Hello 4n6 Geeks, This is Ahmed (OxAlpha), and here’s a write-up about some forensics challenges I’ve solved. Hope you find it useful!
Challenge 1 : Phantom Connection
- After extracting the ZIP file, I found a Cache0000.bin file, which is an RDP cache file. So, I used bmc-tools to parse it.
- Then I checked the extracted images:
The parts of the flag are in the images numbered 271 to 278.
Flag : apoorvctf{CAcH3_Wh4T_YoU_sE3}
Challenge 2 : Samurai’s Code
- After extracting the ZIP file, I found an image named sam.jpg. First, I checked its metadata using exiftool, but I didn’t find anything useful.
- Then I used strings and got some hits:
The code above is an example of a Brainfuck program. Brainfuck is an esoteric programming language known for its minimalism and extreme simplicity. It consists of only eight simple commands and a tape of memory cells.
Here's a brief overview of the Brainfuck commands:
>: Move the data pointer to the right (next memory cell).
<: Move the data pointer to the left (previous memory cell).
+: Increment the byte at the data pointer by 1.
-: Decrement the byte at the data pointer by 1.
.: Output the byte at the data pointer as a character.
,: Input a character and store it in the byte at the data pointer.
[: If the byte at the data pointer is 0, jump forward to the corresponding ].
]: If the byte at the data pointer is not 0, jump back to the corresponding [.
- After decoding it, I got this link:
https://drive.google.com/file/d/1JWqdBJzgQhLUI-xLTwLCWwYi2Ydk4W6-/view?usp=sharing
- Now go to the link and download the file:
- I tried strings, exiftool and foremost but got nothing.
- Then I opened the file in a hex editor:
- Once I saw that, I knew it was a reversed JPEG image.
So I created a Python script to fix the image:
def fix_reversed_image(input_file, output_file):
    with open(input_file, "rb") as f:
        data = f.read()
    # Reverse every two-byte pair in the entire file
    fixed_data = bytearray()
    for i in range(0, len(data), 2):
        fixed_data.extend(data[i:i+2][::-1])
    with open(output_file, "wb") as f:
        f.write(fixed_data)

# Example usage
input_file = "samurai"
output_file = "fixed.jpg"
fix_reversed_image(input_file, output_file)
print("Image has been fixed and saved as", output_file)
Flag : apoorvctf{ByT3s_OUT_OF_ORd3R}
Challenge 3 : Ramen lockdown
- We were provided with an encrypted ZIP file, so I first tried to crack it using John and Fcrackzip, but I couldn’t.
- After some time, I tried using bkcrack, a tool for cracking legacy ZIP encryption using a known-plaintext attack.
To use bkcrack we need 3 things:
- The ZIP file name (recipe.zip)
- The name of the file inside the ZIP (secret_recipe.png)
- At least 12 bytes of known plaintext from the file inside the ZIP
Since you’re cracking a PNG file and only have 9 bytes (8 from the header + 1 check byte), you need at least 3 more bytes of known plaintext.
PNG Structure
89 50 4E 47 0D 0A 1A 0A: PNG signature (8 bytes).
00 00 00 0D: Length of the IHDR chunk (4 bytes, representing 13 in decimal, standard for IHDR).
49 48 44 52: IHDR chunk type in ASCII (4 bytes).
So, there is a 16-byte plaintext:
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
- Now create a text file for the plaintext:
echo -ne '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52' > plain.txt
- Now let’s crack:
>bkcrack.exe -C recipe.zip -c secret_recipe.png -p plain.txt
The key: 7cfefd6a 4aedd214 970c7187
bkcrack.exe -C recipe.zip -c secret_recipe.png -k 7cfefd6a 4aedd214 970c7187 -d output.png
- After opening the output.png file, I got the flag:
Flag : apoorvctf{w0rst_r4m3n_3v3r_ong}
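Whether the PNG header bytes apply as known plaintext depends on how the entry was written: it has to use legacy ZipCrypto rather than AES, and be stored rather than deflated, otherwise the encrypted data is not the file's own bytes. An added example (not from the original write-up) that reads those two facts from a ZIP local file header; the `sample_header` helper and the headers it builds are constructed and are not taken from recipe.zip.

```python
import struct

# ZIP local file header: signature, version, flags, method, time, date,
# crc32, compressed size, uncompressed size, name length, extra length.
LFH = struct.Struct("<IHHHHHIIIHH")

def describe_entry(buf, offset=0):
    """Classify the encryption of the entry whose local header starts at offset."""
    sig, _ver, flags, method, _t, _d, _crc, _cs, _us, nlen, _xlen = \
        LFH.unpack_from(buf, offset)
    if sig != 0x04034B50:
        raise ValueError("no local file header at this offset")
    start = offset + LFH.size
    name = buf[start:start + nlen].decode("cp437")
    if not flags & 0x0001:      # bit 0 clear: entry is not encrypted
        scheme = "none"
    elif method == 99:          # method 99: WinZip AES (AE-1/AE-2)
        scheme = "aes"
    elif flags & 0x0040:        # bit 6: PKWARE strong encryption
        scheme = "strong"
    else:
        scheme = "zipcrypto"    # legacy PKZIP stream cipher
    stored = method == 0        # 0 = stored, 8 = deflate
    return {"name": name, "scheme": scheme, "stored": stored,
            "known_header_usable": scheme == "zipcrypto" and stored}

def sample_header(name, flags, method):
    """Build a constructed local file header (hypothetical values, sizes zeroed)."""
    raw = name.encode("cp437")
    return LFH.pack(0x04034B50, 20, flags, method, 0, 0, 0, 0, 0, len(raw), 0) + raw

if __name__ == "__main__":
    for flags, method in [(0x0001, 0), (0x0001, 8), (0x0001, 99), (0x0000, 0)]:
        print(describe_entry(sample_header("secret_recipe.png", flags, method)))
```

An archive audit can use the same classification to flag entries that still rely on ZipCrypto so they can be re-created with AES.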
Challenge 4 : ArchBTW
After extracting the ZIP file, I found 3 files:
- Once I opened the PCAP and saw the USB protocol, I knew it was about USB HID data, so I used Tshark to extract it :
└─$ tshark -r Capture.pcapng -Y "usbhid.data" -T fields -e usbhid.data > HID.txt
Then I created a Python script to decode HID to ASCII:
import os
import sys

def decode_hid_file(file_path):
    # USB HID usage IDs -> characters with no modifier held
    charmap = {
        '04': 'a', '05': 'b', '06': 'c', '07': 'd', '08': 'e', '09': 'f', '0a': 'g',
        '0b': 'h', '0c': 'i', '0d': 'j', '0e': 'k', '0f': 'l', '10': 'm', '11': 'n',
        '12': 'o', '13': 'p', '14': 'q', '15': 'r', '16': 's', '17': 't', '18': 'u',
        '19': 'v', '1a': 'w', '1b': 'x', '1c': 'y', '1d': 'z', '1e': '1', '1f': '2',
        '20': '3', '21': '4', '22': '5', '23': '6', '24': '7', '25': '8', '26': '9',
        '27': '0', '28': '\n', '2c': ' ', '2d': '-', '2e': '=', '2f': '[', '30': ']',
        '31': '\\', '33': ';', '34': "'", '35': '`', '36': ',', '37': '.', '38': '/'
    }
    # Same usage IDs with Shift held
    shift_charmap = {
        '04': 'A', '05': 'B', '06': 'C', '07': 'D', '08': 'E', '09': 'F', '0a': 'G',
        '0b': 'H', '0c': 'I', '0d': 'J', '0e': 'K', '0f': 'L', '10': 'M', '11': 'N',
        '12': 'O', '13': 'P', '14': 'Q', '15': 'R', '16': 'S', '17': 'T', '18': 'U',
        '19': 'V', '1a': 'W', '1b': 'X', '1c': 'Y', '1d': 'Z', '1e': '!', '1f': '@',
        '20': '#', '21': '$', '22': '%', '23': '^', '24': '&', '25': '*', '26': '(',
        '27': ')', '2d': '_', '2e': '+', '2f': '{', '30': '}', '31': '|',
        '33': ':', '34': '"', '35': '~', '36': '<', '37': '>', '38': '?'
    }
    if not os.path.isfile(file_path):
        print(f"Error: File '{file_path}' not found.")
        sys.exit(1)
    decoded_output = ""
    with open(file_path, 'r') as file:
        for line in file:
            hex_str = line.strip()
            if len(hex_str) < 6:  # need modifier, reserved and first key code bytes
                continue
            modifier = hex_str[:2]    # First byte (any non-zero modifier is treated as Shift)
            key_code = hex_str[4:6]   # Third byte (first key press code)
            active_map = charmap if modifier == '00' else shift_charmap
            # Unmapped codes, including 00 (no key pressed), add nothing
            decoded_output += active_map.get(key_code, '')
    return decoded_output

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 script.py <HID file>")
        sys.exit(1)
    file_path = sys.argv[1]
    decoded_text = decode_hid_file(file_path)
    print("Decoded Text:")
    print(decoded_text)
nvim flag.txt
:%s/0/10101/g
:%s/1/10011/g
:%s/[01]/\=system("awk 'NR % 2 ==".(submatch(0) == "0" ? "0" : "1")."' synoonyms.txt | shuf -n1")/g
Understanding the Encoding Scheme:
Each word in flag.txt corresponds to an entry in synonyms.txt.
If the word appears on an even line in synoonyms.txt, it represents 0.
If the word appears on an odd line in synoonyms.txt, it represents 1.
So I used ChatGPT to create this script:
def restore_binary_replacements(text):
    """Restores encoded binary values back to 0s and 1s."""
    # Undo the vim substitutions in reverse order: the 1 -> 10011 step ran last,
    # so it has to be reverted first.
    return text.replace('10011', '1').replace('10101', '0')

def reverse_awk(words):
    """Converts slang words back to binary (0 or 1) based on a predefined mapping."""
    slang_to_binary_map = {
        "0": [
            "huzz", "skibidi", "goofy", "npc", "cringe", "cheugy", "chad", "slay",
            "bussin", "sus", "flex", "simp", "bozo", "seethe", "lit", "brokie",
            "oop", "delulu", "ongod", "stan", "slaps", "sussy", "grindset", "overthink",
            "bigmood", "drippedout", "highkey", "shook", "moots", "oop", "gaslight",
            "girlboss", "smol", "thicc", "yikes", "lmao", "pov", "doomer", "oomf",
            "sendit", "iykyk", "sussybaka", "clapback", "rizzler", "basedaf", "skrrt",
            "deadass", "shmoney", "feelsbadman", "dank", "touchgrass", "realones", "cracked"
        ],
        "1": [
            "sigma", "bruzz", "rizz", "gyatt", "based", "drip", "mid", "goblinmode",
            "yeet", "vibecheck", "nocap", "ratio", "malding", "cope", "bet", "fr",
            "zesty", "sheesh", "feral", "pookie", "glowup", "dubs", "canceled",
            "vibing", "fax", "goober", "lowkey", "woke", "fyp", "sksksk", "manifest",
            "gatekeep", "gassed", "chonky", "bop", "tfw", "xd", "copium", "coomer",
            "gyattdamn", "sendnudes", "frfr", "weirdchamp", "beef", "midass", "unhinged",
            "straightvibes", "vibenomics", "hitsdifferent", "glowdown", "bruhmoment",
            "outofpocket", "bigbrain", "nobitches"
        ]
    }
    binary_sequence = ""
    unknown_words = []  # Track unknown words
    for word in words:
        word = word.strip()
        if not word:
            continue
        if word in slang_to_binary_map["0"]:
            binary_sequence += "0"
        elif word in slang_to_binary_map["1"]:
            binary_sequence += "1"
        else:
            unknown_words.append(word)  # Collect unknown words
    if unknown_words:
        print(f"[Warning] {len(unknown_words)} unknown words found!")
        for w in unknown_words[:5]:  # Show only first 5 to avoid spamming
            print(f" - {w}")
        print("Skipping unknown words...")
    return binary_sequence

# Load flag file
flag_file = "flag.txt"
try:
    with open(flag_file, "r") as f:
        flag_text = f.read().splitlines()
except FileNotFoundError:
    print(f"[Error] '{flag_file}' not found! Make sure it's in the same directory.")
    raise SystemExit(1)

# Convert words to binary
binary_sequence = reverse_awk(flag_text)
if binary_sequence:
    print(f"\n[+] Recovered Binary:\n{binary_sequence}\n")
This script is designed to decode a text file (flag.txt) containing slang words by converting them into a binary sequence (0s and 1s). Here's a breakdown of its functionality:
Restore Encoded Binary (restore_binary_replacements)
- Replaces encoded binary representations: 10101 → 0 and 10011 → 1
Convert Slang to binary (reverse_awk)
- Uses a predefined dictionary mapping slang words to binary values:
- Words like "goofy", "npc", "sus" are mapped to "0"
- Words like "sigma", "rizz", "yeet" are mapped to "1"
- Reads words from the input, converts them to binary, and warns if any unknown words are found.
Process flag.txt
- Reads the file line by line.
- Converts slang words to binary using reverse_awk().
- Displays the recovered binary sequence
Error Handling
- If flag.txt is missing, it prints an error and exits.
- If unknown words appear, it prints a warning but continues processing
Then replace 10011 -> 1
Then replace 10101 -> 0
Output :
011000010111000001101111011011110111001001110110011000110111010001100110011110110110111001100101001100000111011000110001011011010101111100110001011100110101111101100010001100110111010001110100001100110111001001111101
Flag : apoorvctf{ne0v1m_1s_b3tt3r}
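The whole decoding chain for this challenge in one script, as an added example that is not part of the original write-up: it derives the word-to-bit mapping from line parity instead of a hardcoded list, undoes the two numeric substitutions last-applied-first, and converts the bits to ASCII. The six-word `SYNONYMS` list and the test string are constructed, and `encode` exists only to build input for `decode`.

```python
import random

# Constructed stand-in for the synonyms file: odd lines mean 1, even lines mean 0.
SYNONYMS = ["sigma", "huzz", "rizz", "goofy", "yeet", "npc"]

def parity_map(lines):
    """Word -> bit. awk's NR is 1-based: NR % 2 == 0 feeds '0', NR % 2 == 1 feeds '1'."""
    mapping = {}
    for nr, word in enumerate(lines, start=1):
        word = word.strip()
        if not word:
            continue
        bit = "0" if nr % 2 == 0 else "1"
        if mapping.setdefault(word, bit) != bit:
            raise ValueError(f"{word!r} is on both odd and even lines")
    return mapping

def encode(text, lines, rng):
    """Replay the three :%s commands; used here only to build test input."""
    bits = "".join(f"{byte:08b}" for byte in text.encode("ascii"))
    bits = bits.replace("0", "10101")  # :%s/0/10101/g
    bits = bits.replace("1", "10011")  # :%s/1/10011/g (also hits the 1s just inserted)
    odd, even = lines[0::2], lines[1::2]
    return [rng.choice(even if b == "0" else odd) for b in bits]

def decode(words, lines):
    """Words -> bits -> undo the substitutions in reverse order -> ASCII."""
    mapping = parity_map(lines)
    bits = []
    for word in (w.strip() for w in words):
        if not word:
            continue
        if word not in mapping:
            raise ValueError(f"unknown word {word!r}")
        bits.append(mapping[word])
    # 10011 -> 1 first (it was applied last), then 10101 -> 0.
    stream = "".join(bits).replace("10011", "1").replace("10101", "0")
    if len(stream) % 8:
        raise ValueError(f"{len(stream)} bits is not a whole number of bytes")
    return bytes(int(stream[i:i + 8], 2) for i in range(0, len(stream), 8)).decode("ascii")

if __name__ == "__main__":
    words = encode("ctf{ok}", SYNONYMS, random.Random(0))
    print(len(words), "words ->", decode(words, SYNONYMS))
```

Each original 0 expands to 17 words and each original 1 to 5, so the letter `a` (01100001) alone becomes 100 words.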
The End