Forensics
tukang-ketik
Description
Author: k.eii
typing while sipping sweet iced tea during ngabuburit (passing the time before iftar)
Initial Analysis
We are given a packet.pcapng file. Open it with Wireshark:

This looks like captured USB traffic, but nothing in it says outright whether the device is a keyboard or a mouse. Two quick checks settle that: the interface descriptor in the enumeration packets (bInterfaceClass 3 is HID; bInterfaceProtocol 1 means keyboard, 2 means mouse), and the length of the data payloads, since a boot-protocol keyboard sends fixed 8-byte reports while a mouse sends shorter, device-dependent ones.
Exfiltration
I simply guessed it was a keyboard from the challenge title (tukang-ketik is Indonesian for "typist") and used a keyboard parser from here:
I ran the script and got the flag.
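For anyone who wants to see what such a parser actually does, here is an added example (not the script the writeup links to) that decodes USB HID boot-protocol keyboard reports: byte 0 holds the modifiers (shift is bit 1 or bit 5), byte 1 is reserved, and bytes 2 to 7 list the key usage codes currently held. The capture itself is not reproduced; the reports in the demo are constructed with encode_reports(), and capdata_to_reports() accepts the hex lines tshark prints for the report data (depending on the Wireshark version the field is usb.capdata or usbhid.data).

```python
# Added example (not the parser used in the writeup): decode USB HID boot-protocol
# keyboard reports into text. The reports in the demo are constructed, not taken
# from packet.pcapng. Real ones can be dumped with, e.g.
#   tshark -r packet.pcapng -Y 'usb.capdata' -T fields -e usb.capdata
# (usbhid.data instead of usb.capdata on newer Wireshark), one hex string per line.

# Key usage ID -> (unshifted, shifted) for the keys a flag is likely to use.
KEYMAP = {0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)}
KEYMAP.update({0x1E + i: pair for i, pair in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
    0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"),
    0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"), 0x36: (",", "<"),
    0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # modifier byte: bit 1 = left shift, bit 5 = right shift


def capdata_to_reports(lines):
    """Turn tshark's hex output (one report per line, ':' separators tolerated) into bytes."""
    return [bytes.fromhex(line.strip().replace(":", "")) for line in lines if line.strip()]


def decode_reports(reports):
    """Rebuild typed text from 8-byte boot-protocol reports.

    A report lists every key currently held, so a key is emitted only when it
    appears in a report and was absent from the previous one; that ignores the
    repeated reports a held key produces. Backspace removes the last character.
    """
    text, previously_held = [], set()
    for report in reports:
        if len(report) != 8:  # not a boot keyboard report (descriptor traffic, mouse, ...)
            continue
        shifted = bool(report[0] & SHIFT_MASK)
        held = {code for code in report[2:8] if code}
        for code in sorted(held - previously_held):
            if code == BACKSPACE:
                if text:
                    text.pop()
            elif code in KEYMAP:
                text.append(KEYMAP[code][1 if shifted else 0])
        previously_held = held
    return "".join(text)


# Reverse map, used only to construct sample traffic for the demo.
CHAR_TO_KEY = {ch: (code, idx) for code, pair in KEYMAP.items() for idx, ch in enumerate(pair)}


def encode_reports(text):
    """Constructed press/release report pairs for each character of text."""
    reports = []
    for ch in text:
        code, shifted = CHAR_TO_KEY[ch]
        reports.append(bytes([0x02 if shifted else 0x00, 0, code, 0, 0, 0, 0, 0]))
        reports.append(bytes(8))  # all keys released
    return reports


if __name__ == "__main__":
    # Constructed sample: the flag text, with one key held across three reports
    # and then deleted with backspace, to show both cases are handled.
    sample = encode_reports("RAMADAN{easy_") + [bytes([0, 0, 0x04, 0, 0, 0, 0, 0])] * 3
    sample += [bytes(8), bytes([0, 0, BACKSPACE, 0, 0, 0, 0, 0]), bytes(8)]
    sample += encode_reports("K3yb0ard_HID_us4Ge}")
    print(decode_reports(sample))
```

The held-key rule matters in real captures: a USB keyboard keeps sending the same report while a key is down, so a naive parser that emits a character per report prints runs of duplicated letters.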

Flag: RAMADAN{easy_K3yb0ard_HID_us4Ge}
takjil-atin
Description
Author: b4r
I have a friend who is good at CTF, especially forensics. Maybe because he is so good, he has a strange nickname in his CTF community: "mata diam" (literally "silent eye"), because he quietly solves every chall! 🥶🥶
Initial Analysis
We are given a file called chall.zip. When we try to extract it, we are prompted for a password:

Exfiltration
First we need to crack the zip password. I used john with the rockyou.txt wordlist; the password hash has to be extracted from the archive with zip2john first.

We find that the password is ramadankareem.
Extracting the archive gives a file called scouttie.wav.
Googling scouttie.wav turned up a writeup about hiding a picture inside an audio file with SSTV (slow-scan television), which encodes an image as a sequence of audio tones that an SSTV decoder turns back into a picture.
I then followed the steps in that writeup and recovered an image:


Scanning the QR code gives the link https://mega.nz/file/OzBxVBJQ#jviDcis3ri782etRv5wJt8PX8yKQ55B9zLssPzRge8E. Opening it gives yet another picture:

At this point I was clueless and talked to the challenge author. He said it is a steganography tool, and that the suspicious "mata diam" in the description is the hint. Apparently the tool was SilentEye ("mata diam" is Indonesian for "silent eye"). Running this tool on the mamahakutakut.jpg picture gives the flag!

Flag: RAMADAN{_m4grh1b_=_l4m4_}
sawt safiri
Description
Author: amek
My friend texted me earlier, saying he has been scrolling TikTok a lot lately. Then, out of nowhere, he sent me a song that he says keeps showing up there. I don't know why, but it feels like he wants to tell me something, just not directly.
Besides that, he also sent me a photo of a cat.. the cat is really cute, but I feel something is off. Like something was slipped into a spot that isn't too conspicuous. I tried fiddling with it, in case there is something small but actually important. Because sometimes the things that look ordinary are exactly the ones hiding something inside.
Maybe you need to look more closely to find what he is hiding. Help me find out, will you?"
Initial Analysis
We are given two files:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/sawt safiri]
└──╼ $tree .
.
├── sawt safiri.mp3
└── tolong gw.docx
1 directory, 2 files
If we open tolong gw.docx, we only get a picture of the tobtobitob cat.

Because sawt safiri.mp3 serves no purpose on the way to the flag, I will ignore it completely.
Exfiltration
I ran binwalk on tolong gw.docx to extract the files embedded in the document (a .docx is just a zip archive of XML parts and media, so binwalk unpacks all of them):
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/sawt safiri/_tolong gw.docx.extracted]
└──╼ $tree -a .
.
├── 0.zip
├── [Content_Types].xml
├── docProps
│   ├── app.xml
│   └── core.xml
├── _rels
│   └── .rels
└── word
    ├── document.xml
    ├── fontTable.xml
    ├── media
    │   ├── image1.png
    │   └── .kucinggpuasa.jpg
    ├── _rels
    │   └── document.xml.rels
    ├── settings.xml
    ├── styles.xml
    ├── theme
    │   └── theme1.xml
    └── webSettings.xml
7 directories, 14 files
There's an interesting hidden file called .kucinggpuasa.jpg. We extract it, and there is a flag written in the picture.
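The same audit can be done without binwalk, added here as an example that is not part of the original writeup: a .docx is a zip of OOXML parts, so zipfile can list them, identify each media part by its magic bytes rather than its extension, and report any media that no .rels relationship references, which is exactly how a file smuggled into word/media/ stands out. The archive built by build_sample_docx() is constructed for the demo; only the file name .kucinggpuasa.jpg is taken from the challenge.

```python
import io
import posixpath
import re
import zipfile

# Added example, not code from the writeup. The sample .docx is constructed;
# a real one is just read from disk with open(path, "rb").read().

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}


def build_sample_docx():
    """Constructed stand-in for tolong gw.docx: minimal OOXML parts, with the
    relationships referencing image1.png but not the dot-file beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships><Relationship Id="rId4" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            'Target="media/image1.png"/></Relationships>',
        )
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("word/media/.kucinggpuasa.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


def file_type(data):
    """Identify a part by its magic bytes instead of trusting its extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def referenced_targets(z):
    """Resolve every Target="..." in every .rels part to a path inside the zip."""
    targets = set()
    for name in z.namelist():
        if not name.endswith(".rels"):
            continue
        base = name.rsplit("_rels/", 1)[0]  # word/_rels/document.xml.rels -> word/
        xml = z.read(name).decode("utf-8", "replace")
        for target in re.findall(r'Target="([^"]+)"', xml):
            if "://" in target:  # external hyperlink, not an archive member
                continue
            targets.add(posixpath.normpath(base + target))
    return targets


def audit_media(docx_bytes):
    """Return {member: file_type} for media parts that no .rels references."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        referenced = referenced_targets(z)
        return {
            name: file_type(z.read(name))
            for name in z.namelist()
            if "/media/" in name and name not in referenced
        }


def extract_member(docx_bytes, member):
    """Pull one part out so it can be handed to stegseek / steghide."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(member)


if __name__ == "__main__":
    sample = build_sample_docx()
    print(audit_media(sample))  # {'word/media/.kucinggpuasa.jpg': 'jpeg'}
```

Checking the relationship files is the part worth keeping: Word never writes a media part it does not reference, so an unreferenced one was added by hand.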

But when I tried to submit it, the flag was wrong. So I ran stegseek --seed .kucinggpuasa.jpg to check whether the picture also carries a steghide payload. This was a trick my mentor daffainfo taught me (sasuga mentorzzz):
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/sawt safiri/_tolong gw.docx.extracted/word/media]
└──╼ $stegseek --seed .kucinggpuasa.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found (possible) seed: "40a6537c"
Plain size: 85.0 Byte(s) (compressed)
Encryption Algorithm: rijndael-128
Encryption Mode: cbc
It does return a seed. Note what that mode gives you: stegseek --seed brute-forces only steghide's embedding seed, so a hit proves there is a steghide payload and reveals its size and cipher settings, but with an encrypted payload (rijndael-128 in CBC mode here) you still need the passphrase to extract it. At this point I was exhausted, so I asked the challenge author:

So I ran steghide extract with this passphrase:
RAMADAN{tobtobitobtobali}

And we get the flag.
Flag: RAMADAN{t0b_t0b1_t0b_t0b4l1}
Mr Black
Description
Author: unknown
Hey, look, I got a request for help from Mr Black. He is my father's friend. He asked me to repair his photo, which has been damaged. The photo suddenly changed size (the original size was 1000x614) and can no longer be opened. For some reason he sent a zip file with layered security. Mr Black said the passwords are also hidden in that zip file.
Initial Analysis
We are given a file called dist.zip. When I tried to extract it, I was prompted for a password:

There's an interesting hash in the archive comment. I passed it to CrackStation and it was an already-cracked hash:

We successfully extract the zip with that password, but there is yet another zip file inside:

When we try to extract it, it is again password-protected; this time the archive comment hints at the rockyou.txt wordlist:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
└──╼ $7z e wall2.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 446000 bytes (436 KiB)
Extracting archive: wall2.zip
--
Path = wall2.zip
Type = zip
Physical Size = 446000
Comment = rockyou.txt
Enter password (will not be echoed):
This time I used fcrackzip to crack the password of wall2.zip and found it was greenday (just trust me on this one, my VM can't handle another cracking session 😭):
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black]
└──╼ $7z e wall2.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 446000 bytes (436 KiB)
Extracting archive: wall2.zip
--
Path = wall2.zip
Type = zip
Physical Size = 446000
Comment = rockyou.txt
Enter password (will not be echoed):
Everything is Ok
Folders: 1
Files: 1
Size: 445635
Compressed: 446000
When we try to extract wall3.zip we are again prompted for a password:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
└──╼ $7z e wall3.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 445635 bytes (436 KiB)
Extracting archive: wall3.zip
--
Path = wall3.zip
Type = zip
Physical Size = 445635
Comment = cGFzc3dvcmQ= : mengcetef
Enter password (will not be echoed):
The comment contains a Base64 string; decoding cGFzc3dvcmQ= in CyberChef gives "password":

So the comment reads "password : mengcetef", and I assumed the zip password is the string mengcetef encoded to Base64, i.e. bWVuZ2NldGVm.

Extracting with that password succeeded:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
└──╼ $7z e wall3.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 445635 bytes (436 KiB)
Extracting archive: wall3.zip
--
Path = wall3.zip
Type = zip
Physical Size = 445635
Comment = cGFzc3dvcmQ= : mengcetef
Enter password (will not be echoed):
Everything is Ok
Size: 447736
Compressed: 445635
Now we have a file called dist.png, but it cannot be opened just yet. Examining the file header:

It is intentionally broken. So I asked ChatGPT how to fix the header for a 1000x614 image. (In a PNG the IHDR chunk stores width and height as big-endian 32-bit integers at offsets 16 and 20, so the values to put back are 00 00 03 E8 and 00 00 02 66; the chunk's CRC at offset 29 then has to be recomputed over the bytes from "IHDR" through the end of the chunk data, or strict viewers will still reject the file.)

I did just that, and it came back with this:

We then dump the string shown in the picture, put it into CyberChef and let it cook:

After fixing up the flag a little we get the real flag!
Flag: flag{mr_bl4ck_y0ur_1m4g3_h@5_b33n_r3c0v3r3d}
Baby Foren
Description
Author: Karev
My student submitted his homework but I can't open it? Can you help me?
Initial Analysis
We are given a file called homework.txt.

I suspected this file is really a PNG, because bytes 17 to 32 look extremely similar to those of an ordinary PNG file.

Exfiltration
I was a little clueless here, so I asked the author what to do. The author gave a hint like this:

From the hint I deduced that not only the first 8 header bytes were corrupted but also the chunk type (red square) of the first chunk, which must read IHDR (a valid file starts with 89 50 4E 47 0D 0A 1A 0A, then the chunk length 00 00 00 0D, then the type IHDR). So I recovered the chunk type with hexed.it:

And surprisingly, I got the flag!

Flag: RAMADAN{h3y_y0u_fix3d_th3_h3ad3r2!c0ngrats}
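Since Mr Black and Baby Foren both come down to repairing the first bytes of a PNG, here is one repair routine that covers both cases, added as an example rather than the steps from the writeup: it rewrites the signature, the IHDR length and chunk type, optionally the width and height (Mr Black's 1000x614 is the only value taken from the challenge text), and recomputes the IHDR CRC, then walks the chunk list to confirm every CRC verifies. The image is constructed in make_png(); corrupt() fakes the damage.

```python
import struct
import zlib

# Added example, not code from the writeup. The PNG is constructed here; a real
# file would be read with open(path, "rb").read() and written back after repair.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IHDR_LEN = 13  # width(4) height(4) bit depth(1) colour type(1) compression(1) filter(1) interlace(1)


def chunk(ctype, data):
    """Length-prefixed chunk; the CRC covers type + data, not the length field."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width, height):
    """Constructed 8-bit greyscale PNG (filter byte 0 on every row) used as sample input."""
    rows = b"".join(b"\x00" + bytes((x * 7 + y * 13) & 0xFF for x in range(width)) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def corrupt(data):
    """Constructed damage mimicking the challenges: signature, chunk type and size wiped."""
    buf = bytearray(data)
    buf[0:8] = b"\x00" * 8
    buf[12:16] = b"XXXX"
    buf[16:24] = b"\x00" * 8
    return bytes(buf)


def dimensions(data):
    """Width and height as stored in IHDR (offsets 16 and 20, big-endian)."""
    return struct.unpack(">II", data[16:24])


def repair_png(data, width=None, height=None):
    """Rewrite signature, IHDR length/type, optional width/height, and the IHDR CRC.

    IHDR must be the first chunk, so its layout is fixed: length at 8, type at
    12, data at 16..29, CRC at 29..33. Width/height are only touched when given.
    """
    buf = bytearray(data)
    buf[0:8] = PNG_SIG
    buf[8:12] = struct.pack(">I", IHDR_LEN)
    buf[12:16] = b"IHDR"
    if width is not None:
        buf[16:20] = struct.pack(">I", width)
    if height is not None:
        buf[20:24] = struct.pack(">I", height)
    buf[29:33] = struct.pack(">I", zlib.crc32(bytes(buf[12:29])))
    return bytes(buf)


def walk_chunks(data):
    """List (type, length, crc_ok) for every chunk after the signature; stops at IEND."""
    out, pos = [], 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        if pos + 12 + length > len(data):  # truncated chunk, cannot verify
            out.append((ctype, length, False))
            break
        body = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        out.append((ctype, length, stored == zlib.crc32(ctype + body)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out


def demo(width=1000, height=614):
    """Build, damage and repair a sample image; returns all three for inspection."""
    good = make_png(width, height)
    bad = corrupt(good)
    return {"good": good, "bad": bad, "fixed": repair_png(bad, width, height)}


if __name__ == "__main__":
    result = demo()
    print(dimensions(result["bad"]), "->", dimensions(result["fixed"]))
    print(walk_chunks(result["fixed"]))
```

A repaired file whose IHDR CRC still fails in walk_chunks() means the dimensions or another IHDR field were guessed wrong; a failing IDAT CRC means the damage extends past the header and a byte-level fix is not enough.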
mie AYAM BAKSO
Description
Author: b4r
One portion of mie ayam bakso (chicken noodles with meatballs) at iftar
Initial Analysis
We are given a file called mieAYAMBAKSO.jpg. We first open it:

Next I run exiftool and find something interesting:

Exfiltration
First I ran stegseek and found a fake flag, but also another piece of information:
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/mie AYAM BAKSO]
└──╼ $stegseek mieAYAMBAKSO.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
Corrupt JPEG data: 68 extraneous bytes before marker 0xda
[i] Found passphrase: "mieayamsayasuka"
[i] Original filename: "mieayamenak.txt".
[i] Extracting to "mieAYAMBAKSO.jpg.out".
┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/mie AYAM BAKSO]
└──╼ $cat mieAYAMBAKSO.jpg.out
RAMADAN{4ku_5uk4_m13_4yam_t4p1_s4y4n9ny4_1ni_f4k3_fl4g_xixixixixixixi}
The same 68-byte warning. Then I hexdumped the file and found an aaab pattern in the picture which, not coincidentally, is exactly 68 bytes long:

Python 3.11.2 (main, Nov 30 2024, 21:22:50) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> a = bytes.fromhex("aaaaabaaabbaabaaaaaaabbaaaaabbaababa0bbabbaaaaaaaaababbaaaaaaababbaaaabbaaabbaabaaaaaaabbaaaaabbaabababbabbaaaaaaaabaaaaaabaabbaaababbab")
>>> len(a)
68
>>>
At this point I had already tried everything, so I asked the author (again), and he said it is a cipher.

So I put it into the dcode.fr Cipher Identifier and it came back with the flag text (the hex digits a and b, taken in groups of five, are a Baconian cipher; in the 24-letter variant, where I/J and U/V share a code, the 135 a/b nibbles decode to ASTANDFORAYAMBSTANDFORBAKSO). We just need to wrap it in the flag format now.
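As an added example (not the author's solve path), the same result without dcode.fr: extraneous_before_sos() walks the JPEG marker segments and returns the bytes libjpeg complains about, and bacon_decode() reads the a/b nibbles of their hex as the 24-letter Baconian cipher (I/J and U/V share a code), which is the cipher the identifier matched. The JPEG is constructed around the 68-byte hex string from the writeup; the one 0 nibble in that string is skipped, as is anything else that is not a or b. Assumed: the nibble stream, read in groups of five, is the ciphertext.

```python
# Added example, not code from the writeup. PAGE_HEX is the 68-byte pattern as
# printed in the writeup; the JPEG wrapped around it is constructed.

PAGE_HEX = (
    "aaaaabaaabbaabaaaaaaabbaaaaabbaababa0bbabbaaaaaaaaababbaaaaaaababbaaaabb"
    "aaabbaabaaaaaaabbaaaaabbaabababbabbaaaaaaaabaaaaaabaabbaaababbab"
)

# 24-letter Baconian alphabet: index 0 = aaaaa ... index 23 = babbb (J and V are absent).
BACON24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"


def bacon_decode(symbols, alphabet=BACON24):
    """Decode groups of five a/b symbols (a=0, b=1) into letters of the alphabet.

    Every character that is not a or b is dropped first, so hex nibbles such as
    the stray 0 in the writeup's string, spaces, or other hex digits are ignored.
    A trailing incomplete group is discarded.
    """
    ab = "".join(ch for ch in symbols.lower() if ch in "ab")
    letters = []
    for i in range(0, len(ab) - len(ab) % 5, 5):
        idx = int(ab[i:i + 5].translate(str.maketrans("ab", "01")), 2)
        letters.append(alphabet[idx] if idx < len(alphabet) else "?")
    return "".join(letters)


def extraneous_before_sos(jpeg):
    """Return any non-segment bytes sitting between the header segments and SOS (FF DA).

    Assumes the header holds only length-prefixed segments (APPn, DQT, SOF, DHT,
    COM), which is what a baseline JPEG has before its scan data; this is the
    data libjpeg reports as "extraneous bytes before marker 0xda".
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:  # data where a marker should be: the extraneous run
            end = jpeg.find(b"\xff\xda", pos)
            return jpeg[pos:end] if end != -1 else jpeg[pos:]
        if jpeg[pos + 1] == 0xDA:
            return b""
        pos += 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
    return b""


def build_sample_jpeg(payload):
    """Constructed JPEG header: SOI, a JFIF APP0 segment, the payload, then an SOS marker."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
            + payload + b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00")


def solve(jpeg):
    """Extract the injected bytes and decode their a/b nibbles."""
    return bacon_decode(extraneous_before_sos(jpeg).hex())


if __name__ == "__main__":
    sample = build_sample_jpeg(bytes.fromhex(PAGE_HEX))
    print(len(extraneous_before_sos(sample)), "extraneous bytes")
    print(solve(sample))  # ASTANDFORAYAMBSTANDFORBAKSO
```

The 26-letter variant (a distinct code for every letter) would mis-read this string, so when an identifier reports Bacon it is worth trying both alphabets before deciding the text is garbage.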

Flag: RAMADAN{ASTANDFORAYAMBSTANDFORBAKSO}