search

Forensics Challenges

hashtag
If You Don't, Remember Me

hashtag
Description

Here is a PDF file that seems to have some problems. I'm not sure what it used to be, but that's not important. I know it contains the flag, but I'm sure you can find it and drag it out of the file somehow. This is a two-step flag as you will find it partially encoded.

Download DF1.pdfarrow-up-right

hashtag
Solution

The downloaded pdf can't be viewed, the second thing I tried is running stringsarrow-up-right

└─$ strings -d -n 10 DF1.pdf 
9"h(@J#>\u
`h0Nf<kI*N
uB*Mm!qo~S
poctf(uwsp_77333163306D335F37305F3768335F39346D33}
circle-check

Flag: poctf(uwsp_77333163306D335F37305F3768335F39346D33}

hashtag
A Petty Wage in Regret

hashtag
Description

Here is a very interesting image. The flag has been broken up into several parts and embedded within it, so it will take a variety of skills to assemble it.

Download DF2.jpgarrow-up-right

hashtag
Solution

Part 1

First let's view the metadata of image using exiftoolarrow-up-right

Using xxdarrow-up-right convert hex to ascii

Part 2

If you open the image and look at it you'll notice some weird strokes, like writing on frozen glass. The strokes are clear and outside seems blurred. I wasnt sure what to use to reveal the strokes.

Using FotoForensicsarrow-up-right I was able uncover the strokes using ELA (Error Level Analysis)

a-petty-wage-in-regret-1.png
circle-check

Flag: poctf{uwsp_7h3_w0rld_h4d_17_f1257}

hashtag
Better to Burn in the Light

hashtag
Description

This is an image of a disk that once contained several files. They were deleted prior to imaging, unfortunately. To find the flag, we're going to need to bring some of them back from the dead. The flag is actually broken up between two of them. Carve the files out of the image and restore any missing file headers to find the pieces to reassemble.

Download DF3.001arrow-up-right

hashtag
Analysis

Basic file check:

Mount the device:

Let's see what we have

We have too much files, since I wasnt sure what I was looking for I tried to dig information from exifdata.

While browsing through the files I found interesting comment:

Since flag was broken up into 2 pieces I tried recursive grep:

hashtag
Solution

File 1: $R4K6JU8.doc

The file seems have doc extensions, but seems to be a JFIF (or jpeg) type.

Magic bytes: https://www.wikiwand.com/en/List_of_file_signaturesarrow-up-right

Looking into the magic bytes (or file signatures) we see that the file seems to be missing first 4 bytes, without these 4 bytes its invalid.

better-to-burn-in-the-light-1
better-to-burn-in-the-light-2

Im using VSCode Hex Editorarrow-up-right to edit the image. Since we can't copy the bytes as UTF8 I'll use Base64 to insert the bytes.

better-to-burn-in-the-light-3
better-to-burn-in-the-light-4

Change extension to jpg or jpeg

better-to-burn-in-the-light-5

File 2: $RN367L5.jpg

Oddly enough VSCode couldnt open it or ImageMagick. Using Ristretto Image Viewerarrow-up-right I was able to view the image normally.

better-to-burn-in-the-light-6
circle-check

Flag: poctf{uwsp_5h1v3r_m3_71mb3r5}

Dont forget to unmount the device

triangle-exclamation
PreviousCrypto ChallengesNextSteganography Challenges

Last updated