Hacker’s Hour CTF was organized by The Hackers Meetup and this CTF had beginner to intermediate level challenge with category of Cryptography, Web, OSINT, Misc, Forensics, Stegnography, Reverse engineering. Let’s get started for writeup/solution for all challenge.
Cryptography
As the Description says this was something related to SERN inc and year 1998 and then after checking the file provided for the challenge it was kind of messy with all printable character and it was easy to identify this was esoteric programming language and its Malbolge.
Malbolge Interpreter
Flag: THM{3st0ric_1s_Fun!!}
As the challenge name and description say its a GIF file given with link in the GIF which comes in sight and then disappears. Then made the gif into frames and got the link.
But domain of the link was encode with base64 and decode(anBzdC5pdCA=) which is jpst.it and visiting the site it was paster site which had text encrypted using Ook Esoteric language.
Using dcode.fr we get the flag : THM{this_is_your_flag}
From description I would not figure out what was the challenge actually then after looking into the given file it was monkey with different dancing pose and then with help of Dcode.fr it was Chiffre des Hommes Dansants which is a dancing men cipher.
Flag: THM{true_fan_of_sherlock_holmes}
On reading this challenge and seing the file seriously I could not relate the thing but the encode technique was base91 and It was pretty easy to decode and get the flag
Flag: THM{0k_y0u_G0t_M3}
This was a very easy one, we had decimal number on image, by seing it you can guess this is ascii to decimal coverted string and doing it reverse gives the flag.
THM{u_r_stegno_champ}
As usual the challenge was given with zip file and inside that we had a pdf file which was protected with password but with help of Johntheripper tool and rockyou wordlist list it was easy to crack and password was easy.
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ perl ~/Tools/JohnTheRipper/run/pdf2john.pl GoEasy.pdf > hash
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF \[MD5 SHA2 RC4/AES 32/64\])
No password hashes left to crack (see FAQ)
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ john hash --show
GoEasy.pdf:**easy**1 password hash cracked, 0 left
But opening pdf we had a brainf*ck cipher which we could see common in all CTF competition. decode that gave anther cipher.
Frustrated User : What the hell, give me my key..!!
Happy Admin : Hacking is fun buddy.
Frustrated User : I'm not here to listen to your stupid stuff, give me my key.
Happy Admin : Hacking is fun, your gift - **06092717301a331200433b3206092f303028133237** (decrypt the cipher)
But during the event I wasn’t able to figure out what was this cipher but next day I came across this OneTimePad cipher and Wrote a python script to break the cipher.
import onetimepadprint(onetimepad.decrypt("**06092717301a331200433b3206092f303028133237**","random"))thIs\_wAsn'T\_thAT\_EaSY
flag: THM{thIs_wAsn’T_thAT_EaSY}
I didnot solve this challenge during the event but after the event I spend sometime and after corelating with the file give which had hex code and decimal number which denotes to the hex colours code so I wrote a python script to automate the process.
import webcolorskey = \["00","00","8B","FF","A5","00","E0","FF","FF","00","00","00","00","80","80","FF","FA","FA","1E","90","FF","FF","7F","50","48","D1","CC","BA","55","D3","F5","FF","FA"\]ind=\["5","3","6","5","1","3","7","4","14","11","5"\]flag="THM{"
j=0
for i in range(0,len(key),3):
flag+=str(webcolors.hex\_to\_name('#'+key\[i\]+key\[i+1\]+key\[i+2\]))\[int(ind\[j\])-1\]
j+=1
flag+="}"print(flag)
THM{backtobasic}
Misc
As description gives idea about the challenge this could be pdf locked with password and it was true, pdf file had random paragraph text with random font but we had one with the flag in reverse.
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ unzip FlauntingFonts.zip
Archive: FlauntingFonts.zip
inflating: FlauntingFonts.pdf
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ perl ~/Tools/JohnTheRipper/run/pdf2john.pl FlauntingFonts.pdf
FlauntingFonts.pdf:$pdf$4\*4\*128\*-4\*1\*16\*a46e9d55f8fbe53ced58b1ebe1204f73\*32\*0277f2cd2972a2f313a64aad17d492be28bf4e5e4e758a4164004e56fffa0108\*32\*375ff6c64cffe960160b2e6696361836d18cd0b2304201377031e8b544947044
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ perl ~/Tools/JohnTheRipper/run/pdf2john.pl FlauntingFonts.pdf > hash
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF \[MD5 SHA2 RC4/AES 32/64\])
Cost 1 (revision) is 4 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
**justdoit** (FlauntingFonts.pdf)
1g 0:00:00:00 DONE 2/3 (2020-09-29 11:02) 1.428g/s 18545p/s 18545c/s 18545C/s flowerpot..keeper
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ eog "}eil\_a\_t'nera\_stnof{" | rev
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ echo "}eil\_a\_t'nera\_stnof{" | rev
**{fonts\_aren't\_a\_lie}**
THM{fonts_aren’t_a_lie}
This was classic CTF style challenge, zip consist of recursive folders with multiple txt files inside them but only one file actually has the flag. With help of Regex we can figure out the flag easily.
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour/LooP\]
└─$ find . -exec strings {} \\; | grep "\_"
strings: Warning: '.' is a directory
strings: Warning: './8' is a directory
**{yOu\_soLVeD\_tHE\_LooP}**
strings: Warning: './6' is a directory
strings: Warning: './5' is a directory
strings: Warning: './2' is a directory
strings: Warning: './1' is a directory
strings: Warning: './7' is a directory
strings: Warning: './4' is a directory
strings: Warning: './3' is a directory
strings: Warning: './9' is a directory
strings: Warning: './10' is a directory
THM{yOu_soLVeD_tHE_LooP}
This was a pretty easy challenge, since this challenge was named as callmex and the given file was exe but checking the file formated of the given file was a png and it had the flag in it.
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ file CallMeX.exe
CallMeX.exe: PNG image data, 1360 x 540, 8-bit/color RGB, non-interlaced
┌──(aravindha㉿t3chw1z4rd)-\[~/Downloads/CTF/hackershour\]
└─$ mv CallMeX.exe flag.png
```
**THM{ExTensIons\_CAN\_fooL\_You}**
From the Challenge file we had two files, one was zip file with password protected and another was a pdf with pastebin description and route — /8S9V29QC which would be the pastebin secret.
Here we have another misc which was Ook Esoteric language again. Decoding we got the **Your Password is : Unlock\_King#$!@\*&**
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour/Baffled]
└─$ unzip UnlockMe.zip
Archive: UnlockMe.zip
creating: UnlockMe/
[UnlockMe.zip] UnlockMe/Congrats.txt password:
extracting: UnlockMe/Congrats.txt
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour/Baffled]
└─$ cat UnlockMe/Congrats.txt
{miSceLLanEous_IncLudeS_maNY_tHingS}
**THM{miSceLLanEous\_IncLudeS\_maNY\_tHingS}**
This was a crazy Challenge we had running GIF with flag in it but GIF was too horrible with RGB colours and it was 150% faster too. But I converted them to frames and got the flag.
You can use [https://onlineimagetools.com/extract-gif-frames](https://onlineimagetools.com/extract-gif-frames) to extract frames from GIF.
**THM{one\_flag\_many\_effects}**
This was one of crazy challenge which had only few solve, i wasn’t among them. Actually closing up the ctf I used my points to check the hint and Second hint was the key to solve this challenge Actually.
As usual we get a zip file here too and its password proctected again, lets use john to crack it and unzip. But this time we get a bmp files here is where hint is used to solve the challenge.
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour]
└─$ zip2john Locked.zip > hash
ver 2.0 Locked.zip/Covid19.bmp PKZIP Encr: cmplen=385608, decmplen=784015, crc=19BEF8AE
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour]
└─$ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour]
└─$ john hash --show
Locked.zip/Covid19.bmp:pandemic:Covid19.bmp:Locked.zip::Locked.zip1 password hash cracked, 0 left
From hint, it denotes to a stegnography tool [https://xiao-steganography.en.softonic.com/](https://xiao-steganography.en.softonic.com/) you can download and install in windows and load the source files and when you extract those files it will zip again.
On unzip this file you will get a flag as jpeg which is not true its just a text file named as jpeg and you can find a base64 string inside it. which should be decode.
Q29yb25hdmlydXNlcyBhcmUgYSBncm91cCBvZiByZWxhdGVkIFJOQSB2aXJ1c2VzIHRoYXQgY2F1c2UgZGlzZWFzZXMgaW4gbWFtbWFscyBhbmQgYmlyZHMuIEluIGh1bWFucyBhbmQgYmlyZHMsIHRoZXkgY2F1c2UgcmVzcGlyYXRvcnkgdHJhY3QgaW5mZWN0aW9ucyB0aGF0IGNhbiByYW5nZSBmcm9tIG1pbGQgdG8gbGV0aGFsLiBNaWxkIGlsbG5lc3NlcyBpbiBodW1hbnMgaW5jbHVkZSBzb21lIGNhc2VzIG9mIHRoZSBjb21tb24gY29sZCAoR1Vae2NOYXFyWnZwX2pWeXlfckFRX2YwMEF9KSwgd2hpbGUgbW9yZSBsZXRoYWwgdmFyaWV0aWVzIGNhbiBjYXVzZSBTQVJTLCBNRVJTLCBhbmQgQ09WSUQtMTkuIEluIGNvd3MgYW5kIHBpZ3MgdGhleSBjYXVzZSBkaWFycmhlYSwgd2hpbGUgaW4gbWljZSB0aGV5IGNhdXNlIGhlcGF0aXRpcyBhbmQgZW5jZXBoYWxvbXllbGl0aXMu---decoded Message---
Coronaviruses are a group of related RNA viruses that cause diseases in mammals and birds. In humans and birds, they cause respiratory tract infections that can range from mild to lethal. Mild illnesses in humans include some cases of the common cold (GUZ{cNaqrZvp_jVyy_rAQ_f00A}), while more lethal varieties can cause SARS, MERS, and COVID-19. In cows and pigs they cause diarrhea, while in mice they cause hepatitis and encephalomyelitis.
You get the flag in encoded technique again, on seing itself we can conclude this a rot 13 cipher.
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads]
└─$ echo "GUZ{cNaqrZvp_jVyy_rAQ_f00A}" | rot13 THM{pAndeMic_wIll_eND_s00N}
**THM{pAndeMic\_wIll\_eND\_s00N}**
Again like previous challenges we have pdf with unzip and its locked with password and we had morse code inside the pdf. Decode the morse code with online tool [https://v2.cryptii.com/morsecode/text](https://v2.cryptii.com/morsecode/text)
.... . .-. . / .. ... / -.-- --- ..- .-. / .--. .- ... ... .-- --- .-. -.. / ---... / .. .... .- ...- . -.-- --- ..- .-. ..-. .-.. .- --.
HAHAH, Is this a trap ?here is your password : ihaveyourflag
Unzip the file we again get Esoteric language of malbolge. Compiling the program we will get the flag.
**THM{MaLbOlgE\_iS\_EsoLAnG\_1998}**
Forensics
=========
we have zip file with jpeg image in Forensics category I taught this could be header error but we had encrypted comment in Metadata of the image.
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour/Brainstorm]
└─$ exiftool SomeThingDifferent.jpg 130 ⨯
ExifTool Version Number : 12.06
File Name : SomeThingDifferent.jpg
Directory : .
File Size : 26 kB
File Modification Date/Time : 2020:09:14 13:33:54+05:30
File Access Date/Time : 2020:09:29 11:31:44+05:30
File Inode Change Date/Time : 2020:09:29 11:31:44+05:30
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : <(K`16$$O-8RH11?Z&Y]?Xc<3I/
Image Width : 602
Image Height : 339
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 602x339
Megapixels : 0.204
By seing this comment this a encrypted in Base85 and decoding it with [https://gchq.github.io/CyberChef/#recipe=From\_Base85('!-u')&input=PChLYDE2JCRPLThSSDExP1omWV0/WGM8M0kv](https://gchq.github.io/CyberChef/#recipe=From_Base85('!-u')&input=PChLYDE2JCRPLThSSDExP1omWV0/WGM8M0kv)
**THM{AscII\_iS\_nOt\_bAd}**
Here we have log analysis and log had all the request for a website and it was a easy challenge where flag was divided into two parts and thrown to log.
another part of the flag was in line no 811.
**THM{aCCeSS\_lOgS\_aRe\_ImpORtanT}**
Again we have log analysis but this time we have login brute force attack. but again we can extract flag with regex.
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour]
└─$ cat login.log| grep "_" 2 ⨯
kali tty7 yOu'rE_ a_ fOrEnsiCs_hErO 38 - crash (17:21)
kali tty7 yOu'rE_ a_ fOrEnsiCs_hErO 38 - crash (17:21)
kali tty7 yOu'rE_ a_ fOrEnsiCs_hErO 38 - crash (17:21)
kali tty7 yOu'rE_ a_ fOrEnsiCs_hErO 38 - crash (17:21)
kali tty7 yOu'rE_ a_ fOrEnsiCs_hErO 38 - crash (17:21)
**THM{yOu’rE\_a\_fOrEnsiCs\_hErO}**
As the Description says this is something about hash which was discovered in year of 1995 and seeing the file we had hash and to find the name of the hash
1. fc3cc2a81e4a73eed943f5253bd80d4e2. Find the flag in the file......0. { _iS_gOOd_hAsH} - My 1st word is missing and it is lowercase ( example - abcd ), just identify the above hash (no need to calculate the hash) and the name of the has is my first word.
With help of findmyhash you can find the hash type and it was tiger hash and flag is THM{tiger\_iS\_gOOd\_hAsH}
This was again a classic challenge giving a jpeg image and flag was directly found with string command in linux which prints all printable strings character of the file.
**THM{yOu’rE\_A\_FOrEnsIcS\_guY}**
This was a different challenge with pdf and it say it got corrupted file and looking on this it was kind of ppt file which was tried to convert to pdf, we had 10 slides but I found one slides with had strings which was hidden back of the image.
And with help of strings command to get the flag.**THM{yOu\_sOlvEd\_A\_cRimE}**
This time we have pcap analysis, and from description and challenge name this was unsecured communication and we had the login credentials in unencrypted manner. With help of Wireshark tool we can get the flag by following the http request.
**THM{tHis\_Is\_nEtw0rK\_f0reNsiCs}**
Web
===
This was the only challenge out of 5 was able to solve in web category I dont know why all challenge had same site and We didnot know which flag was for this challenge.
This was the landing page on visiting the given link, On looking around I could not get any information for getting the flag but visiting the login route found a login panel and tried for default credentials and admin:admin worked and it got logged in but there to we did not have anything as flag. Then in source code I found a command string which was encode with base64 again.
THM{wE\_aRe\_nOt\_ScrIptBuDdy}
Steganography
=============
Finally we are into stegnography category and given file was png file and went to strings, pngcheck, binwalk and zsteg then we had binary code but it did not give me full flag then found [https://stylesuxx.github.io/steganography/](https://stylesuxx.github.io/steganography/) to solve.
converting binary to ascii will give the flag: **THM{lEarnInG\_bInarY\_wIth\_stEGanOgrAPhY}**
Nice and Cool challenge again here we have zip with bmp image as usual we use xiao stegnography tool to extract the file and we get a other zip which hash another bmp file. where I dont know what to with that. By unlocking the hint may to know about the tool called Quickstego. Which is used to get the flag.
**THM{yOu’re\_nOt\_A\_n00B}**
Again a classic wav file CTF challenge, On listening to it I taught this was SSTV imaging but since this was easy level we had the flag in spectrogram. With help of audacity we can check the spectrogram image of the wav.
One of the cool challenge again we have here, we were given with zip which contains mp4 video with 107mb which was huge. I could not find what was there first then came to know about tool called openpuff [https://www.darknessgate.com/2015/06/07/openpuff/](https://www.darknessgate.com/2015/06/07/openpuff/) Which helped to extract the flag and it had password as fsociety.
**THM{Mr\_RobOT\_LOveS\_SteGANOgrAPHy}**
This time we had a wav file, initially I tried for steghide, rsteg and other tools which did not works actually and then Found this tool called deepsound 2.0 which is used to wav stegnography and with description you come to know about the song Nucleya — Going to Ameria where nucleya is the password to extract secret files.
**THM{yoUr\_sTeGanogRAPhy\_hAs\_iMprovEd}**
Reverse engineering
===================
This was very easy challenge, we were given with a java file and it was direct source code and view the code you could find the if condition for checking the string and we get the flag.
import java.util.Scanner;
public class getsetgo {
public static final int Flag_LENGTH = 8;
public static void main(String[] args) {
Scanner input = new Scanner(System.in);
System.out.print(
"1. A Flag must have at least eight characters.\n" +
"2. A Flag consists of only letters and digits.\n" +
"3. A Flag must contain at least two digits \n" +
"Input a Flag ");
String s = input.nextLine();
if (is_Valid_Flag(s)) {
System.out.println(" h4ck_7h3_pl4n3t ");
} else {
System.out.println("Not a valid Flag: " + s);
}
}
public static boolean is_Valid_Flag(String Flag) {
if (Flag.length() < Flag_LENGTH) return false;
int charCount = 0;
int numCount = 0;
for (int i = 0; i < Flag.length(); i++) {
char ch = Flag.charAt(i);
if (is_Numeric(ch)) numCount++;
else if (is_Letter(ch)) charCount++;
else return false;
}
return (charCount >= 2 && numCount >= 2);
}
public static boolean is_Letter(char ch) {
ch = Character.toUpperCase(ch);
return (ch >= 'A' && ch <= 'Z');
}
public static boolean is_Numeric(char ch) {
return (ch >= '0' && ch <= '9');
}
**THM{h4ck\_7h3\_pl4n3t}**
The given file was named with extension of exe but it was html file and printing the string out with grep regex will give you the flag.
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour]
└─$ file easy.exe
easy.exe: HTML document, UTF-8 Unicode text, with very long lines
┌──(aravindha㉿t3chw1z4rd)-[~/Downloads/CTF/hackershour]
└─$ strings easy.exe | grep "THM{"
It was really a very good experience **THM{4lways_THinG_ouTsiDE_0F_thE_box}**to attend Hackers Meetup, it is Helping us to know and learn too many things in a better way, enriching experience overall Thank you.
Thank you guys for all the way reading till the end, if you like this writeup for the CTF do give some claps to this post which will encourage me to post more writeup for upcoming CTF. If you have any doubt or need clarification on above solution you can contact me from below
You will find me on
Linkedin: https://www.linkedin.com/in/aravindhahariharan/
Github: https://github.com/Aravindha1234u
Discord : T3cH_W1z4rD#5916
Instagram: https://www.instagram.com/aravindha_hariharan/
Twitter : https://twitter.com/aravindha1234u
Facebook: https://www.facebook.com/aravindha1234u
