PicoCTF 2019 — Forensics Challenges
I started with the “Forensics Challenges” as I have been participating in a number of online CTFs. My first priority is to solve the forensics challenges as they seemed to be much easier to me. So let’s dive into solving the forensics problems.
Glory of the Garden — Points: 50
On downloading and viewing the file, it seemed to be a picture of a garden!
The first thing is to look at the strings. By using the strings utility and grep we can find our flag!
unzip — Points: 50
In this challenge we are provided with a zip file and all we need is to unzip it and find the flag!
On unzipping the zip file we are provided with an image and that image contains the text which is our flag!
So Meta — Points: 150
This challenge provides us with an image and, as the name suggests (“META”), the flag is going to be in the “META TAGS”. ExifTool is the key here!
What Lies Within — Points: 150
In this challenge we are provided with an image file and we need to find what lies within this image. The image looks something like the below picture.
On using “zsteg” we can find our flag which is stored in the least significant bits of the pixels.
extensions — Points: 150
In this challenge we are provided with a TXT file and all we need is to find the correct extension of the file!
This can be done using the “file” command. We can see that it was a PNG file. We simply changed the extension and were provided with the flag!
shark on wire 1 — Points: 150
In this challenge we are provided with a .pcap file and we need to find the flag. On opening it in Wireshark we can see different packets, and by selecting the UDP packets we can get our flag!
WhitePages — Points: 250
In this challenge, we are provided with an empty txt file. On checking the file type we can see that the data present in this file is UTF-8 encoded and also the data is too large. Also there is nothing within the file.
We can now check if there is something in it using hexdump or xxd.
We can see that two values, i.e. e28083 and 20, are being repeated throughout the hexdump. We can write a small Python script where we will load this file and convert these two values.
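One way to do that conversion, as an added example that is not the script from the original write-up: it treats the two byte sequences as binary digits and, since the page does not say which sequence stands for 0, tries both assignments and keeps the one that yields printable ASCII. The function names and the sample flag are constructed for illustration; for the real file you would pass `open(path, "rb").read()` to `decode`.

```python
import string

EM_SPACE = b"\xe2\x80\x83"  # the e28083 sequence from the hexdump (UTF-8 for U+2003 EM SPACE)
SPACE = b"\x20"             # the 20 byte from the hexdump (ordinary space)

def to_symbols(data: bytes) -> str:
    """Collapse the raw bytes into a string of 'E' (em space) and 'S' (space)."""
    out, i = [], 0
    while i < len(data):
        if data.startswith(EM_SPACE, i):
            out.append("E")
            i += 3
        elif data.startswith(SPACE, i):
            out.append("S")
            i += 1
        else:
            raise ValueError(f"unexpected byte 0x{data[i]:02x} at offset {i}")
    return "".join(out)

def decode(data: bytes) -> str:
    """Read the two symbols as bits, 8 per character, trying both assignments."""
    symbols = to_symbols(data)
    if len(symbols) % 8:
        raise ValueError("symbol count is not a multiple of 8")
    printable = set(string.printable)
    for zero, one in (("E", "S"), ("S", "E")):
        bits = symbols.replace(zero, "0").replace(one, "1")
        text = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))
        if all(c in printable for c in text):
            return text
    raise ValueError("neither bit assignment yields printable ASCII")

def encode(text: str, zero: bytes = EM_SPACE, one: bytes = SPACE) -> bytes:
    """Helper used only to build constructed sample input for this example."""
    bits = "".join(f"{ord(c):08b}" for c in text)
    return b"".join(zero if b == "0" else one for b in bits)

# Constructed sample, not the challenge file or the real flag.
SAMPLE = encode("picoCTF{constructed_example}")

if __name__ == "__main__":
    print(decode(SAMPLE))
```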
shark on wire 2
In this challenge we are provided with another pcap file. All we need is to analyze it. Opening it in Wireshark gives us something like this!
There is quite a big chunk of data. It will be better if we analyze the packets step by step: first the TCP and then the UDP. On analyzing the UDP packets, I came across IP addresses with some strange output.
This packet has “start” in it. On tweaking around with this challenge, I started to convert the Info values and they started to reveal the flag.
So I just wrote a simple Python script and it did all the work required!
like1000 — Points: 250
In this challenge we have a tar file which has been tarred multiple times. All we can do is to automate this using a bash script!
After a while, I saw a PNG file which was present in one of the tar files.
On opening it we had our flag!
Thank you for reading!