OS: Kali Linux 2.0 (host)
VM Software: VirtualBox
So while this isn’t exactly my FIRST CTF, this is essentially the first documented work I’m putting into one. I’ve only done a few so far and I didn’t get very far. I was looking around online to try to find some CTFs to try out in my off time. I found this one hosted at Dakota State University, which is even better since I’m going to start taking classes there this year.
My arrangement on WordPress might be a bit messy as I do this and type things up so I’m going to try to document as much as possible that I can do per day. Now that the boring part is over, let’s get going!
This one was fairly easy. Both the name and description hinted morse code. So I opened up Audacity to look at the file. Figured it would be a lot easier than trying to listen to it repeatedly and sure enough, it was. The file looked like this:
From here, the rest was pretty easy. Grabbed a morse code chart, broke out the letters and got the following: resolute yoke broken kittens. Turned out to be the flag. Weird words but if the rest of the flags followed this format of four random words, that would be nice.
Good thing I fixed my Wireshark. At my last few CTFs, I couldn’t do any of the packet analysis problems because I had no “nice” way to read packets. Let’s check this out:
Oh dope. A TCP stream. Easy enough to check out. Aaaaand….there’s an image in there. You can even see it in the pic above. Luckily, Wireshark has the ability to export that stream together as an object. Saved off the email.jpg, renamed it to PNG (as indicated in the HTTP stream) and noted the magic four words: explode scientific skirt dinosaurs.
MISC 300 – Give ’em the Boot
Well, then. “Boot”? Image file? Well then. Just to make sure, I ran the file command on the IMG. This was nice:
Four partitions? Maybe four words!
This could just be a coincidence but before I start breaking out any software, I figured I should play around with these words. Maybe it’s a cipher. First thing I noticed was that the character “h” occurred every 3 letters. So I removed them:
rykeoccrt engmfit eacl ulangr
Thought this might have been a word jumble because I immediately noticed that the second and third words could be arranged to “figment lace”. Then according to Google, the fourth could be arranged to “langur“. The first could be made into rocketry or crockery but with an extra “c”. No luck there though.
Enough of that…..finally decided to mount the IMG in Virtualbox. And sure enough, right up on the screen pops up the flag: granule cleat figment crockery.
I was so close just going by the strings command! Thought I could try to solve it without booting up. But oh well…another flag down.
MISC 400 – Old Toolz
Ooooooookay. No clue what this is but can clearly see the words are behind the mess and are mirrored. But before going to the internet, ran the “exiftool” command to see if anything came up. It pretty much told me that I should know more memes like gmask.
I’ve never seen a gmasked picture before so I downloaded the software. This was the point that I realized I misplaced my drive that had Windows VMs on it so I had to switch over to my desktop to mess around. I didn’t take any screenshots but the order for unmasking was:
Middle Left: Horizontal + FL
Middle Right: FL Mask
Finally giving that sweet, sweet flag of: icy island celery fool.
These challenges were great for a beginner CTFer like myself. These MISC problems covered a variety of knowledge points. That last Gmask one had me stuck for a bit though. Took me about an hour to figure out that Middle Left, for some reason. At any rate, good stuff!