How I solved the De1CTF 2020 Misc. Chowder Challenge
Hi everyone! So, I started doing Capture The Flag (CTF) competitions around a month ago and I am obviously very new to this scene. I found De1CTF on CTFtime and decided to give it a try. I found this particular challenge very interesting, though it took me more than 7 hours to solve. XD. Okay, let's dive right in.
First, there is a Google Drive link to a packet capture file (.pcap), which I opened in Wireshark.
I applied the display filter http to show only HTTP traffic. Looking through the requests, I saw a POST request uploading a JPEG image. Right-clicking on it and selecting Follow -> TCP Stream,
I got the POST request with the JPG file rendered as ASCII. I changed the "Show data as" format to Raw and saved the stream to a file.
Opening the file in Notepad++, I removed everything except the file contents from the POST request (the request line, the HTTP headers and the multipart form boundaries) and saved it with a filename and a .jpg extension. A quick sanity check is that the saved file starts with the JPEG magic bytes FF D8 FF. I got an image file that looked rather uninteresting.
Similarly, there were multiple TCP streams. Doing the same drill with the remaining streams, I found a couple of other uninteresting images. But on the seventh stream I followed, there was this interesting file.
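The manual Notepad++ clean-up above can be automated. The following Python script is an added example (not code from the write-up): it takes the raw bytes that Wireshark saves from Follow -> TCP Stream, strips the request line, headers and multipart boundaries, honours Content-Length so that a server reply captured in the same stream is not mistaken for file data, and writes out each uploaded file. The HTTP request, the boundary string and the stand-in JPEG it parses are constructed for this example.

```python
"""Extract uploaded files from a raw HTTP POST captured with Wireshark.

Added example, not code from the original write-up. It does in code what the
write-up does by hand in Notepad++: take the bytes saved by Follow -> TCP
Stream (Show data as Raw), drop the request line, headers and multipart
boundaries, and keep only the uploaded file. The request below is
constructed for this example; the JPEG inside it is a stand-in, not a real
picture.
"""
import re

JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image

# Constructed stand-in for an uploaded JPEG: valid magic bytes, no real image data.
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 24 + JPEG_EOI
BOUNDARY = b"----ConstructedBoundary7MA4YWxk"


def build_sample_stream():
    """Constructed raw TCP stream: the client's POST followed by the server's reply."""
    body = b"".join([
        b"--", BOUNDARY, b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="pic.jpg"\r\n',
        b"Content-Type: image/jpeg\r\n",
        b"\r\n",
        SAMPLE_JPEG, b"\r\n",
        b"--", BOUNDARY, b"--\r\n",
    ])
    head = b"".join([
        b"POST /upload HTTP/1.1\r\n",
        b"Host: 192.0.2.10\r\n",
        b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n",
        b"\r\n",
    ])
    # A "Follow TCP Stream" dump of both directions also contains the reply;
    # Content-Length is what lets the parser stop before it.
    reply = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return head + body + reply


def parse_headers(block):
    """'Name: value' lines (after the request line) -> dict keyed by lowercase name."""
    headers = {}
    for line in block.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_multipart_files(stream):
    """Return [(filename, content)] for every file part of a multipart POST.

    `stream` is the raw client-to-server data of one HTTP request, i.e. what
    Wireshark writes when you save a followed stream as Raw.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found")
    headers = parse_headers(head)
    # The body is exactly Content-Length bytes; anything after it (the reply,
    # or the next request on a keep-alive connection) is not part of the upload.
    if b"content-length" in headers:
        rest = rest[: int(headers[b"content-length"])]
    match = re.search(rb'boundary="?([^";]+)', headers.get(b"content-type", b""))
    if not match:
        raise ValueError("request is not multipart/form-data")
    delimiter = b"--" + match.group(1)
    files = []
    for part in rest.split(delimiter)[1:]:          # [0] is the preamble
        if part.startswith(b"--"):                  # "--boundary--" closes the body
            break
        part_head, _, content = part.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):               # this CRLF belongs to the next delimiter
            content = content[:-2]
        name = re.search(rb'filename="([^"]*)"', part_head)
        if name:
            files.append((name.group(1).decode("utf-8", "replace"), content))
    return files


def looks_like_jpeg(data):
    """Cheap sanity check before trusting the carved bytes as an image."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


if __name__ == "__main__":
    for filename, content in extract_multipart_files(build_sample_stream()):
        print(f"{filename}: {len(content)} bytes, JPEG magic ok: {looks_like_jpeg(content)}")
        with open(filename, "wb") as fh:
            fh.write(content)
```

To use it on a real capture, replace `build_sample_stream()` with the bytes of the file Wireshark saved; the trailing CRLF before each boundary is part of the multipart framing, not of the image, which is why the parser strips it rather than leaving it in the output file.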
There's a Google Drive link in the image. Opening that link, there was a zip file called “readme.zip”. Extracting it, there was a Word document (.docx) named “readme.docx”. Opening it with great enthusiasm,
OMG! Guess it wouldn't be so easy. I did some quick research on the .docx file format and found that it is really an archive: a .docx is an Office Open XML package, which is an ordinary ZIP file holding XML parts such as word/document.xml, so any archive tool can open it, and an entry that is not one of the usual parts stands out immediately. So I unzipped it and found a zip file inside named ‘You_found_me_Orz.zip’.
I got excited and tried to open it, but alas, it was password protected. I researched online how to open password-protected zip files without the password and saw that the password can be brute-forced with a tool called John the Ripper, which comes preinstalled on distributions such as Kali Linux and Parrot Security OS. So I transferred the zip file to a Parrot OS virtual machine.
Then I used the following command to convert the zip file into john's hash format.
zip2john You_found_me_Orz.zip > output.txt
Then I tried to crack the password using John the Ripper's default settings (single crack mode, then its built-in wordlist, then incremental mode).
john --format=zip output.txt
It kept running for more than an hour without finding the password. Then I saw that the challenge had a clue saying the password is 6 characters long and the first two characters are ‘D’ and ‘E’. So I had to build a wordlist for brute-forcing. Again, I didn't know how to do it and searched the Internet. I found that Parrot OS ships with a tool called crunch for building wordlists.
Since the first two characters are fixed and only the remaining 4 characters vary, I used crunch to build a wordlist of every 4-character combination of letters and digits (62^4, about 14.8 million entries) and saved it to a file.
crunch 4 4 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 > wordlist.txt
Then I used sed to prepend DE to every word in the wordlist. The substitution needs its closing slash, otherwise sed rejects the command as unterminated.
sed 's/^/DE/' wordlist.txt > wordlist1.txt
I used this wordlist I created now to try and brute-force the password with john.
john --format=zip --wordlist=wordlist1.txt output.txt
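The crunch + sed pipeline materialises all 14.8 million candidates on disk. The same keyspace can be described as a mask and streamed instead; John the Ripper's mask mode does this expansion internally (see doc/MASK in the jumbo build), and the Python script below, added here as an example and not part of the write-up, shows the expansion explicitly so the candidate order and keyspace size are visible. The mask syntax it accepts (?l ?u ?d ?s ?a built-in sets, ?1..?9 user-defined sets, ?? for a literal question mark) follows john and hashcat; the default mask encodes the challenge hint.

```python
"""Expand a john/hashcat-style mask into candidate passwords.

Added example, not code from the original write-up. It produces the same
candidates as the crunch + sed pipeline (fixed "DE", then four positions
drawn from a-z, A-Z, 0-9) but as a stream, so nothing 14.8 million lines
long has to be written to disk, and it reports the keyspace size first.
"""
import itertools
import string
import sys

BUILTIN_SETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,
    "a": string.ascii_letters + string.digits + string.punctuation,
}


def _tokens(spec):
    """Split 'DE?1?1' into 'D', 'E', ('?','1'), ('?','1'); '??' is a literal '?'."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            yield "?" if spec[i + 1] == "?" else ("?", spec[i + 1])
            i += 2
        else:
            yield spec[i]
            i += 1


def expand_set(spec, custom=None):
    """Charset definition such as '?l?u?d' or 'abc?d' -> ordered, de-duplicated string."""
    chars = []
    for tok in _tokens(spec):
        if isinstance(tok, tuple):
            key = tok[1]
            chars.extend((custom or {}).get(key) or BUILTIN_SETS[key])
        else:
            chars.append(tok)
    return "".join(dict.fromkeys(chars))


def parse_mask(mask, custom=None):
    """Mask -> one charset per position; literal characters become one-element sets."""
    sets = {k: expand_set(v) for k, v in (custom or {}).items()}
    positions = []
    for tok in _tokens(mask):
        positions.append(expand_set("?" + tok[1], sets) if isinstance(tok, tuple) else tok)
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask generates, computed without enumerating them."""
    n = 1
    for charset in parse_mask(mask, custom):
        n *= len(charset)
    return n


def candidates(mask, custom=None):
    """Yield candidates in crunch's order: the leftmost free position changes slowest."""
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def fits_mask(word, mask, custom=None):
    """True if `word` is one of the mask's candidates (checked per position, no enumeration)."""
    positions = parse_mask(mask, custom)
    return len(word) == len(positions) and all(c in cs for c, cs in zip(word, positions))


if __name__ == "__main__":
    # Default is the challenge's hint: "DE" plus four mixed-alphanumeric characters.
    mask = sys.argv[1] if len(sys.argv) > 1 else "DE?1?1?1?1"
    custom = {"1": "?l?u?d"}
    print(f"keyspace for {mask}: {keyspace(mask, custom):,}", file=sys.stderr)
    for word in candidates(mask, custom):
        sys.stdout.write(word + "\n")
```

Because it writes candidates to stdout, it can feed john directly (`python3 mask.py | john --format=zip --stdin output.txt`) with no wordlist file at all; `keyspace()` is worth calling before any long run, since 62^4 is fine for ZIP but the same hint with two more free positions would be 62^6, about 57 billion candidates.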
After a while, the password was cracked as ‘DE34Q1’. Extracting ‘You_found_me_Orz.zip’ with that password gave me the file ‘You_found_me_Orz.jpg’.
Again nothing to be found easily. I had a feeling that other files could have been hidden inside this one. So, I renamed the file with a .zip extension and used WinRAR to extract it. This works because a ZIP archive is located from its end: the extractor looks for the end-of-central-directory record in the last bytes of the file, so an archive glued on after the JPEG's end-of-image marker (FF D9) extracts as if the image data in front of it were not there.
There were 3 files inside. I opened ‘flag.txt’ and saw a suspicious flag inside:
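The two container tricks used so far (a stray entry planted inside a .docx, and a ZIP appended to a JPEG) can both be handled with the standard library. The script below is an added example, not code from the write-up: it lists entries in a .docx that fall outside the normal Office Open XML layout, locates an appended archive from its end-of-central-directory record (the same way an archiver does when you rename the .jpg to .zip) and extracts it. The .docx, the archives and the stand-in images it works on are constructed in memory; unlike the challenge's inner zip, the constructed one has no password, since the standard library cannot write encrypted ZIPs.

```python
"""Dig archives out of containers: a stray ZIP entry inside a .docx and a
ZIP appended to a JPEG.

Added example, not code from the original write-up. The .docx, the images
and the archives below are all constructed in memory; unlike the challenge,
the inner zip is not password protected (the standard library cannot write
encrypted ZIPs), so the cracking step is left out.
"""
import io
import struct
import zipfile

# Top-level parts a normal Office Open XML package consists of.
OOXML_PREFIXES = ("[Content_Types].xml", "_rels/", "word/", "docProps/", "customXml/")

# Constructed stand-in for a JPEG: valid start/end markers, no real image data.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"


def zip_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def read_entry(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def unexpected_docx_entries(docx_bytes):
    """Entries that do not belong to the usual .docx layout; anything here was planted."""
    return [n for n in zip_names(docx_bytes) if not n.startswith(OOXML_PREFIXES)]


def find_appended_zip_offset(blob):
    """Start offset of a ZIP glued onto the end of another file, or -1.

    Every ZIP ends with an end-of-central-directory record (signature PK\\x05\\x06)
    holding the size and offset of the central directory. Archivers find the
    archive from that record, which is why renaming a JPEG to .zip works; the
    archive starts at eocd - cd_size - cd_offset.
    """
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        return -1
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    return eocd - cd_size - cd_offset


def carve_appended_zip(blob):
    """Extract a ZIP appended after a JPEG's end-of-image marker as {name: bytes}."""
    offset = find_appended_zip_offset(blob)
    if offset <= 0 or blob[offset - 2:offset] != b"\xff\xd9":
        raise ValueError("no ZIP archive found after a JPEG end-of-image marker")
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def make_zip(entries):
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_docx():
    """Constructed readme.docx with the same nesting as the challenge."""
    inner = make_zip({
        "flag.txt": b"decoy flag text (constructed)",
        "666.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    })
    hidden = make_zip({"You_found_me_Orz.jpg": FAKE_JPEG + inner})
    return make_zip({
        "[Content_Types].xml": b"<Types/>",
        "_rels/.rels": b"<Relationships/>",
        "word/document.xml": b"<document/>",
        "You_found_me_Orz.zip": hidden,
    })


def hunt(docx_bytes):
    """Follow the chain docx -> planted zip -> jpg -> appended zip; return what it finds."""
    stray = unexpected_docx_entries(docx_bytes)
    hidden = read_entry(docx_bytes, stray[0])
    jpg_name = zip_names(hidden)[0]
    return stray, jpg_name, carve_appended_zip(read_entry(hidden, jpg_name))


if __name__ == "__main__":
    stray, jpg_name, found = hunt(build_sample_docx())
    print("planted in docx:", stray)
    print("inside that zip:", jpg_name)
    for name, data in found.items():
        print(f"appended archive contains {name} ({len(data)} bytes)")
```

Note that Python's zipfile would open the whole JPEG-plus-archive blob on its own, because it too searches backwards for the end-of-central-directory record; slicing at the computed offset is done here so the location logic is explicit and so that the result can be handed to tools that are less forgiving about leading junk.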
De1CTF{jaivy say that you almost get me!!! }
I submitted the flag and saw that it was a false flag. Then I saw another image that says “I AM FLAG”. I tried the same technique, renamed it as a zip file and tried extracting the contents, to no avail. I kept trying various methods but none of them worked. I left it alone for a while.
Again, research time! I searched online for steganography methods. After a while, I found a method for hiding files in an NTFS alternate data stream (ADS) of another file. An ADS is an extra named stream attached to a file on an NTFS volume; Explorer and a plain dir do not show it, and it is lost if the file is copied to a FAT/exFAT volume or extracted with a tool that does not preserve streams. I checked whether there was a hidden ADS using the following command in Command Prompt.
dir /r
There was a hidden stream attached to 666.png, named fffffffflllll.txt. I opened it in Notepad using the command
notepad 666.png:fffffffflllll.txt:$DATA
Wow! The file has a flag.
"De1CTF{E4Sy_M1sc_By_Jaivy_31b229908cb9bb}"
I submitted the flag and voilà! It was the correct one.
Thank you for reading. If you liked it, please drop a clap and let me know how the write-up is.
My social media links:
LinkedIn: https://www.linkedin.com/in/ksv-naveen-prakaasham-262252183/
Twitter: https://twitter.com/NPrakaasham