forensics: add already solved challenges
BIN
forensics/eavesdrop/capture.flag.pcap
Normal file
2
forensics/eavesdrop/file.des3
Normal file
@ -0,0 +1,2 @@
|
||||
Salted__Ó†<¦PÚÿO¾r †E~cbkí¦Æ’ÍÒp&®}î¦Ñé³Ô
|
||||
F
|
1
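--- a/forensics/eavesdrop/file.txt
+++ b/forensics/eavesdrop/file.txt
@@ -0,0 +1 @@
+picoCTF{nc_73115_411_5786acc3}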
20
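--- a/forensics/eavesdrop/solution.md
+++ b/forensics/eavesdrop/solution.md
@@ -0,0 +1,20 @@
+Taken from `tcp.stream eq 0`
+
+> Hey, how do you decrypt this file again?
+> You're serious?
+> Yeah, I'm serious
+> *sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
+> Ok, great, thanks.
+> Let's use Discord next time, it's more secure.
+> C'mon, no one knows we use this program like this!
+> Whatever.
+> Hey.
+> Yeah?
+> Could you transfer the file to me again?
+> Oh great. Ok, over 9002?
+> Yeah, listening.
+> Sent it
+> Got it.
+> You're unbelievable
+
+`file.des3` taken from `tcp.stream eq 2`, by showing data as `Raw` and saving to file.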
4
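--- a/forensics/eavesdrop/solve.sh
+++ b/forensics/eavesdrop/solve.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash openssl
+
+openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123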
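Review bot: The decrypt on the last line depends on whatever default digest the unpinned `-p openssl` package applies to `-k` key derivation, and nothing stops the script from overwriting the committed `file.txt` with garbage when that default differs from the one used to encrypt. OpenSSL changed the `enc` default digest from MD5 to SHA-256 in 1.1.0, and a mismatch surfaces as a `bad decrypt` error after output has already been written. Once the digest that produced `file.des3` is confirmed, pin it with `-md` and add `set -euo pipefail` after the nix-shell lines so a failed decrypt stops the script. A comment such as `# password taken from the chat in tcp.stream 0, see solution.md` would also tie the hard-coded `-k` value to its source.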
122
forensics/enhance/drawing.flag.svg
Normal file
@ -0,0 +1,122 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
||||
|
||||
<svg
|
||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
||||
xmlns:cc="http://creativecommons.org/ns#"
|
||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
||||
xmlns:svg="http://www.w3.org/2000/svg"
|
||||
xmlns="http://www.w3.org/2000/svg"
|
||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
||||
width="210mm"
|
||||
height="297mm"
|
||||
viewBox="0 0 210 297"
|
||||
version="1.1"
|
||||
id="svg8"
|
||||
inkscape:version="0.92.5 (2060ec1f9f, 2020-04-08)"
|
||||
sodipodi:docname="drawing.svg">
|
||||
<defs
|
||||
id="defs2" />
|
||||
<sodipodi:namedview
|
||||
id="base"
|
||||
pagecolor="#ffffff"
|
||||
bordercolor="#666666"
|
||||
borderopacity="1.0"
|
||||
inkscape:pageopacity="0.0"
|
||||
inkscape:pageshadow="2"
|
||||
inkscape:zoom="0.69833333"
|
||||
inkscape:cx="400"
|
||||
inkscape:cy="538.41159"
|
||||
inkscape:document-units="mm"
|
||||
inkscape:current-layer="layer1"
|
||||
showgrid="false"
|
||||
inkscape:window-width="1872"
|
||||
inkscape:window-height="1016"
|
||||
inkscape:window-x="48"
|
||||
inkscape:window-y="27"
|
||||
inkscape:window-maximized="1" />
|
||||
<metadata
|
||||
id="metadata5">
|
||||
<rdf:RDF>
|
||||
<cc:Work
|
||||
rdf:about="">
|
||||
<dc:format>image/svg+xml</dc:format>
|
||||
<dc:type
|
||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
||||
<dc:title></dc:title>
|
||||
</cc:Work>
|
||||
</rdf:RDF>
|
||||
</metadata>
|
||||
<g
|
||||
inkscape:label="Layer 1"
|
||||
inkscape:groupmode="layer"
|
||||
id="layer1">
|
||||
<ellipse
|
||||
id="path3713"
|
||||
cx="106.2122"
|
||||
cy="134.47203"
|
||||
rx="102.05357"
|
||||
ry="99.029755"
|
||||
style="stroke-width:0.26458332" />
|
||||
<circle
|
||||
style="fill:#ffffff;stroke-width:0.26458332"
|
||||
id="path3717"
|
||||
cx="107.59055"
|
||||
cy="132.30211"
|
||||
r="3.3341289" />
|
||||
<ellipse
|
||||
style="fill:#000000;stroke-width:0.26458332"
|
||||
id="path3719"
|
||||
cx="107.45217"
|
||||
cy="132.10078"
|
||||
rx="0.027842503"
|
||||
ry="0.031820003" />
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-style:normal;font-weight:normal;font-size:0.00352781px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26458332;"
|
||||
x="107.43014"
|
||||
y="132.08501"
|
||||
id="text3723"><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.08501"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3748">p </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.08942"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3754">i </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.09383"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3756">c </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.09824"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3758">o </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.10265"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3760">C </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.10706"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3762">T </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.11147"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3764">F { 3 n h 4 n </tspan><tspan
|
||||
sodipodi:role="line"
|
||||
x="107.43014"
|
||||
y="132.11588"
|
||||
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
|
||||
id="tspan3752">c 3 d _ d 0 a 7 5 7 b f }</tspan></text>
|
||||
</g>
|
||||
</svg>
|
After Width: | Height: | Size: 4.1 KiB |
1
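--- a/forensics/enhance/flag.txt
+++ b/forensics/enhance/flag.txt
@@ -0,0 +1 @@
+picoCTF{3nh4nc3d_d0a757bf}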
BIN
forensics/extensions/flag.png
Normal file
After Width: | Height: | Size: 9.8 KiB |
BIN
forensics/extensions/flag.txt
Normal file
After Width: | Height: | Size: 9.8 KiB |
172
forensics/file_types/Flag.sh
Executable file
@ -0,0 +1,172 @@
|
||||
#!/bin/sh
|
||||
# This is a shell archive (produced by GNU sharutils 4.15.2).
|
||||
# To extract the files from this archive, save it to some FILE, remove
|
||||
# everything before the '#!/bin/sh' line above, then type 'sh FILE'.
|
||||
#
|
||||
lock_dir=_sh00046
|
||||
# Made on 2023-03-16 01:40 UTC by <root@e076735df429>.
|
||||
# Source directory was '/app'.
|
||||
#
|
||||
# Existing files will *not* be overwritten, unless '-c' is specified.
|
||||
#
|
||||
# This shar contains:
|
||||
# length mode name
|
||||
# ------ ---------- ------------------------------------------
|
||||
# 1092 -rw-r--r-- flag
|
||||
#
|
||||
MD5SUM=${MD5SUM-md5sum}
|
||||
f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
|
||||
test -n "${f}" && md5check=true || md5check=false
|
||||
${md5check} || \
|
||||
echo 'Note: not verifying md5sums. Consider installing GNU coreutils.'
|
||||
if test "X$1" = "X-c"
|
||||
then keep_file=''
|
||||
else keep_file=true
|
||||
fi
|
||||
echo=echo
|
||||
save_IFS="${IFS}"
|
||||
IFS="${IFS}:"
|
||||
gettext_dir=
|
||||
locale_dir=
|
||||
set_echo=false
|
||||
|
||||
for dir in $PATH
|
||||
do
|
||||
if test -f $dir/gettext \
|
||||
&& ($dir/gettext --version >/dev/null 2>&1)
|
||||
then
|
||||
case `$dir/gettext --version 2>&1 | sed 1q` in
|
||||
*GNU*) gettext_dir=$dir
|
||||
set_echo=true
|
||||
break ;;
|
||||
esac
|
||||
fi
|
||||
done
|
||||
|
||||
if ${set_echo}
|
||||
then
|
||||
set_echo=false
|
||||
for dir in $PATH
|
||||
do
|
||||
if test -f $dir/shar \
|
||||
&& ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
|
||||
then
|
||||
locale_dir=`$dir/shar --print-text-domain-dir`
|
||||
set_echo=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if ${set_echo}
|
||||
then
|
||||
TEXTDOMAINDIR=$locale_dir
|
||||
export TEXTDOMAINDIR
|
||||
TEXTDOMAIN=sharutils
|
||||
export TEXTDOMAIN
|
||||
echo="$gettext_dir/gettext -s"
|
||||
fi
|
||||
fi
|
||||
IFS="$save_IFS"
|
||||
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
|
||||
then if (echo -n test; echo 1,2,3) | grep n >/dev/null
|
||||
then shar_n= shar_c='
|
||||
'
|
||||
else shar_n=-n shar_c= ; fi
|
||||
else shar_n= shar_c='\c' ; fi
|
||||
f=shar-touch.$$
|
||||
st1=200112312359.59
|
||||
st2=123123592001.59
|
||||
st2tr=123123592001.5 # old SysV 14-char limit
|
||||
st3=1231235901
|
||||
|
||||
if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
|
||||
test ! -f ${st1} && test -f ${f}; then
|
||||
shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
|
||||
|
||||
elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
|
||||
test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
|
||||
shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
|
||||
|
||||
elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
|
||||
test ! -f ${st3} && test -f ${f}; then
|
||||
shar_touch='touch -am $3$4$5$6$2 "$8"'
|
||||
|
||||
else
|
||||
shar_touch=:
|
||||
echo
|
||||
${echo} 'WARNING: not restoring timestamps. Consider getting and
|
||||
installing GNU '\''touch'\'', distributed in GNU coreutils...'
|
||||
echo
|
||||
fi
|
||||
rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
|
||||
#
|
||||
if test ! -d ${lock_dir} ; then :
|
||||
else ${echo} "lock directory ${lock_dir} exists"
|
||||
exit 1
|
||||
fi
|
||||
if mkdir ${lock_dir}
|
||||
then ${echo} "x - created lock directory ${lock_dir}."
|
||||
else ${echo} "x - failed to create lock directory ${lock_dir}."
|
||||
exit 1
|
||||
fi
|
||||
# ============= flag ==============
|
||||
if test -n "${keep_file}" && test -f 'flag'
|
||||
then
|
||||
${echo} "x - SKIPPING flag (file already exists)"
|
||||
|
||||
else
|
||||
${echo} "x - extracting flag (text)"
|
||||
sed 's/^X//' << 'SHAR_EOF' | uudecode &&
|
||||
begin 600 flag
|
||||
M(3QA<F-H/@IF;&%G+R`@("`@("`@("`@,"`@("`@("`@("`@,"`@("`@,"`@
|
||||
M("`@-C0T("`@("`Q,#(T("`@("`@8`K'<>H`.Y*D@0`````!````$F2#<P4`
|
||||
M``#^`69L86<``$)::#DQ05DF4UF(WJSO```@____Y)U_U<SW/^OTZ?'U_=L^
|
||||
M[6U=O_O(8_WQ_?;^]R_>L[`!&U8(`T&F0VH`T&@:```#0!IH``&@'J:#1HT`
|
||||
M]"`!H-``!M0;4VH>IM3,:FH@T:&(#3)B:`T,F@:-!IDTT-&AHP3(&@T-,0T&
|
||||
M(&0Q#1IH/2`,(-H1H`R9`%4T3)H>D:`TR9&AHT`R!H&09#",0``8C0#$,@,@
|
||||
MR8F@`TT:!H:!D8C0`0`@`"01`H!^_$QU,`V*$A`!6'F(]N[-;FC]^&3PR1#9
|
||||
MPR,KRW><F<49%$Q!!N[Y?=40;N##KW4D[`_\>RXRA?-VG(E/=DW&Q`:DU8G>
|
||||
MMFW,-D>1C@-1P&"MR*[TX&O7KM9]S5=DU0VC=9?.T'0?DVD+/#[?',M)']85
|
||||
M*8@&IZ7%1U*=`[3V(?.C;*QER!+T,)6UYG?BLMV7!\L\;3$+^W%89SR(9RO(
|
||||
M>+3K'>QL]21+'O&!V`_:4<<C7R!.D'BG?GI\GT1*W#AC625`V>W`87AZF@[I
|
||||
M:]!!QL1^'NUJ#8O\=0A54@29A#E-6B(?TR(09S3_#,Z0H'SQBO?]^LMC2G$!
|
||||
MA!19*?93"DWLZ`^I!$.L*!%ILMU#!AJ3SP_!>:^5PJIFC)-,*5ERC!7="@"$
|
||||
M,$;I*<PV8-8[\ORRQ:K_%W)%.%"0B-ZL[\=Q``````````````$`````````
|
||||
M"P``````5%)!24Q%4B$A(0``````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
M````````````````````````````````````````````````````````````
|
||||
,````````````````
|
||||
`
|
||||
end
|
||||
SHAR_EOF
|
||||
(set 20 23 03 16 01 40 19 'flag'
|
||||
eval "${shar_touch}") && \
|
||||
chmod 0644 'flag'
|
||||
if test $? -ne 0
|
||||
then ${echo} "restore of flag failed"
|
||||
fi
|
||||
if ${md5check}
|
||||
then (
|
||||
${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'flag': 'MD5 check failed'
|
||||
) << \SHAR_EOF
|
||||
0838b0ca0f0415b3cb6f24da377204de flag
|
||||
SHAR_EOF
|
||||
|
||||
else
|
||||
test `LC_ALL=C wc -c < 'flag'` -ne 1092 && \
|
||||
${echo} "restoration warning: size of 'flag' is not 1092"
|
||||
fi
|
||||
fi
|
||||
if rm -fr ${lock_dir}
|
||||
then ${echo} "x - removed lock directory ${lock_dir}."
|
||||
else ${echo} "x - failed to remove lock directory ${lock_dir}."
|
||||
exit 1
|
||||
fi
|
||||
exit 0
|
BIN
forensics/file_types/flag.ar
Normal file
BIN
forensics/file_types/flag.bz2
Normal file
BIN
forensics/file_types/flag.cpio
Normal file
BIN
forensics/file_types/flag.gz
Normal file
BIN
forensics/file_types/flag.lz
Normal file
BIN
forensics/file_types/flag.lz4
Normal file
BIN
forensics/file_types/flag.lzip
Normal file
BIN
forensics/file_types/flag.lzop
Normal file
1
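--- a/forensics/file_types/flag.txt
+++ b/forensics/file_types/flag.txt
@@ -0,0 +1 @@
+picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_950c4fee}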
2
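--- a/forensics/file_types/flag.txt.hex
+++ b/forensics/file_types/flag.txt.hex
@@ -0,0 +1,2 @@
+7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f
+6630725f3062326375723137795f39353063346665657d0a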
BIN
forensics/information/cat.jpg
Normal file
After Width: | Height: | Size: 858 KiB |
5
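--- a/forensics/information/solve.sh
+++ b/forensics/information/solve.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+#
+# NOTE: this is the license in the EXIF data. Not easy to spot...
+#
+echo "cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9" | base64 -d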
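Review bot: The base64 string on the `echo` line is pasted in by hand, so the script never reads `cat.jpg` and cannot be re-run against the artifact to show where the value came from. The comment says it is the license field of the image metadata; reading it from the file keeps the evidence chain visible, for example `exiftool -s3 -License cat.jpg | base64 -d` (tag name to be confirmed against the file). That needs the shebang switched to the `nix-shell -i bash -p bash exiftool` form that `forensics/so_meta/solve.sh` already uses.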
BIN
forensics/like1000/1000.tar.bak
Normal file
BIN
forensics/like1000/flag.png
Executable file
After Width: | Height: | Size: 13 KiB |
14
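--- a/forensics/like1000/solve.sh
+++ b/forensics/like1000/solve.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash ouch
+
+cp 1000.tar.bak 1000.tar
+
+for i in {1000..2}; do
+ouch decompress $i.tar
+mv $i/$((i-1)).tar .
+rm -rf $i $i.tar
+done
+
+ouch decompress 1.tar
+mv 1/flag.png .
+rm -rf 1 1.tar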
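Review bot: Nothing checks that `ouch decompress $i.tar` succeeded before the `mv` and `rm -rf $i $i.tar` lines run, so one failed extraction deletes the working archive and every later iteration fails on a missing file. Add `set -euo pipefail` after the nix-shell lines and quote the expansions, e.g. `rm -rf -- "$i" "$i.tar"`. The loop also unpacks a downloaded chain of nested archives directly in the repository directory; doing the work in a scratch directory from `mktemp -d` and copying only `flag.png` back keeps intermediate files, and anything a malformed entry writes, out of the tree.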
2146
forensics/lookey_here/anthem.flag.txt
Normal file
3
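--- a/forensics/lookey_here/solve.sh
+++ b/forensics/lookey_here/solve.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+grep -o "picoCTF{.*}" anthem.flag.txt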
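Review bot: The pattern `picoCTF{.*}` is greedy, so on a line that has another `}` after the flag, `grep -o` prints everything up to the last brace instead of the flag alone. `grep -o 'picoCTF{[^}]*}' anthem.flag.txt` stops at the first closing brace. The same pattern appears in `forensics/redaction_gone_wrong/solve.sh` and `forensics/so_meta/solve.sh`. In those two the grep ends a pipeline, so without `set -o pipefail` a failing `pdftotext` or `exiftool` looks the same as a file with no match.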
BIN
forensics/milkslap/concat_v.png
Normal file
After Width: | Height: | Size: 17 MiB |
5
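--- a/forensics/milkslap/solve.sh
+++ b/forensics/milkslap/solve.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash zsteg
+
+export RUBY_THREAD_VM_STACK_SIZE=500000000
+zsteg concat_v.png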
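Review bot: `RUBY_THREAD_VM_STACK_SIZE=500000000` is exported with no explanation of why zsteg needs it or how the value was chosen. Presumably zsteg exhausts the default Ruby VM stack on the 17 MiB `concat_v.png`; if that is what was observed, say so in a comment above the export, e.g. `# zsteg overflows the default Ruby VM stack on this image; raise the limit`, and note how the number was picked. Unlike the other solve scripts, the output is not filtered, so the reader has to pick the flag out of the full zsteg report.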
BIN
forensics/redaction_gone_wrong/Financial_Report_for_ABC_Labs.pdf
Normal file
4
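--- a/forensics/redaction_gone_wrong/solve.sh
+++ b/forensics/redaction_gone_wrong/solve.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash poppler_utils
+
+pdftotext ./Financial_Report_for_ABC_Labs.pdf - | grep -o "picoCTF{.*}"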
BIN
forensics/shark_on_wire_1/capture.pcap
Normal file
37
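--- a/forensics/shark_on_wire_1/solution.md
+++ b/forensics/shark_on_wire_1/solution.md
@@ -0,0 +1,37 @@
+Randomly found in udp stream 6 while going through all the data sent back and forth.
+
+```
+70
+69
+63
+6f
+43
+54
+46
+7b
+53
+74
+61
+54
+33
+31
+33
+35
+35
+5f
+36
+33
+36
+66
+36
+65
+36
+65
+7d
+```
+
+cyberchef says
+
+```
+picoCTF{StaT31355_636f6e6e}
+```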
BIN
forensics/so_meta/pico_img.png
Normal file
After Width: | Height: | Size: 106 KiB |
4
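--- a/forensics/so_meta/solve.sh
+++ b/forensics/so_meta/solve.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash exiftool
+
+exiftool ./pico_img.png | grep -o "picoCTF{.*}"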
BIN
forensics/wireshark_doo_dooo_do_doo/shark1.pcapng
Normal file
9
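--- a/forensics/wireshark_doo_dooo_do_doo/solution.md
+++ b/forensics/wireshark_doo_dooo_do_doo/solution.md
@@ -0,0 +1,9 @@
+Found in tcp stream 5, packet 827 (the first unencrypted stream)
+
+`Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}`
+
+Seems flaglike, maybe rot13 to protect against text search?
+
+**Output from cyberchef:**
+
+`The flag is picoCTF{p33kab00_1_s33_u_deadbeef}`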