Forensics

Name
Solves

tukang-ketik ๐Ÿฅ‡

46

takjil-atin ๐Ÿฅ‰

23

sawt safiri ๐Ÿฅˆ

15

Mr Black

14

Baby Foren

7

mie AYAM BAKSO

6

tukang-ketik

Description

Author: k.eii

ngetik sambil minum es teh manis selagi ngabuburit

Initial Analysis

We are given a packet.pcapng file open it with Wireshark:

This looks like a captured USB traffic. But there are no signs of either of it is a keyboard or a mouse.

Exfiltration

I just guessed that it is a keyboard based on the title of the challenge, and i used a keyboard parser from here:

LogoGitHub - 5h4rrk/CTF-Usb_Keyboard_Parser: USB Keyboard Parser Tool is an automated script that can extract HID data from.pcap or.pcapng files.GitHub
I am not really an expert at this so i just used the script LOL

I used the script and got the flag.

Flag: RAMADAN{easy_K3yb0ard_HID_us4Ge}

takjil-atin

Description

Author: b4r

aku punya teman, dia jago ctf, terutama forensic, mungkin karna jago, dia memiliki nama panggilan yang aneh di komunitas ctf nya, panggilan nya yaitu "mata diam", karna dia diam diam bisa solve semua chall! ๐Ÿฅถ๐Ÿฅถ

Initial Analysis

We are given a file called chall.zip, when we try to extract it, we prompted to input a password:

Exfiltration

First we need to crack the zip password, i used john here with the wordlist rockyou.txt . We need to extract the hash using zip2john first.

We found that the password is: ramadankareem We then try to extract it and found a file called scouttie.wav.

When i googled scouttie.wav . I found that there is a writeup mentioning hiding a picture within an audio file using SSTV protocol.

LogoSlow-scan televisionWikipedia
LogoCTFs/2019_picoCTF/m00nwalk.md at master ยท Dvd848/CTFsGitHub

I then followed the steps on the writeup, and recovered an image:

Recovered image

If we scan the QR Code, we will be given a link https://mega.nz/file/OzBxVBJQ#jviDcis3ri782etRv5wJt8PX8yKQ55B9zLssPzRge8E. We access it and we are given yet another picture:

At this point, i am clueless and tried talking to the author of the challenge. He said it is a steganography tools. And there's a suspicious mata diam in the description. Apparently the tool was SilentEye

LogoSilentEye - Steganography is yours

And by using this tool on the mamahakutakut.jpg picture, we can get the flag!

Flag: RAMADAN{_m4grh1b_=_l4m4_}

sawt safiri

Description

Author: amek

Temenku tadi ngechat, katanya akhir-akhir ini dia kebanyakan scroll TikTok. Terus, tiba-tiba dia ngirimin aku lagu yang katanya lagi sering muncul di sana. Nggak tau kenapa, tapi rasanya kayak dia mau nyampein sesuatu, cuma nggak secara langsung.

Selain itu, dia juga ngirimin foto kucing.. kucingnya sih lucu banget, tapi aku ngerasa ada yang aneh. Kayak ada sesuatu yang diselipin di tempat yang nggak terlalu mencolok. Aku coba otak-atik, siapa tau ada sesuatu yang kecil tapi sebenarnya penting. Soalnya, kadang hal-hal yang kelihatan biasa aja justru nyimpan sesuatu di dalamnya.

Mungkin perlu lebih jeli buat nemuin apa yang dia sembunyikan. Bantuin gue cari tahu, yuk?"

Initial Analysis

We are given two files:

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/sawt safiri]
โ””โ”€โ”€โ•ผ $tree .
.
โ”œโ”€โ”€ sawt safiri.mp3
โ””โ”€โ”€ tolong gw.docx

1 directory, 2 files

If we try to open the tolong gw.docx . We only get a picture of tobtobitob cat.

Because sawt safiri.mp3 serves no purpose on the way to get the flag. I will ignore it completely.

Exfiltration

I runned binwalk on the tolong gw.docx to extract embedded files within the document.

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/sawt safiri/_tolong gw.docx.extracted]
โ””โ”€โ”€โ•ผ $tree -a .
.
โ”œโ”€โ”€ 0.zip
โ”œโ”€โ”€ [Content_Types].xml
โ”œโ”€โ”€ docProps
โ”‚ย ย  โ”œโ”€โ”€ app.xml
โ”‚ย ย  โ””โ”€โ”€ core.xml
โ”œโ”€โ”€ _relsd
โ”‚ย ย  โ””โ”€โ”€ .rels
โ””โ”€โ”€ word
    โ”œโ”€โ”€ document.xml
    โ”œโ”€โ”€ fontTable.xml
    โ”œโ”€โ”€ media
    โ”‚ย ย  โ”œโ”€โ”€ image1.png
    โ”‚ย ย  โ””โ”€โ”€ .kucinggpuasa.jpg
    โ”œโ”€โ”€ _rels
    โ”‚ย ย  โ””โ”€โ”€ document.xml.rels
    โ”œโ”€โ”€ settings.xml
    โ”œโ”€โ”€ styles.xml
    โ”œโ”€โ”€ theme
    โ”‚ย ย  โ””โ”€โ”€ theme1.xml
    โ””โ”€โ”€ webSettings.xml

7 directories, 14 files

There's an interesting file called .kucingpuasa.jpg. We can extract it. And there is a flag in the picture.

But when i tried to submit it, the flag was wrong. So i tried to run stegseek --seed .kucinggpuasa.jpg to know if the picture may have a hidden file or flag. This was a trick told by my mentor daffainfo (sasuga mentorzzz)

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/sawt safiri/_tolong gw.docx.extracted/word/media]
โ””โ”€โ”€โ•ผ $stegseek --seed .kucinggpuasa.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found (possible) seed: "40a6537c"
        Plain size: 85.0 Byte(s) (compressed)
        Encryption Algorithm: rijndael-128
        Encryption Mode:      cbc

It does returns a seed, at this point, i am exhausted so i tried to asked the author of the challenge:

bruh

So i runned steghide to extract the flag using this password:

RAMADAN{tobtobitobtobali}

And we get the flag.

Flag: RAMADAN{t0b_t0b1_t0b_t0b4l1}

Mr Black

Description

Author: unknown

Hei lihat saya mendapat permintaan tolong dari Mr Black. Dia adalah teman ayahku. Ia memintaku untuk memperbaiki fotonya yang telah rusak. Fotonya tiba-tiba berubah ukuran(ukuran awal 1000x614) dan jadi tidak dapat dibuka. Entah kenapa ia mengirimkan file zip dengan keamanan berlapis. Kata Mr Black password keamanannya juga tersembunyi pada file zip tersebut.

Initial Analysis

We are given a file called dist.zip . But when i tried to extract it, i am prompted to input a password:

There's an interesting hash at the comment, so i tried to pass it to CrackStation and it actually a cracked hash.

We successfully extracts the zip with the given password, but there is still another zip file:

When we try to extract it, it is yet encrypted with password, this time it hints to wordlist rockyou.txt

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
โ””โ”€โ”€โ•ผ $7z e wall2.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 446000 bytes (436 KiB)

Extracting archive: wall2.zip
--
Path = wall2.zip
Type = zip
Physical Size = 446000
Comment = rockyou.txt


Enter password (will not be echoed):

This time i used fcrackzip to crack the password of wall2.zip . I found the password was greenday (Just trust me on this one, my VM can't handle another cracking session ๐Ÿ˜ญ)

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/Mr Black]
โ””โ”€โ”€โ•ผ $7z e wall2.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 446000 bytes (436 KiB)

Extracting archive: wall2.zip
--
Path = wall2.zip
Type = zip
Physical Size = 446000
Comment = rockyou.txt


Enter password (will not be echoed):
Everything is Ok

Folders: 1
Files: 1
Size:       445635
Compressed: 446000

When we tried to extract wall3.zip we are yet prompted to input a password:

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
โ””โ”€โ”€โ•ผ $7z e wall3.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 445635 bytes (436 KiB)

Extracting archive: wall3.zip
--
Path = wall3.zip
Type = zip
Physical Size = 445635
Comment = cGFzc3dvcmQ= : mengcetef


Enter password (will not be echoed):

There's a base64 encoded string, when we pass this to CyberChef:

So i just assumed that the password to the zip file is the string mengcetef encoded to Base64.

bWVuZ2NldGVm

And when i tried to extract the flag using that password it successfully extracted.

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/Mr Black/wu]
โ””โ”€โ”€โ•ผ $7z e wall3.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,128 CPUs 12th Gen Intel(R) Core(TM) i5-12500H (906A3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 445635 bytes (436 KiB)

Extracting archive: wall3.zip
--
Path = wall3.zip
Type = zip
Physical Size = 445635
Comment = cGFzc3dvcmQ= : mengcetef


Enter password (will not be echoed):
Everything is Ok

Size:       447736
Compressed: 445635

Now we are given a file called dist.png . But we cannot open it just yet. When we examine the header of the file:

It is intentionally broken. So i asked ChatGPT how to fix the header with the size 1000 * 614.

And i did just that, and it came back with this:

We then dump the string on the picture. Put it into CyberChef and let it cook:

We fix the flag a little and we get the real flag!

Flag: flag{mr_bl4ck_y0ur_1m4g3_h@5_b33n_r3c0v3r3d}

Baby Foren

Description

Author: Karev

My student submitted his homework but I can't open it? Can you help me?

Initial Analysis

We are given a file called homework.txt .

I suspected that this file is a PNG file. Because the 17 - 32 bytes is looks extremely similar to an ordinary PNG file.

Ordinary PNG file header

Exfiltration

I am a little clueless here, so i asked the author. What should i do, the author gave a hint like this:

Here i deduced not only the first 8 byte header got corrupted but also the Chunk Identifier / Chunk Type (red square) got corrupted as well, so i tried to recover the Chunk Type using hexed.it:

Bytes that i fixed

And surprisingly, i got the flag!

homework.png

Flag: RAMADAN{h3y_y0u_fix3d_th3_h3ad3r2!c0ngrats}

mie AYAM BAKSO

Description

Author: b4r

1 porsi mie ayam bakso saat buka puasa

Initial Analysis

We are given a file called mieAYAMBAKSO.jpg . We first try to open it:

Next i run exiftool and i found something interesting:

Exfiltration

First i runned stegseek, and found a fake flag, but also another information:

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/mie AYAM BAKSO]
โ””โ”€โ”€โ•ผ $stegseek mieAYAMBAKSO.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

Corrupt JPEG data: 68 extraneous bytes before marker 0xda
[i] Found passphrase: "mieayamsayasuka"   
[i] Original filename: "mieayamenak.txt".
[i] Extracting to "mieAYAMBAKSO.jpg.out".

โ”Œโ”€[mirai@parrot]โ”€[~/ctf/TCP1P Ramadhan 2025/mie AYAM BAKSO]
โ””โ”€โ”€โ•ผ $cat mieAYAMBAKSO.jpg.out 
RAMADAN{4ku_5uk4_m13_4yam_t4p1_s4y4n9ny4_1ni_f4k3_fl4g_xixixixixixixi}

The same 68 bytes warning. Then i tried to hexdump the file, and found some aaab pattern on the picture that is coincidentally have a length of 68 bytes:

Python 3.11.2 (main, Nov 30 2024, 21:22:50) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> a = bytes.fromhex("aaaaabaaabbaabaaaaaaabbaaaaabbaababa0bbabbaaaaaaaaababbaaaaaaababbaaaabbaaabbaabaaaaaaabbaaaaabbaabababbabbaaaaaaaabaaaaaabaabbaaababbab")
>>> len(a)
68
>>>

At this point i already tried everything, so i asked the author (again) and he said that it is a cipher.

So i put it into dcode.fr Cipher Identifier. And it came back with a flag. We just need to wrap it with the flag format now.

Bacon Cipher

Flag: RAMADAN{ASTANDFORAYAMBSTANDFORBAKSO}

PreviousWeb ExploitationNextCryptography

Last updated