forensics: add already solved challenges

2024-09-01 23:23:47 +02:00 · 2024-09-01 23:23:47 +02:00 · 1ca81359ba
parent b1c7b28af0
commit 1ca81359ba
37 changed files with 2552 additions and 0 deletions
--- a/forensics/eavesdrop/capture.flag.pcap
+++ b/forensics/eavesdrop/capture.flag.pcap
--- a/forensics/eavesdrop/file.des3
+++ b/forensics/eavesdrop/file.des3
@ -0,0 +1,2 @@
 Salted__Ó†<¦PÚÿO¾r †E~cbkí¦Æ’ÍÒp&®}î¦Ñé³Ô
 F
--- a/forensics/eavesdrop/file.txt
+++ b/forensics/eavesdrop/file.txt
@ -0,0 +1 @@
 picoCTF{nc_73115_411_5786acc3}
--- a/forensics/eavesdrop/solution.md
+++ b/forensics/eavesdrop/solution.md
@ -0,0 +1,20 @@
 Taken from `tcp.stream eq 0`
 > Hey, how do you decrypt this file again?
 > You're serious?
 > Yeah, I'm serious
 > *sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
 > Ok, great, thanks.
 > Let's use Discord next time, it's more secure.
 > C'mon, no one knows we use this program like this!
 > Whatever.
 > Hey.
 > Yeah?
 > Could you transfer the file to me again?
 > Oh great. Ok, over 9002?
 > Yeah, listening.
 > Sent it
 > Got it.
 > You're unbelievable
 `file.des3` taken from `tcp.stream eq 2`, by showing data as `Raw` and saving to file.
--- a/forensics/eavesdrop/solve.sh
+++ b/forensics/eavesdrop/solve.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p bash openssl
 openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
--- a/forensics/enhance/drawing.flag.svg
+++ b/forensics/enhance/drawing.flag.svg
@ -0,0 +1,122 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
 <svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   width="210mm"
   height="297mm"
   viewBox="0 0 210 297"
   version="1.1"
   id="svg8"
   inkscape:version="0.92.5 (2060ec1f9f, 2020-04-08)"
   sodipodi:docname="drawing.svg">
  <defs
     id="defs2" />
  <sodipodi:namedview
     id="base"
     pagecolor="#ffffff"
     bordercolor="#666666"
     borderopacity="1.0"
     inkscape:pageopacity="0.0"
     inkscape:pageshadow="2"
     inkscape:zoom="0.69833333"
     inkscape:cx="400"
     inkscape:cy="538.41159"
     inkscape:document-units="mm"
     inkscape:current-layer="layer1"
     showgrid="false"
     inkscape:window-width="1872"
     inkscape:window-height="1016"
     inkscape:window-x="48"
     inkscape:window-y="27"
     inkscape:window-maximized="1" />
  <metadata
     id="metadata5">
    <rdf:RDF>
      <cc:Work
         rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type
           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
        <dc:title></dc:title>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <g
     inkscape:label="Layer 1"
     inkscape:groupmode="layer"
     id="layer1">
    <ellipse
       id="path3713"
       cx="106.2122"
       cy="134.47203"
       rx="102.05357"
       ry="99.029755"
       style="stroke-width:0.26458332" />
    <circle
       style="fill:#ffffff;stroke-width:0.26458332"
       id="path3717"
       cx="107.59055"
       cy="132.30211"
       r="3.3341289" />
    <ellipse
       style="fill:#000000;stroke-width:0.26458332"
       id="path3719"
       cx="107.45217"
       cy="132.10078"
       rx="0.027842503"
       ry="0.031820003" />
    <text
       xml:space="preserve"
       style="font-style:normal;font-weight:normal;font-size:0.00352781px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26458332;"
       x="107.43014"
       y="132.08501"
       id="text3723"><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.08501"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3748">p </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.08942"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3754">i </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.09383"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3756">c </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.09824"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3758">o </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.10265"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3760">C </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.10706"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3762">T </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.11147"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3764">F { 3 n h 4 n </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.11588"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3752">c 3 d _ d 0 a 7 5 7 b f }</tspan></text>
  </g>
 </svg>
--- a/forensics/enhance/flag.txt
+++ b/forensics/enhance/flag.txt
@ -0,0 +1 @@
 picoCTF{3nh4nc3d_d0a757bf}
--- a/forensics/extensions/flag.png
+++ b/forensics/extensions/flag.png
--- a/forensics/extensions/flag.txt
+++ b/forensics/extensions/flag.txt
--- a/forensics/file_types/Flag.sh
+++ b/forensics/file_types/Flag.sh
@ -0,0 +1,172 @@
 #!/bin/sh
 # This is a shell archive (produced by GNU sharutils 4.15.2).
 # To extract the files from this archive, save it to some FILE, remove
 # everything before the '#!/bin/sh' line above, then type 'sh FILE'.
 #
 lock_dir=_sh00046
 # Made on 2023-03-16 01:40 UTC by <root@e076735df429>.
 # Source directory was '/app'.
 #
 # Existing files will *not* be overwritten, unless '-c' is specified.
 #
 # This shar contains:
 # length mode       name
 # ------ ---------- ------------------------------------------
 #   1092 -rw-r--r-- flag
 #
 MD5SUM=${MD5SUM-md5sum}
 f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
 test -n "${f}" && md5check=true || md5check=false
 ${md5check} || \
  echo 'Note: not verifying md5sums.  Consider installing GNU coreutils.'
 if test "X$1" = "X-c"
 then keep_file=''
 else keep_file=true
 fi
 echo=echo
 save_IFS="${IFS}"
 IFS="${IFS}:"
 gettext_dir=
 locale_dir=
 set_echo=false
 for dir in $PATH
 do
  if test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    case `$dir/gettext --version 2>&1 | sed 1q` in
      *GNU*) gettext_dir=$dir
      set_echo=true
      break ;;
    esac
  fi
 done
 if ${set_echo}
 then
  set_echo=false
  for dir in $PATH
  do
    if test -f $dir/shar \
       && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
    then
      locale_dir=`$dir/shar --print-text-domain-dir`
      set_echo=true
      break
    fi
  done
  if ${set_echo}
  then
    TEXTDOMAINDIR=$locale_dir
    export TEXTDOMAINDIR
    TEXTDOMAIN=sharutils
    export TEXTDOMAIN
    echo="$gettext_dir/gettext -s"
  fi
 fi
 IFS="$save_IFS"
 if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
 then if (echo -n test; echo 1,2,3) | grep n >/dev/null
     then shar_n= shar_c='
 '
     else shar_n=-n shar_c= ; fi
 else shar_n= shar_c='\c' ; fi
 f=shar-touch.$$
 st1=200112312359.59
 st2=123123592001.59
 st2tr=123123592001.5 # old SysV 14-char limit
 st3=1231235901
 if   touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
     test ! -f ${st1} && test -f ${f}; then
  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
 elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
     test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
 elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
     test ! -f ${st3} && test -f ${f}; then
  shar_touch='touch -am $3$4$5$6$2 "$8"'
 else
  shar_touch=:
  echo
  ${echo} 'WARNING: not restoring timestamps.  Consider getting and
 installing GNU '\''touch'\'', distributed in GNU coreutils...'
  echo
 fi
 rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
 #
 if test ! -d ${lock_dir} ; then :
 else ${echo} "lock directory ${lock_dir} exists"
     exit 1
 fi
 if mkdir ${lock_dir}
 then ${echo} "x - created lock directory ${lock_dir}."
 else ${echo} "x - failed to create lock directory ${lock_dir}."
     exit 1
 fi
 # ============= flag ==============
 if test -n "${keep_file}" && test -f 'flag'
 then
 ${echo} "x - SKIPPING flag (file already exists)"
 else
 ${echo} "x - extracting flag (text)"
  sed 's/^X//' << 'SHAR_EOF' | uudecode &&
 begin 600 flag
 M(3QA<F-H/@IF;&%G+R`@("`@("`@("`@,"`@("`@("`@("`@,"`@("`@,"`@
 M("`@-C0T("`@("`Q,#(T("`@("`@8`K'<>H`.Y*D@0`````!````$F2#<P4`
 M``#^`69L86<``$)::#DQ05DF4UF(WJSO```@____Y)U_U<SW/^OTZ?'U_=L^
 M[6U=O_O(8_WQ_?;^]R_>L[`!&U8(`T&F0VH`T&@:```#0!IH``&@'J:#1HT`
 M]"`!H-``!M0;4VH>IM3,:FH@T:&(#3)B:`T,F@:-!IDTT-&AHP3(&@T-,0T&
 M(&0Q#1IH/2`,(-H1H`R9`%4T3)H>D:`TR9&AHT`R!H&09#",0``8C0#$,@,@
 MR8F@`TT:!H:!D8C0`0`@`"01`H!^_$QU,`V*$A`!6'F(]N[-;FC]^&3PR1#9
 MPR,KRW><F<49%$Q!!N[Y?=40;N##KW4D[`_\>RXRA?-VG(E/=DW&Q`:DU8G>
 MMFW,-D>1C@-1P&"MR*[TX&O7KM9]S5=DU0VC=9?.T'0?DVD+/#[?',M)']85
 M*8@&IZ7%1U*=`[3V(?.C;*QER!+T,)6UYG?BLMV7!\L\;3$+^W%89SR(9RO(
 M>+3K'>QL]21+'O&!V`_:4<<C7R!.D'BG?GI\GT1*W#AC625`V>W`87AZF@[I
 M:]!!QL1^'NUJ#8O\=0A54@29A#E-6B(?TR(09S3_#,Z0H'SQBO?]^LMC2G$!
 MA!19*?93"DWLZ`^I!$.L*!%ILMU#!AJ3SP_!>:^5PJIFC)-,*5ERC!7="@"$
 M,$;I*<PV8-8[\ORRQ:K_%W)%.%"0B-ZL[\=Q``````````````$`````````
 M"P``````5%)!24Q%4B$A(0``````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 M````````````````````````````````````````````````````````````
 ,````````````````
 `
 end
 SHAR_EOF
  (set 20 23 03 16 01 40 19 'flag'
   eval "${shar_touch}") && \
  chmod 0644 'flag'
 if test $? -ne 0
 then ${echo} "restore of flag failed"
 fi
  if ${md5check}
  then (
       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'flag': 'MD5 check failed'
       ) << \SHAR_EOF
 0838b0ca0f0415b3cb6f24da377204de  flag
 SHAR_EOF
 else
 test `LC_ALL=C wc -c < 'flag'` -ne 1092 && \
  ${echo} "restoration warning:  size of 'flag' is not 1092"
  fi
 fi
 if rm -fr ${lock_dir}
 then ${echo} "x - removed lock directory ${lock_dir}."
 else ${echo} "x - failed to remove lock directory ${lock_dir}."
     exit 1
 fi
 exit 0
--- a/forensics/file_types/flag.ar
+++ b/forensics/file_types/flag.ar
--- a/forensics/file_types/flag.bz2
+++ b/forensics/file_types/flag.bz2
--- a/forensics/file_types/flag.cpio
+++ b/forensics/file_types/flag.cpio
--- a/forensics/file_types/flag.gz
+++ b/forensics/file_types/flag.gz
--- a/forensics/file_types/flag.lz
+++ b/forensics/file_types/flag.lz
--- a/forensics/file_types/flag.lz4
+++ b/forensics/file_types/flag.lz4
--- a/forensics/file_types/flag.lzip
+++ b/forensics/file_types/flag.lzip
--- a/forensics/file_types/flag.lzop
+++ b/forensics/file_types/flag.lzop
--- a/forensics/file_types/flag.txt
+++ b/forensics/file_types/flag.txt
@ -0,0 +1 @@
 picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_950c4fee}
--- a/forensics/file_types/flag.txt.hex
+++ b/forensics/file_types/flag.txt.hex
@ -0,0 +1,2 @@
 7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f
 6630725f3062326375723137795f39353063346665657d0a
--- a/forensics/information/cat.jpg
+++ b/forensics/information/cat.jpg
--- a/forensics/information/solve.sh
+++ b/forensics/information/solve.sh
@ -0,0 +1,5 @@
 #!/usr/bin/env bash
 #
 # NOTE: this is the license in the EXIF data. Not easy to spot...
 #
 echo "cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9" | base64 -d
--- a/forensics/like1000/1000.tar.bak
+++ b/forensics/like1000/1000.tar.bak
--- a/forensics/like1000/flag.png
+++ b/forensics/like1000/flag.png
--- a/forensics/like1000/solve.sh
+++ b/forensics/like1000/solve.sh
@ -0,0 +1,14 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p bash ouch
 cp 1000.tar.bak 1000.tar
 for i in {1000..2}; do
 	ouch decompress $i.tar
 	mv $i/$((i-1)).tar .
 	rm -rf $i $i.tar
 done
 ouch decompress 1.tar
 mv 1/flag.png .
 rm -rf 1 1.tar
--- a/forensics/lookey_here/anthem.flag.txt
+++ b/forensics/lookey_here/anthem.flag.txt
--- a/forensics/lookey_here/solve.sh
+++ b/forensics/lookey_here/solve.sh
@ -0,0 +1,3 @@
 #!/usr/bin/env bash
 grep -o "picoCTF{.*}" anthem.flag.txt
--- a/forensics/milkslap/concat_v.png
+++ b/forensics/milkslap/concat_v.png
--- a/forensics/milkslap/solve.sh
+++ b/forensics/milkslap/solve.sh
@ -0,0 +1,5 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p bash zsteg
 export RUBY_THREAD_VM_STACK_SIZE=500000000
 zsteg concat_v.png
--- a/forensics/redaction_gone_wrong/Financial_Report_for_ABC_Labs.pdf
+++ b/forensics/redaction_gone_wrong/Financial_Report_for_ABC_Labs.pdf
--- a/forensics/redaction_gone_wrong/solve.sh
+++ b/forensics/redaction_gone_wrong/solve.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p bash poppler_utils
 pdftotext ./Financial_Report_for_ABC_Labs.pdf - | grep -o "picoCTF{.*}"
--- a/forensics/shark_on_wire_1/capture.pcap
+++ b/forensics/shark_on_wire_1/capture.pcap
--- a/forensics/shark_on_wire_1/solution.md
+++ b/forensics/shark_on_wire_1/solution.md
@ -0,0 +1,37 @@
 Randomly found in udp stream 6 while going through all the data sent back and forth.
 ```
 70
 69
 63
 6f
 43
 54
 46
 7b
 53
 74
 61
 54
 33
 31
 33
 35
 35
 5f
 36
 33
 36
 66
 36
 65
 36
 65
 7d
 ```
 cyberchef says
 ```
 picoCTF{StaT31355_636f6e6e}
 ```
--- a/forensics/so_meta/pico_img.png
+++ b/forensics/so_meta/pico_img.png
--- a/forensics/so_meta/solve.sh
+++ b/forensics/so_meta/solve.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p bash exiftool
 exiftool ./pico_img.png | grep -o "picoCTF{.*}"
--- a/forensics/wireshark_doo_dooo_do_doo/shark1.pcapng
+++ b/forensics/wireshark_doo_dooo_do_doo/shark1.pcapng
--- a/forensics/wireshark_doo_dooo_do_doo/solution.md
+++ b/forensics/wireshark_doo_dooo_do_doo/solution.md
@ -0,0 +1,9 @@
 Found in tcp stream 5, packet 827 (the first unencrypted stream)
 `Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}`
 Seems flaglike, maybe rot13 to protect against text search?
 **Output from cyberchef:**
 `The flag is picoCTF{p33kab00_1_s33_u_deadbeef}`
		`@ -0,0 +1,2 @@`
							`Salted__Ó†<¦PÚÿO¾r †E~cbkí¦Æ’ÍÒp&®}î¦Ñé³Ô`
							`F`
		`@ -0,0 +1 @@`
							`picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_950c4fee}`
		`@ -0,0 +1,2 @@`
							`7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f`
							`6630725f3062326375723137795f39353063346665657d0a`
		`@ -0,0 +1,3 @@`
							`#!/usr/bin/env bash`

							`grep -o "picoCTF{.*}" anthem.flag.txt`