


Unzipping the challenge archive gives us a script for decrypting a file, and a checksum.txt file holding the SHA-256 of the file that contains the flag.

We will look for the file with that same SHA-256 in the files folder.

There are a lot of files, but since we already know the SHA-256 of the file we need, we only have to grep for that hash.

Finally, we use the script the author provided to decrypt the file we found.

Flag: picoCTF{trust_but_verify_c6c8b911}

???: I don't know why, but decrypt.sh could not decrypt the file when run on my own machine, so I had to ssh to the organizers' server.


CanYouSee

Description:

How about some hide and seek?
Download this file here.

Hint 1: How can you view the information about the picture?

Hint 2: If something isn't in the expected form, maybe it deserves attention?


The author gives us an image file.

Let's check the metadata of this image with exiftool.

In the Attribution tag we see a strange Base64 string, so let's try decoding it.

Flag: picoCTF{ME74D47A_HIDD3N_deca06fb}


Secret of the Polyglot

Description:

The Network Operations Center (NOC) of your local institution picked up a suspicious file, they're getting conflicting information on what type of file it is. They've brought you in as an external expert to examine the file. Can you extract all the information from this strange file?
Download the suspicious file here.

Hint 1: This problem can be solved by just opening the file in different ways


The author gives us a PDF file. Opened as a PDF, it already gives us part 2 of the flag.

Following the description, let's check what type of file this really is.

We change the file's extension to .png and open it as an image.

Flag: picoCTF{f1u3n7_1n_pn9_&_pdf_53b741d6}


Mob psycho

Description:

Can you handle APKs?
Download the android apk here.

Hint 1: Did you know you can unzip APK files?

Hint 2: Now you have the whole host of shell tools for searching these files.


Following hint 1, let's unzip the APK and see what is inside.

A lot of files are extracted. Let's look for the flag file with the find command.

Decoding the flag file gives: picoCTF{ax8mC0RU6ve_NX85l4ax8mCl_52a5e2de}

Flag: picoCTF{ax8mC0RU6ve_NX85l4ax8mCl_52a5e2de}


endianness-v2

Description:

Here's a file that was recovered from a 32-bits system that organized the bytes a weird way. We're not even sure what type of file it is.
Download it here and see what you can get out of it

No hint


Let's look at the raw file with hexeditor.

This file is probably a JPEG image, but every group of 4 bytes has been reversed.

For more on file signatures, see here.

We will write a script to handle this.