Intigriti CTF Writeup

Hello there! Hope you are doing great and learning loads of stuff from the community like I am.

What is this post about?

Capture the Flag, or more commonly CTF, is a sort of firing range for hackers where they can test their skills and pick up a few new tricks. I personally believe that it's a great way to keep you sharp and intrigued to learn new stuff. This post is a writeup (solution) to a CTF hosted by Intigriti.
I'll try to pour out / write my thought process while solving the CTF.

The First Hint

The CTF starts off with this link

My first thought: “Weird, there is nothing in the tweet besides an image.”
If you’ve been doing any sort of CTFs, you’ll instantly think that there is most likely something hidden in the image, which didn’t instantly come to my mind since I thought “well, it’s Twitter, they are probably removing bogus data from the image”.
Since I had nothing else to move forward with, I went on to download the image.
Always check the file type.
Oftentimes in CTFs you will come across files that have a different nature than their file extension suggests, but in the world of Linux file extensions don’t really matter. You should know how to identify file types regardless of extension.

$ binwalk <file>

Renaming the file to <file>.zip and unzipping
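Why the rename-and-unzip step works, as an added example that is not part of the original post: a small signature scan in the spirit of binwalk, run over a constructed stub image with a ZIP appended. The sample bytes and the member name hint.pdf are assumptions made up for the demonstration, not the CTF's files.

```python
import io
import zipfile

# Magic numbers for the formats this writeup runs into.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP local file header",
    b"%PDF-": "PDF document",
}


def scan_signatures(data):
    """Return sorted (offset, description) pairs for every known magic found."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def extract_appended_zip(data):
    """Return {member name: bytes} for a ZIP archive appended to another file."""
    # ZIP readers locate the archive from the end-of-central-directory record
    # at the tail of the file and tolerate leading data, which is why renaming
    # the image to .zip and unzipping it works.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample():
    """Constructed sample: a 34-byte stub JPEG with a stored ZIP appended."""
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 28 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hint.pdf", b"%PDF-1.4 constructed placeholder")
    return jpeg_stub + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for offset, name in scan_signatures(sample):
        print(f"{offset:<8} 0x{offset:<8X} {name}")
    print(extract_appended_zip(sample))
```

The same check is useful on the defensive side: an upload that starts with image magic but also carries a ZIP header further in is a file worth a second look.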


So we have now obtained a PDF file. Opening it we see the following

The first line is clearly a base64-encoded string (this just comes with experience, you’ll get there; if you’re new to this you might want to try this site. Just paste the encoded/hashed string in the search bar and you’ll get what the encoding/hashing mechanism was), and the second one is a link to some tweet.
Decoding the string we get.

Opening the decoded string/URL we get another zip file

Now that we have the zip file, same drill all over: binwalk it and check its type.

I found out that it’s a zip archive file. When I tried to unzip it I got prompted for a password

At first I thought it can’t be that hard, must be a simple brute force with the classic ‘rockyou.txt’ file. I quickly tried fcrackzip (a tool to brute force passwords for zip files) but no seed.
I further went on to use strings (a command to see if there is any readable material in the zip file), got all the readable stuff and turned that into a dictionary list, but that didn’t work either.
*) Hex editing
*) strings
*) fcrackzip

None of the above worked and I had already wasted several hours trying to crack the password. After I had run out of options I began to realize that it can’t be brute force, there must be another way, else they wouldn’t make it this hard. I began to experiment [spoiler: none of these things worked, skip to the next paragraph for the actual solution if you aren’t interested].
So firstly what I did was list all the files inside the locked zip, and got a listing of the names as shown: $ unzip -l <zip file name>

Now my first guess was to take the numbers just before the .jpg extension, convert them to ASCII and concat the result to form a password. Unfortunately it did not work. I tried to take all the numbers and concat them to form a hex string (including a bit of manipulation), which didn’t work, and tried to add the numbers and use that as a password.
After wasting 2 more hours trying silly stuff like this I went ahead and took a break so that I could come back with a fresh mind.

The Second Hint

After I came back from the break I went ahead and took another hint. According to Intigriti they would tweet a hint for every 100 likes. So till now there were about 300 likes and 3 hints had been tweeted

Looking at the 2 hints, it doesn’t make a whole lot of sense at first, but I went ahead and followed the instructions as is.
I clicked reply on the post and there I noticed that the tweet was originally posted from another account.

OK, so that was clever. Time for another round of brute forcing. I made a list of every important word in this Twitter profile but again no seed.
I wasted a bit more time trying to modify the list, reversing words, breaking them, uppercase, lowercase, and pretty much tried everything I could, but it did not work.

The Third Hint

Look for cover. Well, it made no sense at first but then it hit me: “they are definitely talking about the cover photo on the Twitter profile”. I quickly went on to the newly found Twitter profile page but there was no cover 😣.

The heck 👊. Well, it wasn’t going to be that obvious. I then began to look for the keyword cover in the DOM yet found nothing.

I then tried to look for the keyword “banner”, since the cover photo is mostly referred to as a banner cover, and finally found the following link
https://pbs.twimg.com/profile_banners/855398308302520322/1546517083/1500x500

I found the password and unzipped the file, got some tea thinking all my problems were over and I’d finally made it, but Intigriti had other plans.

The unzipped file contained some 442 jpg files (yes, binwalk all the way)

I started off with the usual strings and did not find anything worth mentioning, then tried to look at the metadata with exiftool, nothing there either. Well, at this point I was completely stuck since I had previously experimented with the names. Intigriti had tweeted that the flag will have a keyword flag at the start of it, so at least I knew what I was looking for.
After many failed attempts like trying Morse code etc., I viewed the files in Explorer

And something hit me: “Black and white tiny images, what if I could combine them and make a single image, but how and in what pattern?”

After a bit of googling I came across a tool named montage. What montage does is use “ImageMagick” to combine different images into one.
Let’s take an example.

I have 2 images here. Let’s concatenate them into a single image.

montage -mode concatenate <img1> <img2> <outputImg>

and voilà!

Then I quickly did an ls -v, which sorts the files by name, piped that into montage and ended up with a QR code.

Went ahead, scanned it and finally, finally got the flag
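Why the file order fed to montage matters, as an added example that is not part of the original post: a constructed 16x16 pattern is cut into numbered tiles and put back together in plain lexical order and in ls -v style natural order. The part_N.jpg names and the pattern are assumptions for illustration; the CTF's real file names and grid layout are not reproduced here.

```python
import re


def natural_key(name):
    """Sort key that compares digit runs as integers, like `ls -v`."""
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", name)]


def make_pattern(size=16, tile=4):
    """Constructed bitmap; each tile's top row encodes its index in binary."""
    rows = []
    for r in range(size):
        line = ""
        for c in range(size):
            t = (r // tile) * (size // tile) + c // tile
            bit = (t >> (c % tile)) & 1 if r % tile == 0 else (r + c) & 1
            line += "#" if bit else "."
        rows.append(line)
    return rows


def split_into_tiles(bitmap, tile):
    """Cut a square bitmap into tile x tile blocks, numbered row by row."""
    per_row = len(bitmap) // tile
    tiles = {}
    for idx in range(per_row * per_row):
        r, c = divmod(idx, per_row)
        tiles[f"part_{idx}.jpg"] = [row[c * tile:(c + 1) * tile]
                                    for row in bitmap[r * tile:(r + 1) * tile]]
    return tiles


def assemble(tiles, names, per_row):
    """Lay tiles out left to right, top to bottom, in the given name order."""
    out = []
    for start in range(0, len(names), per_row):
        row_tiles = [tiles[n] for n in names[start:start + per_row]]
        out.extend("".join(lines) for lines in zip(*row_tiles))
    return out


ORIGINAL = make_pattern()
TILES = split_into_tiles(ORIGINAL, 4)          # part_0.jpg .. part_15.jpg

if __name__ == "__main__":
    lexical = sorted(TILES)                    # part_0, part_1, part_10, ...
    natural = sorted(TILES, key=natural_key)   # part_0, part_1, part_2, ...
    print("lexical order restores image:", assemble(TILES, lexical, 4) == ORIGINAL)
    print("natural order restores image:", assemble(TILES, natural, 4) == ORIGINAL)
    print("\n".join(assemble(TILES, natural, 4)))
```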

Lessons Learned

Try absolutely every crazy thing that comes to your mind while doing a CTF, ya never know.
Keep learning, keep growing — see y’all in the next post.