Hello! I am a cybersecurity student currently pursuing a BCA in cloud computing, cybersecurity and ethical hacking, along with CEHv12.
- This is my first writeup ever. I don't usually like writing long writeups, but I thought this one would be helpful for me and for others.
I created this CTF so that I can get better at CTFs and bug hunting, and so I can help others learn the things I picked up from playing several CTFs.
Okay, so let's get into the actual stuff!
Challenge URL : https://github.com/47hxl-53r/hekerCTF
hekerCTF 2024
This is an intermediate-level Capture the Flag challenge that goes through steganography, cryptography, packet analysis and a basic level of covert communication.
To start with, we have a file called challenge.jpg, which shows a grocery store or something similar.
Steganography
When I got this file, I first ran exiftool on it to pull out any metadata about the image.
Here you can see the file size is 9.0 MB, which is pretty suspicious for a JPEG of a storefront. Together with the hints given, that makes it fairly safe to assume the challenge starts with steganography.
So I ran steghide to extract any embedded files from the image, and it prompted for a passphrase. (steghide always prompts, so that alone does not prove anything is embedded, but combined with the file size it is a good sign.) I tried guessing common passwords and none of them worked, so I brute-forced it with a simple one-liner that reads rockyou.txt and feeds each candidate into steghide's -p flag. Here is how it looked:
cat /usr/share/wordlists/rockyou.txt | xargs -I {} steghide extract -sf challenge.jpg -p {}
Eventually it hits the right passphrase and we get a file named heker.png. (Note that this xargs one-liner keeps going through the rest of the wordlist after the hit, and candidates containing spaces or shell metacharacters can get mangled by xargs; a loop that reads the wordlist line by line and stops on the first successful extract is the cleaner way to do it.)
I opened the file and I thought I was hacked! LOL
It was a meme based on the popular hacking show Mr. Robot, where he tries to solve an "I'm not a robot" captcha, but he is one xD
So I did the main thing we all do when we get any file: STRINGS!!
Running strings on the PNG turns up a Google Drive link (piping the output through grep for "http" narrows it down quickly). Let's visit that.
Now we have a pcapng file called capcap.pcapng!!
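Here is an added example of the stop-on-first-hit version of that brute force (my own code for this writeup, not the challenge author's one-liner). It assumes steghide is on PATH and that it exits non-zero on a wrong passphrase; the `try_passphrase` callable is injectable so the search loop itself can be exercised without steghide installed, and the wordlist is read as raw bytes because rockyou.txt is not valid UTF-8 all the way through.

```python
"""Stop-on-first-hit steghide passphrase brute force.

Added example for this writeup, not the challenge author's code. Assumes
`steghide` is on PATH; try_passphrase is injectable for testing.
"""
import subprocess
from typing import Callable, Iterable, Optional


def read_wordlist(path: str) -> Iterable[bytes]:
    """Yield candidates as raw bytes: rockyou.txt contains lines that are not valid UTF-8."""
    with open(path, "rb") as fh:
        for line in fh:
            yield line.rstrip(b"\r\n")


def run_steghide(stegofile: str, passphrase: bytes) -> bool:
    """True if steghide extracted something with this passphrase.

    -q keeps it quiet, -f overwrites output left by an earlier attempt, and
    steghide's exit status is non-zero when the passphrase is wrong.
    Mixed str/bytes argv is fine on POSIX; the passphrase is passed as-is.
    """
    result = subprocess.run(
        ["steghide", "extract", "-sf", stegofile, "-p", passphrase, "-q", "-f"],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def bruteforce(stegofile: str, passphrases: Iterable[bytes],
               try_passphrase: Callable[[str, bytes], bool] = run_steghide) -> Optional[bytes]:
    """Return the first passphrase that extracts data, or None. Stops at the hit,
    unlike the xargs one-liner, which keeps hammering through the whole list."""
    for pw in passphrases:
        if try_passphrase(stegofile, pw):
            return pw
    return None


if __name__ == "__main__":
    import sys
    # Usage: python steghide_brute.py challenge.jpg /usr/share/wordlists/rockyou.txt
    hit = bruteforce(sys.argv[1], read_wordlist(sys.argv[2]))
    print("found:", hit.decode("utf-8", "replace") if hit else "no hit")
```

One steghide process per candidate is slow for a 14-million-line wordlist; in practice stegseek (which reimplements the steghide check in-process and runs the same wordlist search orders of magnitude faster) is what most people reach for, but the loop above shows the logic and stops as soon as an extract succeeds.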
Packet analysis & Covert communication
We open the pcapng file in Wireshark and see tons of traffic in it.
There are 1728 packets in total in this capture, and going through each one by hand to find anything useful is not practical.
Whenever I get a pcap file, I first look at the protocol hierarchy to get an idea of what is going on the wire.
Go to Statistics -> Protocol Hierarchy.
Here we can see tons of TCP and UDP packets whose contents are TLS-encrypted, some DNS packets, and some ICMP packets.
This part of the challenge was the hardest and most confusing for most players (around 90% of them). Many tried to find a way to decrypt the TLS traffic to get at the TCP payloads and failed, since without the session keys there is no practical way in.
Hours passed by, until the hint "Covert communication" lit a bulb. Some research on covert communication led me to an interesting finding:
Covert communication via ICMP: exploit-db.com
So I filtered the ICMP packets using the "icmp" display filter in Wireshark and found 17 packets (one of them is a failed one).
When I clicked on the first packet, the packet data section showed some weird text:
At first I thought it was some kind of rotation. I tried ROT13 and ROT47, and neither gave a meaningful sentence. Then I tried a Caesar cipher on www.dcode.fr (ROT13 is itself just a Caesar shift of 13; dcode's brute-force mode tries all 26 shifts at once).
It turned out to be a Caesar cipher with a shift of 4.
This was a chat between two people carried in the payload of ICMP type 8 (echo request) packets.
There was data in the remaining packets too, but one of them had a big clue in it:
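As an added example (my code for this writeup, not the challenge author's), here is the same two steps done without Wireshark and dcode: pull the data that follows the 8-byte ICMP echo header, then try all 26 Caesar shifts and keep the one that produces the most common English words. The packet and its text are constructed in memory; the `tshark` line in the docstring is how you would export the real payloads from capcap.pcapng, and the `COMMON_WORDS` list is an assumption about what a chat looks like.

```python
"""Pull covert text out of ICMP echo-request payloads and brute-force the Caesar shift.

Added example for this writeup, not the challenge author's code. SAMPLE_PACKET is
constructed here; real payloads can be exported as hex with
  tshark -r capcap.pcapng -Y "icmp.type == 8" -T fields -e data.data
and handed to decode_packet() after bytes.fromhex() (prepend the header or call
crack_caesar() on the payload text directly).
"""
import struct
from typing import Tuple

ICMP_HEADER = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence
ECHO_REPLY, ECHO_REQUEST = 0, 8

# Assumed: words likely to appear in a chat, used to rank the 26 candidate shifts.
COMMON_WORDS = {"the", "a", "i", "is", "to", "you", "and", "send", "me",
                "will", "there", "next", "over", "on", "it", "in", "of"}


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed echo request carrying an arbitrary payload (checksum left as 0)."""
    return ICMP_HEADER.pack(ECHO_REQUEST, 0, 0, ident, seq) + payload


def icmp_payload(packet: bytes) -> bytes:
    """Bytes after the 8-byte ICMP header. Normal ping fills this with a timestamp
    and a byte pattern, so anything text-like here is worth a look."""
    if len(packet) < ICMP_HEADER.size:
        raise ValueError("truncated ICMP packet")
    icmp_type = packet[0]
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        raise ValueError(f"not an echo packet (type {icmp_type})")
    return packet[ICMP_HEADER.size:]


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` positions (positive = encrypt); other characters untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Count of common English words; gibberish from a wrong shift scores near zero."""
    words = "".join(c if c.isalpha() else " " for c in text.lower()).split()
    return sum(w in COMMON_WORDS for w in words)


def crack_caesar(ciphertext: str) -> Tuple[int, str]:
    """Try all 26 shifts; return (encryption shift, plaintext) for the best-scoring one."""
    best = max(range(26), key=lambda k: english_score(caesar(ciphertext, -k)))
    return best, caesar(ciphertext, -best)


# Constructed: what one line of the ICMP chat might look like, encrypted with shift 4.
SAMPLE_PACKET = build_echo_request(
    caesar("hello there, i will send you the next clue over icmp", 4).encode("ascii"))


def decode_packet(packet: bytes) -> Tuple[int, str]:
    text = icmp_payload(packet).decode("ascii", errors="replace")
    return crack_caesar(text)


if __name__ == "__main__":
    shift, plaintext = decode_packet(SAMPLE_PACKET)
    print(f"shift {shift}: {plaintext}")
```

The scoring is deliberately crude: for a short chat line, counting hits against a small word list is enough to separate the right shift from the other 25, and it sidesteps the ROT13/ROT47 guessing, since ROT13 is just shift 13 of the same family.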
Interesting…. We need to send /g3t_audi0 to the given username on Telegram. So let's try it..
It requires a password to access the contents.
The hint: Famous taxi cab number ** 2…
A quick search gives the number 1729, the "taxicab number" made famous by the Indian mathematician Srinivasa Ramanujan. The hint says the number ** 2. In most programming languages ** is the exponentiation operator, so 1729 ** 2 means 1729 multiplied by itself: 1729 × 1729 = 2989441.
So I sent the command /g3t_audi0 2989441 and got something interesting.
We got an audio.wav archived by trojan.monkey…
I saved the file to my system and opened it in Audacity.
DTMF tones
When you listen to the audio, you can tell it is a sequence of DTMF tones. Dual-tone multi-frequency (DTMF) signalling produces the touch-tone sounds you hear when pressing a key on a phone's keypad: each key is the sum of one low-group and one high-group frequency, which is what makes it easy to decode.
I quickly searched for DTMF online decoders and found a site that does it very well: https://dtmf.netlify.app/
That gave me a long string of digits which I had no clue what to do with at first.
Then I listened to the tones myself and arranged the digits in the correct sequence, with spaces where the longer pauses are.
Now it looks like a sequence of decimal ASCII codes for some long string.
I used https://www.duplichecker.com/ascii-to-text.php to turn the codes into text, and here we are….
We now have the flag!!!
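As an added example (my own code for this writeup, not the challenge author's and not what the online decoder does internally), here is the whole last stage done offline: detecting the DTMF keys with a Goertzel filter on 20 ms frames, using the length of the silence between tones to recover the "spaces" between ASCII codes, and converting the codes to text. The audio is generated in memory with assumed timings (80 ms tones, 40 ms between digits, 200 ms between codes) because the real audio.wav is not on the page; to run it on the real file, read the samples with the `wave` module and pass them to `decode_dtmf()`.

```python
"""Decode DTMF tones to digits, then the decimal ASCII codes to text.

Added example for this writeup, not the challenge author's code. The audio is
constructed by generate_dtmf() with assumed timings; for a real recording,
read audio.wav with the wave module, scale samples to [-1, 1] and call
decode_dtmf(samples, sr).
"""
import math
from typing import List, Optional, Tuple

SAMPLE_RATE = 8000
LOW = [697, 770, 852, 941]            # row (low-group) frequencies, Hz
HIGH = [1209, 1336, 1477, 1633]       # column (high-group) frequencies, Hz
KEYPAD = ["123A", "456B", "789C", "*0#D"]
# Assumed timings for the constructed audio: tone length, gap between the
# digits of one code, and the longer gap separating two codes (the "spaces").
TONE_MS, DIGIT_GAP_MS, CODE_GAP_MS = 80, 40, 200


def key_frequencies(key: str) -> Tuple[int, int]:
    for row, keys in enumerate(KEYPAD):
        if key in keys:
            return LOW[row], HIGH[keys.index(key)]
    raise ValueError(f"not a DTMF key: {key!r}")


def generate_dtmf(message: str, sr: int = SAMPLE_RATE) -> List[float]:
    """Encode text as DTMF: each character's decimal ASCII code, one digit per tone."""
    samples: List[float] = []

    def silence(ms: int) -> None:
        samples.extend([0.0] * (sr * ms // 1000))

    for ch in message:
        for digit in str(ord(ch)):
            f_lo, f_hi = key_frequencies(digit)
            for i in range(sr * TONE_MS // 1000):
                t = i / sr
                samples.append(0.5 * math.sin(2 * math.pi * f_lo * t)
                               + 0.5 * math.sin(2 * math.pi * f_hi * t))
            silence(DIGIT_GAP_MS)      # without this gap "66" would read as one long "6"
        silence(CODE_GAP_MS - DIGIT_GAP_MS)
    return samples


def goertzel_power(frame: List[float], freq: float, sr: int) -> float:
    """Energy at one frequency; cheaper than an FFT when only 8 bins matter."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sr)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame: List[float], sr: int, threshold: float) -> Optional[str]:
    """Strongest row plus strongest column, or None when the frame is silence."""
    lo = [goertzel_power(frame, f, sr) for f in LOW]
    hi = [goertzel_power(frame, f, sr) for f in HIGH]
    if max(lo) < threshold or max(hi) < threshold:
        return None
    return KEYPAD[lo.index(max(lo))][hi.index(max(hi))]


def decode_dtmf(samples: List[float], sr: int = SAMPLE_RATE,
                frame_ms: int = 20, code_gap_ms: int = 120) -> List[str]:
    """Return digit groups such as ['104', '101']: a silence of at least
    code_gap_ms closes a group, the shorter gap between digits does not."""
    n = sr * frame_ms // 1000
    # A tone of amplitude A yields power of about (A * n / 2) ** 2; accept anything
    # above a 0.1-amplitude equivalent. Tune this for noisy recordings.
    threshold = (0.1 * n / 2) ** 2
    groups: List[str] = []
    current, last_key, silent_ms = "", None, 0
    for start in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[start:start + n], sr, threshold)
        if key is None:
            silent_ms += frame_ms
            last_key = None              # the next tone is a new key press
            if current and silent_ms >= code_gap_ms:
                groups.append(current)
                current = ""
        else:
            silent_ms = 0
            if key != last_key:          # a held key spans several frames: count once
                current += key
            last_key = key
    if current:
        groups.append(current)
    return groups


def dtmf_to_text(groups: List[str]) -> str:
    """Each group is a decimal ASCII code (the duplichecker step in the writeup)."""
    return "".join(chr(int(g)) for g in groups)


if __name__ == "__main__":
    audio = generate_dtmf("hekerCTF 2024")   # constructed stand-in for audio.wav
    digits = decode_dtmf(audio)
    print(digits, "->", dtmf_to_text(digits))
```

The part that tripped people up with the online decoder is exactly what `decode_dtmf` handles: the decoder sees only a flat digit stream, and the grouping into 2- and 3-digit ASCII codes has to come from the silences, so the gap length is the signal, not noise.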
Conclusion
This was a simple intermediate-level CTF made just as a refresher and for learning. I hope you liked it. I will be creating more CTFs in the future and posting them on my GitHub.
You can follow me on these socials:
Github : https://github.com/47hxl-53r
Tryhackme : https://tryhackme.com/p/1.day
Telegram : https://t.me/p4in000
Hope you liked this article. Thank you :)