TCP1P CTF Special Ramadan 2025

Forensics

Last updated 2 months ago

Name              Solves
tukang-ketik      46
takjil-atin       23
sawt safiri       15
Mr Black          14
Baby Foren        7
mie AYAM BAKSO    6

tukang-ketik

Description

Author: k.eii

Typing while sipping sweet iced tea, passing the time before breaking the fast.

Initial Analysis

We are given a packet.pcapng file. Open it with Wireshark:

This looks like captured USB traffic, but there is no obvious sign of whether the device is a keyboard or a mouse.

Exfiltration

I just guessed that it is a keyboard based on the title of the challenge, and I used a keyboard parser from here: GitHub - 5h4rrk/CTF-Usb_Keyboard_Parser (USB Keyboard Parser Tool is an automated script that can extract HID data from .pcap or .pcapng files).

I am not really an expert at this so I just used the script LOL. I ran the script and got the flag.

Flag: RAMADAN{easy_K3yb0ard_HID_us4Ge}
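What such a keyboard parser actually does with the captured data, as an added example of mine (not the author's script and not the 5h4rrk tool): each USB boot-protocol keyboard report is 8 bytes (modifier, reserved, up to six keycodes), and typed text is recovered by mapping newly pressed usage IDs through the HID table. The capdata lines below are constructed for this example, not taken from the challenge pcap.

```python
# Added example (mine, not the author's script or the 5h4rrk parser): decode USB HID
# boot-protocol keyboard reports into typed text, the same job a keyboard parser does
# over each packet's capdata. SAMPLE_CAPDATA is constructed, not from the challenge.
HID_KEYS = {  # HID usage ID -> (unshifted, shifted); boot-protocol subset
    **{0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)},
    0x1E: ("1", "!"), 0x1F: ("2", "@"), 0x20: ("3", "#"), 0x21: ("4", "$"),
    0x22: ("5", "%"), 0x23: ("6", "^"), 0x24: ("7", "&"), 0x25: ("8", "*"),
    0x26: ("9", "("), 0x27: ("0", ")"), 0x28: ("\n", "\n"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
}
BACKSPACE, SHIFT_MASK = 0x2A, 0x22  # Backspace usage; modifier bits 1 and 5 = left/right shift

def parse_capdata(lines):
    """Parse tshark-style usb.capdata lines ('02:00:15:00:00:00:00:00') into bytes."""
    return [bytes.fromhex(l.strip().replace(":", "")) for l in lines if l.strip()]

def decode_reports(reports):
    """Turn a sequence of 8-byte keyboard reports into the text that was typed."""
    text, prev = [], set()
    for rep in reports:
        if len(rep) != 8:
            continue                                  # not a boot-protocol keyboard report
        shifted = bool(rep[0] & SHIFT_MASK)
        keys = {k for k in rep[2:8] if k}             # keycodes currently held (0 = none)
        for k in sorted(keys - prev):                 # only newly pressed keys produce input
            if k == BACKSPACE:
                if text:
                    text.pop()
            elif k in HID_KEYS:
                text.append(HID_KEYS[k][1 if shifted else 0])
        prev = keys                                   # a release report resets the held set
    return "".join(text)

# Constructed reports: "ctf", Shift+'-' for '_', "20", a typo 'x' undone by Backspace, "25", Enter.
SAMPLE_CAPDATA = [
    "00:00:06:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # c, release
    "00:00:17:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # t
    "00:00:09:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # f
    "02:00:2d:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # left shift + '-' -> '_'
    "00:00:1f:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # 2
    "00:00:27:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # 0
    "00:00:1b:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # x (typo)
    "00:00:2a:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # Backspace
    "00:00:1f:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # 2
    "00:00:22:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # 5
    "00:00:28:00:00:00:00:00",                              # Enter
]

def recover_sample():
    return decode_reports(parse_capdata(SAMPLE_CAPDATA))
```

On a real capture the capdata lines come from something like `tshark -r packet.pcapng -T fields -e usb.capdata`, filtered to the keyboard's interrupt-in endpoint.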

takjil-atin

Description

Author: b4r

I have a friend who is great at CTF, especially forensics. Maybe because he is so good, he has a strange nickname in his CTF community: "mata diam" (silent eye), because he quietly solves every chall! 🥶🥶

Initial Analysis

We are given a file called chall.zip. When we try to extract it, we are prompted to input a password:

Exfiltration

First we need to crack the zip password. I used john here with the wordlist rockyou.txt; the hash has to be extracted with zip2john first.

We found that the password is ramadankareem. We then extract the archive and find a file called scouttie.wav.

When I googled scouttie.wav, I found a writeup (CTFs/2019_picoCTF/m00nwalk.md at master · Dvd848/CTFs on GitHub) mentioning hiding a picture within an audio file using the SSTV (slow-scan television) protocol.

I then followed the steps in the writeup and recovered an image:

If we scan the QR code, we are given a link (https://mega.nz/file/OzBxVBJQ#jviDcis3ri782etRv5wJt8PX8yKQ55B9zLssPzRge8E). We access it and are given yet another picture:

At this point I am clueless, so I tried talking to the author of the challenge. He said it is a steganography tool, and there is a suspicious "mata diam" (silent eye) in the description. Apparently the tool was SilentEye (SilentEye - Steganography is yours).

By using this tool on the mamahakutakut.jpg picture, we get the flag!

Flag: RAMADAN{_m4grh1b_=_l4m4_}

sawt safiri

Description

Author: amek

My friend texted me earlier; he said he has been scrolling TikTok way too much lately. Then, out of nowhere, he sent me a song that he said keeps showing up there. I don't know why, but it feels like he wants to tell me something, just not directly.

Besides that, he also sent me a photo of a cat.. the cat is really cute, but I feel like something is off. As if something was slipped into a spot that isn't very noticeable. I tried poking around, in case there is something small that is actually important. After all, sometimes things that look ordinary are exactly the ones hiding something inside.

Maybe I need to look more closely to find what he is hiding. Help me figure it out, will you?

Initial Analysis

We are given two files:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/sawt safiri]
└──╼ $tree .
.
├── sawt safiri.mp3
└── tolong gw.docx

1 directory, 2 files

If we try to open tolong gw.docx, we only get a picture of the tobtobitob cat.

Because sawt safiri.mp3 serves no purpose on the way to the flag, I will ignore it completely.

Exfiltration

I ran binwalk on tolong gw.docx to extract the files embedded within the document.

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/sawt safiri/_tolong gw.docx.extracted]
└──╼ $tree -a .
.
├── 0.zip
├── [Content_Types].xml
├── docProps
│   ├── app.xml
│   └── core.xml
├── _relsd
│   └── .rels
└── word
    ├── document.xml
    ├── fontTable.xml
    ├── media
    │   ├── image1.png
    │   └── .kucinggpuasa.jpg
    ├── _rels
    │   └── document.xml.rels
    ├── settings.xml
    ├── styles.xml
    ├── theme
    │   └── theme1.xml
    └── webSettings.xml

7 directories, 14 files

There's an interesting file called .kucinggpuasa.jpg. We can extract it, and there is a flag in the picture.

But when I tried to submit it, the flag was wrong. So I tried to run stegseek --seed .kucinggpuasa.jpg to check whether the picture has a hidden file or flag. This was a trick told by my mentor (sasuga mentorzzz).

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/sawt safiri/_tolong gw.docx.extracted/word/media]
└──╼ $stegseek --seed .kucinggpuasa.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found (possible) seed: "40a6537c"
        Plain size: 85.0 Byte(s) (compressed)
        Encryption Algorithm: rijndael-128
        Encryption Mode:      cbc

It does return a seed. At this point I am exhausted, so I asked the author of the challenge:

So I ran steghide to extract the flag using this password:

RAMADAN{tobtobitobtobali}

And we get the flag.

Flag: RAMADAN{t0b_t0b1_t0b_t0b4l1}

Mr Black

Description

Author: unknown

Hey, look, I got a request for help from Mr Black. He is my father's friend. He asked me to fix his photo, which got damaged. The photo suddenly changed size (the original size was 1000x614) and can no longer be opened. For some reason he sent a zip file with layered security. Mr Black said the security passwords are also hidden in that zip file.

Initial Analysis

We are given a file called dist.zip. But when I tried to extract it, I am prompted to input a password:

There's an interesting hash in the comment, so I tried passing it to CrackStation, and it turns out to be an already-cracked hash.

We successfully extract the zip with the recovered password, but there is still another zip file:

When we try to extract it, it is again password-protected; this time the archive comment hints at the wordlist rockyou.txt:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
└──╼ $7z e wall2.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 446000 bytes (436 KiB)

Extracting archive: wall2.zip
--
Path = wall2.zip
Type = zip
Physical Size = 446000
Comment = rockyou.txt


Enter password (will not be echoed):

This time I used fcrackzip to crack the password of wall2.zip. I found the password was greenday (just trust me on this one, my VM can't handle another cracking session).

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black]
└──╼ $7z e wall2.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 446000 bytes (436 KiB)

Extracting archive: wall2.zip
--
Path = wall2.zip
Type = zip
Physical Size = 446000
Comment = rockyou.txt


Enter password (will not be echoed):
Everything is Ok

Folders: 1
Files: 1
Size:       445635
Compressed: 446000

When we try to extract wall3.zip, we are again prompted for a password:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
└──╼ $7z e wall3.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 445635 bytes (436 KiB)

Extracting archive: wall3.zip
--
Path = wall3.zip
Type = zip
Physical Size = 445635
Comment = cGFzc3dvcmQ= : mengcetef


Enter password (will not be echoed):

There's a Base64-encoded string; when we pass it to CyberChef, it decodes to password:

So I just assumed that the password to the zip file is the string mengcetef encoded in Base64: bWVuZ2NldGVm.

And when I tried extracting with that password, it succeeded.

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
└──╼ $7z e wall3.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 445635 bytes (436 KiB)

Extracting archive: wall3.zip
--
Path = wall3.zip
Type = zip
Physical Size = 445635
Comment = cGFzc3dvcmQ= : mengcetef


Enter password (will not be echoed):
Everything is Ok

Size:       447736
Compressed: 445635

Now we are given a file called dist.png, but we cannot open it just yet. When we examine the header of the file:

It is intentionally broken, so I asked ChatGPT how to fix the header with the size 1000 x 614.

And I did just that, and it came back with this:

We then transcribe the string shown in the picture, put it into CyberChef and let it cook:

We fix the flag a little and we get the real flag!

Flag: flag{mr_bl4ck_y0ur_1m4g3_h@5_b33n_r3c0v3r3d}

Baby Foren

Description

Author: Karev

My student submitted his homework but I can't open it? Can you help me?

Initial Analysis

We are given a file called homework.txt.

I suspected that this file is a PNG file, because bytes 17 to 32 look extremely similar to those of an ordinary PNG file.

Exfiltration

I am a little clueless here, so I asked the author what I should do; the author gave a hint like this:

Here I deduced that not only the first 8-byte header was corrupted but also the chunk identifier / chunk type (red square), so I tried to recover the chunk type using hexed.it:

And surprisingly, I got the flag!

Flag: RAMADAN{h3y_y0u_fix3d_th3_h3ad3r2!c0ngrats}
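The header repair done by hand in Mr Black (signature plus IHDR width/height of 1000x614) and in Baby Foren (signature plus IHDR chunk type) is the same operation, so here is one added example of mine covering both; it is not the author's fix nor ChatGPT's. It rebuilds the 8-byte signature, the IHDR length and type, the dimensions and the chunk CRC, and checks the result. The corrupted input is constructed in the block, not the challenge file.

```python
# Added example (mine, not the author's fix): repair a PNG whose 8-byte signature,
# IHDR chunk type and IHDR dimensions were corrupted, as in Mr Black (true size
# 1000x614) and Baby Foren. The corrupted input is constructed, not the challenge file.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def fix_png_header(data, width, height):
    """Return data with a valid signature and a rebuilt IHDR (length, type, size, CRC)."""
    if len(data) < 33:
        raise ValueError("too short to hold a PNG signature plus IHDR chunk")
    body = bytearray(data[16:29])                        # 13-byte IHDR payload
    struct.pack_into(">II", body, 0, width, height)      # big-endian width, height
    chunk = b"IHDR" + bytes(body)
    crc = struct.pack(">I", zlib.crc32(chunk))           # CRC covers type + data, not length
    return PNG_SIG + struct.pack(">I", 13) + chunk + crc + data[33:]

def parse_ihdr(data):
    """Check signature and IHDR CRC; return (width, height, bit_depth, colour_type)."""
    if data[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        raise ValueError("first chunk is not a 13-byte IHDR")
    if struct.unpack(">I", data[29:33])[0] != zlib.crc32(data[12:29]):
        raise ValueError("IHDR CRC mismatch")
    return struct.unpack(">IIBB", data[16:26])

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_corrupted_sample():
    """Build a tiny valid 1x1 RGB PNG, then wreck its signature, IHDR type and dimensions."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    good = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    bad = bytearray(good)
    bad[:8] = b"\x00" * 8                                  # signature zeroed
    bad[12:16] = b"XXXX"                                   # chunk type overwritten
    bad[16:24] = b"\xff" * 8                               # bogus width and height
    return bytes(bad)
```

If only the dimensions were wrong, a viewer usually complains about the IHDR CRC first, so recompute it whenever any of the 17 bytes after the length field change.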

mie AYAM BAKSO

Description

Author: b4r

1 portion of mie ayam bakso at iftar

Initial Analysis

We are given a file called mieAYAMBAKSO.jpg. We first try to open it:

Next I run exiftool and find something interesting:

Exfiltration

First I ran stegseek and found a fake flag, but also another piece of information:

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/mie AYAM BAKSO]
└──╼ $stegseek mieAYAMBAKSO.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

Corrupt JPEG data: 68 extraneous bytes before marker 0xda
[i] Found passphrase: "mieayamsayasuka"   
[i] Original filename: "mieayamenak.txt".
[i] Extracting to "mieAYAMBAKSO.jpg.out".

┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/mie AYAM BAKSO]
└──╼ $cat mieAYAMBAKSO.jpg.out 
RAMADAN{4ku_5uk4_m13_4yam_t4p1_s4y4n9ny4_1ni_f4k3_fl4g_xixixixixixixi}

The same 68-byte warning. I then hexdumped the file and found an aaab pattern in the picture that coincidentally has a length of 68 bytes:

Python 3.11.2 (main, Nov 30 2024, 21:22:50) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> a = bytes.fromhex("aaaaabaaabbaabaaaaaaabbaaaaabbaababa0bbabbaaaaaaaaababbaaaaaaababbaaaabbaaabbaabaaaaaaabbaaaaabbaabababbabbaaaaaaaabaaaaaabaabbaaababbab")
>>> len(a)
68
>>>

At this point I had already tried everything, so I asked the author (again) and he said that it is a cipher. So I put it into dcode.fr Cipher Identifier, and it came back with a flag (Bacon cipher). We just need to wrap it with the flag format now.

Flag: RAMADAN{ASTANDFORAYAMBSTANDFORBAKSO}
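The decoding step the cipher identifier performed, as an added example of mine (not the author's solve): the a/b letters are the hex nibbles of those 68 bytes, the single 0 nibble is skipped, and the remaining 135 symbols form 27 five-symbol Baconian groups. The 68-byte string is the one from the hexdump above; the classical 24-letter alphabet (I/J and U/V merged) is the one that yields the flag.

```python
# Added example (mine, not the author's solve): recover the Bacon-cipher letters hidden
# in the hex nibbles of the 68 extraneous bytes. The byte string is the one from the
# hexdump above; the decoding steps are my reconstruction of what the identifier did.
EXTRANEOUS_HEX = ("aaaaabaaabbaabaaaaaaabbaaaaabbaababa0bbabbaaaaaaaaababbaaaaaaababbaaaa"
                  "bbaaabbaabaaaaaaabbaaaaabbaabababbabbaaaaaaaabaaaaaabaabbaaababbab")

BACON_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"   # classical alphabet: I/J and U/V share codes
BACON_26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # modern variant; gives a different decode here

def nibble_stream(data):
    """Hex-encode the bytes and keep only the 'a'/'b' nibbles (the lone 0 nibble is skipped)."""
    return "".join(ch for ch in data.hex() if ch in "ab")

def bacon_decode(symbols, alphabet=BACON_24):
    """Decode 5-symbol Baconian groups ('a' = 0, 'b' = 1); a trailing partial group is dropped."""
    out = []
    for i in range(0, len(symbols) - len(symbols) % 5, 5):
        group = symbols[i:i + 5]
        idx = int(group.replace("a", "0").replace("b", "1"), 2)
        if idx >= len(alphabet):
            raise ValueError(f"group {group!r} has no letter in a {len(alphabet)}-letter alphabet")
        out.append(alphabet[idx])
    return "".join(out)

def solve(hex_string=EXTRANEOUS_HEX, alphabet=BACON_24):
    data = bytes.fromhex(hex_string)
    if len(data) != 68:                          # should match the libjpeg warning above
        raise ValueError(f"expected 68 bytes, got {len(data)}")
    return bacon_decode(nibble_stream(data), alphabet)
```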
