# CyberTalents Digital Forensics Journey

![](https://i.imgur.com/PPxdjpv.png)

I feel like doing some of the forensics challenges on CyberTalents.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics]
└─$ ls
adsl-modem_COMPLETE    ctbank_COMPLETE          gp-list_COMPLETE          jtag-dump_COMPLETE            monaliza                     softwareco-registration-v2
anonymous_COMPLETE     cypher-anxiety_COMPLETE  hack-a-nice-day_COMPLETE  just-smile_COMPLETE           packet-abomination_COMPLETE  try-to-see-me
antonia_COMPLETE       deleted_COMPLETE         help-ann_COMPLETE         keep-calm_COMPLETE            partition-lost_COMPLETE      x-file_COMPLETE
bflag_COMPLETE         eagle-eye                hidden-message_COMPLETE   keep-it-simple_COMPLETE       raw-disk_COMPLETE            xmen-files_COMPLETE
can-you-find-me        file-found_COMPLETE      i-love-images_COMPLETE    linuxcmd101_COMPLETE          sad-mummy_COMPLETE           you-have-been-hacked_COMPLETE
check-my-usb_COMPLETE  files-leakage            image-catch_COMPLETE      mailer_COMPLETE               search-in-trash_COMPLETE
counter_COMPLETE       finding-voice            images3c_COMPLETE         message-in-a-bottle_COMPLETE  software-co-registeration
```

I've solved most of them, and I kinda just want to do the easy ones and script stuff here and there.

### **First Challenge: G&P List**

```Just Open the File and Capture the flag . Submission in MD5```

We're given a Word document. The basic first step is to run `strings` on it.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/gp-list_COMPLETE]
└─$ strings -n 8 G\&P+lists.docx
docProps/PK
docProps/app.xml
docProps/core.xml
Flag.txt877c1fa0445adaedc5365d9c139c5219PK
```

**Scripting**

Let's script this in bash.

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Print every run of 32 lowercase hex characters (MD5-shaped) found in the file.
strings -n 8 G\&P+lists.docx | grep -oE '[a-f0-9]{32}'
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/gp-list_COMPLETE]
└─$ ./ape.sh
877c1fa0445adaedc5365d9c139c5219
```

This runs `strings` on the file and greps for anything shaped like an MD5 hash: a 32-character string made up of `[a-f0-9]`. Nice and easy!

### **Second Challenge: Hidden Message**

`A cyber Criminal is hiding information in the below file . capture the flag ? submit Flag in MD5 Format`

We're given a JPEG file and when we run strings on it...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/hidden-message_COMPLETE]
└─$ strings -n 8 hidden_message.jpg
XPhotoshop 3.0
b1a1f2855d2428930e0c9c4ce10500d5
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
Z&d-8;IRF@8
KMil^Q3Z
w;QO;D~Y
k cgVeV*
[y$d{c ;c
|77-q*#H
vXqnVo1d
DO9r~fvB
}|PhngY%
"KpZDPIB
=29^Fr?*
```

Got the flag, too easy!

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Same MD5-shaped search as in the first challenge.
strings -n 8 hidden_message.jpg | grep -oE '[a-f0-9]{32}'
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/hidden-message_COMPLETE]
└─$ ./ape.sh
b1a1f2855d2428930e0c9c4ce10500d5
```

Easy!

### **Third Challenge: Partition Lost**

`Our Company's CEO had a car accident. His HDD was damaged and he lost all his files and partitions. Can you help him to recover his important data`

We're given an image file. When you run strings, it'll race through a couple of lines, but eventually, you'll see the flag.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/partition-lost_COMPLETE]
└─$ strings -n 8 partition-lost.img| grep -oiP "flag(.*)" | tail -n 1
FLAG(701_L@b$_DR_DFIR)
```

### **Fourth Challenge: Search in Trash**

`My HDD was destroyed in an accident. However, I was able to recover my recycle bin file . Can you know the flag ?`

We're given a Windows Recycle Bin INFO2 file. I won't even say it...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/search-in-trash_COMPLETE]
└─$ strings -n 8 search-trash | grep -oiP "flag{.*}"
FLag{Fat_32_DF_2}
```

Too easy.

### **Fifth Challenge: File Found**

`We found the following file on a machine, we know it contains a secret but we do not know what this file is can you help us obtain the code?`

We're given a file. Running strings, we get a flag, but one that's rotated.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/file-found_COMPLETE]
└─$ strings -n 8 foundfile
LineNumberTable
([Ljava/lang/String;)V
StackMapTable
SourceFile
HelloWorld.java
SYNT{SBERAFVPF_101}
HelloWorld
java/lang/Object
java/lang/String
java/lang/System
Ljava/io/PrintStream;
java/io/PrintStream
```

This challenge is relatively easy. What you can do is use `caesar` to loop through the rotations. If you don't have it, you can run `sudo apt install bsdgames`.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/file-found_COMPLETE]
└─$ for i in {1..26}; do echo -n "rot$i: "; echo $(strings -n 8 foundfile | grep -oE {.*?}) | caesar $i; done
rot1: TZOU{TCFSBGWQG_101}
rot2: UAPV{UDGTCHXRH_101}
rot3: VBQW{VEHUDIYSI_101}
rot4: WCRX{WFIVEJZTJ_101}
rot5: XDSY{XGJWFKAUK_101}
rot6: YETZ{YHKXGLBVL_101}
rot7: ZFUA{ZILYHMCWM_101}
rot8: AGVB{AJMZINDXN_101}
rot9: BHWC{BKNAJOEYO_101}
rot10: CIXD{CLOBKPFZP_101}
rot11: DJYE{DMPCLQGAQ_101}
rot12: EKZF{ENQDMRHBR_101}
rot13: FLAG{FORENSICS_101}
rot14: GMBH{GPSFOTJDT_101}
rot15: HNCI{HQTGPUKEU_101}
rot16: IODJ{IRUHQVLFV_101}
rot17: JPEK{JSVIRWMGW_101}
rot18: KQFL{KTWJSXNHX_101}
rot19: LRGM{LUXKTYOIY_101}
rot20: MSHN{MVYLUZPJZ_101}
rot21: NTIO{NWZMVAQKA_101}
rot22: OUJP{OXANWBRLB_101}
rot23: PVKQ{PYBOXCSMC_101}
rot24: QWLR{QZCPYDTND_101}
rot25: RXMS{RADQZEUOE_101}
rot26: SYNT{SBERAFVPF_101}
```

The flag was clearly ROT13.

### **Sixth Challenge: I love images**

`A hacker left us something that allows us to track him in this image, can you find it?`

We're given a PNG file. Strings...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/i-love-images_COMPLETE]
└─$ strings -n 8 godot.png
HZYZ(@Vk
wSZ\@^N&
_Tauxivt]
v:G-D{$xXF"/
*TYlT_qP
IZGECR33JZXXIX2PNZWHSX2CMFZWKNRUPU======
```

At the very end there's a base32-encoded string. I know this because the padding is different from base64: there are six `=` characters here, and base64 never needs more than two. Decoding it is pretty easy.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/i-love-images_COMPLETE]
└─$ strings -n 8 godot.png | tail -n 1 | base32 -d                                  127 ⨯
FLAG{Not_Only_Base64}
```

Done! You could also paste the string into CyberChef to decode it automatically.

![](https://i.imgur.com/kUiL8li.png)

### **Seventh Challenge: Keep it Simple**

`The answer is simple`

This is a webish + forensics one.

![](https://i.imgur.com/tQ36K4M.png)

You're given a page like this. Entering the password is just a rabbit hole lol! Looking at the page source though...

![](https://i.imgur.com/zAjUg4e.png)

You notice there's more than one 'the_eye.jpeg' file. One is in the img directory on the webserver and the other is in the /var/www/html/ directory that we see when we go to the page. If you download both files and run ```diff``` you'll see that they're not the same.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-it-simple_COMPLETE]
└─$ diff the_eye.jpeg the_eye2.jpeg
Binary files the_eye.jpeg and the_eye2.jpeg differ
```

Running strings on 'the_eye2.jpeg', the one that was in the img directory...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-it-simple_COMPLETE]
└─$ strings -n 8 the_eye2.jpeg | head -n 35 | tail -n 1
{S1mpl3sty_i$_th_@nswer}
```

Got the flag. I made a Python script for this that does everything from the top.

**Scripting**

```python=
#!/usr/bin/env python3
# @author: mug3njutsu

import urllib.request
import requests
import re
import os

url = "http://35.225.187.108/Keep_it_Simple/"
r = requests.get(url)

# Collect the src="..." attributes; the two images are the first two matches.
content = re.findall(r'src=".*"', r.text)
image1 = content[0].split('"')[1]
image2 = content[1].split('"')[1]

# Download both images into the current directory under distinct names.
urllib.request.urlretrieve(url+image1, os.getcwd()+'/the_eye.jpeg')
urllib.request.urlretrieve(url+image2, os.getcwd()+'/the_eye2.jpeg')

# The flag is the 35th string of at least 8 characters in the second image.
command = "strings -n 8 the_eye2.jpeg | head -n 35 | tail -n 1"
os.system(command)
```

What this does is fetch the page, download both image files it references and run strings on the second one to get the flag. Nice and easy!

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-it-simple_COMPLETE]
└─$ python3 ape.py
{S1mpl3sty_i$_th_@nswer}

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-it-simple_COMPLETE]
└─$ ls
ape.py  the_eye2.jpeg  the_eye.jpeg
```

### **Eighth Challenge: CTBank**

`our client bank is under attack, may the logs will help`

We're given a 7-zip archive. Extracting it, we get a log file. Running strings on it, I got an interesting URL-encoded request.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/ctbank_COMPLETE]
└─$ strings -n 8 access.log | tail -n 10 | head -n 1
10.10.10.77 - - [13/Feb/2020:03:36:21 -0400] "GET /mutillidae/index.php?page=user-info.php&username='%20union%20all%20select%201,String.fromCharCode(%20102,%20108,%2097,%20103,%20123,%2033,%2095,%20108,%2048,%20118,%2051,%2095,%20115,%20113,%20108,%2095,%2033,%20110,%20106,%2051,%2099,%20116,%2033,%2048,%20110,%20125,%2010),3%20--+&password=&user-info-php-submit-button=View%20Account%20Details%20HTTP/1.1%22%20200%209582%20%22http://10.10.10.200/mutillidae/index.php?page=user-info.php&username=something&password=&user-info-php-submit-button=View%20Account%20Details%22%20%22 "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
```

Decoding it...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/ctbank_COMPLETE]
└─$ urlencode -d "%20union%20all%20select%201,String.fromCharCode(%20102,%20108,%2097,%20103,%20123,%2033,%2095,%20108,%2048,%20118,%2051,%2095,%20115,%20113,%20108,%2095,%2033,%20110,%20106,%2051,%2099,%20116,%2033,%2048,%20110,%20125,%2010),3%20--+&password=&user-info-php-submit-button=View%20Account%20Details%20HTTP/1.1%22%20200%209582%20%22http://10.10.10.200/mutillidae/index.php?page=user-info.php&username=something&password=&user-info-php-submit-button=View%20Account%20Details%22%20%22"
 union all select 1,String.fromCharCode( 102, 108, 97, 103, 123, 33, 95, 108, 48, 118, 51, 95, 115, 113, 108, 95, 33, 110, 106, 51, 99, 116, 33, 48, 110, 125, 10),3 -- &password=&user-info-php-submit-button=View Account Details HTTP/1.1" 200 9582 "http://10.10.10.200/mutillidae/index.php?page=user-info.php&username=something&password=&user-info-php-submit-button=View Account Details" "
```

It looks like the attacker was doing some SQL injection, but what's promising here is the list of ASCII codes. Let's decode them.

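
For triage over a whole log rather than one hand-picked line, the same steps (URL-decode the request, spot the `union select`, turn the character codes back into text) can be run on every entry. This is an added example, not the author's script: the function names are its own, the first sample line is abridged from the entry above, and the other three are constructed.

```python
#!/usr/bin/env python3
"""Flag UNION-based SQL injection in access-log lines and decode char-code payloads."""
import re
from urllib.parse import unquote_plus

# Client IP, timestamp and request target of a common/combined-format entry.
ENTRY_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)')
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
# Integer lists passed to String.fromCharCode(), CHAR() or CHR().
CHARLIST_RE = re.compile(r"\b(?:string\.fromcharcode|char|chr)\s*\(([\d\s,]+)\)", re.IGNORECASE)

SAMPLE_LOG = [
    # Abridged from the access.log entry shown above (referer and user agent trimmed).
    '10.10.10.77 - - [13/Feb/2020:03:36:21 -0400] "GET /mutillidae/index.php?page=user-info.php'
    "&username='%20union%20all%20select%201,String.fromCharCode(%20102,%20108,%2097,%20103,"
    '%20123,%2033,%2095,%20108,%2048,%20118,%2051,%2095,%20115,%20113,%20108,%2095,%2033,'
    '%20110,%20106,%2051,%2099,%20116,%2033,%2048,%20110,%20125,%2010),3%20--+&password='
    ' HTTP/1.1" 200 9582',
    # Constructed benign entries, including one that merely contains the word "union".
    '10.10.10.15 - - [13/Feb/2020:03:35:02 -0400] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 4210',
    '10.10.10.15 - - [13/Feb/2020:03:35:40 -0400] "GET /mutillidae/index.php?page=user-info.php&username=alice HTTP/1.1" 200 9311',
    '10.10.10.23 - - [13/Feb/2020:03:37:10 -0400] "GET /search?q=credit+union+rates HTTP/1.1" 200 1800',
]


def url_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_codes(arg_list):
    """Turn '102, 108, 97' into the text those character codes spell."""
    codes = [int(n) for n in re.findall(r"\d+", arg_list)]
    return "".join(chr(c) for c in codes if c < 0x110000).strip()


def scan(lines):
    """Return one finding per log line whose decoded request contains UNION SELECT."""
    findings = []
    for number, line in enumerate(lines, start=1):
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        target = url_decode(entry["target"])
        if not UNION_RE.search(target):
            continue
        findings.append({
            "line": number,
            "ip": entry["ip"],
            "time": entry["ts"],
            "decoded": [decode_codes(args) for args in CHARLIST_RE.findall(target)],
        })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["ip"]} [{hit["time"]}] union select, text: {hit["decoded"]}')
```
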
**Scripting**

```python=
#!/usr/bin/env python3
# @author: mug3njutsu

# ASCII codes taken from the String.fromCharCode(...) call in the log entry.
flag = [102, 108, 97, 103, 123, 33, 95, 108, 48, 118, 51, 95, 115, 113, 108, 95, 33, 110, 106, 51, 99, 116, 33, 48, 110, 125, 10]
print("".join(map(chr, flag)).strip())
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/ctbank_COMPLETE]
└─$ python3 ape.py
flag{!_l0v3_sql_!nj3ct!0n}
```

Done!

### **Ninth Challenge: Antonia**

```Antonia evidence from the IR team, can you pls double-check the photo hash for integrity```

```flag format flag{md5:sha1}```

This one is purely a guessing game. Running strings, I got scattered MD5s and SHA1s that are supposed to give us the flag.

```
1e3edf3ddecde0d526f39b43bab32c2d
5555f38733d3c62a7b5b05f4aae53b46c34c1be3
New Text Document.txt
20200321T082113.203125
20200321T082104.312500
20200321T082111.671875
a847963f79865e0147ccd0ebc6a9a49f
005bfb145d016ca7967912426fa01fafd8d2a004
Thumbs.db
**U9`1/0|
20200321T082050.125000jx
20200321T082050.125000
20200321T082052.140000
4dfd8747a917f9aeb9e30607b2593732
1c23fc605d78d0739063d2dbcf6c2ea5e000fb71
```

Starting from the bottom, I tried those and they didn't work. The pair right above didn't work either, but the pair at the very top did.

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# The winning pair is the first two of the last 15 strings in the image.
md5=$(strings -n 8 ANT.ad1 | tail -n 15 | head -n 1)
sha1=$(strings -n 8 ANT.ad1 | tail -n 15 | head -n 2 | tail -n 1)
echo "flag{$md5:$sha1}"
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/antonia_COMPLETE]
└─$ ./ape.sh
flag{1e3edf3ddecde0d526f39b43bab32c2d:5555f38733d3c62a7b5b05f4aae53b46c34c1be3}
```

Easy.

### **Tenth Challenge: deleted**

```hi john i need your assistance to recover my drive```

We're given an EWF/Expert Witness/EnCase image file. Running strings didn't give much. After a bit of googling, I found out you can mount such files on the system using ```ewfmount```. You can install it by running ```sudo apt install ewf-tools```. Let's create a mount directory and mount the file.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/deleted_COMPLETE]
└─$ mkdir mountpoint

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/deleted_COMPLETE]
└─$ ewfmount deleted.E01 mountpoint
ewfmount 20140807

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/deleted_COMPLETE]
└─$ cd mountpoint

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cybertalents/forensics/deleted_COMPLETE/mountpoint]
└─$ ls
ewf1

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cybertalents/forensics/deleted_COMPLETE/mountpoint]
└─$ file ewf1
ewf1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 63, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 208781, $MFT start cluster 69594, $MFTMirror start cluster 104390, clusters/RecordSegment 2, clusters/index block 8, serial number 07898a75c98a71820; contains bootstrap NTLDR
```

So now we have that file. Running strings now to get the flag...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cybertalents/forensics/deleted_COMPLETE/mountpoint]
└─$ strings -n 8 ewf1| grep -oE "flag{.*?}" | sort -u
flag{d3l3t3dbuty0ukn0wit}
```

Easy as pie.

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Expose the raw disk inside the E01 container as mountpoint/ewf1, then search it.
mkdir -p mountpoint
ewfmount deleted.E01 mountpoint
cd mountpoint || exit 1
strings -n 8 ewf1 | grep -oE 'flag\{[^}]*\}' | sort -u
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/deleted_COMPLETE]
└─$ ./ape.sh
ewfmount 20140807

flag{d3l3t3dbuty0ukn0wit}
```

Easy as pie.

### **Eleventh Challenge: Anonymous**

```Can you trace the anonymous guy?```

We're given a PCAP file. Running strings, we get a base64-encoded string, which is the content of flag.txt being transferred.

```
125 Data connection already open. Transfer starting.
drwxrwxrwt 2 root root 4096 Mar 11 18:29 .ICE-unix
drwxrwxrwt 2 root root 4096 Mar 11 18:29 .Test-unix
drwxrwxrwt 2 root root 4096 Mar 11 18:29 .X11-unix
drwxrwxrwt 2 root root 4096 Mar 11 18:29 .XIM-unix
drwxrwxrwt 2 root root 4096 Mar 11 18:29 .font-unix
-rw-r--r-- 1 root root 37 Mar 11 18:35 flag.txt
drwx------ 3 root root 4096 Mar 11 18:29 systemd-private-554f9bdfbd734f3b8cac1440e18753dc-apache2.service-Rsquyf
drwx------ 3 root root 4096 Mar 11 18:29 systemd-private-554f9bdfbd734f3b8cac1440e18753dc-systemd-logind.service-nXcWeh
drwx------ 3 root root 4096 Mar 11 18:29 systemd-private-554f9bdfbd734f3b8cac1440e18753dc-systemd-resolved.service-8ajXRf
226 Transfer complete.
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
200 Type set to: Binary.
PORT 192,168,0,164,182,186
200 Active data connection established.
RETR flag.txt
125 Data connection already open. Transfer starting.
ZmxhZ3thbm9ueW1vdXNfdDBfdGgzX2VuZH0=
226 Transfer complete.
```

Decoding the string...

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/anonymous_COMPLETE]
└─$ strings -n 8 anonymous.pcap | tail -n 2 | head -n 1 | base64 -d
flag{anonymous_t0_th3_end}
```

We get the flag.

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# The base64 payload is the second-to-last string in the capture.
strings -n 8 anonymous.pcap | tail -n 2 | head -n 1 | base64 -d
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/anonymous_COMPLETE]
└─$ ./ape.sh
flag{anonymous_t0_th3_end}
```

Short and sweet.

### **Twelfth Challenge: Images3c**

```Securing an important image requires good encryption. so we added extra security layer for your photo and now is unbreakable!```

We're given a zip file; unzipping it gives us an image file.

![](https://i.imgur.com/b1ogT5q.png)

Nothing interesting there. Speaking of encryption, does it have data hidden in the image file?

I finally get to showcase the beast of steganography tools, please welcome ```stegseek``` lmao! This tool literally goes through the entire rockyou wordlist in less than 2 seconds. I have much respect.

| password | Line | Stegseek | StegCracker | StegBrute |
| -------- | ---- | -------- | ----------- | --------- |
| "cassandra" | 1 000 | 0.05s | 3.1s | 0.7s |
| "kupal" | 10 000 | 0.05s | 14.4s | 7.1s |
| "sagar" | 100 000 | 0.09s | 2m23.0s | 1m21.9s |
| "budakid1" | 1 000 000 | 0.73s | [p] 23m50.0s | 13m45.7s |

Alright, let's give it a try.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/images3c_COMPLETE]
└─$ stegseek cyber.jpg /usr/share/wordlists/rockyou.txt -xf flag.txt
StegSeek version 0.5
Progress: 0.20% (285294 bytes)

[i] --> Found passphrase: "1234"
[i] Original filename: "flag.txt"
[i] Extracting to "flag.txt"

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/images3c_COMPLETE]
└─$ cat flag.txt
flag{cyb3rs3cisaw3s0me}
```

Done!

### **Thirteenth Challenge: X-File**

```someone hiding a secret in this file. can you help me to recover the flag from the secret```

We're given a txt file with a hex dump.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/x-file_COMPLETE]
└─$ cat dump.txt
00000000: 504b 0304 0a00 0000 0000 26ac 9150 0000  PK........&..P..
00000010: 0000 0000 0000 0000 0000 0700 1c00 7365  ..............se
00000020: 6372 6574 2f55 5409 0003 d758 9a5e d958  cret/UT....X.^.X
00000030: 9a5e 7578 0b00 0104 0000 0000 0400 0000  .^ux............
00000040: 0050 4b03 040a 0009 0000 0026 ac91 50f1  .PK........&..P.
00000050: d7c2 0a2c 0000 0020 0000 000f 001c 0073  ...,... .......s
00000060: 6563 7265 742f 666c 6167 2e74 7874 5554  ecret/flag.txtUT
00000070: 0900 03d7 589a 5ed7 589a 5e75 780b 0001  ....X.^.X.^ux...
00000080: 0400 0000 0004 0000 0000 5040 6f2a bace  ..........P@o*..
00000090: e4f3 0346 a042 54f3 e824 0243 e61d b20c  ...F.BT..$.C....
000000a0: 486e cf83 ab2e cb18 7acf cb61 86b1 4d9b  Hn......z..a..M.
000000b0: 7915 3f89 781c 504b 0708 f1d7 c20a 2c00  y.?.x.PK......,.
000000c0: 0000 2000 0000 504b 0102 1e03 0a00 0000  .. ...PK........
000000d0: 0000 26ac 9150 0000 0000 0000 0000 0000  ..&..P..........
000000e0: 0000 0700 1800 0000 0000 0000 1000 ed41  ...............A
000000f0: 0000 0000 7365 6372 6574 2f55 5405 0003  ....secret/UT...
00000100: d758 9a5e 7578 0b00 0104 0000 0000 0400  .X.^ux..........
00000110: 0000 0050 4b01 021e 030a 0009 0000 0026  ...PK..........&
00000120: ac91 50f1 d7c2 0a2c 0000 0020 0000 000f  ..P....,... ....
00000130: 0018 0000 0000 0001 0000 00a4 8141 0000  .............A..
00000140: 0073 6563 7265 742f 666c 6167 2e74 7874  .secret/flag.txt
00000150: 5554 0500 03d7 589a 5e75 780b 0001 0400  UT....X.^ux.....
00000160: 0000 0004 0000 0000 504b 0506 0000 0000  ........PK......
00000170: 0200 0200 a200 0000 c600 0000 0000       ..............
```

Let's reverse it using xxd.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/x-file_COMPLETE]
└─$ cat dump.txt | xxd -r
PK &��Psecret/UT �X�^�X�^ux PK &��P��� , secret/flag.txtUT �X�^�X�^ux P@o*����F�BT��$C�� Hnσ�.�z��a��M�y?�xP��� , PK &��P�Asecret/UT�X�^ux PK &��P��� , ��Asecret/flag.txtUT�X�^ux PK��
```

We get what seems to be a zip file, judging from the PK header.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/x-file_COMPLETE]
└─$ unzip extracted.zip
Archive:  extracted.zip
   creating: secret/
[extracted.zip] secret/flag.txt password:
   skipping: secret/flag.txt         incorrect password
```

Oh, but it's encrypted. I used my custom tool (still in dev) to crack the zip file automatically.

```
mug3njutsu🧑‍💻⛩ ~> czip
ver 1.0 extracted.zip/secret/ is not encrypted, or stored with non-handled compression type
ver 1.0 efh 5455 efh 7875 extracted.zip/secret/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=44, decmplen=32, crc=0AC2D7F1 ts=AC26 cs=ac26 type=0
Using default input encoding: UTF-8
Will run 4 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
1g 0:00:00:00 DONE (2022-04-05 20:40) 3.225g/s 26425p/s 26425c/s 26425C/s 123456..total90
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Archive:  extracted.zip
   creating: secret/
 extracting: secret/flag.txt
mug3njutsu🧑‍💻⛩ ~> !cat flag.txt
flag{Pa55w0rd_Cracking_is_3asy}
```

### **Fourteenth Challenge: Sad mummy**

```Every great tomb has a lot of decoys and we think this mummy has a lot inside it but first can you make the way clearer?```

We're given a zipfile, unzipping it, we notice it's password protected.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/sad-mummy_COMPLETE]
└─$ unzip SadMummy.zip
Archive:  SadMummy.zip
   skipping: SadMummy.jpg            need PK compat. v5.1 (can do v4.6)

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/sad-mummy_COMPLETE]
└─$ 7z e SadMummy.zip                                                               81 ⨯

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 241771 bytes (237 KiB)

Extracting archive: SadMummy.zip

WARNINGS:
There are data after the end of archive

--
Path = SadMummy.zip
Type = zip
WARNINGS:
There are data after the end of archive
Physical Size = 241752
Tail Size = 19

Enter password (will not be echoed):
ERROR: Wrong password : SadMummy.jpg

Sub items Errors: 1

Archives with Errors: 1

Warnings: 1

Sub items Errors: 1
```

I'll use my custom tool to crack the zipfile.

```
mug3njutsu🧑‍💻⛩ ~> !ls
ape.sh  hash  pass  SadMummy.jpg  SadMummy.zip
```

Running `binwalk` against the JPEG file, I got a lot of output. Let's extract it. We get a Trash folder with 999 folders, and each of them has a txt file with a fake flag in it lol!

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/sad-mummy_COMPLETE]
└─$ binwalk -eq SadMummy.jpg

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/sad-mummy_COMPLETE]
└─$ ls
hash  SadMummy.jpg  _SadMummy.jpg.extracted  SadMummy.zip

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/sad-mummy_COMPLETE]
└─$ cd _SadMummy.jpg.extracted

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cybertalents/forensics/sad-mummy_COMPLETE/_SadMummy.jpg.extracted]
└─$ ls
36AE0.zip  Trash

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cybertalents/forensics/sad-mummy_COMPLETE/_SadMummy.jpg.extracted]
└─$ cd Trash

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/forensics/sad-mummy_COMPLETE/_SadMummy.jpg.extracted/Trash]
└─$ cat 1/1.txt
flag{Keep_searching}
```

I'll use find to get around this.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/forensics/sad-mummy_COMPLETE/_SadMummy.jpg.extracted/Trash]
└─$ find . -exec strings -n 8 {} \; 2>/dev/null | grep -oE {.*?} | grep -v "Keep_searching"
flag{Grep_R_1s_Gr8}
```

Easy. What this does is look for files in all the folders, run strings on each one, then drop every result that contains "Keep_searching", leaving the one file that doesn't hold "flag{Keep_searching}". An inverted selection, basically.

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Carve the embedded files out of the JPEG, then search the decoy tree.
binwalk -eq SadMummy.jpg
cd _SadMummy.jpg.extracted/Trash/ || exit 1
# Keep only the flag that is not one of the "Keep_searching" decoys.
find . -exec strings -n 8 {} \; 2>/dev/null | grep -oE 'flag\{[^}]*\}' | grep -v "Keep_searching"
```

```
Trash/555/555.txtflag{Grep_R_1s_Gr8}
```

### **Fifteenth Challenge: ADSL Modem**

```After tracking a cyber criminal, We were able to extract this firmware from a DSL modem . Try to find the flag !!!```

We're given a file called Adsl-modem.bin, but when you run file on it you see it's a RAR archive. So, unrar.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/adsl-modem_COMPLETE]
└─$ file Adsl-modem.bin
Adsl-modem.bin: RAR archive data, v4, os: Win32

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/adsl-modem_COMPLETE]
└─$ unrar e Adsl-modem.bin

UNRAR 6.00 freeware      Copyright (c) 1993-2020 Alexander Roshal

Extracting from Adsl-modem.bin

Flag{reversing_FW_is_interesting_but_this_is_for_fun}

Extracting  TL-MR3220 V2 _FW.bin                                      OK
All OK
```

And we get the flag.

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# unrar prints the flag while extracting; pull it out of the output.
unrar e Adsl-modem.bin | grep -oE 'Flag\{[^}]*\}'
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/adsl-modem_COMPLETE]
└─$ ./ape.sh
Flag{reversing_FW_is_interesting_but_this_is_for_fun}
```

### **Sixteenth Challenge: Raw Disk**

```extract the flag from the raw disk```

We're given an image file. Running file on it, we discover it's actually a PNG file. Opening it...

![](https://i.imgur.com/yqjnkwA.png)

We get the flag.

### **Seventeenth Challenge: Check My USB**

`this is a usb traffic capture, capture the flag`

We're given a Composite Document File V2 Document file. Strings strings strings.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/check-my-usb_COMPLETE]
└─$ strings -n 8 myusb | tail -n 16
Flag{This_Usb_Traffic_Capture}
Flag{This_Usb_Traffic_Capture}
MSDOS5.0
&NO NAME FAT32 3
fXfXfXfX
BOOTMGR
Remove disks or other media.
Disk error
Press any key to restart
MSDOS5.0
&NO NAME FAT32 3
fXfXfXfX
BOOTMGR
Remove disks or other media.
Disk error
Press any key to restart
```

The simplicity should be illegal you know...haha.

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Case-insensitive flag search, de-duplicated.
strings -n 8 myusb | grep -oiP "flag{.*}" | sort -u
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/check-my-usb_COMPLETE]
└─$ ./ape.sh
Flag{This_Usb_Traffic_Capture}
```

### **Eighteenth Challenge: Hack a nice day**

```can you get the flag out to hack a nice day. Note: Flag format flag{XXXXXXX}```

Another stego challenge! Yees...yeees...`stegseek`

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/hack-a-nice-day_COMPLETE]
└─$ stegseek info.jpg /usr/share/wordlists/rockyou.txt -xf flaggg.txt
StegSeek version 0.5
Progress: 69.69% (97507950 bytes)

[i] --> Found passphrase: "badisbad"
[i] Original filename: "flaggg.txt"
[i] Extracting to "flaggg.txt"

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/hack-a-nice-day_COMPLETE]
└─$ cat flaggg.txt
flag{Stegn0_1s_n!ce}
```

**Scripting**

```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Recover the steghide passphrase from the wordlist and extract the payload.
stegseek info.jpg /usr/share/wordlists/rockyou.txt -xf flaggg.txt
cat flaggg.txt
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/hack-a-nice-day_COMPLETE]
└─$ ./ape.sh
StegSeek version 0.5
Progress: 71.57% (100137067 bytes)

[i] --> Found passphrase: "badisbad"
[i] Original filename: "flaggg.txt"
[i] Extracting to "flaggg.txt"
flag{Stegn0_1s_n!ce}
```

### **Nineteenth Challenge: Keep Calm**

```Keep calm and submit the flag!!```

We're given a GIF image with strings quickly rushing across the screen. The best way to view the contents is to convert it to a PDF file using the ```convert``` command and then read the PDF with evince.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-calm_COMPLETE]
└─$ convert scatter.gif scatter.pdf

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-calm_COMPLETE]
└─$ file scatter.pdf
scatter.pdf: PDF document, version 1.4
```

When you open the PDF file, it looks like 5 base64-encoded strings which are scattered, hence the name. The string `MAo=` is obviously the last one, and I know this because of the base64 padding. I purely scripted this challenge out; I don't know of any other way to solve it.

**Solution**

```python=
#!/usr/bin/env python3
# @author: mug3njutsu

from base64 import b64decode
from itertools import permutations

# The four scattered chunks; "MAo=" carries the padding, so it always goes last.
arr = "zg5 zND MTI U2N".split()
temp = list(permutations(arr))
for i in temp:
    flag = "".join(i) + "MAo="
    # latin-1 never fails to decode, so every ordering gets printed for inspection.
    print(f'{flag} : {b64decode(flag).decode("latin-1").strip()}')
```

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/keep-calm_COMPLETE]
└─$ python3 ape.py
0
z05zNDU2NMTIMAo= : Îs4564ÄÈ0
zg5MTIU2NzNDMAo= : ÎLLÍ 673C0
zg5U2NzNDMTIMAo= : ÎTØÜÍ ÄÈ0
zg5U2NMTIzNDMAo= : ÎTØÓ#0C0
zNDzg5U2NMTIMAo= : ÌÐó64ÄÈ0
zNDMTIU2Nzg5MAo= : ÌÐÌLàåM 67890
zNDU2Nzg5MTIMAo= : ÌÐÔØÜàäÄÈ0
z0DU2NMTIzg5MAo= : ÌÐÔØÓ#890
MTIzg5U2NzNDMAo= : 123673C00
MTIzNDU2Nzg5MAo= : 1234567890
MTIU2Nzg5zNDMAo= : 12ØÜàç3C0
MTIU2NzNDzg5MAo= : 12ØÜÍ890
U2Nzg5zNDMTIMAo= : ScsÍ ÄÈ0
U2Nzg5MTIzNDMAo= : Scs#3C0
U2NzNDzg5MTIMAo= : Scs4<àäÄÈ0
U2NzNDMTIzg5MAo= : Scs43#890
U2NMTIzg5zNDMAo= : ScLLàç3C0
U2NMTIzNDzg5MAo= : ScLLÍ890
```

And you get the flag. What the script does is try every ordering of the base64-encoded strings and decode each one; the ordering whose output makes sense is the one we're looking for.

### **Twentieth Challenge: XMEN-Files**

```There is a cyberwar coming. are you ready to decrypt the enemy secrets```

![](https://i.imgur.com/Qv0jFI8.png)

Was one of the very first people to solve this one...hehe

![](https://i.imgur.com/gD8r1Zo.gif)

We're given a file with a hexdump. Just like before, I'm going to reverse it using ```xxd```.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/xmen-files_COMPLETE]
└─$ cat xmendump | xxd -r
PK ���Pxmen/UT Bc�^Rc�^ux �PK men/flag.txtUTo'Bc�^Bc�^ux ��@������'��E٩��V�6C�Hފ����H2�{�PȵZo'�Axmen/UTBc�^ux �PK ��?xmen/flag.txtUTBc�^ux �PK��
```

A zipfile!

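
The `xxd -r` step used here and in X-File, followed by a look at the ZIP local file headers that explain the password prompt, as an added example (not the author's code or tool). It uses the `dump.txt` lines shown in the X-File challenge; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Rebuild a binary from xxd output and list the ZIP local file headers it contains."""
import re
import struct

# dump.txt as shown in the X-File challenge on this page.
DUMP = """
00000000: 504b 0304 0a00 0000 0000 26ac 9150 0000  PK........&..P..
00000010: 0000 0000 0000 0000 0000 0700 1c00 7365  ..............se
00000020: 6372 6574 2f55 5409 0003 d758 9a5e d958  cret/UT....X.^.X
00000030: 9a5e 7578 0b00 0104 0000 0000 0400 0000  .^ux............
00000040: 0050 4b03 040a 0009 0000 0026 ac91 50f1  .PK........&..P.
00000050: d7c2 0a2c 0000 0020 0000 000f 001c 0073  ...,... .......s
00000060: 6563 7265 742f 666c 6167 2e74 7874 5554  ecret/flag.txtUT
00000070: 0900 03d7 589a 5ed7 589a 5e75 780b 0001  ....X.^.X.^ux...
00000080: 0400 0000 0004 0000 0000 5040 6f2a bace  ..........P@o*..
00000090: e4f3 0346 a042 54f3 e824 0243 e61d b20c  ...F.BT..$.C....
000000a0: 486e cf83 ab2e cb18 7acf cb61 86b1 4d9b  Hn......z..a..M.
000000b0: 7915 3f89 781c 504b 0708 f1d7 c20a 2c00  y.?.x.PK......,.
000000c0: 0000 2000 0000 504b 0102 1e03 0a00 0000  .. ...PK........
000000d0: 0000 26ac 9150 0000 0000 0000 0000 0000  ..&..P..........
000000e0: 0000 0700 1800 0000 0000 0000 1000 ed41  ...............A
000000f0: 0000 0000 7365 6372 6574 2f55 5405 0003  ....secret/UT...
00000100: d758 9a5e 7578 0b00 0104 0000 0000 0400  .X.^ux..........
00000110: 0000 0050 4b01 021e 030a 0009 0000 0026  ...PK..........&
00000120: ac91 50f1 d7c2 0a2c 0000 0020 0000 000f  ..P....,... ....
00000130: 0018 0000 0000 0001 0000 00a4 8141 0000  .............A..
00000140: 0073 6563 7265 742f 666c 6167 2e74 7874  .secret/flag.txt
00000150: 5554 0500 03d7 589a 5e75 780b 0001 0400  UT....X.^ux.....
00000160: 0000 0004 0000 0000 504b 0506 0000 0000  ........PK......
00000170: 0200 0200 a200 0000 c600 0000 0000       ..............
"""

HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")
LOCAL_SIG, DESCRIPTOR_SIG = b"PK\x03\x04", b"PK\x07\x08"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of a local file header


def xxd_reverse(text):
    """Equivalent of `xxd -r` for default-format dumps (at most 16 bytes per line)."""
    out = bytearray()
    for line in text.splitlines():
        address, colon, rest = line.partition(":")
        if not colon or not re.fullmatch(r"[0-9a-fA-F]+", address.strip()):
            continue
        offset, chunk = int(address, 16), bytearray()
        for token in rest.split():
            # Stop at the ASCII column: the line is full or the token is not a hex group.
            if len(chunk) >= 16 or not HEX_GROUP.fullmatch(token):
                break
            chunk += bytes.fromhex(token)
        if offset > len(out):              # honour gaps, as xxd -r does by seeking
            out.extend(bytes(offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


def local_entries(data):
    """Walk consecutive local file headers and report what each one declares."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG and pos + LOCAL_HEADER.size <= len(data):
        (_, version, flags, method, _, _, crc, csize, usize,
         name_len, extra_len) = LOCAL_HEADER.unpack_from(data, pos)
        start = pos + LOCAL_HEADER.size
        encrypted = bool(flags & 0x0001)   # general-purpose bit 0
        if not encrypted:
            scheme = None
        elif method == 99:
            scheme = "WinZip AES"
        elif flags & 0x0040:
            scheme = "PKWARE strong encryption"
        else:
            scheme = "ZipCrypto"
        entries.append({"name": data[start:start + name_len].decode("utf-8", "replace"),
                        "encrypted": encrypted, "scheme": scheme, "method": method,
                        "version_needed": version, "crc": crc, "csize": csize, "usize": usize})
        # Relies on the sizes stored in the local header, which this archive fills in.
        pos = start + name_len + extra_len + csize
        if flags & 0x0008:                 # bit 3: a data descriptor follows the data
            pos += 16 if data[pos:pos + 4] == DESCRIPTOR_SIG else 12
    return entries


if __name__ == "__main__":
    for entry in local_entries(xxd_reverse(DUMP)):
        print(entry)
```

The sizes and CRC it reports for `secret/flag.txt` match the `cmplen=44, decmplen=32, crc=0AC2D7F1` line in the cracking output; the 12 extra bytes on a stored entry are the traditional PKZIP encryption header.
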
```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/xmen-files_COMPLETE]
└─$ file extracted.zip
extracted.zip: Zip archive data, at least v1.0 to extract

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/xmen-files_COMPLETE]
└─$ unzip extracted.zip
Archive:  extracted.zip
   creating: xmen/
[extracted.zip] xmen/flag.txt password:
   skipping: xmen/flag.txt           incorrect password
```

I'll use my custom tool to crack the zipfile automatically.

```
mug3njutsu🧑‍💻⛩ ~> czip
ver 1.0 extracted.zip/xmen/ is not encrypted, or stored with non-handled compression type
ver 1.0 efh 5455 efh 7875 extracted.zip/xmen/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=39, decmplen=27, crc=6F5AB5C8 ts=9699 cs=9699 type=0
Using default input encoding: UTF-8
Will run 4 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
1g 0:00:00:00 DONE (2022-04-05 20:51) 3.125g/s 25600p/s 25600c/s 25600C/s 123456..total90
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Archive:  extracted.zip
   creating: xmen/
 extracting: xmen/flag.txt
mug3njutsu🧑‍💻⛩ ~> !cat flag.txt
flag{w0lv3rin3_hey_it5_m3}
```

Done!

### **Twenty First Challenge: Linuxcmd 101**

```Each point is linked to another point, connect the link and win the Flag!```

I really liked this one. The flow of the challenge is ideal!

![](https://i.imgur.com/E7TJgR5.gif)

We're given a gzip-compressed file. Decompressing it (```gunzip <file>```), we get a POSIX tar archive. Extracting that, we get a folder called linux-chal. Inside that folder there's another folder called cat, and inside that one a zipfile called exec.zip.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/linuxcmd101_COMPLETE]
└─$ tar -xvf linux-chal.tar
linux-chal/cat/.pass.txt
linux-chal/cat/exec.zip
linux-chal/cat/
linux-chal/

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/cybertalents/forensics/linuxcmd101_COMPLETE]
└─$ tree linux-chal
linux-chal
└── cat
    └── exec.zip

1 directory, 1 file
```

Unzipping the file, well it's encrypted. You'll notice there's a .pass.txt file that contains a string in that directory. Let's use that as the password for the zipfile.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/forensics/linuxcmd101_COMPLETE/linux-chal/cat]
└─$ 7z x exec.zip -p`cat .pass.txt`

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 6960 bytes (7 KiB)

Extracting archive: exec.zip
--
Path = exec.zip
Type = zip
Physical Size = 6960

Everything is Ok

Folders: 1
Files: 2
Size:       21977
Compressed: 6960

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/forensics/linuxcmd101_COMPLETE/linux-chal/cat]
└─$ ls
exec  exec.zip

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/forensics/linuxcmd101_COMPLETE/linux-chal/cat]
└─$ tree exec
exec
├── -
└── ascii.zip

0 directories, 2 files
```

Works! We get a folder called exec, '-' and ascii.zip files. The exec folder is empty. Running the '-' file, we get a number. Maybe that's the password for ascii.zip.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linuxcmd101_COMPLETE/linux-chal/cat/exec]
└─$ ./-
998877665544332211

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linuxcmd101_COMPLETE/linux-chal/cat/exec]
└─$ 7z x ascii.zip -p`./-`

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 5281 bytes (6 KiB)

Extracting archive: ascii.zip
--
Path = ascii.zip
Type = zip
Physical Size = 5281

Everything is Ok

Folders: 1
Files: 10
Size: 4351
Compressed: 5281

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linuxcmd101_COMPLETE/linux-chal/cat/exec]
└─$ ls
- ascii ascii.zip

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linuxcmd101_COMPLETE/linux-chal/cat/exec]
└─$ tree ascii
ascii
├── f0
├── f1
├── f2
├── f3
├── f4
├── f5
├── f6
├── f7
├── f8
└── size37.zip

0 directories, 10 files
```

Yeap! Moving on. Trying to unzip the size37.zip file, it's encrypted. We can use the files we extracted. You'll notice most of them have a bunch of junk, but one has ASCII. That is most likely the password.
```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linux-chal/cat/exec/ascii]
└─$ file *
f0: data
f1: data
f2: data
f3: data
f4: data
f5: data
f6: ASCII text
f7: data
f8: data
size37.zip: Zip archive data, at least v2.0 to extract

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linux-chal/cat/exec/ascii]
└─$ cat f6
rryuiytqpyuiqyofdkhsjhfewojnhfdss

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linux-chal/cat/exec/ascii]
└─$ 7z x size37.zip -p`cat f6`

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 4025 bytes (4 KiB)

Extracting archive: size37.zip
--
Path = size37.zip
Type = zip
Physical Size = 4025

Everything is Ok

Folders: 1
Files: 8
Size: 2644
Compressed: 4025

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linux-chal/cat/exec/ascii]
└─$ ls
f0 f1 f2 f3 f4 f5 f6 f7 f8 size37 size37.zip

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/linux-chal/cat/exec/ascii]
└─$ tree size37
size37
├── next.zip
├── test1
├── test2
├── test3
├── test4
├── test5
├── test6
└── test7

0 directories, 8 files
```

Correct. The password for next.zip might be in one of the extracted files. I'll use a simple oneliner to crack the zipfile and then pass it to 7zip which will extract the contents.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cat/exec/ascii/size37]
└─$ 7z x next.zip -p$(zip2john next.zip > hash; cat test* > wordlist; john -w=wordlist hash | tail -n 4 | cut -d " " -f 1 | tail -n 1)
next.zip/next/ is not encrypted!
ver 78.8 next.zip/next/ is not encrypted, or stored with non-handled compression type
ver 81.9 next.zip/next/NumberOne.zip is not encrypted, or stored with non-handled compression type
ver 81.9 next.zip/next/nexttocybertalents is not encrypted, or stored with non-handled compression type
Using default input encoding: UTF-8
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates left, minimum 32 needed for performance.
1g 0:00:00:00 DONE (2021-04-26 08:22) 4.000g/s 28.00p/s 28.00c/s 28.00C/s dfhsvhsjkhuhgsadhuianvjsgufafrjimiouoiah..847n889t282m4y89txy58tx984379nv3498yvn934
Use the "--show" option to display all of the cracked passwords reliably
Session completed

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 2404 bytes (3 KiB)

Extracting archive: next.zip
--
Path = next.zip
Type = zip
Physical Size = 2404

Everything is Ok

Folders: 1
Files: 2
Size: 9931
Compressed: 2404

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cat/exec/ascii/size37]
└─$ ls
hash next next.zip test1 test2 test3 test4 test5 test6 test7 wordlist

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/cat/exec/ascii/size37]
└─$ tree next
next
├── nexttocybertalents
└── NumberOne.zip

0 directories, 2 files
```

Got the password! The password for NumberOne.zip is suggested by the file nexttocybertalents, meaning the word cybertalents is in the nexttocybertalents file and the word next to it is the password for NumberOne.zip. Worth a try.
```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/exec/ascii/size37/next]
└─$ cat nexttocybertalents| grep -i "cybertalents"
cybertalentsorderby1337

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/exec/ascii/size37/next]
└─$ cat nexttocybertalents| grep -i "cybertalents" | cut -c 13-23
orderby1337

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/exec/ascii/size37/next]
└─$ 7z x NumberOne.zip -p$(cat nexttocybertalents| grep -i "cybertalents" | cut -c 13-23)

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1471 bytes (2 KiB)

Extracting archive: NumberOne.zip
--
Path = NumberOne.zip
Type = zip
Physical Size = 1471

Everything is Ok

Folders: 1
Files: 2
Size: 14379
Compressed: 1471

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/exec/ascii/size37/next]
└─$ ls
nexttocybertalents NumberOne NumberOne.zip

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/exec/ascii/size37/next]
└─$ tree NumberOne
NumberOne
├── decodeme1.zip
└── One

0 directories, 2 files
```

Alright. It seems we need to crack the zipfile using the other file called One as the wordlist.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/ascii/size37/next/NumberOne]
└─$ 7z x decodeme1.zip -p$(zip2john decodeme1.zip > hash; john -w=One hash | tail -n 4 | cut -d " " -f 1 | tail -n 1)
decodeme1.zip/decodeme1/ is not encrypted!
ver 78.8 decodeme1.zip/decodeme1/ is not encrypted, or stored with non-handled compression type
ver 81.9 decodeme1.zip/decodeme1/decodeme2.zip is not encrypted, or stored with non-handled compression type
ver 81.9 decodeme1.zip/decodeme1/pass is not encrypted, or stored with non-handled compression type
Using default input encoding: UTF-8
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2021-04-26 08:30) 2.777g/s 5141p/s 5141c/s 5141C/s fare..west
Use the "--show" option to display all of the cracked passwords reliably
Session completed

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 754 bytes (1 KiB)

Extracting archive: decodeme1.zip
--
Path = decodeme1.zip
Type = zip
Physical Size = 754

Everything is Ok

Folders: 1
Files: 2
Size: 388
Compressed: 754

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/ascii/size37/next/NumberOne]
└─$ ls
decodeme1 decodeme1.zip hash One

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/ascii/size37/next/NumberOne]
└─$ tree decodeme1
decodeme1
├── decodeme2.zip
└── pass

0 directories, 2 files
```

This time, the file called pass has a base64-encoded string, which I believe to be the password we're supposed to use to unzip decodeme2.zip.
```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/size37/next/NumberOne/decodeme1]
└─$ cat pass
dXNlbWVhc3Bhc3N3b3Jk

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/size37/next/NumberOne/decodeme1]
└─$ cat pass | base64 -d
usemeaspassword

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/size37/next/NumberOne/decodeme1]
└─$ 7z x decodeme2.zip -p$(cat pass | base64 -d)

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI)

Scanning the drive for archives:
1 file, 367 bytes (1 KiB)

Extracting archive: decodeme2.zip
--
Path = decodeme2.zip
Type = zip
Physical Size = 367

Everything is Ok

Folders: 1
Files: 1
Size: 23
Compressed: 367

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/size37/next/NumberOne/decodeme1]
└─$ ls
decodeme2 decodeme2.zip pass

┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/size37/next/NumberOne/decodeme1]
└─$ tree decodeme2
decodeme2
└── flag.txt

0 directories, 1 file
```

Finally. The folder has the flag.txt file. But you notice the flag is rotated.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/next/NumberOne/decodeme1/decodeme2]
└─$ cat flag.txt
synt{f1zcyr_yvahk_101}
```

I'm going to use caesar to loop through the 26 rotations and then grep the flag format from the output.

```
┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/…/next/NumberOne/decodeme1/decodeme2]
└─$ for i in {1..26}; do echo "synt{f1zcyr_yvahk_101}" | caesar $i; done | grep -oE "flag{.*?}"
flag{s1mple_linux_101}
```

Autorun script? Why sure.
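```bash=
#!/usr/bin/env bash
# @author: mug3njutsu

# Unpack the outer gzip and tar layers
gunzip linux-chal.tar.gz
tar -xvf linux-chal.tar
cd linux-chal && cd cat

# exec.zip: the password is the content of .pass.txt
pass=`cat .pass.txt`
7z x exec.zip -p"$pass"
cd exec

# ascii.zip: the password is the output of the '-' executable
pass2=`./-`
7z x ascii.zip -p"$pass2"
cd ascii

# size37.zip: the password is in f6, the only ASCII text file
pass3=`cat f6`
7z x size37.zip -p"$pass3"
cd size37

# next.zip: the password is the fifth line of the concatenated test* files
pass4=`cat test* | head -n 5 | tail -n 1`
7z x next.zip -p"$pass4"
cd next

# NumberOne.zip: the password is the string right after "cybertalents"
pass5=`cat nexttocybertalents | grep -i "cybertalents" | cut -c 13-23`
7z x NumberOne.zip -p"$pass5"
cd NumberOne

# decodeme1.zip: crack it with john, using the file One as the wordlist
pass6=`zip2john decodeme1.zip > hash; john -w=One hash | head -n 5 | tail -n 1 > pass; cat pass | cut -d " " -f 1`
7z x decodeme1.zip -p"$pass6"
cd decodeme1

# decodeme2.zip: the password is the base64-decoded content of pass
pass7=`cat pass | base64 -d`
7z x decodeme2.zip -p"$pass7"

# Try every rotation of the flag and keep the one matching the flag format
cd decodeme2; for i in {1..26}; do echo "$(cat flag.txt)" | caesar "$i"; done | grep -oE "flag{.*?}" --color=always
```

```
Extracting archive: decodeme2.zip
--
Path = decodeme2.zip
Type = zip
Physical Size = 367

Everything is Ok

Folders: 1
Files: 1
Size: 23
Compressed: 367

flag{s1mple_linux_101}
./ape.sh 5.00s user 0.10s system 262% cpu 1.945 total
```

Well, that was a tonne of fun.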
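The rotation search on flag.txt above depends on the `caesar` binary being installed. As an added example (not part of the original write-up), here is the same search in plain shell with `tr` and `cut`, which also reports which shift produced the match; the function names `rot_n` and `find_rotation` are made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: ROT-N search without `caesar`.
# rot_n and find_rotation are illustrative names.

LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# rot_n SHIFT TEXT
# Rotate ASCII letters forward by SHIFT positions. Digits, braces and
# underscores are not in the tr sets, so they pass through unchanged.
rot_n() {
    _n=$(( $1 % 26 ))
    if [ "$_n" -eq 0 ]; then
        printf '%s\n' "$2"
        return 0
    fi
    # Rotated alphabets, e.g. for 13: nopqrstuvwxyzabcdefghijklm
    _rl="$(printf '%s\n' "$LOWER" | cut -c"$(( _n + 1 ))"-)$(printf '%s\n' "$LOWER" | cut -c1-"$_n")"
    _ru="$(printf '%s\n' "$UPPER" | cut -c"$(( _n + 1 ))"-)$(printf '%s\n' "$UPPER" | cut -c1-"$_n")"
    printf '%s\n' "$2" | tr "${LOWER}${UPPER}" "${_rl}${_ru}"
}

# find_rotation PREFIX CIPHERTEXT
# Try all 26 shifts and print "SHIFT PLAINTEXT" for each shift whose output
# starts with PREFIX. The prefix is compared case-insensitively because flag
# formats differ in case between challenges. Returns 1 when nothing matches.
find_rotation() {
    _want=$(printf '%s' "$1" | tr "$UPPER" "$LOWER")
    _found=1
    _i=0
    while [ "$_i" -lt 26 ]; do
        _pt=$(rot_n "$_i" "$2")
        _head=$(printf '%s' "$_pt" | tr "$UPPER" "$LOWER")
        case $_head in
            "$_want"*)
                printf '%s %s\n' "$_i" "$_pt"
                _found=0
                ;;
        esac
        _i=$(( _i + 1 ))
    done
    return "$_found"
}

# Sample input: the rotated flag shown in the write-up.
find_rotation 'flag{' 'synt{f1zcyr_yvahk_101}'
# -> 13 flag{s1mple_linux_101}
```

Anchoring on the prefix avoids depending on how `grep -E` treats `.*?`, and the reported shift of 13 shows the flag was plain ROT13.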