Hackistanbul CTF Pre-Selection Writeup

There were three stages in this Pre-Selection

Stage: Rookie(5/9)

Question: hello-wurld(30pts)


I believe this is just a warm-up question, and I also think that the hint was unnecessary for this question. Anyway, the given file contained this Unicode string:

U+57 U+65 U+6C U+63 U+6F U+6D U+65 U+20 U+74 U+6F U+20 U+74 U+68 U+65 U+20 U+67 U+61 U+6D U+65 U+20 U+73 U+6F U+6C U+64 U+69 U+65 U+72 U+2E U+20 U+54 U+68 U+69 U+73 U+20 U+6F U+6E U+65 U+20 U+77 U+61 U+73 U+20 U+6F U+6E U+20 U+74 U+68 U+65 U+20 U+68 U+6F U+75 U+73 U+65 U+21 U+20 U+68 U+65 U+72 U+65 U+20 U+69 U+73 U+20 U+79 U+6F U+75 U+72 U+20 U+66 U+69 U+72 U+73 U+74 U+20 U+66 U+6C U+61 U+67 U+20 U+69 U+73 U+3A U+20 U+77 U+33 U+6C U+63 U+30 U+6D U+33 U+37 U+30 U+48 U+49 U+32 U+30 U+31 U+38

If you convert[1] the above to text, you will see the flag.

Flag: w3lc0m370HI2018

Question: look-to-see(50pts)


In this question there was a goo.gl link in the question file, and I followed that link.

here is your order sir:
g o o . g l / Q T 2 c r Z

It pointed to the following URL:

https://www.inaccessible-servers.38022283.tokai.net.thisisnottherocketsciencejustlearntoseethedetails.com:8080/?id=your%20flag%20is%3A%204lw4y5l00k70s33

Then I realized the flag was there as the value of the id parameter. After that, only a URL-decode remained.

Flag: 4lw4y5l00k70s33

Question: hint-hint(90pts)


This was an easy question, I think, therefore I will jump directly to the conclusion. We were given the following image:

I just ran the strings command on this image file, and the flag showed up.

Flag: 57uck0ny0urt41l

Question: noisy-network(100pts)


In this question we were given a .pcap file and asked to find Albert’s FTP password.

I opened the .pcap file with Wireshark and followed the FTP TCP stream; then the FTP password showed up as the flag.


Flag: thisistheflag_O9kLd!!

Question: good-old-caesar(40pts)


This was another easy question, I think. In this question we were given a text encoded with a Caesar cipher.

I successfully decoded the cipher with the following properties[2]:

shift: 16
alphabet: abcdefghijklmnopqrstuvwxyz0123456789

Flag: 5h1f71n0rd3r5
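
The decoding step above depends on the 36-character alphabet: with the usual 26-letter alphabet the digits would pass through unchanged. The following is an added example, not code from the original write-up; the sample ciphertext is constructed by shifting the flag forward 16 positions, since the challenge's ciphertext is not shown on the page, and the function names are illustrative.

```python
import string

# Alphabet from the write-up: 26 lowercase letters followed by 10 digits.
ALPHABET = string.ascii_lowercase + string.digits

def caesar_decode(ciphertext, shift, alphabet=ALPHABET):
    """Undo a Caesar shift over `alphabet`; other characters pass through."""
    out = []
    for ch in ciphertext:
        pos = alphabet.find(ch)
        out.append(ch if pos == -1 else alphabet[(pos - shift) % len(alphabet)])
    return "".join(out)

def brute_force(ciphertext, alphabet=ALPHABET):
    """Map every possible shift to its candidate plaintext."""
    return {s: caesar_decode(ciphertext, s, alphabet) for s in range(len(alphabet))}

# Constructed sample: the write-up's flag shifted forward by 16 positions
# (assumption: the original ciphertext and shift direction are not on the page).
SAMPLE = "lxhvnh3g7tj7l"

if __name__ == "__main__":
    # When the shift is unknown, list all 36 candidates and read them by eye.
    for shift, text in brute_force(SAMPLE).items():
        print(f"{shift:2d}  {text}")
```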

Stage: Skilled(5/9)

Question: depressed-image(160pts)


We were given a JPG image file with a hint “JPG is a good image compression algorithm but this one seems a little bit too god.”

When I investigated it with binwalk, I saw the following:

Binwalk said there was 7-zip archive data. Then I extracted it.

Boom, the flag was there.

Flag: f98d0ks0aBr13

Question: next-target

(I forgot to take a screenshot, therefore I couldn’t remember its points.)

In this question we were given a Google Maps screenshot of Istanbul. We were asked to find a location called next-target, and the hint was something like “If you couldn’t see it flip the image upside down.” (I cannot remember the exact text).

Then we started investigating the given image file. Binwalk said there was nothing but the PNG file. Stegsolve and Steghide couldn’t find anything. Then one of my team members (MFO) said “Hey, there is something like Base-64 in the meta-data”. It’s good to have a team, because I totally skipped the meta-data: the file size was about 1.5MB and I thought there should be another file inside this image.


Base-64 decoded data shown above.

Then the question said again that we should reverse something. After that we began investigating the hex code of the image file.

I looked for the PNG file signature on the internet, and the results showed me that every PNG file begins with the hex code 89 50 4E 47 and ends with the hex code 49 45 4E 44 AE 42 60 82. Then I searched for the ending hex code in the Bless hex editor. After that I realized the file contained the hex code 82 60 42 AE 44 4E 45 49, which is the PNG footer signature reversed.


We cut the reversed hex code from the next-target.png file, pasted it into a new file and called it Untitled1. Then, with the following command, we reversed the entire hex code of the Untitled1 file into file.png.


Then we looked at file.png and the flag was there.

Flag: ...601d3nh0rn...
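
The carving steps above (find the reversed footer signature, cut from there, reverse the bytes) can be scripted instead of done by hand in a hex editor. The following is an added example, not the command used in the original write-up; the sample images are constructed 1x1 PNGs, the function names are illustrative, and it assumes the reversed image runs from the reversed IEND trailer to the reversed 8-byte PNG signature.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"                # full 8-byte signature
PNG_END = bytes.fromhex("49454e44ae426082")   # "IEND" + CRC, the trailer quoted above

def chunk(kind, data=b""):
    body = kind + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def tiny_png(gray):
    """Constructed sample data: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(bytes([0, gray]))    # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND")

def carve_reversed_png(blob):
    """Return a byte-reversed PNG hidden in blob, restored to normal order, or None."""
    start = blob.find(PNG_END[::-1])          # reversed trailer = first hidden bytes
    if start == -1:
        return None
    end = blob.find(PNG_SIG[::-1], start)     # reversed signature = last hidden bytes
    if end == -1:
        return None
    return blob[start:end + len(PNG_SIG)][::-1]

def chunk_types(png):
    """Walk the chunks, verify every CRC, and return the chunk type names."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos, kinds = len(PNG_SIG), []
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        body = png[pos + 4:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(body) != crc:
            raise ValueError("bad CRC in chunk %r" % body[:4])
        kinds.append(body[:4].decode("ascii"))
        pos += 12 + length
    return kinds

if __name__ == "__main__":
    hidden = tiny_png(200)
    blob = tiny_png(0) + hidden[::-1]         # carrier image followed by reversed image
    recovered = carve_reversed_png(blob)
    print(recovered == hidden, chunk_types(recovered))
```

Checking the chunk CRCs of the recovered bytes confirms that the carve boundaries were right before opening the result in an image viewer.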

Question: social-heartbeat

(I forgot to take a screenshot, therefore I couldn’t remember its points.)

In this question a Twitter profile (see above) was given with meaningless tweets. Then one of my team members (MFO) said “I can solve this”. After a couple of minutes he told us the flag.


He added up the tweets from the first tweet to the last tweet.

Flag: 313377W337S

Question: malware-analysis-101

(I forgot to take a screenshot, therefore I couldn’t remember its points.)

In this question a malware sample was given and we were asked to analyze it and find the IP:PORT information. Thanks to MFO, he executed the malware in an isolated sandbox while Wireshark was listening. Then the flag showed up.

Flag: 10.217.36.45:62190

Question: the-count-of-monte-cisco(150pts)


We were given a Cisco configuration file and asked to find a password from it. The hint was “if it takes more than a minute then you must be on the wrong path”.

While I was trying to run hashcat against the hash (type: CiscoIOS-MD5) from the given config file, one of my team members (miador) said the flag :) I couldn’t have thought that it could be the flag.

Flag: no-password-created

Stage: Wiseman(2/9)

Question: head-check

(I forgot to take a screenshot, therefore I couldn’t remember its points.)

In this question a password-protected .zip file was given and we were asked to find someone's phone number. The hint was something like “password 4 digits and remove the spaces” (again, I couldn’t remember the exact text).

My team member miador said the zip password is 8472, and he used an online tool to crack it[3]. We extracted that zip and a .dcm file showed up, and we used another online tool to view it[4].

This image seems like an MRI head scan. Since we were asked to find a phone number, we looked at the meta-data of that image.

Flag: +4920152377

Question: bats-beneath

(I forgot to take a screenshot, therefore I couldn’t remember its points.)

We were given an .mp3 file. When we listened to that file, some part of it didn’t sound right. Since we had already seen questions like this one, it wasn’t that hard for us.

My friend MFO opened the mp3 file with Sonic Visualiser and he saw a text such as “Tool of thief, toy of queen. Always used to be unseen” in the spectrogram pane.


He googled it; it was a riddle and the answer was a mask.

Flag: mask

References:

  1. Unicode to text converter: https://r12a.github.io/app-conversion/
  2. Caesar Cipher encoder/decoder: https://cryptii.com/caesar-cipher
  3. Online zip password cracker: http://lostmypass.com
  4. Online DICOM viewer: http://dicomviewer.booogle.net