forensics: add already solved challenges

forensics/eavesdrop/file.des3

@@ -0,0 +1,2 @@
+Salted__Ó†<¦PÚÿO¾r †E~cbkí¦Æ’ÍÒp&®}î¦Ñé³Ô
+F

forensics/eavesdrop/file.txt

@@ -0,0 +1 @@
+picoCTF{nc_73115_411_5786acc3}

forensics/eavesdrop/solution.md

@@ -0,0 +1,20 @@
+Taken from `tcp.stream eq 0`
+
+> Hey, how do you decrypt this file again?
+> You're serious?
+> Yeah, I'm serious
+> *sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
+> Ok, great, thanks.
+> Let's use Discord next time, it's more secure.
+> C'mon, no one knows we use this program like this!
+> Whatever.
+> Hey.
+> Yeah?
+> Could you transfer the file to me again?
+> Oh great. Ok, over 9002?
+> Yeah, listening.
+> Sent it
+> Got it.
+> You're unbelievable
+
+`file.des3` taken from `tcp.stream eq 2`, by showing data as `Raw` and saving to file.

forensics/eavesdrop/solve.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash openssl
+
+openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123

forensics/enhance/drawing.flag.svg

@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="210mm"
+   height="297mm"
+   viewBox="0 0 210 297"
+   version="1.1"
+   id="svg8"
+   inkscape:version="0.92.5 (2060ec1f9f, 2020-04-08)"
+   sodipodi:docname="drawing.svg">
+  <defs
+     id="defs2" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="0.69833333"
+     inkscape:cx="400"
+     inkscape:cy="538.41159"
+     inkscape:document-units="mm"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     inkscape:window-width="1872"
+     inkscape:window-height="1016"
+     inkscape:window-x="48"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1">
+    <ellipse
+       id="path3713"
+       cx="106.2122"
+       cy="134.47203"
+       rx="102.05357"
+       ry="99.029755"
+       style="stroke-width:0.26458332" />
+    <circle
+       style="fill:#ffffff;stroke-width:0.26458332"
+       id="path3717"
+       cx="107.59055"
+       cy="132.30211"
+       r="3.3341289" />
+    <ellipse
+       style="fill:#000000;stroke-width:0.26458332"
+       id="path3719"
+       cx="107.45217"
+       cy="132.10078"
+       rx="0.027842503"
+       ry="0.031820003" />
+    <text
+       xml:space="preserve"
+       style="font-style:normal;font-weight:normal;font-size:0.00352781px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26458332;"
+       x="107.43014"
+       y="132.08501"
+       id="text3723"><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.08501"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3748">p </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.08942"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3754">i </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.09383"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3756">c </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.09824"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3758">o </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.10265"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3760">C </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.10706"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3762">T </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.11147"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3764">F { 3 n h 4 n </tspan><tspan
+         sodipodi:role="line"
+         x="107.43014"
+         y="132.11588"
+         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
+         id="tspan3752">c 3 d _ d 0 a 7 5 7 b f }</tspan></text>
+  </g>
+</svg>

forensics/enhance/flag.txt

@@ -0,0 +1 @@
+picoCTF{3nh4nc3d_d0a757bf}

forensics/file_types/Flag.sh

@@ -0,0 +1,172 @@
+#!/bin/sh
+# This is a shell archive (produced by GNU sharutils 4.15.2).
+# To extract the files from this archive, save it to some FILE, remove
+# everything before the '#!/bin/sh' line above, then type 'sh FILE'.
+#
+lock_dir=_sh00046
+# Made on 2023-03-16 01:40 UTC by <root@e076735df429>.
+# Source directory was '/app'.
+#
+# Existing files will *not* be overwritten, unless '-c' is specified.
+#
+# This shar contains:
+# length mode       name
+# ------ ---------- ------------------------------------------
+#   1092 -rw-r--r-- flag
+#
+MD5SUM=${MD5SUM-md5sum}
+f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
+test -n "${f}" && md5check=true || md5check=false
+${md5check} || \
+  echo 'Note: not verifying md5sums.  Consider installing GNU coreutils.'
+if test "X$1" = "X-c"
+then keep_file=''
+else keep_file=true
+fi
+echo=echo
+save_IFS="${IFS}"
+IFS="${IFS}:"
+gettext_dir=
+locale_dir=
+set_echo=false
+
+for dir in $PATH
+do
+  if test -f $dir/gettext \
+     && ($dir/gettext --version >/dev/null 2>&1)
+  then
+    case `$dir/gettext --version 2>&1 | sed 1q` in
+      *GNU*) gettext_dir=$dir
+      set_echo=true
+      break ;;
+    esac
+  fi
+done
+
+if ${set_echo}
+then
+  set_echo=false
+  for dir in $PATH
+  do
+    if test -f $dir/shar \
+       && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
+    then
+      locale_dir=`$dir/shar --print-text-domain-dir`
+      set_echo=true
+      break
+    fi
+  done
+
+  if ${set_echo}
+  then
+    TEXTDOMAINDIR=$locale_dir
+    export TEXTDOMAINDIR
+    TEXTDOMAIN=sharutils
+    export TEXTDOMAIN
+    echo="$gettext_dir/gettext -s"
+  fi
+fi
+IFS="$save_IFS"
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
+then if (echo -n test; echo 1,2,3) | grep n >/dev/null
+     then shar_n= shar_c='
+'
+     else shar_n=-n shar_c= ; fi
+else shar_n= shar_c='\c' ; fi
+f=shar-touch.$$
+st1=200112312359.59
+st2=123123592001.59
+st2tr=123123592001.5 # old SysV 14-char limit
+st3=1231235901
+
+if   touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
+     test ! -f ${st1} && test -f ${f}; then
+  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
+
+elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
+     test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
+  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
+
+elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
+     test ! -f ${st3} && test -f ${f}; then
+  shar_touch='touch -am $3$4$5$6$2 "$8"'
+
+else
+  shar_touch=:
+  echo
+  ${echo} 'WARNING: not restoring timestamps.  Consider getting and
+installing GNU '\''touch'\'', distributed in GNU coreutils...'
+  echo
+fi
+rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
+#
+if test ! -d ${lock_dir} ; then :
+else ${echo} "lock directory ${lock_dir} exists"
+     exit 1
+fi
+if mkdir ${lock_dir}
+then ${echo} "x - created lock directory ${lock_dir}."
+else ${echo} "x - failed to create lock directory ${lock_dir}."
+     exit 1
+fi
+# ============= flag ==============
+if test -n "${keep_file}" && test -f 'flag'
+then
+${echo} "x - SKIPPING flag (file already exists)"
+
+else
+${echo} "x - extracting flag (text)"
+  sed 's/^X//' << 'SHAR_EOF' | uudecode &&
+begin 600 flag
+M(3QA<F-H/@IF;&%G+R`@("`@("`@("`@,"`@("`@("`@("`@,"`@("`@,"`@
+M("`@-C0T("`@("`Q,#(T("`@("`@8`K'<>H`.Y*D@0`````!````$F2#<P4`
+M``#^`69L86<``$)::#DQ05DF4UF(WJSO```@____Y)U_U<SW/^OTZ?'U_=L^
+M[6U=O_O(8_WQ_?;^]R_>L[`!&U8(`T&F0VH`T&@:```#0!IH``&@'J:#1HT`
+M]"`!H-``!M0;4VH>IM3,:FH@T:&(#3)B:`T,F@:-!IDTT-&AHP3(&@T-,0T&
+M(&0Q#1IH/2`,(-H1H`R9`%4T3)H>D:`TR9&AHT`R!H&09#",0``8C0#$,@,@
+MR8F@`TT:!H:!D8C0`0`@`"01`H!^_$QU,`V*$A`!6'F(]N[-;FC]^&3PR1#9
+MPR,KRW><F<49%$Q!!N[Y?=40;N##KW4D[`_\>RXRA?-VG(E/=DW&Q`:DU8G>
+MMFW,-D>1C@-1P&"MR*[TX&O7KM9]S5=DU0VC=9?.T'0?DVD+/#[?',M)']85
+M*8@&IZ7%1U*=`[3V(?.C;*QER!+T,)6UYG?BLMV7!\L\;3$+^W%89SR(9RO(
+M>+3K'>QL]21+'O&!V`_:4<<C7R!.D'BG?GI\GT1*W#AC625`V>W`87AZF@[I
+M:]!!QL1^'NUJ#8O\=0A54@29A#E-6B(?TR(09S3_#,Z0H'SQBO?]^LMC2G$!
+MA!19*?93"DWLZ`^I!$.L*!%ILMU#!AJ3SP_!>:^5PJIFC)-,*5ERC!7="@"$
+M,$;I*<PV8-8[\ORRQ:K_%W)%.%"0B-ZL[\=Q``````````````$`````````
+M"P``````5%)!24Q%4B$A(0``````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+,````````````````
+`
+end
+SHAR_EOF
+  (set 20 23 03 16 01 40 19 'flag'
+   eval "${shar_touch}") && \
+  chmod 0644 'flag'
+if test $? -ne 0
+then ${echo} "restore of flag failed"
+fi
+  if ${md5check}
+  then (
+       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'flag': 'MD5 check failed'
+       ) << \SHAR_EOF
+0838b0ca0f0415b3cb6f24da377204de  flag
+SHAR_EOF
+
+else
+test `LC_ALL=C wc -c < 'flag'` -ne 1092 && \
+  ${echo} "restoration warning:  size of 'flag' is not 1092"
+  fi
+fi
+if rm -fr ${lock_dir}
+then ${echo} "x - removed lock directory ${lock_dir}."
+else ${echo} "x - failed to remove lock directory ${lock_dir}."
+     exit 1
+fi
+exit 0

forensics/file_types/flag.txt

@@ -0,0 +1 @@
+picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_950c4fee}

forensics/file_types/flag.txt.hex

@@ -0,0 +1,2 @@
+7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f
+6630725f3062326375723137795f39353063346665657d0a

forensics/information/solve.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+#
+# NOTE: this is the license in the EXIF data. Not easy to spot...
+#
+echo "cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9" | base64 -d

forensics/like1000/solve.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash ouch
+
+cp 1000.tar.bak 1000.tar
+
+for i in {1000..2}; do
+	ouch decompress $i.tar
+	mv $i/$((i-1)).tar .
+	rm -rf $i $i.tar
+done
+
+ouch decompress 1.tar
+mv 1/flag.png .
+rm -rf 1 1.tar

forensics/lookey_here/solve.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+grep -o "picoCTF{.*}" anthem.flag.txt

forensics/milkslap/solve.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash zsteg
+
+export RUBY_THREAD_VM_STACK_SIZE=500000000
+zsteg concat_v.png

forensics/redaction_gone_wrong/solve.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash poppler_utils
+
+pdftotext ./Financial_Report_for_ABC_Labs.pdf - | grep -o "picoCTF{.*}"

forensics/shark_on_wire_1/solution.md

@@ -0,0 +1,37 @@
+Randomly found in udp stream 6 while going through all the data sent back and forth.
+
+```
+70
+69
+63
+6f
+43
+54
+46
+7b
+53
+74
+61
+54
+33
+31
+33
+35
+35
+5f
+36
+33
+36
+66
+36
+65
+36
+65
+7d
+```
+
+cyberchef says
+
+```
+picoCTF{StaT31355_636f6e6e}
+```

forensics/so_meta/solve.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash exiftool
+
+exiftool ./pico_img.png | grep -o "picoCTF{.*}"

forensics/wireshark_doo_dooo_do_doo/solution.md

@@ -0,0 +1,9 @@
+Found in tcp stream 5, packet 827 (the first unencrypted stream)
+
+`Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}`
+
+Seems flaglike, maybe rot13 to protect against text search?
+
+**Output from cyberchef:**
+
+`The flag is picoCTF{p33kab00_1_s33_u_deadbeef}`