PicoCTF Forensics Challenges

Nourhanelyamany
Published in CyberScribers · 10 min read · Oct 9, 2023

Here is my writeup for the forensics challenges on the picoCTF website. All you need to start the easy challenges is a Kali Linux machine. You can follow the steps here to learn more about how to analyze files and search for the flag.

Glory Of The Garden

The challenge gives you an image to search in.

First I used exiftool to look at the image's metadata and didn't find anything hidden there.

Then I ran the strings tool on the image. Most commercial and open-source forensic tools allow string searches and will search allocated space, unallocated space and file slack.

As we can see, the flag was hidden in the strings of the image.

flag: picoCTF{more_than_m33ts_the_3y3eBdBd2cc}

Information Challenge

The challenge gives you an image and states that there may be a hidden file in it.

First I will use exiftool, a tool pre-installed on Kali that shows the metadata of a file or image.

I found a base64 string in the image's metadata.

I copied the base64 string into a text file to decode it.

As you can see, we found the flag there.

flag : picoCTF{the_m3tadata_1s_modified}
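exiftool is the quick way to read the metadata, but it helps to know what it is actually reading: in a PNG the text fields live in tEXt and zTXt chunks, each protected by a CRC. The following is an added example, not code from the writeup, that walks the chunks itself, pulls out every text field and reports the ones that decode as base64. The PNG it runs on is constructed inline (a 1x1 image with an Author field and a License field carrying the base64 value); the real challenge file is not reproduced here.

```python
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (type, payload) for each chunk after checking the signature and each chunk's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_text_fields(data):
    """Return {keyword: text} for every tEXt and zTXt chunk (the fields exiftool lists for a PNG)."""
    fields = {}
    for ctype, payload in png_chunks(data):
        if ctype == b"tEXt":
            key, _, text = payload.partition(b"\x00")
            fields[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = payload.partition(b"\x00")
            # rest[0] is the compression method; 0 (zlib/deflate) is the only one defined
            fields[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
    return fields


def try_base64(text):
    """Decode text as base64, tolerating spaces and stripped '=' padding; None if it is not base64 UTF-8."""
    compact = "".join(text.split())
    if not compact:
        return None
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_hidden_text(data):
    """Return {keyword: decoded} for each metadata field whose value decodes as base64 text."""
    found = {}
    for key, value in png_text_fields(data).items():
        decoded = try_base64(value)
        if decoded is not None:
            found[key] = decoded
    return found


def make_png(text_fields):
    """Constructed sample input: a 1x1 RGB PNG carrying the given tEXt fields."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth, RGB, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")              # one row: filter byte 0 + one red pixel
    out = PNG_SIG + chunk(b"IHDR", ihdr)
    for key, value in text_fields.items():
        out += chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return out + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed sample; only the License value mirrors what the challenge's metadata held.
SAMPLE = make_png({
    "Author": "constructed sample",
    "License": base64.b64encode(b"picoCTF{the_m3tadata_1s_modified}").decode("ascii"),
})

if __name__ == "__main__":
    for key, decoded in find_hidden_text(SAMPLE).items():
        print("%s: %s" % (key, decoded))
```

The CRC check matters in forensics: a chunk whose CRC does not match was edited by something other than a normal image library, which is itself a hint that the field was modified.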

MacroHard WeakEdge

The challenge gives you a PowerPoint file to investigate.

First I used the strings tool to see the content of the file.

I saw a very strange path that contains a hidden file.

So I extracted the file (a .pptx is a zip archive) and went to the following path: ppt/masterSlides/hidden.

I used the cat command to print the content of this text file.

I found strange strings that seem unreadable; I think they need to be decoded.

Let's remove the spaces in the string using a simple Python script:

hidden = "Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w d H N f c l 9 6 M X A 1 f Q"
# every character was separated by a space; join them back into one base64 string
hidden = hidden.split(" ")
print("".join(hidden))

The output is:

ZmxhZzogcGljb0NURntEMWRfdV9rbjB3X3BwdHNfcl96MXA1fQ

Let's decode it from base64 using CyberChef (the string has no trailing "=" padding, so a decoder that insists on padding needs two "=" appended).

flag: picoCTF{D1d_u_kn0w_ppts_r_z1p5}
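The flag text spells out the lesson: a .pptx is a zip. The following is an added example, not the writeup's code, that does the whole procedure programmatically: open the archive, list the members that are not ordinary OOXML parts (XML, .rels, or media), and decode a space-separated base64 payload with its padding restored. The archive it runs on is constructed inline to look like a presentation with one extra member at the path from the writeup; the real challenge file is not included.

```python
import base64
import io
import zipfile

OOXML_SUFFIXES = (".xml", ".rels")


def unusual_entries(zip_bytes):
    """Names of members that are not ordinary OOXML parts.

    A .pptx is a zip of XML parts, .rels relationship files and media under
    ppt/media/.  Anything else, such as an extensionless file dropped next to
    the slide masters, is worth a look.
    """
    odd = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            if name.lower().endswith(OOXML_SUFFIXES) or name.startswith("ppt/media/"):
                continue
            odd.append(name)
    return odd


def decode_spaced_base64(text):
    """Undo the one-character-per-space obfuscation and base64-decode, restoring stripped '=' padding."""
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact)


def read_hidden(zip_bytes):
    """Decode every unusual member; returns {member name: decoded bytes}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in unusual_entries(zip_bytes):
            out[name] = decode_spaced_base64(zf.read(name).decode("ascii", "replace"))
    return out


def make_sample_pptx():
    """Constructed stand-in for the challenge file: an OOXML-shaped zip plus the hidden member from the writeup."""
    hidden = ("Z m x h Z z o g c G l j b 0 N U R n t E M W R f d V 9 r b j B 3 X 3 B w "
              "d H N f c l 9 6 M X A 1 f Q")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        zf.writestr("ppt/masterSlides/slideMaster1.xml", "<p:sldMaster/>")
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("ppt/masterSlides/hidden", hidden)
    return buf.getvalue()


if __name__ == "__main__":
    for name, content in read_hidden(make_sample_pptx()).items():
        print(name, "->", content.decode("utf-8", "replace"))
```

The member filter is the useful part for real documents: Office never writes extensionless files, so anything that is neither XML nor media is either a macro container, an embedded object, or something a person put there by hand.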

Matryoshka doll

The challenge gives you an image and states that there may be hidden files in it.

I used binwalk to check whether any files are hidden inside this image.

I found compressed files inside it, so I extracted them using binwalk -e.

The extraction gave me a folder called base images that contains another image of the matryoshka doll, so repeat the same binwalk command to extract any files hidden inside the second image.

Repeat this until you reach image number 4; inside it you will find a flag.txt. Use the cat command to show the content of the file.

Congratulations! You found it.

flag: picoCTF{96fac089316e094d41ea046900197662}

Trivial Flag Transfer Protocol

The challenge gives you a pcap file to search for the flag.

The pcap file has a lot of packets, so I will export only the files transferred over TFTP (File > Export Objects > TFTP in Wireshark).

I found these files: instruction.txt, plan, program.deb, picture1.bmp, picture2.bmp and picture3.bmp. Let's analyze each of them individually.

Reading the instruction.txt file, I think it contains encrypted text:

GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA

So let's try to decode it using CyberChef.

Okay, it is encrypted with ROT13.

The value is:

TFTP DOESNT ENCRYPT OUR TRAFFIC SO WE MUST DISGUISE OUR FLAG TRANSFER. FIGURE OUT A WAY TO HIDE THE FLAG AND I WILL CHECK BACK FOR THE PLAN.

I think it is a hint to check the plan file.

This was the content of the plan file:

VHFRQGURCEBTENZNAQUVQVGJVGUQHRQVYVTRAPR.PURPXBHGGURCUBGBF

Let's use CyberChef to decode it (ROT13 again):

The value is:

I USED THE PROGRAM AND HID IT WITH DUEDILIGENCE. CHECK OUT THE PHOTOS

It is another hint, this time to check the program and the photos.

When I opened the program (a .deb package) I found many files that point to steghide, so I think steghide was used to hide data inside the images.

I looked at the three images and found that picture3.bmp has the largest size, so the data may be hidden inside it. (File size alone is only a weak hint; if the first guess fails, try each picture in turn.)

Let's try to use steghide to extract data from it.

Hmm, it requires a passphrase.

The plan file said HID IT WITH DUEDILIGENCE, so let's try DUEDILIGENCE as the passphrase.

Great! It worked!

Let's read flag.txt.

Congratulations!

flag: picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}
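Wireshark's export does the TFTP reassembly for you, but the protocol is simple enough to rebuild by hand, and doing so shows why the first hint file says what it does: there is no encryption, and every byte of every file is in the capture. The following is an added example, not from the writeup, that parses TFTP messages (RFC 1350), reassembles each transfer from its numbered DATA blocks, and applies ROT13 to the result. The packet list is constructed inline from the two ciphertexts shown above (as a client reading instruction.txt and plan); the same rot13 helper covers the ROT13 step in the "Wireshark doo dooo do doo..." challenge further down. A real capture would key transfers on the client's ip:port rather than the IP alone, as noted in the code.

```python
import codecs
import struct

TFTP_RRQ, TFTP_WRQ, TFTP_DATA, TFTP_ACK, TFTP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def parse_tftp(payload):
    """Parse one TFTP UDP payload (RFC 1350) into a dict keyed by the fields its opcode carries."""
    (opcode,) = struct.unpack(">H", payload[:2])
    if opcode in (TFTP_RRQ, TFTP_WRQ):
        filename, mode = payload[2:].split(b"\x00")[:2]
        return {"op": opcode, "filename": filename.decode("ascii"), "mode": mode.decode("ascii")}
    if opcode == TFTP_DATA:
        (block,) = struct.unpack(">H", payload[2:4])
        return {"op": opcode, "block": block, "data": payload[4:]}
    if opcode == TFTP_ACK:
        (block,) = struct.unpack(">H", payload[2:4])
        return {"op": opcode, "block": block}
    if opcode == TFTP_ERROR:
        (code,) = struct.unpack(">H", payload[2:4])
        message = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"op": opcode, "code": code, "message": message}
    raise ValueError("unknown TFTP opcode %d" % opcode)


def reassemble_transfers(packets):
    """Rebuild every file in a list of (src_ip, dst_ip, udp_payload) tuples.

    A transfer begins with an RRQ/WRQ naming the file; DATA blocks are numbered
    from 1 and the transfer ends at the first block shorter than 512 bytes.
    Returns {filename: bytes}; raises if a finished transfer is missing blocks.
    (A real capture should key transfers on the client's ip:port, because the
    server answers from a fresh ephemeral port.)
    """
    files = {}
    pending = {}   # client ip -> (filename, {block number: data})
    for src, dst, payload in packets:
        msg = parse_tftp(payload)
        if msg["op"] in (TFTP_RRQ, TFTP_WRQ):
            pending[src] = (msg["filename"], {})
        elif msg["op"] == TFTP_DATA:
            client = dst if dst in pending else src   # read: server->client; write: client->server
            if client not in pending:
                continue   # DATA for a transfer whose request was not captured
            name, blocks = pending[client]
            blocks[msg["block"]] = msg["data"]
            if len(msg["data"]) < BLOCK_SIZE:        # short block ends the transfer
                missing = set(range(1, max(blocks) + 1)) - set(blocks)
                if missing:
                    raise ValueError("%s: missing blocks %s" % (name, sorted(missing)))
                files[name] = b"".join(blocks[b] for b in sorted(blocks))
                del pending[client]
    return files


def rot13(text):
    """The 'encryption' both hint files used; ROT13 is its own inverse."""
    return codecs.decode(text, "rot_13")


def build_capture():
    """Constructed sample capture: a client reads the two hint files from the writeup over TFTP."""
    instruction = (b"GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE."
                   b"SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA")
    plan = b"VHFRQGURCEBTENZNAQUVQVGJVGUQHRQVYVTRAPR.PURPXBHGGURCUBGBF"
    client, server = "10.0.0.2", "10.0.0.1"
    pkts = [(client, server, struct.pack(">H", TFTP_RRQ) + b"instruction.txt\x00octet\x00")]
    # pad the first file past one block so the capture crosses a 512-byte block boundary
    body = instruction + b"\n" * (BLOCK_SIZE + 10 - len(instruction))
    for i in range(0, len(body), BLOCK_SIZE):
        block = i // BLOCK_SIZE + 1
        pkts.append((server, client, struct.pack(">HH", TFTP_DATA, block) + body[i:i + BLOCK_SIZE]))
        pkts.append((client, server, struct.pack(">HH", TFTP_ACK, block)))
    pkts.append((client, server, struct.pack(">H", TFTP_RRQ) + b"plan\x00octet\x00"))
    pkts.append((server, client, struct.pack(">HH", TFTP_DATA, 1) + plan))
    pkts.append((client, server, struct.pack(">HH", TFTP_ACK, 1)))
    return pkts


if __name__ == "__main__":
    for name, content in reassemble_transfers(build_capture()).items():
        print(name, "->", rot13(content.decode("ascii")).strip())
```

Two details are worth keeping in mind when doing this on a real capture: a file whose length is an exact multiple of 512 ends with an empty DATA block, and a transfer with a missing block is silently wrong unless you check the block numbers, which is why the function refuses to return a file with gaps.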

Wireshark doo dooo do doo…

The challenge gives you a pcap file to search for the flag.

Use Wireshark to investigate this file.

I followed the TCP streams one by one until I found something strange.

I found a suspicious line in stream number 5 that has the same shape as the flag format.

Using CyberChef, I decoded this line with ROT13.

And here's the flag.

flag: picoCTF{p33kab00_1_s33_u_deadbeef}

tunn3l v1s10n

The challenge gives you a file with no extension that we cannot open.

First I tried to open the file, but it has no extension, so I used exiftool to identify its type.

We can see that the file is a BMP.

Now we can check whether the file header is correct using any hex editor.

As we can see, the header fields are not what a valid BMP needs, so we can correct them to a proper BMP header.

The size of the DIB header and the image height are wrong, so we need to edit the bytes at offset 0x0e (the DIB header size field) and offset 0x16 (the height field). The value 32 01 there is 0x132 = 306, which makes no sense as a bits-per-pixel value but fits an image height that has been cut down to hide the bottom of the picture; the real bits-per-pixel field sits at offset 0x1c.

So we change the ba d0 of the DIB header size to 28 00 (0x28 = 40, the size of a standard BITMAPINFOHEADER) and the 32 01 of the height (0x132 = 306 rows) to 40 03 (0x340 = 832 rows), so the rows hidden below the declared height are displayed again. BMP fields are little-endian, so each value is written low byte first.

After renaming tunn3lv1s10n to tunn3lv1s10n.bmp we can open it and get the flag.

flag: picoCTF{qu1t3_a_v13w_2020}
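Rather than patching bytes in a hex editor by eye, the same repair can be derived from the file itself: the DIB header size is known (40), the pixel data starts right after the 54 bytes of headers, and the true height is whatever number of rows the remaining bytes hold at the declared width and depth. The following is an added example, not the writeup's procedure, that decodes both BMP headers, lists the fields that disagree with the file, and rewrites them. It runs on a constructed 4x6 24-bit image whose header lies about the DIB size, the pixel-data offset and the height; the real challenge file is not included.

```python
import struct

FILE_HEADER = "<2sIHHI"        # 'BM', file size, reserved, reserved, offset of pixel data
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, ...
INFO_SIZE = 40
HEADER_TOTAL = 14 + INFO_SIZE   # 54: where pixel data starts in a plain BMP


def row_stride(width, bpp):
    """Bytes per pixel row; BMP pads each row to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def inspect_bmp(data):
    """Decode both headers and list every field that does not fit the bytes actually present."""
    magic, _file_size, _r1, _r2, off_bits = struct.unpack_from(FILE_HEADER, data, 0)
    (dib_size, width, height, _planes, bpp, compression, _size_image,
     _xppm, _yppm, _clr_used, _clr_important) = struct.unpack_from(INFO_HEADER, data, 14)
    problems = []
    if magic != b"BM":
        problems.append("magic is %r, expected b'BM'" % magic)
    if dib_size != INFO_SIZE:
        problems.append("DIB header size is 0x%x (%d), expected 40" % (dib_size, dib_size))
    if off_bits != HEADER_TOTAL:
        problems.append("pixel data offset is %d, expected %d" % (off_bits, HEADER_TOTAL))
    if bpp not in (1, 4, 8, 16, 24, 32):
        problems.append("bits per pixel is %d" % bpp)
    if compression == 0 and bpp in (24, 32):
        # uncompressed: the file size tells us how many rows are really there
        rows_in_file = (len(data) - HEADER_TOTAL) // row_stride(width, bpp)
        if abs(height) != rows_in_file:
            problems.append("height is %d but the file holds %d rows" % (height, rows_in_file))
    return {"width": width, "height": height, "bpp": bpp, "dib_size": dib_size,
            "off_bits": off_bits, "problems": problems}


def repair_bmp(data):
    """Return a copy with offset 0x0a, 0x0e and 0x16 set to what the bytes imply.

    0x0a: pixel data offset -> 54; 0x0e: DIB header size -> 40;
    0x16: height -> rows actually present; 0x02: file size -> real length.
    """
    fixed = bytearray(data)
    (width,) = struct.unpack_from("<i", data, 0x12)
    (bpp,) = struct.unpack_from("<H", data, 0x1c)
    struct.pack_into("<I", fixed, 0x0a, HEADER_TOTAL)
    struct.pack_into("<I", fixed, 0x0e, INFO_SIZE)
    struct.pack_into("<i", fixed, 0x16, (len(data) - HEADER_TOTAL) // row_stride(width, bpp))
    struct.pack_into("<I", fixed, 0x02, len(data))
    return bytes(fixed)


def make_broken_bmp():
    """Constructed sample: a 4x6 24-bit image whose header claims DIB size 0xd0ba, offset 0xd0ba and height 2."""
    width, true_rows, bpp = 4, 6, 24
    pixels = b"".join(bytes([0, 0, 255]) * width for _ in range(true_rows))   # 12-byte rows, already 4-aligned
    info = struct.pack(INFO_HEADER, 0xD0BA, width, 2, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack(FILE_HEADER, b"BM", HEADER_TOTAL + len(pixels), 0, 0, 0xD0BA)
    return file_hdr + info + pixels


if __name__ == "__main__":
    broken = make_broken_bmp()
    for p in inspect_bmp(broken)["problems"]:
        print("problem:", p)
    print("after repair:", inspect_bmp(repair_bmp(broken)))
```

Computing the height from the file size is the general form of the hand edit in the writeup: the picture's hidden rows are still in the file, the header just tells viewers to stop early. The 0xd0ba values are the ba d0 byte pairs from the hex dump read as little-endian.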

Packets Primer

This challenge gives you a pcap file to find the flag in.

This is a very easy challenge; we just need to inspect each packet.

I checked the data sent in each packet.

I found the flag format in the data of the 4th packet.

flag: picoCTF{p4ck37_5h4rk_01b0a0d6}

Redaction gone wrong

The challenge gives us a redacted PDF and we want to recover the text in it.

The PDF report has text covered with black highlighting.

The black box is drawn on top of the text, but the text itself is still in the document, so opening the PDF in Word (or simply copying the text out of the highlighted area) reveals it.

Here’s the flag!

flag: picoCTF{C4n_Y0u_S33_m3_fully}
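This is the classic redaction failure: a rectangle is painted over the text, but the text-showing operator (Tj) that draws the string is still in the page's content stream, so any tool that reads the stream rather than rendering it gets the original back. The following is an added example, not from the writeup, that extracts Tj/TJ strings from a PDF's content streams (inflating FlateDecode streams) and shows the proper alternative, which removes the secret from the stream before the box is drawn. It runs on a constructed minimal one-page PDF, not on the challenge's report, and handles only direct /Length values and the FlateDecode filter.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_START = re.compile(rb"(<<.*?>>)\s*stream\r?\n", re.S)
STRING_RE = rb"\(((?:[^()\\]|\\.)*)\)"          # one (...) string literal, honouring backslash escapes
TJ_RE = re.compile(STRING_RE + rb"\s*Tj")
TJ_ARRAY_RE = re.compile(rb"\[(.*?)\]\s*TJ", re.S)


def content_streams(pdf):
    """Yield the decoded bytes of every stream object (FlateDecode inflated; other filters returned raw)."""
    for _num, body in OBJ_RE.findall(pdf):
        m = STREAM_START.search(body)
        if not m:
            continue
        dictionary, start = m.group(1), m.end()
        length = re.search(rb"/Length\s+(\d+)\b", dictionary)
        if length:
            data = body[start:start + int(length.group(1))]
        else:   # fall back to the endstream keyword when /Length is an indirect reference
            data = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        yield data


def extract_text(pdf):
    """Every string drawn by Tj or TJ, regardless of what is painted over it afterwards."""
    out = []
    for stream in content_streams(pdf):
        for m in TJ_RE.finditer(stream):
            out.append(m.group(1).decode("latin-1"))
        for m in TJ_ARRAY_RE.finditer(stream):
            out.append(b"".join(re.findall(STRING_RE, m.group(1))).decode("latin-1"))
    return out


def redact_properly(content, secret=rb"picoCTF\{[^}]*\}"):
    """Real redaction: rewrite the text operator so the secret is no longer in the file at all."""
    return re.sub(rb"\(([^()]*?)" + secret + rb"([^()]*?)\)", rb"(\1[REDACTED]\2)", content)


def make_pdf(content, compress=True):
    """Constructed minimal one-page PDF around the given content stream (not the challenge's report)."""
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d %s>>\nstream\n" % (len(body), filt) + body + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    pdf = b"%PDF-1.4\n"
    offsets = []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(pdf))
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(pdf)
    pdf += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    pdf += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    pdf += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return pdf


# Constructed content stream: the text is drawn, then a black rectangle is filled on top of it.
PAINTED_OVER = (b"BT /F1 12 Tf 72 700 Td (Subject: picoCTF{constructed_example_flag}) Tj ET\n"
                b"0 g 70 697 330 16 re f\n")

if __name__ == "__main__":
    print("painted over:", extract_text(make_pdf(PAINTED_OVER)))
    print("redacted    :", extract_text(make_pdf(redact_properly(PAINTED_OVER))))
```

The same failure shows up with images pasted over text, with annotations hiding form fields, and with metadata (author, title, keywords) that the redaction tool never touched; the test for all of them is the same: extract, do not render.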

Sleuthkit Intro

The challenge gives us a disk image and asks for the size of the Linux partition.

After downloading the file I decompressed it so I could look at the partitions of the disk.

I used mmls to print the partition table of the disk.

The challenge asks for the Linux partition's size, which mmls prints in sectors in its Length column. As we can see it is:

0000202752

Then we give this size to the remote access checker program.

Access checker program: nc saturn.picoctf.net 64605

flag: picoCTF{mm15_f7w!}
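mmls is reading a 64-byte table at offset 446 of sector 0: four 16-byte entries, each with a type byte, a 32-bit LBA start and a 32-bit length in sectors. The following is an added example, not from the writeup, that parses that table, fills in the unallocated gaps the way mmls does, and returns the length of the type-0x83 (Linux) partition that the checker asks for. The sector it runs on is constructed inline with the Linux partition sized to the value the writeup found (202752 sectors); the partition starts, the swap partition and the second Linux partition are made up for the example, and extended-partition chains are not followed.

```python
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"   # status, CHS start (ignored), type, CHS end (ignored), LBA start, length
TYPES = {0x83: "Linux", 0x82: "Linux swap", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
         0x05: "Extended", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector0):
    """Parse the four primary entries of a DOS partition table.

    Returns one dict per used entry with start, end (inclusive, as mmls shows),
    length in sectors and a type description.  Logical partitions inside an
    extended partition live in their own chain and are not followed here.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature; not a DOS partition table")
    parts = []
    for slot in range(4):
        status, ptype, start, length = struct.unpack_from(ENTRY, sector0, 446 + 16 * slot)
        if ptype == 0 or length == 0:
            continue   # empty slot
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "desc": TYPES.get(ptype, "type 0x%02x" % ptype),
                      "start": start, "end": start + length - 1, "length": length})
    return parts


def mmls_rows(sector0, disk_sectors):
    """Rows like mmls prints: the table itself, partitions in start order, and the unallocated gaps."""
    rows = [{"desc": "Primary Table (#0)", "start": 0, "end": 0, "length": 1}]
    cursor = 1
    for p in sorted(parse_mbr(sector0), key=lambda p: p["start"]):
        if p["start"] > cursor:
            rows.append({"desc": "Unallocated", "start": cursor, "end": p["start"] - 1,
                         "length": p["start"] - cursor})
        rows.append(p)
        cursor = p["end"] + 1
    if cursor < disk_sectors:
        rows.append({"desc": "Unallocated", "start": cursor, "end": disk_sectors - 1,
                     "length": disk_sectors - cursor})
    return rows


def format_rows(rows):
    """mmls-style output: zero-padded 10-digit sector columns."""
    return "\n".join("%03d:  %010d  %010d  %010d  %s" % (i, r["start"], r["end"], r["length"], r["desc"])
                     for i, r in enumerate(rows))


def linux_partition_size(sector0):
    """Length in sectors of the first type-0x83 partition, the number the checker wants; None if absent."""
    for p in parse_mbr(sector0):
        if p["type"] == 0x83:
            return p["length"]
    return None


def make_sample_mbr():
    """Constructed sector 0: a Linux partition of the size from the writeup, then swap, then a second Linux one."""
    sector = bytearray(SECTOR)
    layout = [(0x80, 0x83, 2048, 202752),      # bootable Linux partition, 202752 sectors
              (0x00, 0x82, 204800, 249856),    # Linux swap (made-up size)
              (0x00, 0x83, 454656, 1642496)]   # second Linux partition (made-up size)
    for slot, (status, ptype, start, length) in enumerate(layout):
        struct.pack_into(ENTRY, sector, 446 + 16 * slot, status, ptype, start, length)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    disk = make_sample_mbr()
    print(format_rows(mmls_rows(disk, 2097152)))
    print("Linux partition size:", linux_partition_size(disk))
```

The 0x55AA check is the first thing to do on an unknown image: a disk with a GPT label still carries a DOS table in sector 0, but its single entry is of type 0xEE and the real layout is in the GPT header at sector 1, which mmls also understands but this parser does not.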

hideme

Here is an image that we want to investigate.

Let's first check whether any archived files are hidden inside this image using binwalk.

There are archived files inside the image, so we extract them with the following command:

binwalk -e flag.png

I moved into the extracted folder and found a secret folder inside it.

After investigating, I found a flag.png file inside this folder.

Opening it, we find the flag inside.

flag: picoCTF{Hiddinng_An_imag3_within_@n_ima9e_96539bea}
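Both this challenge and Matryoshka doll above rely on the same trick: a zip archive appended after the end of a valid image, which image viewers ignore and binwalk finds by scanning for the zip local-file-header signature. The following is an added example, not from the writeup, that carves an archive out of a carrier by signature, opens it, and recurses into each member until a file of the target name turns up, with a depth cap and a member-size cap so a hostile sample cannot make it recurse or inflate forever. The nested "doll" it runs on is constructed inline (a PNG signature plus filler standing in for the picture bytes, with a zip appended at each level); the real challenge files are not included.

```python
import io
import posixpath
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate anything larger than this (zip-bomb guard)


def carve_first_zip(data):
    """Bytes of the first embedded zip reachable by signature scan, or None.

    This mirrors binwalk's 'Zip archive data' signature: find the local file
    header magic and try to open an archive from there to the end of the file.
    """
    start = 0
    while True:
        off = data.find(ZIP_LOCAL_HEADER, start)
        if off < 0:
            return None
        candidate = data[off:]
        if zipfile.is_zipfile(io.BytesIO(candidate)):
            return candidate
        start = off + 1   # a stray 'PK\x03\x04' in pixel data: keep scanning


def unpack_nested(data, target="flag.txt", depth=0, max_depth=16):
    """Follow archives hidden inside members hidden inside archives until `target` turns up.

    Returns (archives opened, contents) or None when nothing is embedded.
    """
    if depth >= max_depth:
        raise RuntimeError("nesting deeper than %d levels; stopping" % max_depth)
    archive = carve_first_zip(data)
    if archive is None:
        return None
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir() and i.file_size <= MAX_MEMBER]
        for info in members:                       # direct hit at this level?
            if posixpath.basename(info.filename) == target:
                return depth + 1, zf.read(info)
        for info in members:                       # otherwise look inside each member
            hit = unpack_nested(zf.read(info), target, depth + 1, max_depth)
            if hit is not None:
                return hit
    return None


def make_doll(levels, flag=b"picoCTF{constructed_flag_for_this_example}\n"):
    """Constructed sample: `levels` nested 'images', each a PNG-signature carrier with a zip appended."""
    data, name = flag, "flag.txt"
    for level in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        carrier = b"\x89PNG\r\n\x1a\n" + b"\x00" * 128    # stand-in for the picture bytes
        data, name = carrier + buf.getvalue(), "base_images/%d_c.jpg" % (level + 1)
    return data


if __name__ == "__main__":
    opened, content = unpack_nested(make_doll(4))
    print("opened %d archives, found: %s" % (opened, content.decode().strip()))
```

Carving from the signature to the end of the file works because a zip's central directory is located from the end and its offsets are relative to the archive start, so prepended data (the image) does not disturb it; that is also why the appended archive survives being pasted behind a PNG in the first place.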

PcapPoisoning

The challenge gives us a pcap file to investigate.

I used the strings tool to look at all the strings in this file.

I got a lot of strings, so let's search for any string containing picoCTF using grep.

Here it is!

flag: picoCTF{P64P_4N4L7S1S_SU55355FUL_f621fa37}

who is it

We have an email and we want to know who the mail server it originated from belongs to.

From the Received: headers we can get the IP address of the sending server.

Now the name of the challenge helps us: whois is used to get registration information about domains and IP addresses.

Let's look up this IP address: 173.249.33.206

The whois record gives the full name Wilhelm Zwalina.

flag: picoCTF{WilhelmZwalina}
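The step before whois, picking the right Received: line, is where real investigations go wrong: every server the message passes through prepends its own line, so the oldest hop is at the bottom, and everything below the first line written by your own mail servers was supplied by the sender and can be forged. The following is an added example, not from the writeup, that parses the Received chain with Python's email module and returns the sender IP recorded by the last hop you trust. The message it runs on is constructed inline with documentation addresses (the hostnames and 203.0.113.7 are made up; the challenge's IP is not used here), and it includes a forged-looking loopback hop to show why the naive bottom-most read is wrong.

```python
import email
import re

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops(raw):
    """Received: headers in the order they appear (newest first), folding whitespace collapsed."""
    msg = email.message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def from_ip(hop):
    """The bracketed IP between 'from' and 'by': the peer address the receiving MTA actually saw."""
    m = re.search(r"\bfrom\b(.*?)\bby\b", hop)
    ip = BRACKET_IP.search(m.group(1)) if m else None
    return ip.group(1) if ip else None


def originating_ip(raw, trusted_by=()):
    """Walk the chain newest-first and return the sender IP recorded by the last hop we trust.

    Only lines written by servers in `trusted_by` (our own MTAs) are reliable;
    the first hop 'by' some other host ends the walk.  With an empty trusted_by
    the whole chain is believed, which is what a casual bottom-up read does.
    """
    chosen = None
    for hop in hops(raw):
        by = re.search(r"\bby\s+([\w.-]+)", hop)
        if trusted_by and (by is None or by.group(1) not in trusted_by):
            break
        ip = from_ip(hop)
        if ip:
            chosen = ip
    return chosen


# Constructed sample message: two hops by our own servers, then a hop the sender wrote itself.
SAMPLE_EMAIL = (
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby inbox.example.org (Postfix) with ESMTPS id ABC123\n"
    "\tfor <bob@example.org>; Mon, 9 Oct 2023 10:00:03 +0000\n"
    "Received: from relay.sender-host.example (relay.sender-host.example [203.0.113.7])\n"
    "\tby mx1.example.org (Postfix) with ESMTPS id DEF456\n"
    "\tfor <bob@example.org>; Mon, 9 Oct 2023 10:00:02 +0000\n"
    "Received: from localhost ([127.0.0.1]) by relay.sender-host.example;\n"
    "\tMon, 9 Oct 2023 10:00:01 +0000\n"
    "From: \"Support\" <support@sender-host.example>\n"
    "To: bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    ours = ("inbox.example.org", "mx1.example.org")
    print("trusted walk :", originating_ip(SAMPLE_EMAIL, trusted_by=ours))
    print("naive walk   :", originating_ip(SAMPLE_EMAIL))
```

With the trusted walk the answer is the address mx1 saw on the wire, which is the one worth putting into whois; the naive walk returns the loopback address from the hop the sender wrote, which no registry will tell you anything about.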

Disk, disk, sleuth!

Here is a disk image, and we have to find the flag inside it.

The challenge description says we may use the srch_strings command on the disk image to search for the flag string.

First we have to decompress the disk image to work on it.

Now we can use this command :

srch_strings -a dds1-alpine.flag.img

We got a lot of strings, so let's use grep to search for the picoCTF flag.

flag: picoCTF{f0r3ns1c4t0r_n30phyt3_267e38f6}

Milkslap

Use your forensics skills to solve this challenge

I opened the milk-slap link but couldn't find anything.

Let’s check the page source.

I didn't find anything useful there.

Let's check the style.css file linked from the page source.

There is an image URL inside.

Now we can download this image using wget as follows:

wget http://mercury.picoctf.net:29522/concat_v.png

Then I used a Ruby tool called zsteg, which checks PNG and BMP images for LSB steganography.

You can install it with administrator permissions: gem install zsteg

Here is the flag!

flag: picoCTF{imag3_m4n1pul4t10n_sl4p5}
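zsteg finds this flag because the message is stored in the least-significant bit of the pixel samples, and the tool brute-forces the obvious parameter choices: which channels, in which order, and whether bits are packed MSB-first or LSB-first. The following is an added example, not the writeup's or zsteg's code, that embeds a message the same way and then runs that kind of scan over raw RGB samples. The cover is a constructed gradient (the decoded pixel bytes, not a PNG file), the message is a constructed flag, and the channel/bit-order combinations are a subset of what zsteg actually tries.

```python
import re

CHANNEL = {"r": 0, "g": 1, "b": 2}


def sample_positions(pixels, channels):
    """Byte offsets of the selected channels, pixel by pixel, in the given channel order."""
    return [p * 3 + CHANNEL[c] for p in range(len(pixels) // 3) for c in channels]


def embed_lsb(pixels, message, channels="rgb"):
    """Hide `message` in the least-significant bit of each selected sample, MSB of each byte first."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    positions = sample_positions(pixels, channels)
    if len(bits) > len(positions):
        raise ValueError("message needs %d samples, cover has %d" % (len(bits), len(positions)))
    out = bytearray(pixels)
    for pos, bit in zip(positions, bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels, channels="rgb", bit_order="msb"):
    """Collect the LSB of every selected sample and pack them eight at a time into bytes."""
    bits = [pixels[pos] & 1 for pos in sample_positions(pixels, channels)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        group = bits[i:i + 8]
        if bit_order == "lsb":
            group = group[::-1]
        out.append(int("".join(str(b) for b in group), 2))
    return bytes(out)


def scan_like_zsteg(pixels, pattern=rb"picoCTF\{[^}]+\}"):
    """Try channel orders and bit orders the way zsteg does; report each combination that yields a flag."""
    hits = {}
    for channels in ("r", "g", "b", "rgb", "bgr", "rg", "rb", "gb"):
        for bit_order in ("msb", "lsb"):
            m = re.search(pattern, extract_lsb(pixels, channels, bit_order))
            if m:
                hits["b1,%s,%s" % (channels, bit_order)] = m.group().decode("ascii")
    return hits


def make_cover(pixels=200):
    """Constructed cover: raw 8-bit RGB samples (what you have after decoding a PNG), a simple gradient."""
    return bytes((p * 7 + c * 13) % 256 for p in range(pixels) for c in range(3))


if __name__ == "__main__":
    stego = embed_lsb(make_cover(), b"picoCTF{constructed_lsb_example}")
    print(scan_like_zsteg(stego))
```

The hit label mirrors zsteg's naming (one bit per sample, channel order, bit order). Changing only the low bit of each sample moves every value by at most one, which is why the stego image is visually identical to the cover and why file size, unlike in the appended-zip challenges above, tells you nothing here.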

Disk, disk, sleuth! II

We are given a disk image, and all we know is that the file with the flag is named down-at-the-bottom.txt.

We should decompress the disk image first.

Let's list the partitions of the disk using mmls.

We can see that the first two partitions don't contain anything interesting.

Let's check partition 002 with the fls tool, giving it the start sector of the partition, 2048, as the offset.

First let's look at the root directory, at inode 18290.

I found the file there.

Now we use icat, which opens the named image and copies the file with the given inode number to standard output. The flag file is the next inode inside the root directory, 18291.

flag: picoCTF{f0r3ns1c4t0r_n0v1c3_69ab1dc8}
