From recon to flag capture: a breakdown of my solutions.
First of all, the flag format: SecLeaf{flag}
Challenge-1: military_grade_encryption (98 points)
Given a file named “encrypted.txt”. At first I expected some heavy encryption technique, but it ended up having a simple solution.
We intercepted an encrypted military transmission during routine monitoring.
Analysts were unable to identify the encryption scheme used.
Can you recover the hidden message?
U2VjTGVhZntiNDUzNjRfMXNfbjB0XzNuY3J5cHQxMG59
It looks like base64-encoded text, so I used Cyberchef.io with FROM BASE64 to decode it. That gave me the flag.
SecLeaf{b45364_1s_n0t_3ncrypt10n}

Challenge-2: important (100 points)
Given an image named “important.jpg”. I tried to open the image, but it wouldn’t open: it said unsupported file format. Something weird, right?
Then I used the file command on my Linux machine to find out what type of file it really was, and learned that it was a ZIP file with a deliberately misleading extension.
-$ file important.jpg
ZIP archive file
Now I unzipped the archive and it extracted the flag.txt file.
SecLeaf{extensions_can_lie}

Challenge-3: forgotten_snapshot (100 points)
Given an image named “snapshot.jpg”. It is a simple JPEG image file.
We recovered this image from a damaged backup archive.
Analysts believe the original owner attempted to conceal sensitive information before deletion. Some image data may have survived recovery.
First I decided to use strings to check whether the flag was hidden in the image.
-$ strings snapshot.jpg
I was correct. The flag was hidden in the image file, and it is exposed as soon as an attacker runs strings over the image data to list any text present in it.
SecLeaf{metadata_never_lies}

Challenge-4: vaultcore (100 points)
Given a file named “vaultcore”. We recovered a protected vault executable from an abandoned workstation.
First I needed to find out what type of file it was.
ELF binary 64-bit, statically linked (no external library dependencies), no section header
The secret trick I always use is the strings command.
-$ strings vaultcore
SecLeaf{str1ngs_1s_4ll_y0u_n33d}

Challenge-5: double-trouble (300 points)
Again given a file named “encrypted.txt”. I was confident that this would be another of the CyberChef-solvable challenges.
We intercepted a suspicious encoded transmission during routine monitoring.
Analysts believe the message was processed through multiple transformation layers before being transmitted. Can you recover the original message?
526e4a7757584a756333737759544e66655452734d325666616a526d595764664d3245776148523166513d3d0a
It looks like hex, so I decoded it.
RnJwWXJuc3swYTNfeTRsM2VfajRmYWdfM2EwaHR1fQ==
Now it looks like base64, so I decoded it again.
FrpYrns{0a3_y4l3e_j4fag_3a0htu}
Now it has the shape ABC{xyz}: the flag format with every letter shifted. That points to a character rotation, the popular ones being ROT13 and ROT47. I used ROT13 to decode it.
SecLeaf{0n3_l4y3r_w4snt_3n0ugh}

Challenge-6: Almost_there (150 points)
Given a ZIP file named “backup.zip”. I tried to unzip it, but it wouldn’t extract; the error was a bad offset.
file #1: bad zipfile offset (local header sig): 0
So I simply used the strings command and got the output.
SecLeaf{repair_the_archive}

Challenge-7: Backup_leak (150 points)
A web challenge, which is more interesting. The developer accidentally leaked a backup to the public. We need to find the backup file and retrieve the flag.
I tried /backup, /bak and /backup.zip. No flag found. Then I wrote a curl loop to look for the backup in a smarter way, trying common backup extensions against the two most likely base names.
for ext in .bak .backup .old .zip .tar.gz .sql; do
curl https://backup-leak.secleaf.tech/index.php$ext
curl https://backup-leak.secleaf.tech/backup$ext
done
Then I found the flag at https://backup-leak.secleaf.tech/index.php.bak
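The defender’s side of this challenge is the interesting one: a copy like index.php.bak is served as plain text instead of being executed, so one stray file discloses the source and anything embedded in it. The scanner below is an added example, not the challenge’s code or the author’s. It walks a document root and reports files with the backup suffixes probed above, plus editor and copy leftovers I added (.orig, .swp, a trailing ~), and names that should never sit in a web root (.env, .git, .htpasswd). The fixture it builds in a temporary directory is constructed for the demo; the PLACEHOLDER values stand in for real secrets.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Suffixes the writeup probed for (.bak .backup .old .zip .tar.gz .sql) plus
# editor and copy leftovers added for this example (.orig, .swp, trailing ~).
BACKUP_SUFFIXES = (".bak", ".backup", ".old", ".zip", ".tar.gz", ".sql",
                   ".orig", ".swp", "~")
# Names that usually hold secrets or repository state and never belong in a docroot.
SENSITIVE_NAME = re.compile(r"^(\.env|\.git|\.htpasswd|backup|dump)", re.IGNORECASE)


def find_leaked_artifacts(docroot: Path) -> List[Tuple[str, str]]:
    """Walk a document root and return (relative_path, reason) for every risky file.

    A web server serves index.php.bak as text rather than executing it, so a
    single stray copy discloses source and any embedded credentials.
    """
    findings: List[Tuple[str, str]] = []
    for path in docroot.rglob("*"):
        if not path.is_file():
            continue
        rel_path = path.relative_to(docroot)
        rel = rel_path.as_posix()
        if path.name.endswith(BACKUP_SUFFIXES):
            findings.append((rel, "backup-suffix"))
        elif SENSITIVE_NAME.match(path.name) or ".git" in rel_path.parts:
            # Anything below .git/ is a repository leak even if the file name looks harmless.
            findings.append((rel, "sensitive-name"))
    findings.sort()
    return findings


def build_demo_docroot(base: Path) -> Path:
    """Constructed fixture (not the challenge server): a small site with leftovers."""
    (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (base / "index.php.bak").write_text("<?php $db_pass = 'PLACEHOLDER'; ?>\n")
    (base / ".env").write_text("APP_KEY=PLACEHOLDER\n")
    (base / "assets").mkdir()
    (base / "assets" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (base / "assets" / "style.css.swp").write_bytes(b"b0VIM 8.2")
    (base / ".git").mkdir()
    (base / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    return base


def demo() -> List[Tuple[str, str]]:
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_leaked_artifacts(build_demo_docroot(Path(tmp)))


if __name__ == "__main__":
    import sys

    # Pass a real document root as the first argument, or run the built-in demo.
    results = find_leaked_artifacts(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for rel, reason in results:
        print(f"{reason:15} {rel}")
```

Run it against the real document root from a deploy pipeline or a nightly job; a non-empty result is a finding to act on before anyone else’s curl loop gets there.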
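Challenges 1 and 5 follow the same pattern: encoding layers (hex, base64, a letter rotation) stacked on top of the flag format, and each layer is recognisable by its alphabet and length. The script below is an added example, not the author’s CyberChef workflow or any project code. It peels layers automatically until a string matches SecLeaf{…}, trying hex before base64 because every hex string is also valid base64 alphabet, and only trying ROT13 once the text is already flag-shaped (ABC{xyz}) in the wrong letters. The two sample inputs are the ciphertexts quoted in the writeup, with the Challenge-5 hex joined into one line.

```python
import base64
import binascii
import codecs
import re
from typing import Callable, List, Optional, Tuple

# Flag format stated at the top of the writeup.
FLAG_RE = re.compile(r"SecLeaf\{[^{}]+\}")
# Flag-shaped text in a different alphabet, e.g. FrpYrns{...}: a rotation candidate.
SHAPE_RE = re.compile(r"[A-Za-z]+\{[^{}]+\}")
MAX_LAYERS = 10

# Sample inputs taken from the writeup: Challenge-1 and Challenge-5 ciphertexts.
CHALLENGE1 = "U2VjTGVhZntiNDUzNjRfMXNfbjB0XzNuY3J5cHQxMG59"
CHALLENGE5 = (
    "526e4a7757584a756333737759544e66655452734d325666616a526d5957"
    "64664d3245776148523166513d3d0a"
)


def _as_text(raw: bytes) -> Optional[str]:
    """Accept a decoded layer only if it is printable ASCII; binary means we guessed wrong."""
    try:
        text = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def try_hex(s: str) -> Optional[str]:
    # Even length and hex alphabet only. Checked before base64 because a hex
    # string passes the base64 alphabet test too.
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    try:
        return _as_text(binascii.unhexlify(s))
    except binascii.Error:
        return None


def try_base64(s: str) -> Optional[str]:
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return _as_text(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None


def try_rot13(s: str) -> Optional[str]:
    # Only worth trying when the text is already flag-shaped but in the wrong alphabet.
    if not SHAPE_RE.fullmatch(s):
        return None
    rotated = codecs.encode(s, "rot_13")
    return rotated if FLAG_RE.fullmatch(rotated) else None


DECODERS: List[Tuple[str, Callable[[str], Optional[str]]]] = [
    ("hex", try_hex),
    ("base64", try_base64),
    ("rot13", try_rot13),
]


def peel(blob: str) -> Tuple[Optional[str], List[str]]:
    """Strip encoding layers until the flag format appears.

    Returns (flag or None, names of the layers removed, in order).
    """
    current = blob.strip()
    layers: List[str] = []
    for _ in range(MAX_LAYERS):
        if FLAG_RE.fullmatch(current):
            return current, layers
        for name, decoder in DECODERS:
            nxt = decoder(current)
            if nxt is not None and nxt != current:
                layers.append(name)
                current = nxt
                break
        else:
            # No decoder made progress: not a pure encoding chain (real crypto, or binary).
            return None, layers
    return None, layers


if __name__ == "__main__":
    for label, sample in (("challenge 1", CHALLENGE1), ("challenge 5", CHALLENGE5)):
        flag, layers = peel(sample)
        print(f"{label}: {' -> '.join(layers) or 'no layers'} => {flag}")
```

The MAX_LAYERS cap and the printable-ASCII check are what keep this from looping or wandering into garbage: the moment a layer decodes to bytes that are not text, the guess was wrong and the script stops rather than reporting nonsense.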
Challenge-8: Memory_bin (1000 points)
Given a file named “memory.bin”.
A memory dump file (memory.bin) has been provided. Somewhere inside, the real flag is hidden. NOTE: The flag you need is hidden in plain sight.
-$ file memory.bin
memory.bin: data
-$ strings memory.bin | grep "SecLeaf"
# many and repeated fake flags
SecLeaf{alm0st_th3r3_just_k1dd1ng} ← FAKE
SecLeaf{y0u_f0und_m3_haha_n0pe} ← FAKE
SecLeaf{wr0ng_flag_ag41n} ← FAKE
SecLeaf{r3ally_th1s_t1me_nope} ← FAKE
Then the hint revealed “It was all about hashes”. When I saw the word ‘hash’, my first thought was the MD5 hash function, so I calculated the file’s MD5 hash with md5sum.
The flag was simply the resulting hash enclosed in the flag format: SecLeaf{md5_hash}
SecLeaf{019fcb4b2f8de31aa74c62c1f5566f48}

Support my work, guys.
Clap, comment and follow.