There were three stages in this Pre-Selection Rookie-hello-wurld

Stage: Rookie(5/9)

Question: hello-wurld(30pts)

Rookie-hello-wurld I believe this is just a warm-up question and I also think that hint was unnecessary for this question. Anyway, the given file contained this unicode string:

      U+57 U+65 U+6C U+63 U+6F U+6D U+65 U+20 U+74 U+6F U+20 U+74 U+68 U+65 U+20 U+67 U+61 U+6D U+65 U+20 U+73 U+6F U+6C U+64 U+69 U+65 U+72 U+2E U+20 U+54 U+68 U+69 U+73 U+20 U+6F U+6E U+65 U+20 U+77 U+61 U+73 U+20 U+6F U+6E U+20 U+74 U+68 U+65 U+20 U+68 U+6F U+75 U+73 U+65 U+21 U+20 U+68 U+65 U+72 U+65 U+20 U+69 U+73 U+20 U+79 U+6F U+75 U+72 U+20 U+66 U+69 U+72 U+73 U+74 U+20 U+66 U+6C U+61 U+67 U+20 U+69 U+73 U+3A U+20 U+77 U+33 U+6C U+63 U+30 U+6D U+33 U+37 U+30 U+48 U+49 U+32 U+30 U+31 U+38 

And if you convert[1] above to the text you will see the flag. Rookie-hello-wurld-flag

Flag: w3lc0m370HI2018

Question: look-to-see(50pts)

Rookie-look-to-see In this question there was a goog.gl link in the question file and I followed that link.

     here is your order sir:
     g o o . g l / Q T 2 c r Z

It was pointed to https://www.inaccessible-servers.38022283.tokai.net.thisisnottherocketsciencejustlearntoseethedetails.com:8080/?id=your%20flag%20is%3A%204lw4y5l00k70s33 url. Then I realized flag was there as a value of the id parameter. Then there was just a URL-decode remaining.

Flag: 4lw4y5l00k70s33

Question: hint-hint(90pts)

hint-hint

This was an easy question I think, therefore I will directly jump to the conclusion. We were given the following image: hint-hint

I just used strings command to this image file then the flag showed up. hint-hint

Flag: 57uck0ny0urt41l

Question: noisy-network(100pts)

noisy-network In this question we were given a .pcap file and asked to find Albert’s FTP password.

I opened the .pcap file with the wireshark program and I followed FTP’s TCP stream then FTP password showed up as the flag.

noisy-network

Flag: thisistheflag_O9kLd!!

Question: good-old-caesar(40pts)

good-old-caesar This was an another easy question I think. In this question we were given a Caesar cipher encoded text.

I successfully decoded the cipher with the following properties[2]:

   shift: 16
   alphabet: abcdefghijklmnopqrstuvwxyz0123456789

good-old-caesar

Flag: 5h1f71n0rd3r5

Stage: Skilled(5/9)

Question: depressed-image[160pts]

depressed-image We were given a JPG image file with a hint “JPG is a good image compression algorithm but this one seems a little bit too god.”

When I investigated with the binwalk I saw the following: depressed-image

Binwalk said there was a 7-zip archive data. Then I extracted it. depressed-image

Boom the flag was there. depressed-image

Flag: f98d0ks0aBr13

Question: next-target(I forgot to take a screenshot therefore I couldn’t remember its point.)

next-target In this question we were given a google-maps screenshot of Istanbul city. Asked to find a location called next-target and the hint was something like “If you couln’t see it flip the image upside down.” (I cannot remember the exact text).

Then we started investigating the given image file. Binwalk said there was nothing but the PNG file. Stegsolve and Steghide couldn’t find anything. Then one of my team members(MFO) said “Hey there is something like Base-64 in the meta-data”. It’s good to have a team because I totally skipped the meta-data because the file size was about 1.5MB and I thought there should be a another file inside this image.

next-target Base-64 decoded data shown above.

Then the question said that again we should have reverse something. After that we began investigating the hex-code of the image file.

I looked for the PNG file signature on the internet and results showed me that every PNG file begins with 89 50 4E 47 hex-code and ends with 49 45 4E 44 AE 42 60 82 hex-code. Then I searched for the ending hex on Bless hex editor. After that I realized there was 82 60 42 AE 44 4E 45 49 hex-code and that was reversed hex-code of the PNG file footer signature hex-code.

next-target

We cutted the reversed hex code from the next-target.png file and pasted into a new file and called it Untitled1. Then with the following command we reversed entire hex-code from the Untitled1 file to file.png.

next-target

Then we looked the file.png and flag was there. next-target

Flag: ...601d3nh0rn...

Question: social-heartbeat(I forgot to take a screenshot therefore I couldn’t remember its point.)

social-heartbeat In this question a twitter profile(see above) was given with meaningless tweets. Then one of my team members(MFO) said “I can solve this”. After couple of minutes he said the flag.

social-heartbeat He added-up the tweets from the first tweet to the last tweet.

Flag: 313377W337S

Question: malware-analysis-101(I forgot to take a screenshot therefore I couldn’t remember its point.)

In this question a malware was given and asked to analyze it and find the IP:PORT information. Thanks to MFO he executed the malware in a isolated-sandbox while wireshark was listening. Then the flag showed up. malware-analysis-101

Flag: 10.217.36.45:62190

Question: the-count-of-monte-cisco(150pts)

the-count-of-monte-cisco We were given a cisco configuration file and asked to find a password from it. Hint was “if it takes more than a minute then you must be on the wrong path”

While I was trying to run the hashcat to the hash(type:CiscoIOS-MD5) from the given config file. One of my team members(miador) said the flag :) I couldn’t think of it could be the flag. the-count-of-monte-cisco

Flag: no-password-created

Stage: Wiseman(2/9)

Question: head-check(I forgot to take a screenshot therefore I couldn’t remember its point)

In this question a password protected .zip file was given and asked to find a phone number of someone. Hint was something like “password 4 digits and remove the spaces”(Again I couldn’t remember the exact text).

My team member miador said the zip password is 8472 and he used a online tool to crack it[3]. We extracted that zip and a .dcm file showed up and we used another online tool to view it[4]. head-check

This image seems like a MRI head-scan. Since we asked to find a phone number we looked the meta-data of that image. head-check

Flag: +4920152377

Question: bats-beneath(I forgot to take a screenshot therefore I couldn’t remember its point)

We were given a .mp3 file. When we listened that file somewhere wasn’t sounded right. Since we have already seen such questions like this one it wasn’t that hard for us.

My friend MFO opened the mp3 file with Sonic Visualizer and he saw a text such as “Tool of thief, toy of queen. Always used to be unseen” in the spectrogram pane.

bats-beneath

He googled it, it was a riddle and the answer was A mask. bats-beneath

Flag: mask



Reference:

  1. 1: Unicode to text converter https://r12a.github.io/app-conversion/ 

  2. 2: Caesar Cipher encoder/decoder https://cryptii.com/caesar-cipher 

  3. 3: Online zip password cracker http://lostmypass.com 

  4. 4: Online dicom viewer http://dicomviewer.booogle.net