Post

CORe Winter CTF 2024 Writeup

Posted Updated
By Evan
9 min read
CORe Winter CTF 2024 Writeup

Winter CTF Write-Up

Recently, I had the pleasure of participating in my university’s Winter CTF challenge. It was an awesome experience that removed some rust from my cybersecurity skills, introduced me to new tools, and reignited my passion for problem-solving in this domain. Below is a detailed account of the challenges I encountered and how I approached them. I had no plan but to do what I knew I could solve without any hints or assistance throughout, each challenge was broken up into groups, this is close to the order I solved them in minus the password cracking challenges and story challenges which I swapped between as I got frustrated near the end.

Beginner Challenges

To access the main CTF challenges, I first needed to complete a set of beginner-level tasks:

  1. What is the letter “A” in the CIA triad acronym?
    Answer: Accessibility
  2. What port number is SSH?
    Answer: 22
  3. What is the acronym MFA in the context of cybersecurity?
    Answer: Multi-Factor Authentication

Once these were completed, I gained access to the full CTF.

Web Exploitation Challenges

I started with web exploitation because its what I most remember of cybersecurity and easiest:

  1. Inspect HTML:
    The flag was hidden in the HTML source code as a comment.
  2. Web Inspector Decode:
    Similar to the previous challenge, but the flag was a Base64-encoded comment on another page.
  3. Web Redirect:
    A consistent JavaScript redirection was present on the page. I solved it by capturing the network data with Burp Suite via a web crawl then downloading the HTML which properly redirected me to the flag page.
  4. Web GetaHead:
    This challenge specifically told me to change the request header from GET to HEAD which subsequently revealed the flag.

General Skills

Next, I moved on to challenges that required basic reconnaissance:

  1. Ports:
    Using Zenmap, I scanned the given IP address to find the number of open TCP ports which was the flag.

Encoding/Encryption Challenges

This category tested my ability to decode and analyze encoded or encrypted data:

  1. Decode 1:
    A Base64 string that required decoding.
  2. Hash Crack 1:
    This challenge wanted to know what hash type the provided hash was. I identified it as MD5 based on its byte length.
  3. Decode 2:
    A hexadecimal string needed identification and decoding for this flag.
  4. Decode 3:
    Given salad.jpg and the message “Et tu, Brute?” as a hint, I found a string within the image of a Caesar salad. Using a Caesar cipher with a shift of 13 (the length of “Et tu, Brute?”), the flag was revealed from that string of text. This is also just a ROT13 cipher.
  5. Decode 4:
    A sound file contained Morse code, which, when transcribed, provided the flag.
  6. Where Am I?:
    Metadata in an image file revealed latitude and longitude, leading to the flag.

Grep Challenges

These required text searching within files:

  1. Beginner Grep:
    The flag was easily found by opening a file in a text editor.
  2. Grep 2:
    A zip file contained nested folders and text files of absurd side. Using grep to search for “CTF” I was able to quickly locate the flag.

Network Recon Challenges

These challenges all involved looking for something in a PCAP file, I got Wireshark and learned how to use it to analyze all four which were all fairly straightforward to solve.

Digital Forensics

For these challenges, I utilized tools like Steghide which is for linux only as far as I am aware and ExifTool alternatively you can use aperisolve without needing either. I used aperisolve later in the challenge when I realized I couldn’t get Steghide to work:

  1. Image Analysis 1:
    Using Steghide, I extracted the flag from the image. For convenience, I used AperiSolve.
  2. Image Analysis 2:
    Opening the image in exiftool revealed metadata containing the flag.
  3. Image Analysis 3:
    First, I extracted another image (sly.jpg) using Steghide. Examining its metadata revealed the flag.

For the disk image analysis challenges, I used Autopsy, a wonderful disc forensics tool that’s also free! After thorough exploration of the provided images, all three challenges were easily solved.

Password Cracking Challenges

These were some of the most challenging tasks for me:

  1. Hash Crack 1.5:
    Given a hash and mask we needed to crack it for the flag. Thankfully the mask is given and a known flag format of CTF{...} I was able to run the mask via Hashcat, this has was cracked very quickly.
  2. PDF Crack:
    Given a password protected pdf I first extracted the hash of the password using John the Ripper, an alternative to Hashcat, I then took that hash and switched back to Hashcat to perform a dictionary attack with rockyou.txt, to unlocking the PDF which gave the flag.
  3. Password Crack 1:
    Given a hash of a user’s password and the format for those passwords which was {adjective}{noun}{two digits} (all lowercase). I just needed to crack the hash to get the flag, simple right? No. At first I used some random wordlists I found online to little success after several failures I used this list and its adjective counter part to make my own word list as it was the largest I could find. Moving on to making that word list I wrote a Python script to generate all possible combinations of {adjective}{noun} and then used Hashcat’s hybrid dictionary and mask attack to crack it.
  4. Password Crack 2:
    Similar to the first but with the format {noun}{adjective}{three digits}. This was a nightmare to solve and required further refinement of my Python script. While inefficient I modified my script to generate every single possible combination instead of using Hashcat’s hybrid attack like I did previously. This led to a massive 500GB dictionary file which after some time cracked the hash. I was extremely proud of myself for doing this as I was the only person in the CTF to get this challenge, I would later learn that I would need to refine my script to split the overall generation into smaller chunks but this method worked.

Story Challenges

The story-based challenges added a unique narrative element to the CTF. Each task built on the last:

  • 1.1:
    Asked to identify a hidden website’s IP that was attached to the Story website solved using Zenmap.
  • 1.2:
    Asked to find the backend developer’s username, which was clearly listed on the story website’s public page.
  • 2.1:
    Asked for the password of that same developer, after each page of the public website I was able to find HTML comments that listed a list of hashed passwords for each fake employee and their password policy of [adjective][noun][##]. This is where my blunder in Password Crack 2 came to haunt me, because I struggled so much during that challenge and generated so many files with poor naming schemes I didn’t remember which wordlist I generated had that format nor could I preview them because of how large they were. This was the time I spent refining my python script to where it is now. Here is the code:
import os

with open("Adjectives-All.txt", "r") as adj_file:
    adjectives = [line.strip() for line in adj_file]

with open("Nouns-All.txt", "r") as noun_file:
    nouns = [line.strip() for line in noun_file]

# Print some initial checks to ensure files are loaded correctly
print(f"Loaded {len(adjectives)} adjectives.")
print(f"Loaded {len(nouns)} nouns.")

def generate_combinations():
    for adj in adjectives:
        for noun in nouns:
            yield f"{adj}{noun}" #append {adj}{noun} then check digits in hashcat

MAX_FILE_SIZE = 10 * 1024 * 1024 * 1024  # 10 GB

def write_combinations_to_files():
    file_count = 1  
    current_file_size = 0
    output_filename = f"AdjNoun2_part{file_count}.txt"
   
    with open(output_filename, "w", encoding="utf-8") as outfile:
        for word in generate_combinations():
            # Write the current word combination to the file
            outfile.write(word + "\n")
           
            current_file_size += len(word) + 1  # +1 for the newline character
            
            if current_file_size >= MAX_FILE_SIZE:
                # Close current file and move to the next
                print(f"File {output_filename} reached 10GB. Splitting into a new file.")
                file_count += 1
                output_filename = f"AdjNoun2_part{file_count}.txt"
                outfile.close()
                current_file_size = 0
                outfile = open(output_filename, "w", encoding="utf-8")
        
        outfile.close()
        print(f"Combined word list split into multiple files, All finished.")

write_combinations_to_files()

These changes made it so much better. Basically this takes the wordlists in and combines them for every possible permutation of {adjective}{noun}. For example it will make happycat then happydog and so on until it has generated all happy{noun}’s possible then moves on to the next adjective. This code also now splits the generation into 10gb parts so I could run them in Hashcat while it was generating the next part. With this I found the flag saving tons of hard drive space and time.

  • 3.1:
    Located a PCAP file within the SSH-accessible server given our new credentials. The challenge required its name.
  • 3.2:
    Requested the login details we got in 2.1.
  • 4.1:
    Analyze the PCAP file from 3.1 to identify a transferred image file. The challenge wanted the image’s name.
  • 5.1:
    This challenge told us there was something hidden in that image file, requesting the page again and analyzing its metadata gave us a hint that said “Here is your hint, Lat, Long: 45.1589 -115.8413. The password to the image is the last name of the pilot of this flight, plus the number of souls on board.” the flag was the coordinates.
  • 5.2:
    The coordinates pointed to a plane crash that matched the image provided. By finding the pilot’s last name and the number of souls on board, the password for the image gave us the flag.
  • 6.1:
    Breaking the earlier image again using AperiSolve yielded a binwalk file that contained the final flag of the story challenges.

Bonus Challenge

This challenge asked us to recall if we saw anything more during the story challenges. I actually found this earlier when analyzing the PCAP file in 3.1 by filtering for DNS request while I was aimlessly looking for other solutions. This lead to a hidden website linked to the story, the name of, was the bonus flag.

Final Thoughts

Completing the CTF without hints placed me at the top of the leaderboard just barely along with being the only person to solve the 2nd Password Crack challenge. I didn’t get zero help but the help I did get was more about clarification on flag format for two challenges, neither of which disqualified my no hint run of this CTF per the Organizer. Overall this CTF was a fantastic way to relearn old skills, master new tools, and dive deeper into cybersecurity concepts. I was exposed to lots of new tools and learned lots from this!

Special thanks to the my university’s CORe program for hosting this event, @Austin N. and @Cameron (The Mechanic W) over the CORe discord for making and testing the challenges, and the folks part of the BSU IT Club. I’m already looking forward to the next CTF!

CTF Python
This post is licensed under CC BY 4.0 by the author.