Auke Zwaan

There is an .rtf file. Considering that the title of this challenge is RTFspy, there must be something in this file. First, of course, I tried to open it in the regular way, but none of the programs I tried could open the file.

Just like I did with Canada – 1n51d3r’5 j0b and Germany – ch17ch47, I started grep’ing. As there was only one file, which was a pcap, I chose to first look for ASCII strings and then pipe the output to my grep command that looked for the string all flags started with, ‘h4ck’.

The ZIP archive attached to the challenge contains a ./Docs directory that held several files and directories. First, I looked at all the files to get some idea of what was interesting and what was not:

The attached ZIP archive contained an image called planet.png. It was a regular-looking image, so let’s look for any hidden stuff inside.

First, I looked for EXIF data using the exif command, which it did not contain. Then, I looked at any hidden message using the strings command, which did not show any useful ASCII strings.

Attached was a .pcap file. An easy approach of getting any interesting files from the pcap is using the tool foremost. It carves the file by searching through the input file for any bytes that can be headers and footers of specific filetypes. Let’s try it out:

Germany appeared to be another challenge that seems to contain an unintended way to solve it.

Just like I did when solving Canada – 1n51d3r’5 j0b, I started with the easy approach:

The solution on this one is quite simple, probably due to a mistake made by the developer. Still, a simple solution is also a solution.

First, I extracted the ZIP archive that contained the files. First thing I always do is a simple grep. I knew that all flags in this CTF, as usual, have the same syntax, namely h4ckit{flag}. Let’s try to find some stuff:

The target was a normal looking website. It did not have too much interesting user interaction etc., except for three pages (which I believe were home, about and contact). The pages were accessible on URLs that looked like this:

The challenge file consisted of only one file of unknown type. First thing to try is to run the file command to see what we are dealing with.

As it seems, the script created the image pixel by pixel using the putpixel function from the PIL module for Python. This means that, for each pixel, an X and Y coordinate for the pixel must be given, as well as a RGB value for its color.