--- layout: post title: H7CTF tags: [Forensics, MISC] date: 2024-09-28 00:00:00 excerpt: "H7CTF" feature: https://raw.githubusercontent.com/raviyelna/raviyelna.github.io/master/assets/img/background.jpg categories: CTFs --- # H7CTF ## Forensics ### Khalib  The challenge gave us a white image but look closely it not just only white, just zoom it and you will find the flag lying there  --- ### Evolve   The challenge gave us a weird image, after checking it for awhile and read the description I still have no clue but my teammate got it  So here how it need to be done, the chall desp mentioned about Fourier, if you reasearch about his name there are something called [**Fourier Transform in Cryptography**](https://medium.com/privacy-preserving-natural-language-processing/homomorphic-encryption-for-beginners-a-practical-guide-part-2-the-fourier-transform-77bcaf9a1756) and here the script to do that ```py import cv2 import numpy as np import matplotlib.pyplot as plt # load in greyscale img = cv2.imread('flag.png', 0) # fourier transform f = np.fft.fft2(img) fshift = np.fft.fftshift(f) magnitude_spectrum = 20*np.log(np.abs(fshift)) plt.imshow(magnitude_spectrum, cmap='gray') plt.title('Magnitude Spectrum') plt.show() ``` Running that code will give you this  --- ### GhostIP  the Challenge gave us a pcap file and told us to look for the attacker's IP. open it in wireshark and check for conversation and then filter out the RST flag cause that one of the quickest way to know if someone trying to scan the host.  its pretty obvious by checking the conversartion and the their behaviour we can easily confirm it **192.168.1.9**, so I wont be talking much about this challenge. --- ### Captain Cool   At first when looking at the challenge I immediately try stegsnow but it return nothing after checking it plain colour I saw that there a b64 string at the bottom  this can be decoded to ```youspottingthismeansyougotsomesharpeyeswellkeeplooking```, anyway it just a distraction so put it away. You can wandering around the internet and you will eventually find something call "openstego" running the image inside that as extract mode and you got a binary  Decode that string will give us a hex string then from thet hex string you can get the flag --- ### Empty  The challenge gave us a zip file but it has a password, let crack it first  okay so we got the password, unzip there a github repo inside the first thing I would be checking is commit section but unfortunately I wasnt be able to solve this because I was solving like 15 mins before the ending (I was studying lmao, Idek why this CTF opened right in the middle of the week instead of the weekend) anyway lets get back solving it, if you open the Head in the log you will see alot of weird string like this  Combine it with title of the challenge and some research (actually its chatGPT) I know that its [zero-width stego](https://330k.github.io/misc_tools/unicode_steganography.html) pasting the whole commit msg and we got the flag  --- ## Reversing ### Eich  The challenge gave us 2 files, shuthtefrontdoor and trap, if you open shutthefrontdoor there will be a JSfuck script, we can use this [website](https://enkhee-osiris.github.io/Decoder-JSFuck/) to decode it  source code: ```java function A(D, length) { let key = ''; for (let i = 0; i < length; i++) {key += D.charAt(i % D.length);} return key; } function B(F, D) { let key = A(D, F.length); let G = ''; for (let i = 0; i < F.length; i++) { let charCode = F.charCodeAt(i); let keyCode = key.charCodeAt(i); let GChar = String.fromCharCode(charCode ^ keyCode); G += GChar; } return G; } const fs = require('fs'); let C = "fs.readFileSync('C.txt', 'utf8')"; let D = "6aef677b2c8b645384e713aece4322b045a79f48"; let E = B(C, D); console.log("Reward: ", E); "b3BlbnlvdXJleWVzYW5kbG9va2F0dGhlbWtleXNwcm9wZXJseQ==" ``` It's just simple xor function, actually my teammate got it wrong right here and we were bruteforcing the key because the D was wrong but after reading the hint we got from the base64 ```openyoureyesandlookatthemkeysproperly``` so I look at the string again and notice that its an hash so I put it on [crackstation](https://crackstation.net/) and got the real key **```whatthehelldoyouthinkyouaredoing```** Decode Script: ```py import base64 def generate_key(keystring, length): key = "" for i in range(length): key += keystring[i % len(keystring)] return key def encrypt_decrypt(string, key): result = "" for i in range(len(string)): char = string[i] key_char = key[i] result += chr(ord(char) ^ ord(key_char)) return result with open('trap') as f: encrypted = f.read() key = "whatthehelldoyouthinkyouaredoing" key = generate_key(key, len(encrypted)) plaintext = encrypt_decrypt(encrypted, key) print(plaintext) ``` **(I swear we haven't tried bruteforcing the key (')> )**  --- ## MISC ### Qrco   The challenge gave us a Qrcode, scan it lead to a [gooogle drive](https://drive.google.com/file/d/12dOs1mkY5RjP8iGWwXlXOVefSj1qr6zx/view) and from there you can get a PDF file ``` (you can check my folder I place it in /raviyelna.github.io/Writeup_images/H7CTF/challs/MIsc/Qrco/whatCouldThisBe.pdf) ``` You can see there a lot of random string but, I immediately filter out the Flag in base64 and found that the flag got encoded in base64 and divided in to parts  so I will take out all the string that only contain base64 char, then wrote a python script to decode all of them. ``` Base64: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= ``` ``` QRx En1 H7C c0_ TF{ 4rU gm4 } ``` Then just keep swapping the position, you will get the flag **H7CTF{Qrxc04rU_En1gm4}** --- thanks for reading, eventhough the CTF occur right in the middle of the week but our team managed to achive a wonderful place, it 11th placed, GGWP guys