# PicoCTF 2025
## Ph4nt0m 1ntrud3r

The downloaded PCAP file from this challenge contained 22 packets (TCP). I read the payload of every packet and saw that each one carried a Base64 line (8 to 12 bytes).

-> I used tshark to dump all the payloads (ASCII) and sort them from earliest to latest (I saw that the packets were not in order) so I could read them.

Then I used CyberChef to decode the Base64.

**=> Our flag is: picoCTF{1t_w4snt_th4t_34sy_tbh_4r_2e1ff063}**

---
## RED

The PNG file we got from the challenge is full of red pixels.

I guessed the flag had been hidden with the LSB technique, so I used https://desudesutalk.github.io/lsbtools/ to check whether that was correct.

My guess was right, so I used a script to extract the LSB from RGBA values.
```
from PIL import Image
import numpy as np
import sys


def extract_lsb(image_path, output_file):
    """Write the least-significant bit of R, G, B and A for every pixel, one pixel per line."""
    try:
        img = Image.open(image_path)
        img = img.convert("RGBA")
        pixels = np.array(img)
        height, width, _ = pixels.shape
        with open(output_file, "w") as f:
            # Row-major order: top-left pixel first, same order CyberChef expects the bits in.
            for y in range(height):
                for x in range(width):
                    r, g, b, a = pixels[y, x]
                    f.write(f"{r & 1}{g & 1}{b & 1}{a & 1}\n")
        print(f"Output file: {output_file}")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python check_lsb.py <image.png> <output.txt>")
        sys.exit(1)
    image_path = sys.argv[1]
    output_file = sys.argv[2]
    extract_lsb(image_path, output_file)
```
I used CyberChef to decode the bits and see what was hidden behind them.

**=> Our flag is: picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}**

---
## flags are stepic

After launching the instance, we will receive a link to a website.

The website displays the flags of countries and territories.
I inspected the sources of the website; it contains a folder with a list of .png files, a CSS file, and an HTML file.

I suspect that this is a steganography challenge and that the flag is hidden within one of these PNG files, but I don't know which image is the one I need.
I start counting the number of flags on the website and see that there are 246 flags, while there are only 245 countries and territories in the world.
I'm too lazy to check each image to see which flag is fake, so I inspected the page source, extracted the script containing the names of these 246 flags, and then sent it to ChatGPT to identify which country or territory is fake.

-> I see that this is the fake flag of a country, so I begin analyzing it.

After analyzing for a while, I noticed that the first few bits of this image contain LSB data, so I proceeded to analyze it.
I reused the script from challenge "RED" to analyze the LSB, but I realized that the alpha channel does not contain LSB, so I analyzed the three RGB channels instead.
After some trial and error, I realized that each character is hidden every 3 pixels in the RGB channels (a total of 9 bits), but the last blue bit is discarded and not used.
<details>
<summary>lsb_data.txt</summary>
011
100
00
011
010
01
011
000
11
011
011
11
010
000
11
010
101
00
010
001
10
011
110
11
011
001
10
011
011
00
001
101
00
011
001
11
010
111
11
011
010
00
001
101
00
001
101
01
010
111
11
011
001
10
011
011
00
001
101
00
011
001
11
001
100
01
001
101
10
011
000
01
011
000
01
001
110
01
001
101
00
011
000
11
011
001
10
011
111
01
</details>
Use CyberChef to decode this encoded data.
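The 3-pixels-per-character layout described above, as an added example that is not part of the original writeup: pixels are plain (r, g, b) tuples in row-major order, so it runs without PIL or numpy, and it also decodes a dump in the lsb_data.txt form (where the unused blue bit has already been dropped). The sample dump is the first nine lines of lsb_data.txt; the all-red image and the message hidden in it are constructed.

```python
import re

# Added example (not from the writeup). Layout described above: every 3 pixels
# carry one byte in their RGB LSBs (r1 g1 b1 r2 g2 b2 r3 g3); the blue LSB of
# the 3rd pixel is the unused 9th bit. Pixels are (r, g, b) tuples, row-major.

def bits_to_text(bits, stride=9):
    """Take the first 8 bits of every `stride`-bit group as one byte; stop after '}'."""
    bits = list(bits)
    out = []
    for i in range(0, len(bits) - 7, stride):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(chr(byte))
        if byte == ord("}"):
            break
    return "".join(out)

def rgb_lsb_bits(pixels):
    """LSBs of R, G and B for each pixel, in order (alpha is ignored, as in the challenge)."""
    for r, g, b in pixels:
        yield r & 1
        yield g & 1
        yield b & 1

def decode_stepic(pixels):
    return bits_to_text(rgb_lsb_bits(pixels), stride=9)

def decode_dump(dump):
    """Decode a dump in the lsb_data.txt form above (lines of 3, 3 and 2 bits,
    9th bit already dropped), so every group is exactly 8 bits."""
    return bits_to_text((int(c) for c in re.sub(r"\s", "", dump)), stride=8)

def encode_stepic(pixels, text):
    """Write text into a copy of pixels with the same layout; the 9th bit is left untouched."""
    px = [list(p) for p in pixels]
    if len(text) * 3 > len(px):
        raise ValueError("image too small for this message")
    for n, byte in enumerate(text.encode()):
        for k in range(8):
            pixel, channel = divmod(k, 3)   # bit k goes to pixel 3n + k//3, channel k%3
            px[3 * n + pixel][channel] = (px[3 * n + pixel][channel] & ~1) | ((byte >> (7 - k)) & 1)
    return [tuple(p) for p in px]

SAMPLE_DUMP = "011\n100\n00\n011\n010\n01\n011\n000\n11\n"   # first 9 lines of lsb_data.txt
RED_IMAGE = [(255, 0, 0)] * 36                               # constructed 6x6 all-red image

if __name__ == "__main__":
    print(decode_dump(SAMPLE_DUMP))                                 # pic
    print(decode_stepic(encode_stepic(RED_IMAGE, "picoCTF{x}")))    # picoCTF{x}
```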
**=> Our flag is: picoCTF{fl4g_h45_fl4g16aa94cf}**

---
## Event-Viewing

In this challenge, we received a Windows Event Logs file and our mission is to find the reason why the computer shuts down instantly.
First, I check Event IDs 1074, 6008, and 4688 to see which event might have caused the computer to shut down.

I found this event: param 1 shows the file shutdown.exe, which could be the command responsible for shutting down the computer.
I also noticed that param 6 contains a string that could be Base64, so I tried decoding it.

-> This is part 3 of the flag.
I already identified that the file causing the computer to shut down is shutdown.exe, so I tried searching for the keyword shutdown.exe to check if there were any other events executing this file.
-> After that, I found this event.

This event describes a registry key being modified with a new value, ObjectValueName: Immediate Shutdown (NewValue: C:\Program Files (x86)\Totally_Legit_Software\custom_shutdown.exe), which makes the computer run custom_shutdown.exe immediately after startup, resulting in an instant shutdown.
This event also contains a Base64 string, so I decoded it and got the second part of the flag.

For the last step, I searched for keywords taken from the previous event (custom_shutdown.exe, Totally_Legit_Software) and found this event:

-> This event shows that Totally_Legit_Software was installed on the system at 2024-07-15T15:55:57Z.
It also contains a Base64 string, so I decoded it and got the first part.
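The triage above done in code, as an added example that is not part of the original writeup: filter events by the shutdown-related IDs, pivot on the file and vendor names found along the way, decode any parameter that is well-formed Base64, and order the hits by time. The event records, their IDs, times and Base64 values are constructed (only the install time and the file names quoted above come from the writeup); real logs would be flattened to this shape by an evtx parser first.

```python
import base64
import re
from datetime import datetime

# Added example (not from the writeup): the triage above over constructed,
# flattened event records (dicts of time, EventID, params). Events, times and
# Base64 text are invented; only the install time and the file names quoted
# in the writeup are taken from it.
SHUTDOWN_EVENT_IDS = {1074, 6008, 4688}          # IDs the writeup checks first
PIVOT_KEYWORDS = ("shutdown.exe", "custom_shutdown.exe", "Totally_Legit_Software")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def _b64(text):                                  # builds the sample values only
    return base64.b64encode(text.encode()).decode()

SAMPLE_EVENTS = [
    {"time": "2024-07-15T16:02:10Z", "id": 1074,
     "params": ["shutdown.exe", "Other (Unplanned)", _b64("part3_placeholder")]},
    {"time": "2024-07-15T15:58:03Z", "id": 4657,
     "params": ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Immediate Shutdown",
                "C:\\Program Files (x86)\\Totally_Legit_Software\\custom_shutdown.exe",
                _b64("part2_placeholder")]},
    {"time": "2024-07-15T15:55:57Z", "id": 11707,
     "params": ["Totally_Legit_Software", _b64("part1_placeholder")]},
    {"time": "2024-07-15T15:50:00Z", "id": 4688, "params": ["explorer.exe"]},
]

def decode_if_base64(value):
    """Decoded text when value is well-formed Base64 of printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def candidate_events(events, ids=SHUTDOWN_EVENT_IDS, keywords=PIVOT_KEYWORDS):
    """Events with a shutdown-related ID, or a pivot keyword anywhere in their params."""
    def hit(e):
        blob = " ".join(e["params"]).lower()
        return e["id"] in ids or any(k.lower() in blob for k in keywords)
    return [e for e in events if hit(e)]

def flag_parts(events):
    """Decoded Base64 params of the candidate events, oldest first (install -> registry -> shutdown)."""
    by_time = sorted(candidate_events(events),
                     key=lambda e: datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ"))
    return [d for e in by_time for d in map(decode_if_base64, e["params"]) if d]

if __name__ == "__main__":
    print("_".join(flag_parts(SAMPLE_EVENTS)))   # part1_placeholder_part2_placeholder_part3_placeholder
```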

**=> The flag of this challenge is: picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81ba3fe9}**

---
## Bitlocker-1

The challenge gives us a disk file that appears to be encrypted with BitLocker. Our task is to unlock BitLocker and find the flag.
-> After reading the hint, I know that my task is hash cracking.

---
## Bitlocker-2

This challenge is similar to Bitlocker-1, but we are also given a memory dump for memory analysis.
I used the Volatility 2 tool with a plugin called BitLocker to unlock this file.
First, I check the device information of this memory file.

-> The info of the device is: Win10x64_19041
Then I searched the memory dump for the FVEK of this BitLocker volume.
<details>
<summary>Next Step</summary>
Volatility Foundation Volatility Framework 2.6.1
[FVEK] Address : 0x9e8879926a50
[FVEK] Cipher : AES 128-bit (Win 8+)
[FVEK] FVEK: 5b6ff64e4a0ee8f89050b7ba532f6256
[FVEK] Address : 0x9e887496fb30
[FVEK] Cipher : AES 256-bit (Win 8+)
[FVEK] FVEK: 60be5ce2a190dfb760bea1ece40e4223c8982aecfd03221a5a43d8fdd302eaee
[FVEK] Address : 0x9e8874cb5c70
[FVEK] Cipher : AES 128-bit (Win 8+)
[FVEK] FVEK: 1ed2a4b8dd0290f646ded074fbcff8bd
[FVEK] Address : 0x9e88779f1a10
[FVEK] Cipher : AES 128-bit (Win 8+)
[FVEK] FVEK: bccaf1d4ea09e91f976bf94569761654
</details>
I tried all 4 of these FVEK keys to unlock the BitLocker volume and found the correct one.
```
ubuntu@ubuntu:~/Desktop/bitlocker2$ dislocker -k 0x9e8879926a50-Dislocker.fvek bitlocker-2.dd ./output
ubuntu@ubuntu:~/Desktop/bitlocker2$ cd output
ubuntu@ubuntu:~/Desktop/bitlocker2/output$ file dislocker-file
dislocker-file: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 124499968, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 204799, $MFT start cluster 8533, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0804e24974e2487cc; contains bootstrap BOOTMGR
```
Finally, I mounted the dislocker-file, found flag.txt inside, and read the flag from it.
**-> Our flag is: picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_9029ae5b}**