Forensics
Authors: ret2basic, y4y

information (Exiftool)

Solved by: ret2basic

Challenge

Files can always be changed in a secret way. Can you find the flag? cat.jpg

Solution

Run exiftool:
[Screenshot: ExifTool output]
The highlighted string in the metadata is Base64-encoded; decoding it gives the flag.
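A scripted version of the same check, added here as an example (it is not the writeup's own code): it walks the JPEG marker segments that exiftool reads and tries to Base64-decode any long token found in them, keeping only results that are printable text. The sample JPEG is constructed inline and is not the challenge's cat.jpg.

```python
import base64
import binascii
import re
import struct

# Constructed sample, not the challenge's cat.jpg: a minimal JPEG skeleton
# (SOI, one COM segment, EOI) with a Base64 string planted in the comment.
SECRET = base64.b64encode(b"picoCTF{example_flag_constructed}")
COMMENT = b"Look closer: " + SECRET
SAMPLE_JPEG = (
    b"\xff\xd8"                                                    # SOI
    + b"\xff\xfe" + struct.pack(">H", len(COMMENT) + 2) + COMMENT  # COM
    + b"\xff\xd9"                                                  # EOI
)

# Runs of Base64 alphabet long enough to be worth trying to decode.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def jpeg_segments(data):
    """Yield (marker, payload) for each metadata segment before the scan data."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_base64_strings(data):
    """Return (marker, decoded text) for every Base64 token in the metadata
    segments that decodes to printable ASCII."""
    found = []
    for marker, payload in jpeg_segments(data):
        for token in B64_TOKEN.findall(payload):
            try:
                decoded = base64.b64decode(token, validate=True)
            except binascii.Error:
                continue
            if decoded and all(32 <= b < 127 for b in decoded):
                found.append((hex(marker), decoded.decode("ascii")))
    return found
```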

Flag

picoCTF{the_m3tadata_1s_modified}

Weird File (Microsoft Word => View Macros)

Solved by: ret2basic

Challenge

What could go wrong if we let Word documents run programs? (aka "in-the-clear"). Download file.

Solution

Open the Word document and go to "View -> Macros -> runpython -> Edit":
[Screenshot: macro source in the VBA editor]
The highlighted string in the macro is Base64-encoded; decoding it gives the flag.

Flag

picoCTF{m4cr0s_r_d4ng3r0us}

Matryoshka doll (Binwalk)

Solved by: ret2basic

Challenge

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this

Solution

Run binwalk -e <file> four times, each time on the image extracted by the previous run, until the innermost file holds the flag.
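What repeating binwalk -e does here, as an added Python example that is not part of this writeup: find the zip local-file-header signature after the image data, open the archive at that offset, and repeat on the extracted member until nothing more is embedded. The nested sample is constructed inline; the layer names are made up.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # zip local file header, the signature binwalk keys on

def build_nested_sample(depth, flag=b"picoCTF{constructed_example}"):
    """Constructed input, not the challenge image: `depth` archives nested one
    inside another, each with junk bytes in front so the archive is not at
    offset 0 (as with a PNG that has a zip appended to it)."""
    payload = flag
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"layer{depth - level}.bin", payload)
        payload = b"\x89PNG-junk-header" * 3 + buf.getvalue()
    return payload

def carve_zip(data):
    """Locate the first embedded zip, open it in place and return the bytes of
    its first member, or None when no valid archive is embedded."""
    offset = data.find(ZIP_MAGIC)
    if offset == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return zf.read(zf.namelist()[0])
    except (zipfile.BadZipFile, IndexError):
        return None

def unwrap(data, max_depth=32):
    """Carve repeatedly until no further archive is found; returns the innermost
    payload and how many layers were peeled (max_depth guards against loops)."""
    layers = 0
    while layers < max_depth:
        inner = carve_zip(data)
        if inner is None:
            break
        data, layers = inner, layers + 1
    return data, layers
```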

Flag

picoCTF{e3f378fe6c1ea7f6bc5ac2c3d6801c1f}

tunn3l v1s10n (GIMP)

Solved by: y4y

Challenge

We found this file. Recover the flag.

Solution

This has got to be one of the most ridiculous problems I've ever done. I wanted to say this is hyper unrealistic, but it actually has some references.
After downloading this file and running the file command on it, I found it's just data.
[Screenshot: file output]
Running the strings command also found nothing, as there were no noticeable file signatures. I have no idea how, but I remembered one of the HackTheBox machines I did a long time ago, where the privilege escalation step exploited the video group of a low-privileged user. HackTricks does a wonderful job explaining it, and in fact, they have a lot of great pentest tips and tricks.
If you read the HackTricks page, you would know. Download GIMP and follow the guide. Eventually you get an image with the flag on it:
[Screenshot: GIMP]

Flag

picoCTF{qu1t3_a_v13w_2020}

Wireshark doo dooo do doo... (Wireshark => Follow TCP Stream)

Solved by: ret2basic

Challenge

Can you find the flag? shark1.pcapng.

Solution

Follow TCP stream:
[Screenshot: Follow TCP Stream]
The highlighted string is ROT13 encoded.

Flag

picoCTF{p33kab00_1_s33_u_deadbeef}

MacroHard WeakEdge (PowerPoint <=> Zip)

Solved by: ret2basic

Challenge

I've hidden a flag in this file. Can you find it? Forensics is fun.pptm

Solution

Unzip the PowerPoint file (a .pptm is a zip archive). The hidden message is in ppt/slideMasters/hidden; remove the spaces and Base64-decode it.

Flag

picoCTF{D1d_u_kn0w_ppts_r_z1p5}

Trivial Flag Transfer Protocol (Wireshark => Export TFTP Objects)

Solved by: ret2basic

Challenge

Figure out how they moved the flag.

Solution

Go to "Wireshark => Export Objects => TFTP...":
[Screenshot: Export Objects dialog]
Then click Save All:
[Screenshot: Save All]
This yields three images, two encrypted messages, and a file named program.deb. The two messages are simply ROT13 encoded; decoding them gives:
    1. Instruction: TFTP doesn't encrypt our traffic, so we must disguise our flag transfer. Figure out away to hide the flag and I will check back for the plan.
    2. Plan: I used the programm and hide it with - DUEDILIGENCE. Check out the photos.
Extract program.deb:
$ mkdir tmp
$ dpkg-deb -R program.deb tmp
Note that tmp/usr/bin contains steghide. It turns out that we could use the password DUEDILIGENCE to extract the flag from picture3.bmp:
[Screenshot: steghide extract]
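What Wireshark's Export Objects step does for TFTP, as an added Python example that is not part of this writeup: a RRQ/WRQ names the file, DATA blocks are collected by block number, and the first block shorter than 512 bytes ends the transfer; the rebuilt file is then ROT13-decoded like the two messages above. The packet payloads are constructed inline (not the challenge capture) and the file name "plan" is made up.

```python
import codecs
import struct
from collections import defaultdict

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4  # TFTP opcodes (RFC 1350)
BLOCK = 512  # a DATA payload shorter than this ends the transfer

def build_tftp_sample():
    """Constructed UDP payloads (not the challenge capture): a WRQ of a
    ROT13-encoded note, sent as numbered DATA blocks with ACKs in between."""
    note = (codecs.encode("Plan: hide it with the photos. ", "rot13") * 40).encode()
    pkts = [struct.pack(">H", WRQ) + b"plan\x00octet\x00"]
    # len + 1 makes range emit the empty terminating block when the size
    # is an exact multiple of 512, as the protocol requires
    for num, i in enumerate(range(0, len(note) + 1, BLOCK), start=1):
        pkts.append(struct.pack(">HH", DATA, num) + note[i:i + BLOCK])
        pkts.append(struct.pack(">HH", ACK, num))
    return pkts, note

def reassemble(payloads):
    """Rebuild each transferred file from TFTP packet payloads: a RRQ/WRQ
    names the file, DATA blocks are keyed by block number (so retransmits
    do not duplicate data), and the first short block closes the transfer."""
    files, current, blocks = {}, None, defaultdict(dict)
    for p in payloads:
        op = struct.unpack(">H", p[:2])[0]
        if op in (RRQ, WRQ):
            current = p[2:].split(b"\x00")[0].decode()
        elif op == DATA and current is not None:
            num = struct.unpack(">H", p[2:4])[0]
            blocks[current][num] = p[4:]
            if len(p[4:]) < BLOCK:
                seq = blocks.pop(current)
                files[current] = b"".join(seq[k] for k in sorted(seq))
                current = None
    return files

def rot13(data):
    """Decode a ROT13 text file, as used for the two messages in this challenge."""
    return codecs.encode(data.decode("latin-1"), "rot13")
```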

Flag

picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}

Wireshark twoo twooo two twoo... ()

Solved by:

Challenge

Can you find the flag? shark2.pcapng.

Solution

Flag


Disk, disk, sleuth! (strings)

Solved by: ret2basic

Challenge

Use srch_strings from the sleuthkit and some terminal-fu to find a flag in this disk image: dds1-alpine.flag.img.gz

Solution

$ gunzip dds1-alpine.flag.img.gz
$ strings dds1-alpine.flag.img | grep pico

Flag

picoCTF{f0r3ns1c4t0r_n30phyt3_ad5c96c0}

Disk, disk, sleuth! II (Autopsy)

Solved by: ret2basic

Challenge

All we know is the file with the flag is named down-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz

Solution

Open the image in Autopsy and search for down-at-the-bottom.txt:
[Screenshot: down-at-the-bottom.txt in Autopsy]

Flag

picoCTF{f0r3ns1c4t0r_n0v1c3_69ab1dc8}

Surfing the Waves ()

Solved by:

Challenge

While you're going through the FBI's servers, you stumble across their incredible taste in music. One main.wav you found is particularly interesting, see if you can find the flag!

Solution

Todo!

Flag


Milkslap (Zsteg)

Solved by: ret2basic

Challenge

🥛

Solution

Download the image:
$ wget http://mercury.picoctf.net:7585/concat_v.png
Run zsteg:
$ zsteg concat_v.png

Flag

picoCTF{imag3_m4n1pul4t10n_sl4p5}

Very very very Hidden ()

Solved by:

Challenge

Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. try_me.pcap

Solution

Todo!

Flag
