CTF collection Vol.1
Task 2: What does the base said?
Feed me the flag!
We can decode the flag using the base64 utility.
$ echo "VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==" | base64 -d
THM{ju57_d3c0d3_7h3_b453}
Answer
THM{ju57_d3c0d3_7h3_b453}
Task 3: Meta meta
I'm hungry, I need the flag.
The name of the task hints us that the flag might be in the image metadata.
We can extract this metadata using exiftool.
$ exiftool Findme.jpg
ExifTool Version Number : 12.44
File Name : Findme.jpg
Directory : .
File Size : 35 kB
File Modification Date/Time : 2023:12:09 10:26:58+05:30
File Access Date/Time : 2023:12:09 10:26:58+05:30
File Inode Change Date/Time : 2023:12:09 10:27:26+05:30
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 96
Y Resolution : 96
Exif Byte Order : Big-endian (Motorola, MM)
Resolution Unit : inches
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
Flashpix Version : 0100
Owner Name : THM{3x1f_0r_3x17}
Comment : CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 60.
Image Width : 800
Image Height : 480
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 800x480
Megapixels : 0.384
Answer
THM{3x1f_0r_3x17}
Task 4: Mon, are we going to be okay?
It is sad. Feed me the flag.
Sometimes other data or files can be hidden inside of JPG files.
We can use steghide to extract these hidden files.
$ steghide extract -sf Extinction.jpg
Enter passphrase:
wrote extracted data to "Final_message.txt".
- Let's read the
Final_message.txtfile.
$ cat Final_message.txt
It going to be over soon. Sleep my child.
THM{500n3r_0r_l473r_17_15_0ur_7urn}
Answer
THM{500n3r_0r_l473r_17_15_0ur_7urn}
Task 5: Erm......Magick
Did you find the flag?
If we just select the task string, we will see the flag.
Answer
THM{wh173_fl46}
Task 6: QRrrrr
More flag please!
The image we have is a QR code. In order to extract the flag, we can use the ZXing Decoder.
Answer
THM{qr_m4k3_l1f3_345y}
Task 7: Reverse it or read it?
Found the flag?
For this challenge we are given an executable file.
$ file hello.hello
hello.hello: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=02900338a56c3c8296f8ef7a8cf5df8699b18696, for GNU/Linux 3.2.0, not stripped
We can check the strings inside the file using the strings command.
$ strings hello.hello
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
printf
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
THM{345y_f1nd_345y_60}
-- snip --;
Answer
THM{345y_f1nd_345y_60}
Task 8 Another decoding stuff
Oh, Oh, Did you get it?
We can use the Magic function from CyberChef to decode the flag.
Answer
THM{17_h45_l3553r_l3773r5}
Task 9 Left or right
Left, right, left, right... Rot 13 is too mainstream. Solve this
MAF{atbe_max_vtxltk} Let's use the
Rot13function with the amount set to7.
Answer
THM{hail_the_caesar}
Task 10: Make a comment
I'm hungry now... I need the flag
Let's inspect the page.
Answer
THM{4lw4y5_ch3ck_7h3_c0m3mn7}
Task 11: Can you fix it?
What is the content?
Let's check the hash dump of the PNG file.
$ xxd spoil.png | head
00000000: 2333 445f 0d0a 1a0a 0000 000d 4948 4452 #3D_........IHDR
00000010: 0000 0320 0000 0320 0806 0000 00db 7006 ... ... ......p.
00000020: 6800 0000 0173 5247 4200 aece 1ce9 0000 h....sRGB.......
00000030: 0009 7048 5973 0000 0ec4 0000 0ec4 0195 ..pHYs..........
00000040: 2b0e 1b00 0020 0049 4441 5478 9cec dd79 +.... .IDATx...y
00000050: 9c9c 559d eff1 cf79 9e5a bb7a 5f92 7477 ..U....y.Z.z_.tw
00000060: f640 4802 0920 1150 c420 bba2 88a8 805c .@H.. .P. .....\
00000070: 1906 7c5d 64c0 79e9 752e 03ce 38e3 0e8e ..|]d.y.u...8...
00000080: 2f75 e63a 23ea 8c0c e830 8e03 6470 c191 /u.:#....0..dp..
00000090: cd80 880c 4b20 0909 184c 42b6 4ed2 e9f4 ....K ...LB.N...
So the first 4 characters are wrong. In a PNG file the first 4 characters should be 89 50 4E 47 as shown in this image:
Let's use hexedit to fix the bytes.
$ hexedit spoil.png
We should now be able to view the image.
THM{y35_w3_c4n}
Task 12 Read it
Did you found the hidden flag?
For this question, we have to perform some Google dorking.
Enter the following text in the search bar and click on the first link:
site:reddit.com/[r/tryhackme](https://www.reddit.com/r/tryhackme/) intext:THM{*}
Answer
THM{50c14l_4cc0un7_15_p4r7_0f_051n7}
Task 13: Spin my head
Can you decode it?
The text is encrypted using Brainfuck.
We can decode it using an online decoder.
Answer
THM{0h_my_h34d}
Task 14: An exclusive!
Did you crack it? Feed me now!
Since there are two strings, the possible decryption method is XOR.
Let's use an online decoder.
Answer
THM{3xclu51v3_0r}
Task 15 Binary walk
Flag! Flag! Flag!
We have to extract the embedded files from the JPG file using binwalk.
$ binwalk -e hell.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.02
30 0x1E TIFF image data, big-endian, offset of first image directory: 8
265845 0x40E75 Zip archive data, at least v2.0 to extract, uncompressed size: 69, name: hello_there.txt
266099 0x40F73 End of Zip archive, footer length: 22
We can now read the flag from the hello.txt file.
$ cat _hell.jpg.extracted/hello_there.txt
Thank you for extracting me, you are the best!
THM{y0u_w4lk_m3_0u7}
Answer
THM{y0u_w4lk_m3_0u7}
Task 16 Darkness
What does the flag said?
We have to first download stegsolve for this task using the following command:
$ wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
$ chmod +x stegsolve.jar
$ mkdir bin
$ mv stegsolve.jar bin/
We have to now move the dark.png image to the bin folder that we crated.
$ mv dark.png bin
We are now ready to use stegsolve.
$ java -jar stegsolve.jar
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
After opening the image using stegsolve, we have to go to Blue plane 1 to be able to see the flag.
Answer
THM{7h3r3_15_h0p3_1n_7h3_d4rkn355}
Task 17: A sounding QR
What does the bot said?
Let's decode the QRCTF.png file using Zxing.
We are given a Soundcloud link as the result.
Let's visit the link.
The audio tells us that the flag is soundingqr.
Answer
THM{SOUNDINGQR}
Task 18: Dig up the past
Did you found my past?
For this one we have to use the Wayback Machine.
Let's look at the snapshot created on January 2, 2020.
Answer
THM{ch3ck_th3_h4ckb4ck}
Task 19: Uncrackable!
The deciphered text
In this task, we have to use the # Vigenère cipher.
The key is THM.
Answer
TRYHACKME{YOU_FOUND_THE_KEY}
Task 20: Small bases
What is the flag?
We simply have to convert it from Decimal to Hexadecimal to ASCIII.
Hexadecimal
54484D7B31375F6A7535375F346E5F307264316E3472795F62343533357D
Answer
THM{17_ju57_4n_0rd1n4ry_b4535}
Task 21: Read the packet
Did you captured my neighbor's flag?
We have to open the PCAP using Wireshark and set the following filter:
tcp.stream == 42
That filters for the HTTP packets.
We can find the flag in packet 1827.
Answer
THM{d0_n07_574lk_m3}