ASCyberWargames2020 Qualifications | The-Impossible-Dream | Forensics Challenge Writeup
Welcome to my first writeup ever!
In this post, I am going to walk you through a forensics CTF challenge from the Arab Security Cyber Wargames 2020 Qualifications. Hope you enjoy reading!
The-Impossible-Dream | 600 points
First of all, let’s download the file and check the description of the challenge.
At first look, there is nothing interesting in the description, so let’s play with the file. After running it through the file command, it gives me just data.
So I tried to read the signature, and it seemed to be a WAV file and seemed corrupted. Good, let’s fix it!
Checking the wiki for the WAV signature, I got it.
Using the ghex tool, we edited our file and added the new signature.
Now let’s run the file command again to check if we are on the right track!
Great! After reading some resources about WAV files which are 16 bit and 44100Hz, and with the help of my great teammate Amr Mosa, we got this paper. We can see on page 8 the correct signature of our file, so let’s edit it again with ghex.
Here we go, we have the fixed file. Changing the name to The-Impossible-Dream.wav.
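The header repair done by hand in ghex above can also be scripted. The following is an added example, not part of the original writeup: it assumes a canonical 44-byte PCM header in which only the first 16 bytes are damaged, and it runs on a constructed sample (16 bit, 44100Hz) rather than on the challenge file.

```python
import io
import struct
import wave

def make_sample_wav() -> bytes:
    """Constructed input: 441 frames of silence, mono, 16-bit, 44100 Hz."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)        # 2 bytes per sample = 16 bit
        w.setframerate(44100)
        w.writeframes(b"\x00\x00" * 441)
    return buf.getvalue()

def repair_wav_header(data: bytes) -> bytes:
    """Rewrite the four fixed fields that open a RIFF/WAVE file.

    Assumption: only the first 16 bytes are damaged and the RIFF chunk
    spans the whole file, so its size field is len(data) - 8.
    """
    if len(data) < 44:
        raise ValueError("too short for a canonical 44-byte PCM WAV header")
    fixed = b"RIFF" + struct.pack("<I", len(data) - 8) + b"WAVE" + b"fmt "
    return fixed + data[16:]

def describe(data: bytes) -> dict:
    """Parse with the stdlib wave module; raises wave.Error if still broken."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return {
            "channels": w.getnchannels(),
            "bits": w.getsampwidth() * 8,
            "rate": w.getframerate(),
            "frames": w.getnframes(),
        }

def is_parseable(data: bytes) -> bool:
    try:
        describe(data)
        return True
    except (wave.Error, EOFError):
        return False

if __name__ == "__main__":
    good = make_sample_wav()
    broken = b"\x00" * 16 + good[16:]      # constructed corruption
    print("before:", is_parseable(broken))
    fixed = repair_wav_header(broken)
    print("after: ", describe(fixed))
```

Parsing the repaired bytes with a real WAV reader is a stronger check than the file command alone, because it also confirms that the fmt fields after the signature are sane.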
Now let’s have some fun with Sonic Visualiser. Seconds later, after some analysis, I realized this isn’t the right way.
Time to extract hidden files. Using DeepSound, I found a hidden file called challenge.img.
Let’s see what kind of file it is!
It’s Linux filesystem data. Let’s mount it!
Great. From initial analysis, ju$t_an0th3r_f!l3.rar is protected with a password and needs to be cracked, and lost+found is an empty folder.
I cracked the password for ju$t_an0th3r_f!l3.rar with the JohnTheRipper tool, and it has some memes. All said go away from here! This is the wrong file to play with!
I really tried with these images but found nothing interesting. Now let’s check the Null file. By running the file and xxd commands, we noticed that we will do the same as with the original file, but this time it is a RAR file!
Checking the wiki again!
Let’s fix it with ghex!
Now we have a RAR file, but it is protected!
Hmmmm, let’s crack it with JohnTheRipper. But nothing! It can’t be cracked with the rockyou password list. But for sure Flag.txt contains our flag!
Back to the files we extracted from challenge.img: there is a text file, pastebin.txt. Let’s take a look.
We tried decoding and decrypting this for a long time, but nothing!
The next day we decided to read the description carefully, and there are really good hints.
RC second model!! Is it referring to RC2 encryption?? Yes, but we need a key!
Again, my teammate Amr Mosa tried to decrypt it using CyberChef with the key “5”, which is mentioned in the first line!
Now we have a Pastebin link. Let’s visit it. There is Base32-encoded text!
After decoding it, we have Base64-encoded text!
Decoding it, we have what looks like ROT47-encoded text! Let’s decode!
Decoded easily with decod.fr.
The result looks like an Instagram or Twitter account! After a search, we found a Twitter account with this username.
The first tweet looks interesting! It looks like a link, but it is encoded in some way!
Let’s try ROT13.
It’s a MEGA link with a text file. Downloading it gives us an MD5 hash!
It’s Crackstation time now!
Finally, we got the password for the Zip file. Let’s get my baby flag!
Great challenge!
Thanks to my awesome teammates Mohammad Mohey, Amr Mosa, Mohamed Ashraf, Abdalla Tarek!
Team: b3y0nd
Rank: 8 — Qualified to finals!
I’m Asem Eleraky, known as Melotover!
Thanks for reading!