There were three stages in this Pre-Selection
I believe this is just a warm-up question and I also think that hint was unnecessary for this question. Anyway, the given file contained this unicode string:
U+57 U+65 U+6C U+63 U+6F U+6D U+65 U+20 U+74 U+6F U+20 U+74 U+68 U+65 U+20 U+67 U+61 U+6D U+65 U+20 U+73 U+6F U+6C U+64 U+69 U+65 U+72 U+2E U+20 U+54 U+68 U+69 U+73 U+20 U+6F U+6E U+65 U+20 U+77 U+61 U+73 U+20 U+6F U+6E U+20 U+74 U+68 U+65 U+20 U+68 U+6F U+75 U+73 U+65 U+21 U+20 U+68 U+65 U+72 U+65 U+20 U+69 U+73 U+20 U+79 U+6F U+75 U+72 U+20 U+66 U+69 U+72 U+73 U+74 U+20 U+66 U+6C U+61 U+67 U+20 U+69 U+73 U+3A U+20 U+77 U+33 U+6C U+63 U+30 U+6D U+33 U+37 U+30 U+48 U+49 U+32 U+30 U+31 U+38
And if you convert above to the text you will see the flag.
In this question there was a goog.gl link in the question file and I followed that link.
here is your order sir: g o o . g l / Q T 2 c r Z
It was pointed to
https://www.inaccessible-servers.38022283.tokai.net.thisisnottherocketsciencejustlearntoseethedetails.com:8080/?id=your%20flag%20is%3A%204lw4y5l00k70s33 url. Then I realized flag was there as a value of the id parameter. Then there was just a URL-decode remaining.
This was an easy question I think, therefore I will directly jump to the conclusion. We were given the following image:
I just used
strings command to this image file then the flag showed up.
In this question we were given a
.pcap file and asked to find Albert’s FTP password.
I opened the .pcap file with the wireshark program and I followed FTP’s TCP stream then FTP password showed up as the flag.
This was an another easy question I think. In this question we were given a Caesar cipher encoded text.
I successfully decoded the cipher with the following properties:
shift: 16 alphabet: abcdefghijklmnopqrstuvwxyz0123456789
We were given a JPG image file with a hint “JPG is a good image compression algorithm but this one seems a little bit too god.”
When I investigated with the binwalk I saw the following:
Binwalk said there was a 7-zip archive data. Then I extracted it.
Boom the flag was there.
Question: next-target(I forgot to take a screenshot therefore I couldn’t remember its point.)
In this question we were given a google-maps screenshot of Istanbul city. Asked to find a location called next-target and the hint was something like “If you couln’t see it flip the image upside down.” (I cannot remember the exact text).
Then we started investigating the given image file. Binwalk said there was nothing but the PNG file. Stegsolve and Steghide couldn’t find anything. Then one of my team members(MFO) said “Hey there is something like Base-64 in the meta-data”. It’s good to have a team because I totally skipped the meta-data because the file size was about 1.5MB and I thought there should be a another file inside this image.
Base-64 decoded data shown above.
Then the question said that again we should have reverse something. After that we began investigating the hex-code of the image file.
I looked for the PNG file signature on the internet and results showed me that every PNG file begins with
89 50 4E 47 hex-code and ends with
49 45 4E 44 AE 42 60 82 hex-code. Then I searched for the ending hex on Bless hex editor. After that I realized there was
82 60 42 AE 44 4E 45 49 hex-code and that was reversed hex-code of the PNG file footer signature hex-code.
We cutted the reversed hex code from the
next-target.png file and pasted into a new file and called it Untitled1. Then with the following command we reversed entire hex-code from the Untitled1 file to
Then we looked the
file.png and flag was there.
Question: social-heartbeat(I forgot to take a screenshot therefore I couldn’t remember its point.)
In this question a twitter profile(see above) was given with meaningless tweets. Then one of my team members(MFO) said “I can solve this”. After couple of minutes he said the flag.
He added-up the tweets from the first tweet to the last tweet.
Question: malware-analysis-101(I forgot to take a screenshot therefore I couldn’t remember its point.)
In this question a malware was given and asked to analyze it and find the IP:PORT information. Thanks to MFO he executed the malware in a isolated-sandbox while wireshark was listening. Then the flag showed up.
We were given a cisco configuration file and asked to find a password from it. Hint was “if it takes more than a minute then you must be on the wrong path”
While I was trying to run the hashcat to the hash(type:CiscoIOS-MD5) from the given config file. One of my team members(miador) said the flag :) I couldn’t think of it could be the flag.
Question: head-check(I forgot to take a screenshot therefore I couldn’t remember its point)
In this question a password protected
.zip file was given and asked to find a phone number of someone. Hint was something like “password 4 digits and remove the spaces”(Again I couldn’t remember the exact text).
This image seems like a MRI head-scan. Since we asked to find a phone number we looked the meta-data of that image.
Question: bats-beneath(I forgot to take a screenshot therefore I couldn’t remember its point)
We were given a
.mp3 file. When we listened that file somewhere wasn’t sounded right. Since we have already seen such questions like this one it wasn’t that hard for us.
My friend MFO opened the mp3 file with Sonic Visualizer and he saw a text such as “
Tool of thief, toy of queen. Always used to be unseen” in the spectrogram pane.
He googled it, it was a riddle and the answer was