# Writeup for Cyber Material Hack Havoc CTF Challenges
> Author: f4n_n3r0
Hello, I'm f4n_n3r0, and this is my writeup for all Cyber Material Hack Havoc CTF challenges.


## Welcome
### 1. Welcome to CyberMaterial

As the description mentioned, the flag is in the Discord. Navigating to `#ctf-support`, we got our very first flag:

Flag: `CM{Subscribe_TO_CyberMaterial}`
### 2. FeedBack challenge

Do the feedback and get the flag:

Flag: `CM{HApPy_EnDiNg}`
## Web exploitation
### 1. We're rolling

Moving to the challenge's website, we got back to our CTF homepage. It seems like there is nothing special here, so let's move to the `/robots.txt` file to check if there's anything.

There are a lot of endpoints there. If you try navigating to every single endpoint, you won't get anything; instead, press `Ctrl + F` and search for `CM{`.

And we've got our flag.

Flag: `CM{RoOL_&_ROoL}`
### 2. Drunken website

Clicking into the challenge's website, I saw a colorful page with Japanese, English and many more languages.

By viewing its source, I noticed there is a file named `0.html` with the `invisible-button` class:

Looking at its source, I've got my flag:

Flag: `CM{W3bs1t3_15_5hi7}`
### 3. A Shakespearian Tragedy

What hit me between the eyes is a website with nothing but a picture of Caesar's assassination.

Let's analyze its source code:

Hmm, nothing special there. I'm going to try dirsearch here to see if we can find anything.

At first glance, an `admin` endpoint and a file named `index.html` appeared. Moving to it, this is what I got:

Hmm, wrong door. It seems like I had used the correct way but the wrong endpoint, so let's keep trying.

At the `/users` endpoint, I saw a suspicious string:

Decoding it using base58, I got my flag:

Flag: `CM{i_c4me_i_s4w_i_c0nqu3r3d}`
### 4. Bidden Funhouse


In front of me is a website with a Welcome text and a submit box where I can input my `hacker alias`. Let's try inputting something.

Hmm, 403 Forbidden. If you look closely, you can see that when we hit submit, the website redirects us to the server without the `/b/` endpoint. After adding the endpoint, we can see our alias.

We input something and the server returns it back, so this could be an SSTI vulnerability. Let's try some inputs like `{{7*7}}`.

Bingo, the server returns `49`, which means the server is vulnerable to SSTI. Let's try another payload.

The server returns `7777777`, so the server is using the Jinja2 template engine. Let's get RCE and read the flag.

Final payload: ```{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat *').read() }}```

Flag: `CM{Y0u_4r3_a_r3A1Ly_go0D_nINj4}`
### 5. The Shell Shocker


Hmm, a Linux Command Executor; this looks like a Command Injection. I tried inputting some payloads like `ls`, `whoami`, `pwd`, ... but nothing worked. At first, I thought this was a `Blind Command Injection` challenge, but by reading the source code, I realized I was wrong.

You can see the source for the server's backend is lying here: navigating to `/static/script.js`, I got the backend's source code.

```javascript
const commandForm = document.querySelector('#command-form');
const commandInput = document.querySelector('#command-input');
const outputDiv = document.querySelector('#output');
commandForm.addEventListener('submit', async (event) => {
  event.preventDefault();
  const command = commandInput.value;
  const validCommand = /^((uname|echo|pwd|whoami)\s*([-\w\s]*))?$/i.test(command);
  if (!validCommand) {
    outputDiv.textContent = 'Error: Invalid command. Please enter a valid command (uname, echo, pwd, or whoami) with optional arguments and options separated by spaces and hyphens.';
    return;
  }
  try {
    const response = await fetch('/exec', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ command })
    });
    const result = await response.text();
    outputDiv.textContent = result;
  } catch (error) {
    console.error(error);
    outputDiv.textContent = `Error: ${error.message}`;
  }
});
```
So, the command will be executed at `/exec` by sending commands through POST requests.

Let's try sending some requests.

Ahh, there we go, our `flag.txt`. Let's cat it out!

Flag: `CM{c0mMAnd_INjEc7iON_f7w}`
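
The regex in `script.js` runs only in the browser, so it restricts nothing for a client that posts to `/exec` directly; the check has to live on the server. The following is an added example (not the challenge's code) of a Node.js handler core that enforces the allow-list server-side and runs the command without a shell; the per-command argument rules, the length limit and the response shape are assumptions.

```javascript
// Added example, not the challenge's code: the allow-list is enforced on the
// server, because the regex in /static/script.js only runs in the browser.
const { execFile } = require('child_process');

// The four command names come from the page's regex. The argument rules,
// the length limit and the response shape are assumptions for this example.
const POLICY = {
  uname:  { maxArgs: 1, arg: /^-[asnrvmo]+$/ },   // one short option group
  echo:   { maxArgs: 8, arg: /^[A-Za-z0-9_]+$/ }, // plain words only
  pwd:    { maxArgs: 0, arg: null },              // no arguments
  whoami: { maxArgs: 0, arg: null },              // no arguments
};
const MAX_LEN = 128;

// Returns { file, args } for an accepted request, or null for a rejected one.
function parseAllowedCommand(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_LEN) return null;
  // Tokens of [A-Za-z0-9_-] separated by exactly one space; nothing else.
  if (!/^[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*$/.test(input)) return null;
  const [file, ...args] = input.split(' ');
  // Own-property lookup, so names such as "constructor" do not match.
  if (!Object.prototype.hasOwnProperty.call(POLICY, file)) return null;
  const rule = POLICY[file];
  if (args.length > rule.maxArgs) return null;
  if (!args.every((a) => rule.arg.test(a))) return null;
  return { file, args };
}

// Core of a POST /exec handler: takes the raw JSON body, resolves to a response.
function handleExec(rawBody) {
  let command;
  try {
    command = JSON.parse(rawBody).command;
  } catch (e) {
    return Promise.resolve({ status: 400, body: 'Error: malformed request.' });
  }
  const cmd = parseAllowedCommand(command);
  if (!cmd) return Promise.resolve({ status: 400, body: 'Error: Invalid command.' });
  return new Promise((resolve) => {
    // execFile passes the arguments as an argv array and starts no shell,
    // so they are never re-parsed as shell syntax.
    execFile(cmd.file, cmd.args, { timeout: 2000, maxBuffer: 64 * 1024 },
      (err, stdout) => resolve(err
        ? { status: 500, body: 'Error: command failed.' }
        : { status: 200, body: stdout }));
  });
}

// Constructed sample requests: show the decision only, nothing is executed here.
for (const sample of ['whoami', 'echo hello world', 'uname -a', 'ls', 'cat flag.txt']) {
  console.log(JSON.stringify(sample), '->', parseAllowedCommand(sample) ? 'accepted' : 'rejected');
}
```
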
## Reverse Engineering
### 1. Rev is easy!

I checked this file and realized that it was a 64-bit ELF file written in Go.
I looked at this file in IDA and saw the flag in the `main_main` function.

Flag: `CM{ReV_i5_Easy}`
### 2. Go Crazy!!

I downloaded this file and checked what it was.

It's a 64-bit ELF file written in C/C++.
I proceeded to examine its code in the `main` function.

This program has a function that checks the password from the player; if it is correct, it prints out the correct flag.
Looking at the code from the main function above, we see that our password is the string `Killswxtch`.
I ran this file and entered the password.

Flag: `CM{5O_MuCh_7un}`
### 3. Who’s Really Dunked?

Download the PARTY.txt file and take a look.
```
4D$j(!T_9|V6>X!BH$$yo?.A[fH5n*[!<,0=!M1SZT)2'\zz:>$yo7+BmHNKQqD,9[iI*h-mE_^^k;U67R;;oI1SZT)(9GxI-G;Ko7.1DLE@iAlo:@iLp\+2DLRc$o+%3][_twZNE;8]lI!a-A\io..B9bQ09FZ{88R&ODYh$D8ak;U67R;;oLX44(EB=<g5:@iLp\+2E_WN9F!B-=$T{{[C@J8a>H!V5)R#K1.1?GNTg^>N-=#H!E.2)1Rm;A%T8VQF(!2F:$GK(205%ZjF]/PilCeCQqg56N\mi^T_JeE?$o%T5't@.ePlm@RZ&pu.5f04o9Y9UAo&)0V!<o1v4A$<\@e4,>3V4D\n!ATa?S8]'$aL7/%*'w-l#;NN>a0m-?;;me.Q.XJx<w0^-A\io.+cm8IH9FdM86R&tx-+#/J7SXre@}%A4A']!c8akuu>:aiQ)B-<y>^l'U0^9Y$Hty[#>oT(TF3MF{%kH01AJNM*Skx*5,#HaNTafl)-$n!B-=#GODYkmXSDU#0c8WuYAW--??Q5'}aL8Wt+OFWomaH:;Aat-Ctti^[BDVTm)g#3HD%A4A']!c8X$n!B-=#GODYkmXSDU#0c8WuYAW--??Q5()i{9[[a,-,iDylx)Wo>@as{y3+Q?EQ:SjfrH-[a2yPk!c8X$n!B-=#GO3']!c8akuu07S$}oI^TZT)(9F!B-=#GO3']!c8X$n!B-Dj]O_-,[jJwTEl{5%$Hy)+r#WJ|=R!h6,gx#iXSJ^UD9F!B-=#GO3']!c8X$n!B-@\])5+cm8IM+P!Y7Q:{PjXSJ^U[P0>;%U#GO3']!c8X$n!B-=#GOR2T$LOt=:zk-A/L&XZ}#QO+()iw-?tKi\'^3|Q{Sa!c84$T{{[C>oT(TF3M9wZcO3']!c8X$n!B-=#GO3'^[M8fliU>:al'{v'bhto&)0u2;GRWCx/ClC8X$n!B-=#GO3']!c8X$n!B-=$Hy)+r#|o&)0u2;GQ.:O$<Z{8X$n!B-=#GO3']!c8X(qFa&W9vO3']!c8X$n!B-=#GO3,7J*_DjwuB5%]J!25'ht8eBCu29]]::F'_fl)-$n!B-=#GO3']!c8X$n!B-=#GpbWoOdbX$oS'7QiM)G*O)z+1Qo!B-=#GO3']!c8X$n!B=JZc4A']!c8X$n!B-=#GO3']!cJxiBdN3^]Ao0Y)4(H(+RDy-C2R{u,7??NO?]fr<fZcO3']!c8X$n!B-=#GO3']!c8X&pu.5f%{a(0?PFFeSaaW:D1v4A']!c8X$n!B-=#GO3']!cXt9EFa-=#GO3']!c8X$n!B-=#GpbWoOdbX$oRa>[9)0.Pk!c8X$n!B-=#GO3']!c8hW<#96,hlwV,7J*Ra=:!V8WiE*mXS>oJ6U!ia7r;SlKXT95Ra=:!X;h/[lQXS>oJ6U!iM%U#GO3']!c8X$n!B-=#GO=-<xtRZ&i<%5'R&o8d{.gJ2+P!tFAv1n+a^:gf**]9[E]:opt_g?7j1SR3LE>&KVY3k4!h(<x+O3cv5mn+UE|k#+!#.5M\UPbb#:cEIAV]{&W9vO3']!c8X$n!B-=#GO3,7J*_A<w-s@^tKi\1O$Do9$nab8whm)@+FJNQ|@9!o&W9vO3']!c8X$n!B-=#GO3']!c8]'\zz8W\]K-Z=Pw[;T]zn9[;T*iWp?GO2lQOC/*/[O>Yi.N8^U$;_>R%zO>Yi.Na2P0>N-=#GO3']!c8X$n!B-=%IO>,i9b8d#/>N-=#GO3']!c8X$n!B-=#GO3'^9vNO'\u2Bj])r8]@PFFg'v+%4D[_pbWoQ'8Y>H>N3^$4tw_H)UmW9F!B-=#GO3']!c8X$n!B-Bg*08']!c8X$n!B-=#H624\lC8X$n!B-=#H624\lC8X$n!qA*9)0O$<ZT)<W<#<:bt()B-<x+Rc$nZ{7t0A)@'];-r$*U.C-@/L'xQ=[MSFk,0c8Ws2sK-}VTJzl93\@}%A4A']!c8ak<0o9\s2lP\()/O:=++%
3_\]p\-}VT^_'$UcE=^'D:[C(kEB=;dA880A)Q2E?GIRU#1$@?/\/.1SZT)8P0>;%\j]O5.1.eRZ()iw-?QQi^YiE/IRP0>c6,hlwr^TJ
```
Decoding using base92.
```
4@?DE 4CJAE@ l C6BF:C6WV4CJAE@VXj
4@?DE C625=:?6 l C6BF:C6WVC625=:?6VXj
^^ rC62E6 2? :?E6C7246 E@ C625 :?AFE 7C@> E96 FD6C
4@?DE C= l C625=:?6]4C62E6x?E6C7246WL
:?AFEi AC@46DD]DE5:?[
@FEAFEi AC@46DD]DE5@FE
NXj
^^ x?:E:2= 7=28 AC67:I
=6E 7=28!C67:I l Qr|LQj
^^ uF?4E:@? E@ 4964< FD6C :?AFED 2?5 G2=:52E6 E96 7=28
7F?4E:@? 4964<WX L
C=]BF6DE:@?WVt?E6C 7:CDE G2=F6i V[ WG2=F6~?6X lm L
C=]BF6DE:@?WVt?E6C D64@?5 G2=F6i V[ WG2=F6%H@X lm L
C=]BF6DE:@?WVt?E6C E9:C5 G2=F6i V[ WG2=F6%9C66X lm L
C=]4=@D6WXj
^^ x?:E:2=:K6 7=28 H:E9 E96 AC67:I
=6E 7=28 l 7=28!C67:Ij
^^ pAA6?5 A2CED E@ E96 7=28 32D65 @? :?AFE G2=F6D
:7 WG2=F6~?6 lll Q}6HDQX L
7=28 Zl Q}6HD0Qj
N
:7 WG2=F6%H@ lll Qp=6CEDQX L
7=28 Zl Qp=6CED0Qj
N
:7 WG2=F6%9C66 lll Qx?4:56?EQX L
7=28 Zl Qx?4:56?EQj
N
7=28 Zl QNQj
^^ r964< :7 E96 4@>AFE65 92D9 >2E496D E96 6IA64E65 92D9
4@?DE 6IA64E65w2D9 l Qg_d5eddf_dbhfeb57a_52e23f5dheefe33b52c`2_e526fefdf`g7e4a3fdd2ag5Q
:7 W92D9W7=28X lll 6IA64E65w2D9X L
4@?D@=6]=@8WQr@?8C2EF=2E:@?DP %96 7=28 :Di Q Z 7=28Xj
N 6=D6 L
4@?D@=6]=@8WQx?4@CC64E 7=28] %CJ 282:?]QXj
N
NXj
NXj
NXj
N
^^ uF?4E:@? E@ 4@>AFE6 $wp\ade 92D9
7F?4E:@? 92D9W:?AFEX L
C6EFC? 4CJAE@]4C62E6w2D9WVD92adeVX]FA52E6W:?AFEX]5:86DEWV96IVXj
N
^^ $E2CE E96 492==6?86
4964<WXj
```
Then decode with ROT47.
```javascript
const crypto = require('crypto');
const readline = require('readline');
// Create an interface to read input from the user
const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout
});
// Initial flag prefix
let flagPrefix = "CM{";
// Function to check user inputs and validate the flag
function check() {
  rl.question('Enter first value: ', (valueOne) => {
    rl.question('Enter second value: ', (valueTwo) => {
      rl.question('Enter third value: ', (valueThree) => {
        rl.close();
        // Initialize flag with the prefix
        let flag = flagPrefix;
        // Append parts to the flag based on input values
        if (valueOne === "News") {
          flag += "News_";
        }
        if (valueTwo === "Alerts") {
          flag += "Alerts_";
        }
        if (valueThree === "Incident") {
          flag += "Incident";
        }
        flag += "}";
        // Check if the computed hash matches the expected hash
        const expectedHash = "805d65570539763df20da6ab7d596676bb3da41a06dae7675718f6c2b755a28d"
        if (hash(flag) === expectedHash) {
          console.log("Congratulations! The flag is: " + flag);
        } else {
          console.log("Incorrect flag. Try again.");
        }
      });
    });
  });
}
// Function to compute SHA-256 hash
function hash(input) {
  return crypto.createHash('sha256').update(input).digest('hex');
}
// Start the challenge
check();
```
Reading through the code, to get the flag I need to enter the 3 values correctly.

Flag: `CM{News_Alerts_Incident}`
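
The ROT47 step above, as an added example that is not part of the original writeup: a decoder applied to lines copied from the base92-decoded text. It goes one step further and reads the flag out of the decoded source statically, so the recovered script never has to be executed; the helper name `recoverFlag` and its regexes are assumptions that fit this particular script.

```javascript
// Added example: ROT47 decoder for the second layer of PARTY.txt.
// ROT47 rotates the 94 printable ASCII characters '!' (33) .. '~' (126)
// by 47 positions; spaces, newlines and non-ASCII are left unchanged.
function rot47(text) {
  let out = '';
  for (const ch of text) {
    const c = ch.codePointAt(0);
    out += (c >= 33 && c <= 126)
      ? String.fromCharCode(33 + ((c - 33 + 47) % 94))
      : ch;
  }
  return out;
}

// Lines copied from the base92-decoded text shown above (not the whole file).
const ENCODED = [
  '4@?DE 4CJAE@ l C6BF:C6WV4CJAE@VXj',
  '=6E 7=28!C67:I l Qr|LQj',
  '=6E 7=28 l 7=28!C67:Ij',
  ':7 WG2=F6~?6 lll Q}6HDQX L',
  '7=28 Zl Q}6HD0Qj',
  'N',
  ':7 WG2=F6%H@ lll Qp=6CEDQX L',
  '7=28 Zl Qp=6CED0Qj',
  'N',
  ':7 WG2=F6%9C66 lll Qx?4:56?EQX L',
  '7=28 Zl Qx?4:56?EQj',
  'N',
  '7=28 Zl QNQj',
].join('\n');

// Hypothetical helper: rebuild the flag from the decoded source by collecting
// the prefix literal and every `flag += "..."` literal, in source order.
// Returns null when the source does not have the expected shape.
function recoverFlag(decodedSource) {
  const prefix = /flagPrefix = "([^"]*)";/.exec(decodedSource);
  if (!prefix) return null;
  const parts = [...decodedSource.matchAll(/flag \+= "([^"]*)";/g)].map((m) => m[1]);
  return prefix[1] + parts.join('');
}

const decoded = rot47(ENCODED);
console.log(decoded);
console.log('flag:', recoverFlag(decoded));
```

Because 47 is half of 94, applying `rot47` twice returns the original text, so the same function encodes and decodes.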
### 4. The Key to Nowhere

I downloaded the file and checked it.

This file is a 64-bit ELF file written in C/C++.
I went to the main function to check and saw nothing, so I tried stepping into the function `sub_403A50(v4, a2, a3);` here.

It seems that the file has been encapsulated by `pyinstxtractor`.
I found out how to open this package using the Python tool here:
https://github.com/extremecoders-re/pyinstxtractor/blob/master/pyinstxtractor.py
I used this Python program to open this package.
```python
"""
PyInstaller Extractor v2.0 (Supports pyinstaller 6.9.0, 6.8.0, 6.7.0, 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.0, 6.0.0, 5.13.2, 5.13.1, 5.13.0, 5.12.0, 5.11.0, 5.10.1, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.2, 5.6.1, 5.6, 5.5, 5.4.1, 5.4, 5.3, 5.2, 5.1, 5.0.1, 5.0, 4.10, 4.9, 4.8, 4.7, 4.6, 4.5.1, 4.5, 4.4, 4.3, 4.2, 4.1, 4.0, 3.6, 3.5, 3.4, 3.3, 3.2, 3.1, 3.0, 2.1, 2.0)
Author : Extreme Coders
E-mail : extremecoders(at)hotmail(dot)com
Web : https://0xec.blogspot.com
Date : 26-March-2020
Url : https://github.com/extremecoders-re/pyinstxtractor
For any suggestions, leave a comment on
https://forum.tuts4you.com/topic/34455-pyinstaller-extractor/
This script extracts a pyinstaller generated executable file.
Pyinstaller installation is not needed. The script has it all.
For best results, it is recommended to run this script in the
same version of python as was used to create the executable.
This is just to prevent unmarshalling errors(if any) while
extracting the PYZ archive.
Usage : Just copy this script to the directory where your exe resides
and run the script with the exe file name as a parameter
C:\\path\\to\\exe\\>python pyinstxtractor.py <filename>
$ /path/to/exe/python pyinstxtractor.py <filename>
Licensed under GNU General Public License (GPL) v3.
You are free to modify this source.
CHANGELOG
================================================
Version 1.1 (Jan 28, 2014)
-------------------------------------------------
- First Release
- Supports only pyinstaller 2.0
Version 1.2 (Sept 12, 2015)
-------------------------------------------------
- Added support for pyinstaller 2.1 and 3.0 dev
- Cleaned up code
- Script is now more verbose
- Executable extracted within a dedicated sub-directory
(Support for pyinstaller 3.0 dev is experimental)
Version 1.3 (Dec 12, 2015)
-------------------------------------------------
- Added support for pyinstaller 3.0 final
- Script is compatible with both python 2.x & 3.x (Thanks to Moritz Kroll @ Avira Operations GmbH & Co. KG)
Version 1.4 (Jan 19, 2016)
-------------------------------------------------
- Fixed a bug when writing pyc files >= version 3.3 (Thanks to Daniello Alto: https://github.com/Djamana)
Version 1.5 (March 1, 2016)
-------------------------------------------------
- Added support for pyinstaller 3.1 (Thanks to Berwyn Hoyt for reporting)
Version 1.6 (Sept 5, 2016)
-------------------------------------------------
- Added support for pyinstaller 3.2
- Extractor will use a random name while extracting unnamed files.
- For encrypted pyz archives it will dump the contents as is. Previously, the tool would fail.
Version 1.7 (March 13, 2017)
-------------------------------------------------
- Made the script compatible with python 2.6 (Thanks to Ross for reporting)
Version 1.8 (April 28, 2017)
-------------------------------------------------
- Support for sub-directories in .pyz files (Thanks to Moritz Kroll @ Avira Operations GmbH & Co. KG)
Version 1.9 (November 29, 2017)
-------------------------------------------------
- Added support for pyinstaller 3.3
- Display the scripts which are run at entry (Thanks to Michael Gillespie @ malwarehunterteam for the feature request)
Version 2.0 (March 26, 2020)
-------------------------------------------------
- Project migrated to github
- Supports pyinstaller 3.6
- Added support for Python 3.7, 3.8
- The header of all extracted pyc's are now automatically fixed
"""

from __future__ import print_function
import os
import struct
import marshal
import zlib
import sys
from uuid import uuid4 as uniquename


class CTOCEntry:
    def __init__(self, position, cmprsdDataSize, uncmprsdDataSize, cmprsFlag, typeCmprsData, name):
        self.position = position
        self.cmprsdDataSize = cmprsdDataSize
        self.uncmprsdDataSize = uncmprsdDataSize
        self.cmprsFlag = cmprsFlag
        self.typeCmprsData = typeCmprsData
        self.name = name


class PyInstArchive:
    PYINST20_COOKIE_SIZE = 24 # For pyinstaller 2.0
    PYINST21_COOKIE_SIZE = 24 + 64 # For pyinstaller 2.1+
    MAGIC = b'MEI\014\013\012\013\016' # Magic number which identifies pyinstaller

    def __init__(self, path):
        self.filePath = path
        self.pycMagic = b'\0' * 4
        self.barePycList = [] # List of pyc's whose headers have to be fixed

    def open(self):
        try:
            self.fPtr = open(self.filePath, 'rb')
            self.fileSize = os.stat(self.filePath).st_size
        except:
            print('[!] Error: Could not open {0}'.format(self.filePath))
            return False
        return True

    def close(self):
        try:
            self.fPtr.close()
        except:
            pass

    def checkFile(self):
        print('[+] Processing {0}'.format(self.filePath))
        searchChunkSize = 8192
        endPos = self.fileSize
        self.cookiePos = -1
        if endPos < len(self.MAGIC):
            print('[!] Error : File is too short or truncated')
            return False
        while True:
            startPos = endPos - searchChunkSize if endPos >= searchChunkSize else 0
            chunkSize = endPos - startPos
            if chunkSize < len(self.MAGIC):
                break
            self.fPtr.seek(startPos, os.SEEK_SET)
            data = self.fPtr.read(chunkSize)
            offs = data.rfind(self.MAGIC)
            if offs != -1:
                self.cookiePos = startPos + offs
                break
            endPos = startPos + len(self.MAGIC) - 1
            if startPos == 0:
                break
        if self.cookiePos == -1:
            print('[!] Error : Missing cookie, unsupported pyinstaller version or not a pyinstaller archive')
            return False
        self.fPtr.seek(self.cookiePos + self.PYINST20_COOKIE_SIZE, os.SEEK_SET)
        if b'python' in self.fPtr.read(64).lower():
            print('[+] Pyinstaller version: 2.1+')
            self.pyinstVer = 21 # pyinstaller 2.1+
        else:
            self.pyinstVer = 20 # pyinstaller 2.0
            print('[+] Pyinstaller version: 2.0')
        return True

    def getCArchiveInfo(self):
        try:
            if self.pyinstVer == 20:
                self.fPtr.seek(self.cookiePos, os.SEEK_SET)
                # Read CArchive cookie
                (magic, lengthofPackage, toc, tocLen, pyver) = \
                struct.unpack('!8siiii', self.fPtr.read(self.PYINST20_COOKIE_SIZE))
            elif self.pyinstVer == 21:
                self.fPtr.seek(self.cookiePos, os.SEEK_SET)
                # Read CArchive cookie
                (magic, lengthofPackage, toc, tocLen, pyver, pylibname) = \
                struct.unpack('!8sIIii64s', self.fPtr.read(self.PYINST21_COOKIE_SIZE))
        except:
            print('[!] Error : The file is not a pyinstaller archive')
            return False
        self.pymaj, self.pymin = (pyver//100, pyver%100) if pyver >= 100 else (pyver//10, pyver%10)
        print('[+] Python version: {0}.{1}'.format(self.pymaj, self.pymin))
        # Additional data after the cookie
        tailBytes = self.fileSize - self.cookiePos - (self.PYINST20_COOKIE_SIZE if self.pyinstVer == 20 else self.PYINST21_COOKIE_SIZE)
        # Overlay is the data appended at the end of the PE
        self.overlaySize = lengthofPackage + tailBytes
        self.overlayPos = self.fileSize - self.overlaySize
        self.tableOfContentsPos = self.overlayPos + toc
        self.tableOfContentsSize = tocLen
        print('[+] Length of package: {0} bytes'.format(lengthofPackage))
        return True

    def parseTOC(self):
        # Go to the table of contents
        self.fPtr.seek(self.tableOfContentsPos, os.SEEK_SET)
        self.tocList = []
        parsedLen = 0
        # Parse table of contents
        while parsedLen < self.tableOfContentsSize:
            (entrySize, ) = struct.unpack('!i', self.fPtr.read(4))
            nameLen = struct.calcsize('!iIIIBc')
            (entryPos, cmprsdDataSize, uncmprsdDataSize, cmprsFlag, typeCmprsData, name) = \
            struct.unpack( \
                '!IIIBc{0}s'.format(entrySize - nameLen), \
                self.fPtr.read(entrySize - 4))
            try:
                name = name.decode("utf-8").rstrip("\0")
            except UnicodeDecodeError:
                newName = str(uniquename())
                print('[!] Warning: File name {0} contains invalid bytes. Using random name {1}'.format(name, newName))
                name = newName
            # Prevent writing outside the extraction directory
            if name.startswith("/"):
                name = name.lstrip("/")
            if len(name) == 0:
                name = str(uniquename())
                print('[!] Warning: Found an unamed file in CArchive. Using random name {0}'.format(name))
            self.tocList.append( \
                                CTOCEntry( \
                                    self.overlayPos + entryPos, \
                                    cmprsdDataSize, \
                                    uncmprsdDataSize, \
                                    cmprsFlag, \
                                    typeCmprsData, \
                                    name \
                                ))
            parsedLen += entrySize
        print('[+] Found {0} files in CArchive'.format(len(self.tocList)))

    def _writeRawData(self, filepath, data):
        nm = filepath.replace('\\', os.path.sep).replace('/', os.path.sep).replace('..', '__')
        nmDir = os.path.dirname(nm)
        if nmDir != '' and not os.path.exists(nmDir): # Check if path exists, create if not
            os.makedirs(nmDir)
        with open(nm, 'wb') as f:
            f.write(data)

    def extractFiles(self):
        print('[+] Beginning extraction...please standby')
        extractionDir = os.path.join(os.getcwd(), os.path.basename(self.filePath) + '_extracted')
        if not os.path.exists(extractionDir):
            os.mkdir(extractionDir)
        os.chdir(extractionDir)
        for entry in self.tocList:
            self.fPtr.seek(entry.position, os.SEEK_SET)
            data = self.fPtr.read(entry.cmprsdDataSize)
            if entry.cmprsFlag == 1:
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    print('[!] Error : Failed to decompress {0}'.format(entry.name))
                    continue
                # Malware may tamper with the uncompressed size
                # Comment out the assertion in such a case
                assert len(data) == entry.uncmprsdDataSize # Sanity Check
            if entry.typeCmprsData == b'd' or entry.typeCmprsData == b'o':
                # d -> ARCHIVE_ITEM_DEPENDENCY
                # o -> ARCHIVE_ITEM_RUNTIME_OPTION
                # These are runtime options, not files
                continue
            basePath = os.path.dirname(entry.name)
            if basePath != '':
                # Check if path exists, create if not
                if not os.path.exists(basePath):
                    os.makedirs(basePath)
            if entry.typeCmprsData == b's':
                # s -> ARCHIVE_ITEM_PYSOURCE
                # Entry point are expected to be python scripts
                print('[+] Possible entry point: {0}.pyc'.format(entry.name))
                if self.pycMagic == b'\0' * 4:
                    # if we don't have the pyc header yet, fix them in a later pass
                    self.barePycList.append(entry.name + '.pyc')
                self._writePyc(entry.name + '.pyc', data)
            elif entry.typeCmprsData == b'M' or entry.typeCmprsData == b'm':
                # M -> ARCHIVE_ITEM_PYPACKAGE
                # m -> ARCHIVE_ITEM_PYMODULE
                # packages and modules are pyc files with their header intact
                # From PyInstaller 5.3 and above pyc headers are no longer stored
                # https://github.com/pyinstaller/pyinstaller/commit/a97fdf
                if data[2:4] == b'\r\n':
                    # < pyinstaller 5.3
                    if self.pycMagic == b'\0' * 4:
                        self.pycMagic = data[0:4]
                    self._writeRawData(entry.name + '.pyc', data)
                else:
                    # >= pyinstaller 5.3
                    if self.pycMagic == b'\0' * 4:
                        # if we don't have the pyc header yet, fix them in a later pass
                        self.barePycList.append(entry.name + '.pyc')
                    self._writePyc(entry.name + '.pyc', data)
            else:
                self._writeRawData(entry.name, data)
                if entry.typeCmprsData == b'z' or entry.typeCmprsData == b'Z':
                    self._extractPyz(entry.name)
        # Fix bare pyc's if any
        self._fixBarePycs()

    def _fixBarePycs(self):
        for pycFile in self.barePycList:
            with open(pycFile, 'r+b') as pycFile:
                # Overwrite the first four bytes
                pycFile.write(self.pycMagic)

    def _writePyc(self, filename, data):
        with open(filename, 'wb') as pycFile:
            pycFile.write(self.pycMagic) # pyc magic
            if self.pymaj >= 3 and self.pymin >= 7: # PEP 552 -- Deterministic pycs
                pycFile.write(b'\0' * 4) # Bitfield
                pycFile.write(b'\0' * 8) # (Timestamp + size) || hash
            else:
                pycFile.write(b'\0' * 4) # Timestamp
                if self.pymaj >= 3 and self.pymin >= 3:
                    pycFile.write(b'\0' * 4) # Size parameter added in Python 3.3
            pycFile.write(data)

    def _extractPyz(self, name):
        dirName = name + '_extracted'
        # Create a directory for the contents of the pyz
        if not os.path.exists(dirName):
            os.mkdir(dirName)
        with open(name, 'rb') as f:
            pyzMagic = f.read(4)
            assert pyzMagic == b'PYZ\0' # Sanity Check
            pyzPycMagic = f.read(4) # Python magic value
            if self.pycMagic == b'\0' * 4:
                self.pycMagic = pyzPycMagic
            elif self.pycMagic != pyzPycMagic:
                self.pycMagic = pyzPycMagic
                print('[!] Warning: pyc magic of files inside PYZ archive are different from those in CArchive')
            # Skip PYZ extraction if not running under the same python version
            if self.pymaj != sys.version_info.major or self.pymin != sys.version_info.minor:
                print('[!] Warning: This script is running in a different Python version than the one used to build the executable.')
                print('[!] Please run this script in Python {0}.{1} to prevent extraction errors during unmarshalling'.format(self.pymaj, self.pymin))
                print('[!] Skipping pyz extraction')
                return
            (tocPosition, ) = struct.unpack('!i', f.read(4))
            f.seek(tocPosition, os.SEEK_SET)
            try:
                toc = marshal.load(f)
            except:
                print('[!] Unmarshalling FAILED. Cannot extract {0}. Extracting remaining files.'.format(name))
                return
            print('[+] Found {0} files in PYZ archive'.format(len(toc)))
            # From pyinstaller 3.1+ toc is a list of tuples
            if type(toc) == list:
                toc = dict(toc)
            for key in toc.keys():
                (ispkg, pos, length) = toc[key]
                f.seek(pos, os.SEEK_SET)
                fileName = key
                try:
                    # for Python > 3.3 some keys are bytes object some are str object
                    fileName = fileName.decode('utf-8')
                except:
                    pass
                # Prevent writing outside dirName
                fileName = fileName.replace('..', '__').replace('.', os.path.sep)
                if ispkg == 1:
                    filePath = os.path.join(dirName, fileName, '__init__.pyc')
                else:
                    filePath = os.path.join(dirName, fileName + '.pyc')
                fileDir = os.path.dirname(filePath)
                if not os.path.exists(fileDir):
                    os.makedirs(fileDir)
                try:
                    data = f.read(length)
                    data = zlib.decompress(data)
                except:
                    print('[!] Error: Failed to decompress {0}, probably encrypted. Extracting as is.'.format(filePath))
                    open(filePath + '.encrypted', 'wb').write(data)
                else:
                    self._writePyc(filePath, data)


def main():
    if len(sys.argv) < 2:
        print('[+] Usage: pyinstxtractor.py <filename>')
    else:
        arch = PyInstArchive(sys.argv[1])
        if arch.open():
            if arch.checkFile():
                if arch.getCArchiveInfo():
                    arch.parseTOC()
                    arch.extractFiles()
                    arch.close()
                    print('[+] Successfully extracted pyinstaller archive: {0}'.format(sys.argv[1]))
                    print('')
                    print('You can now use a python decompiler on the pyc files within the extracted directory')
                    return
            arch.close()


if __name__ == '__main__':
    main()
```
I copied this code and ran it on Linux.
Format: `pyinstraxtor.py wkwkwkkw`.

If successful, it will show up like this. As the next step, I went to the folder `wkwkwkkw_extracted`.
I converted the 3.pyc file to 3.py using pylingual.io.
https://pylingual.io/
Here's the code of 3.py.

I ran it and the flag was printed.

Flag: `CM{R3V_D4T4_H3rO}`
### 5. Awwwwwwwwwwwwwww!!

Download these 2 files to your device and take a look.
`Awaaaaaaaa.png`

`Awwwww.txt`
```
awa awa awa awawawa awa awawawawa awa awawawa awa awa awa awawa awa awa awawawa awa awa awa awawawa awa awawawa awa awa awawa awa awa awa awawawa awa awa awa awa awawa awa awawawa awa awa awawawa awa awa awawawa awa awa awawa awawa awa awawawa awa awa awa awawawa awa awawawa awa awawa awawa awa awa awawawa awawa awawa awa awa awa awawawa awawa awawawa awa awa awawawa awawawa awa awawa awa awawawa awa awa awa awawawa awa awawawa awa awa awa awa awa awa awa awawawa awa awa awa awa awa awa awa awawawa awa awa awa awawa awa awa awawawa awa awa awa awawawa awa awawawa awa awa awawa awa awa awa awawawa awa awa awa awa awawa awa awawawa awa awa awawawa awa awa awawawa awa awa awawa awawa awa awawawa awa awa awa awawawa awa awawawa awa awawa awawa awa awa awawawa awawa awawa awa awa awa awawawa awawa awawawa awa awa awawawa awawawa awa awawa awa awawawa awa awa awa awawawa awa awawawa awa awa awa awa awa awa awa awawawa awa awa awa awa awa awa awa awawawa awa awa awa awa awa awa awa awawawa awawa awa awa awa awa awa awawawa awawawa awawa awa awa awawawa awawawawawawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa awa awa awa awawa
```
From the image above, I can see that perhaps the input is the correct flag and that the awa code turns it into the output.
When a flag is entered as the input, it is scrambled into the output.
After researching, I wrote Python code to decode the input.
```python
# Determine the index order after shuffling: entering input_str into the
# AWA5.0 program makes it print output_str
input_str = "1234567890_wrtyuioasdfghjlcbnm,."
output_str = "u_ioasd3fg6h9jwl52cb7nm,.t1480ry"

# List of indexes after scrambling:
# seq[k] is the input position of the character found at output position k
seq = [input_str.index(ch) for ch in output_str]

# Scrambled flag body
awa = "owoosHiai1w1aia_awJ3ally!0awwa_o"

# Undo the shuffle: the character at output position k goes back to position seq[k]
redacted = [""] * len(awa)
for k, src in enumerate(seq):
    redacted[src] = awa[k]

flag_body = "".join(redacted)
print(f"CM{{{flag_body}}}")
```
These are the input and output.

After running the above code, we've got our flag.

Flag: `CM{awawawawaawa_0oooosHii11i_J3lly!}`
## Crypto
### 1. Green Flags 🟢.

I downloaded the *.png file to my computer, looked at it, and saw that this was the Navy Signals Code.

https://www.dcode.fr/maritime-signals-code
Decoding according to the photo, I got the flag in the format the question asks for.

Flag: `CM{NATO_SIGNALS}`
### 2. I can't see it

The assignment gave me a piece of text drawn in what looks like the Braille alphabet.
I tried decoding it here:
https://www.dcode.fr/braille-alphabet
After decoding, I had the flag.

Flag: `CM{TH15_BR41LL3_1S_43AL}`
### 3. Digital Black Hole

I downloaded the image file to my computer but couldn't open it, so I switched to Linux to see what this file is.
```
cRYPTO.PNG: ASCII text, with very long lines (18134), with no line terminators
```
I renamed the file from .png to .txt.
This file contains a batch of 8-bit binary values separated by ",". I tried to convert these binary values to text. But first I need the signature bait, in Python.
```python
def remove_commas(s):
    return s.replace(",", " ")
input_str = "00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,0011000
0,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,
00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00
101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,0011
0000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,001100
01,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100
,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,0
0110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,001
10000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110000,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000,00101100,00110
000,00110000,00110001,00110001,00110000,00110000,00110000,00110001,00101100,00110000,00110000,00110001,00110001,00110000,00110000,00110000,00110000"
result = remove_commas(input_str)
print(result)
```
Converting the binary to text yields another run of binary values, so I strip the "," signs again and convert to text once more.
Repeating this 2 more times gives the following string.
```
8SNZ9Rn1LCYmWnr5DVLcyhZ
```
Decode it as Base62 to get the flag.
Flag: `CM{N0t_64_Alway5}`
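The repeated strip-commas-and-convert step can be automated. This is an added example, not the challenge's or the author's code: `wrap` builds a constructed sample (the string above re-encoded three times) and `peel` removes layers until the text is no longer comma-separated 8-bit binary. Base62 decoding stays as the final manual step.

```python
import re

# One layer looks like "00110001,00110000,...": 8-bit groups joined by commas.
# The comma itself becomes 00101100 in the next layer up, which is why every
# decoded layer is again a comma-separated list.
_LAYER = re.compile(r"[01]{8}(?:,[01]{8})*")


def wrap(text, depth):
    """Constructed sample builder: encode `text` as binary groups `depth` times."""
    for _ in range(depth):
        text = ",".join(f"{ord(ch):08b}" for ch in text)
    return text


def peel(text, max_depth=16):
    """Undo binary layers one at a time; return (inner_text, layers_removed)."""
    depth = 0
    while depth < max_depth and _LAYER.fullmatch(text.strip()):
        groups = text.strip().split(",")
        text = "".join(chr(int(group, 2)) for group in groups)
        depth += 1
    return text, depth


if __name__ == "__main__":
    sample = wrap("8SNZ9Rn1LCYmWnr5DVLcyhZ", 3)  # constructed input
    inner, layers = peel(sample)
    print(f"{layers} layer(s) removed -> {inner}")
```

The `max_depth` guard stops the loop if the innermost text itself happens to look like another binary layer.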
### 4. Dear Trithemius,

Try looking at the source file `lovelettter.go` and the file `Dear_Trithemius.txt`.
```python=
def to_my_honey(owo):
    # Map 'A'..'Z' to 0..25
    return ord(owo) - 0x41

def from_your_lover(uwu):
    # Map a number back to 'A'..'Z' (mod 26)
    return chr(uwu % 26 + 0x41)

def encrypt(billet_doux):
    letter = ''
    for heart in range(len(billet_doux)):
        letters = billet_doux[heart]
        if not letters.isalpha():
            owo = letters  # non-letters pass through unchanged
        else:
            uwu = to_my_honey(letters)
            owo = from_your_lover(uwu + heart)  # shift each letter by its index
        letter += owo
    return letter

m = "imissyou"
c = encrypt(m)
print(c)
```
At first glance, this is actually Python code, so we need to write a matching decoder. I wrote one, shown further below.
First, open the `Dear_Trithemius.txt` file.
```
Dear Trithe,
As I write this, my heart brims with emotions that words struggle to express. I feel compelled to share my feelings with you, hoping they reach you as deeply as they reside in me.
From the moment we met, I sensed that our bond was unique, as if the universe itself had brought us together. Each day, my admiration for you grows. Your kindness, your intellect, and your laughter are just a few of the many things that captivate me.
I treasure every memory we've made together, from our first meeting to our countless conversations. I’ll never forget the bliss of hearing you whisper those special words: “LPXH_Z_AZRDSQZWJI” They echo in my heart, reminding me of the precious gift you are.
You are my confidante, my rock, my soulmate. I love you for your strength, your vulnerability, and the way you make me a better person.
With all my heart, I promise to cherish and love you always.
Yours forever,
Siegfried
```
The letter contains the message I needed to decipher: `LPXH_Z_AZRDSQZWJI`.
Proceed with decryption.
```python=
def to_my_honey(owo):
    return ord(owo) - 0x41

def from_your_lover(uwu):
    return chr(uwu % 26 + 0x41)

# Decoding Function
def decrypt(encrypted_text):
    decrypted = ''
    for heart in range(len(encrypted_text)):
        letters = encrypted_text[heart]
        if not letters.isalpha():
            owo = letters
        else:
            uwu = to_my_honey(letters)
            owo = from_your_lover(uwu - heart)  # Reversing the addition of the index (heart) when encoding
        decrypted += owo
    return decrypted

# Encoded String
encrypted_message = "LPXH_Z_AZRDSQZWJI"
# Decrypt
original_message = decrypt(encrypted_message)
# original_message is the one-pass result (LOVE_U_TRITHEMIUS); the print below
# runs decrypt() on it a second time, which produces the value in the flag line.
print(f"CM{{{decrypt(original_message)}}}")
```

Flag: `CM{LNTB_P_MJZJWSZUFC}`
### 5. My Secret X 'V' My Secret Y

This challenge gave me what looked like a hex string and a Seek. I think they're hiding a key that has to be XORed with the given hex string.
To solve this, we need to convert the hex string to characters and run an XOR brute force.
Here is the given hex string after conversion to characters:
```
hfPCtSytYtHyQrV
```
Run CyberChef's XOR Brute Force on it:
https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(1,100,0,'Standard',false,true,false,'')&input=aGZQf0MYHhh0Uxt5dB9ZGHRIeR9RclY
At Key = 2b, the flag appears.

Flag: `CM{Th353_x0R_4r3_cR4zY}`
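The same single-byte XOR brute force in Python, as an added example that is not part of the original writeup. The ciphertext is the Base64 `input=` value from the CyberChef link above, which keeps the non-printable bytes that the character dump leaves out; the `CM{` crib is an assumption taken from the flag format used throughout the CTF.

```python
import base64
import string

# Unpadded Base64 copied from the `input=` parameter of the CyberChef link.
CIPHERTEXT_B64 = "aGZQf0MYHhh0Uxt5dB9ZGHRIeR9RclY"
CRIB = b"CM{"  # assumption: the plaintext starts with the flag prefix
PRINTABLE = set(string.printable.encode())


def load_ciphertext(b64):
    """Decode Base64 whose '=' padding was stripped (as in the URL)."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def xor(data, key):
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def brute_force(ct, crib=CRIB):
    """Try all 256 keys; keep fully printable outputs that start with the crib."""
    hits = []
    for key in range(256):
        pt = xor(ct, key)
        if pt.startswith(crib) and all(b in PRINTABLE for b in pt):
            hits.append((key, pt.decode("ascii")))
    return hits


def key_from_crib(ct, crib=CRIB):
    """Known-plaintext shortcut: c ^ p = k, so every crib byte must agree on k."""
    keys = {c ^ p for c, p in zip(ct, crib)}
    return keys.pop() if len(keys) == 1 else None


if __name__ == "__main__":
    ct = load_ciphertext(CIPHERTEXT_B64)
    for key, plaintext in brute_force(ct):
        print(f"key=0x{key:02x} -> {plaintext}")
    print(f"key recovered from crib: 0x{key_from_crib(ct):02x}")
```

When the first plaintext bytes are known, `key_from_crib` recovers the key without any search, and the brute force only serves to confirm it.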
## Osint
### 1. CyberMaterial’s Cyber-Sleuth Newsletter

The title mentions CyberMaterial's Cyber-Sleuth Newsletter.
Search Google with the keyword: **CyberMaterial's Cyber-Sleuth Newsletter**
This leads to a cyberbriefing page.

I looked in the 08/08 - 10/08 range, the scope of the attack.

In the comment section of the 09/08 report, there is a flag.
Flag: `CM{4rCan3_4nD_h34rTst0P3r}`
### 2. Meet me here !

The challenge provides a .png file.

The shirt he is wearing looks like a company uniform, so this seems to be an employee of some company.
Search Google with the keyword: COVER6SOLUTION

It's a technology company.
Look up the company's address in Google Maps, then search nearby with the keyword: **Waffle in**

There is a Subway next to the Waffle Inn, as depicted in the photo.

We see that the street name is similar to the format of the flag.
Flag: `CM{Laurel_Hill_Rd}`
### 3. APT Intel Hunt

From the challenge description: "A recent CyberMaterial report on their mischievous sub-group, Andariel, might just be the treasure map you need."
Search Google with the keyword: andariel (lazarus group) – threat actor CyberMaterial
Click on the first result.

After searching for a while, I found the link "Andariel threat group".
Clicking on it opens what seems to be a Pastebin of criminals chatting with each other, with hex-like characters on each line of text.

Hex : `43 4d 7b 34 70 54 5f 47 72 30 75 50 35 5f 4c 34 7a 34 52 75 35 7d`
Flag : `CM{4pT_Gr0uP5_L4z4Ru5}`
### 4. Catch Me

I have a PNG picture named THIS_IS_MOD (a hint).
The phone number: 702.724.86
702 is the area code for Las Vegas, Nevada.
724 is the area code for western Pennsylvania, outside Pittsburgh.
Search Google Maps for: Las Vegas, Nevada
Select Recent Searches with the keyword: Mob

The building above looks quite similar to the one in the challenge.

Flag: `CM{the_mob_museum}`
### 5. Oops! Where Did I Hide the Flag?

I went back to checking CyberMaterial's LinkedIn.

In the last post, I saw a title quite close to the challenge: **What are the latest cybersecurity alerts, incidents, and news?**
Click on it.

I saw there was a YouTube video.
**"I hid the flag in a video post."**
Looks like I'm on the right track.
Click through to the YouTube channel.
I watched all the videos and found nothing unusual.
What about checking the YouTube channel itself?
I started checking the video descriptions on this YouTube channel.
In the **Cyber Briefing video 30/08/2024**, I saw the flag in the description.
This is the link: https://www.youtube.com/watch?v=iM4vtqkhmIo

Flag: `CM{SuB5cR1b3_t0_0ur_Y0u7ub3_Ch4nN3L}`
## Conclusion
Thank you guys for reading till the end. If you have any problems or issues, please contact me through my email:
`sontung346@gmail.com` or my discord: `nhoktiger12`.
Goodbye, and see you guys in other CTF challenges. Best wishes to you guys!
> From f4n_n3r0 with love <3