Recently I participated in an entry-level CTF and solved a few forensics challenges in it.

Somepang (Forensics 50 points)

A pcap file was given: <link to file>

Opening the file in Wireshark shows that it contains ICMP packets. The interesting detail is that two bytes are unique to each echo-reply packet but repeat several times within that packet's payload.


I wrote a Python script to extract the last two bytes of each echo-reply packet from the pcap.
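As an added example (not the script from this write-up), here is a self-contained Python version of that extraction. It builds a small constructed pcap in memory with a minimal pcap/Ethernet/IPv4/ICMP writer, parses it back, keeps only echo-reply packets, checks that each payload is a whole number of repeats of its last two bytes, and concatenates those units. The addresses, packet contents and the recovered text "sample" are constructed and stand in for the challenge file.

```python
import struct

# ---------- constructed sample pcap (stands in for the challenge file) ----------

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over a byte string (padded to even length)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_frame(icmp_type: int, payload: bytes, seq: int) -> bytes:
    """Ethernet/IPv4/ICMP frame; icmp_type 0 = echo reply, 8 = echo request. Constructed addresses."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + icmp

def build_pcap(frames) -> bytes:
    """Classic libpcap file: magic 0xa1b2c3d4, version 2.4, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# ---------- parser / extractor ----------

def iter_pcap_records(data: bytes):
    """Yield raw frames from a classic pcap file (either byte order, Ethernet link type)."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    linktype, = struct.unpack(e + "I", data[20:24])
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def icmp_payload(frame: bytes):
    """Return (icmp_type, payload) for an IPv4/ICMP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1:                                     # IP protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8:
        return None
    return icmp[0], icmp[8:]                               # 8-byte ICMP header, then payload

def repeating_unit(payload: bytes, size: int = 2):
    """If payload is a whole number of repeats of its last `size` bytes, return that unit."""
    if len(payload) < size or len(payload) % size:
        return None
    unit = payload[-size:]
    return unit if payload == unit * (len(payload) // size) else None

def extract_reply_tails(pcap: bytes):
    """Last two bytes of every echo reply whose payload is made of that repeated pair."""
    tails = []
    for frame in iter_pcap_records(pcap):
        parsed = icmp_payload(frame)
        if parsed is None:
            continue
        icmp_type, payload = parsed
        if icmp_type != 0:            # only echo replies carry the interesting bytes
            continue
        unit = repeating_unit(payload)
        if unit is not None:
            tails.append(unit)
    return tails

def recover_message(pcap: bytes) -> bytes:
    return b"".join(extract_reply_tails(pcap))

# Constructed capture: requests carry filler, replies carry the repeated pairs.
SAMPLE_PCAP = build_pcap([
    build_icmp_frame(8, b"AB" * 8, 1),
    build_icmp_frame(0, b"sa" * 8, 1),
    build_icmp_frame(8, b"AB" * 8, 2),
    build_icmp_frame(0, b"mp" * 8, 2),
    build_icmp_frame(0, b"le" * 8, 3),
])

if __name__ == "__main__":
    print(recover_message(SAMPLE_PCAP))
```

For a real capture, pass `open(path, "rb").read()` to `recover_message` instead of `SAMPLE_PCAP`; a pcapng file has a different container format and would need converting (for example with editcap) or a pcapng reader first.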



My Lil Droid (Forensics 100 Points)

This is one of the easiest tasks in the forensics section. A Youtube.apk file was given.

I ran strings on it and searched for RC3, then for 2016, and found base64-encoded strings that look like a flag (RC3-2016-SOMESTRING).

Flag: RC3-2016-GOTEM21

Graphic Design (Forensics 200)

A Blender object file was given. Loading it in the Blender application opened a 3D model of a dinosaur. The model had various layers, and I disabled all of them except the layer named def_not_the_flag_Text.002.


Flag: RC3-2016-St3GG3rz

Breaking News (Forensics 300)

A zip file was given that contained 20 zip files. Usually a zip file ends with a PK signature (the end-of-central-directory record) followed by a run of 0x00 bytes. But while inspecting the tail of certain zip files (4, 9, 10, 12, 15), I could see base64-encoded strings.
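An added Python example (not part of this write-up) that performs the same tail inspection programmatically: it locates the end-of-central-directory record, computes where the archive legitimately ends (the 22-byte record plus the archive comment length) and returns whatever follows, decoding it if it is valid base64. The sample archives and the appended text "constructed-sample" are constructed inline.

```python
import base64
import binascii
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature

def trailing_bytes(data: bytes) -> bytes:
    """Return everything that follows the EOCD record and its optional comment."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no EOCD record: not a zip file?")
    comment_len = struct.unpack("<H", data[idx + 20:idx + 22])[0]
    end = idx + 22 + comment_len              # where a well-formed archive stops
    return data[end:]

def decode_if_base64(blob: bytes):
    """Strip padding/newlines around the blob and decode it if it is strict base64."""
    stripped = blob.strip(b"\x00\r\n")
    if not stripped:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_archive(data: bytes):
    """Return (trailing bytes, decoded base64 or None) for one archive."""
    tail = trailing_bytes(data)
    return tail, decode_if_base64(tail)

def build_sample_zip(appended: bytes) -> bytes:
    """Constructed archive with one harmless member, plus whatever is appended after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue() + appended

SAMPLE_CLEAN = build_sample_zip(b"")
SAMPLE_TAIL = build_sample_zip(b"\x00" * 16 + base64.b64encode(b"constructed-sample") + b"\n")

if __name__ == "__main__":
    for name, data in (("clean", SAMPLE_CLEAN), ("tail", SAMPLE_TAIL)):
        tail, decoded = inspect_archive(data)
        print(name, len(tail), "trailing bytes ->", decoded)
```

Run this over each of the 20 inner archives (read with `open(path, "rb").read()`) and only the ones with appended data report a non-empty tail; zip readers ignore bytes after the EOCD record, which is why such appended data is invisible when the archive is simply extracted.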

Flag: RC3-2016-DUKYFBLS

DTrump (Forensics 400)

The file dtrump.img.zip was given; it contains an ISO 9660 CD-ROM filesystem image labelled ‘CDROM’.

I mounted the ISO on my machine.

I found a folder called secretfiles, which is a git repository. There is an Excel file called Workbook1.xlsx.gpg in it, encrypted with a private key, and the private.key file had been deleted from the repository. Because an ISO is always mounted read-only, I could not check out the deleted private.key file in place, so I copied the secretfiles directory to a writable location on my filesystem, checked out the key there, and used it to decrypt the XLSX file.

LibreOffice opened the file with a password prompt; I entered password123, which I had determined by examining the document.txt file. The flag was in sheet 2.


Flag: RC3-2016-SNEAKY21
