Shell CTF 2022 | Forensics writeup

Mohamed Elmasry · 5 min read · Aug 14, 2022


Hi People :D

This is a writeup for all the forensics challenges in Shell CTF 2022. The CTF was very beginner-friendly, and the forensics category in particular was fairly easy.

so let’s get started :D


[*] Alien Communication

====================


The attachment is a WAV audio file (Alien_voice.wav), and from the challenge name you can expect the solution to be in the WAV's spectrogram.

I used This Website to display the spectrogram; as you can see in the figure, the flag appears in the spectrogram.

Flag: shell{y0u_g07_7h3_f1ag}
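To show what the online spectrogram viewer is actually doing, here is an added Python example (not part of the original writeup, and not the challenge audio): it builds a small 16-bit PCM WAV in memory that is silent for the first half and carries a pure tone in the second half, computes a frame-by-frame DFT with only the standard library, and reports where and at what frequency energy shows up. A flag "painted" into a spectrogram is exactly this kind of time/frequency pattern, just with many more tones. The sample rate, frame size and threshold are choices made for the demo.

```python
import io
import math
import struct
import wave

SAMPLE_RATE = 8000   # Hz, chosen for the demo
FRAME = 80           # samples per analysis frame (10 ms at 8 kHz)


def make_test_wav(seconds: float = 0.4, tone_hz: float = 1000.0) -> bytes:
    """Constructed stand-in for Alien_voice.wav: 16-bit mono PCM, silence for the
    first half and a pure tone for the second half (not audio from the challenge)."""
    n = int(SAMPLE_RATE * seconds)
    samples = [
        int(32767 * 0.8 * math.sin(2 * math.pi * tone_hz * i / SAMPLE_RATE)) if i >= n // 2 else 0
        for i in range(n)
    ]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % n, *samples))
    return buf.getvalue()


def read_samples(wav_bytes: bytes):
    """Return (first-channel samples, sample rate) from 16-bit PCM WAV bytes."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        nch, width, rate = w.getnchannels(), w.getsampwidth(), w.getframerate()
        raw = w.readframes(w.getnframes())
    if width != 2:
        raise ValueError("this example handles 16-bit PCM only")
    return struct.unpack("<%dh" % (len(raw) // 2), raw)[::nch], rate


def spectrogram(samples, frame: int = FRAME) -> list:
    """Magnitude spectrum per frame via a direct DFT: spec[t][k] is the energy of
    frequency bin k (k * rate / frame Hz) in frame t. A spectrogram viewer draws
    this matrix as brightness, time on the x axis and frequency on the y axis."""
    spec = []
    for start in range(0, len(samples) - frame + 1, frame):
        chunk = samples[start:start + frame]
        row = []
        for k in range(frame // 2 + 1):
            re = sum(x * math.cos(2 * math.pi * k * i / frame) for i, x in enumerate(chunk))
            im = sum(x * math.sin(2 * math.pi * k * i / frame) for i, x in enumerate(chunk))
            row.append(math.hypot(re, im) / frame)
        spec.append(row)
    return spec


def detect_tones(wav_bytes: bytes, threshold: float = 1000.0, frame: int = FRAME) -> list:
    """Return (time_s, freq_hz) for every frame whose strongest bin exceeds `threshold`."""
    samples, rate = read_samples(wav_bytes)
    hits = []
    for t, row in enumerate(spectrogram(samples, frame)):
        k = max(range(len(row)), key=row.__getitem__)
        if row[k] > threshold:
            hits.append((t * frame / rate, k * rate / frame))
    return hits


def ascii_spectrogram(wav_bytes: bytes, frame: int = FRAME) -> str:
    """Text rendering: one column per frame, one row per bin, high frequencies on top."""
    samples, rate = read_samples(wav_bytes)
    spec = spectrogram(samples, frame)
    peak = max(max(row) for row in spec) or 1.0
    shades = " .:-=+*#%@"
    rows = []
    for k in range(frame // 2, -1, -1):
        line = "".join(shades[min(int(row[k] / peak * 9.999), 9)] for row in spec)
        rows.append("%5d Hz |%s" % (k * rate / frame, line))
    return "\n".join(rows)


if __name__ == "__main__":
    print(ascii_spectrogram(make_test_wav()))
    print(detect_tones(make_test_wav())[:3])
```

On real challenge audio you would feed `read_samples` the bytes of the WAV, use a larger frame (1024 or more) for finer frequency resolution, and read the letters off the rendered matrix; the direct DFT is O(N²) per frame, so for anything beyond a demo a FFT library is the practical choice.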

[*] Secret Document

=================

The attachment file is a DAT file (Secret-Document.dat).

You can see the word “xorry” in the challenge description, which makes it clear that this .dat file is XORed.

Therefore, I searched for a XOR file decryption tool and found This One.

I cloned the repo and ran the script as written in its Usage section, changing the input file name and setting the key to “shell”, as given in the challenge description.

The output file starts with the PNG magic bytes (89 50 4E 47 0D 0A 1A 0A), so it is a PNG image.

You just need to save the output with a .png extension rather than .txt.

The output image contains the plain text flag.

Flag: shell{y0u_c4n_s33_th3_h1dd3n}
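As an added example (my own code, not the original writeup's and not the linked repo's), here is a small Python script that does the same job as that tool and one thing more: instead of taking the key from the description, it recovers the repeating key from the ciphertext by XORing the first bytes against the PNG signature (a known-plaintext attack), then decrypts and picks the output extension from the magic bytes, which is the check the writeup did by hand. The sample ciphertext inside the script is constructed for the demo; it is not the challenge file.

```python
import itertools
import sys

# Magic-byte table used to label the decrypted output (a small subset of what `file` knows).
MAGIC_TO_EXT = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"GIF8": "gif",
}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample standing in for Secret-Document.dat: a PNG signature plus the start
# of an IHDR chunk, XORed with the repeating key b"shell". Not data from the challenge.
SAMPLE_PLAINTEXT = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT, b"shell")


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix whose repetition reproduces `stream` (the candidate key)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(ciphertext: bytes, known_prefix: bytes = PNG_MAGIC) -> bytes:
    """Known-plaintext attack: if the hidden file is a PNG, ciphertext XOR signature
    is the keystream for the first 8 bytes. Only keys of length <= 8 are fully
    recovered this way; a longer key needs more known plaintext (e.g. the IHDR chunk)."""
    keystream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    return shortest_period(keystream)


def identify(data: bytes) -> str:
    """Return a file extension based on leading magic bytes, or 'bin' if unknown."""
    for magic, ext in MAGIC_TO_EXT.items():
        if data.startswith(magic):
            return ext
    return "bin"


def decrypt_file(path: str, key: bytes) -> str:
    """Decrypt `path` with `key` and write it next to the input with the right extension."""
    with open(path, "rb") as f:
        plaintext = xor_with_key(f.read(), key)
    out = path + "." + identify(plaintext)
    with open(out, "wb") as f:
        f.write(plaintext)
    return out


if __name__ == "__main__":
    # Usage: python xor_unwrap.py Secret-Document.dat [key]
    # Without a key, assume the payload is a PNG and recover the key from its signature.
    src = sys.argv[1]
    with open(src, "rb") as f:
        head = f.read(8)
    key = sys.argv[2].encode() if len(sys.argv) > 2 else recover_key(head)
    print("key:", key, "->", decrypt_file(src, key))
```

The key-recovery step is why a challenge like this is solvable even when the description gives no key: any file format with a fixed header leaks as many keystream bytes as the header is long.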

[*] Heaven

=========

The attachment is named as a JPEG (Seventh_Heaven_Image.jpeg), but if you run the file command on it, you’ll see that it is actually a PNG, not a JPEG.

According to the challenge description, the flag is somehow related to the image's RGB values.

From this you can assume that the flag is hidden in the LSB data, and you can extract it by inspecting the bit planes with the StegSolve tool.

You can see from the following figure that the flag is hidden in the 7th RGB plane.

Flag: SHELL{man1pul4t1ng_w1th_31ts_15_3A5y}
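What StegSolve does when you step through "Red plane 0" to "Blue plane 7" (it numbers planes 0 for the LSB up to 7 for the MSB) is pull one bit out of one channel of every pixel and show the result as a black-and-white image. Here is an added Python example (not from the writeup or from StegSolve) that does the same thing on a constructed image: it embeds a payload in one bit plane, then scans all 24 channel/plane combinations for one that decodes to a flag-shaped string, so you don't have to eyeball every plane. Pixels are plain (R, G, B) tuples to keep the example dependency-free; with Pillow you would get the same list from `list(Image.open(path).convert("RGB").getdata())`. The payload and marker are demo values.

```python
import random

WIDTH, HEIGHT = 16, 16
# Constructed demo payload; not the challenge flag.
SAMPLE_PAYLOAD = b"SHELL{constructed_demo_payload}"


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list of `data`."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Pack MSB-first bits into bytes, dropping an incomplete trailing byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def make_cover(seed: int = 1) -> list:
    """Constructed cover image: WIDTH*HEIGHT pseudo-random (R, G, B) pixels, row-major."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(WIDTH * HEIGHT)]


def embed_plane(pixels: list, payload: bytes, channel: int, plane: int) -> list:
    """Write `payload` bit by bit into bit `plane` (0 = LSB, 7 = MSB) of `channel`
    (0 = R, 1 = G, 2 = B), one bit per pixel in row-major order."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in one plane of this image")
    mask = ~(1 << plane) & 0xFF
    out = []
    for idx, px in enumerate(pixels):
        px = list(px)
        if idx < len(bits):
            px[channel] = (px[channel] & mask) | (bits[idx] << plane)
        out.append(tuple(px))
    return out


def extract_plane(pixels: list, channel: int, plane: int) -> bytes:
    """Read bit `plane` of `channel` from every pixel and pack the bits into bytes.
    This is the data behind the image StegSolve shows for that plane."""
    return bits_to_bytes([(px[channel] >> plane) & 1 for px in pixels])


def scan_planes(pixels: list, marker: bytes = b"SHELL{") -> dict:
    """Try all 24 channel/plane combinations and return those whose data starts
    with `marker`, cut at the first closing brace."""
    hits = {}
    for channel in range(3):
        for plane in range(8):
            data = extract_plane(pixels, channel, plane)
            if data.startswith(marker):
                hits[(channel, plane)] = data[:data.index(b"}") + 1] if b"}" in data else data
    return hits


if __name__ == "__main__":
    stego = embed_plane(make_cover(), SAMPLE_PAYLOAD, channel=0, plane=0)
    for (ch, pl), found in scan_planes(stego).items():
        print("channel %d plane %d: %r" % (ch, pl, found))
```

The scan only catches payloads written as a straight bit stream starting at the first pixel; a flag drawn as visible text into a plane (which is what a StegSolve screenshot usually shows) is found by looking at the plane as an image, and the extraction function above gives you exactly those bits to render.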

[*] GO Deep!

==========

The File Link redirects you to a Google Drive link containing a zip file (Agent.zip).

Download the file and unzip it; it contains only a WAV file (file.wav).

After this point, I tried all the well-known techniques and tools (WavSteg, Steghide, Binwalk, Audacity, etc.) but found nothing.

I also tried a lot of online tools to extract any data, like This Website and others, but ended up with nothing too :(.

So I asked a fellow player for a small hint, and he told me to focus on the challenge name (“Go Deep”) and search around it.

I did plenty of searching until I accidentally came across this comment on Reddit:

He mentioned a program I had never heard of before, whose name contains the word “Deep”: DeepSound! You can download the program from Here (Windows only).

After installing the program, import file.wav into it; the program will ask you for a password.

You can easily get the password with the strings command.

Enter the password into DeepSound and it will show you that there is a secret file called Deep Flag.txt inside the WAV.

Click on “Extract secret files” to get the flag :)

Flag: SHELL{y0u_w3r3_7h1nk1ng_R3ally_D33p}

[*] Hidden File

============

The attachment file is a JPG file (Hidden.jpg).

From the file command output, I got a password for something.

In a lot of forensics CTFs, when you find a password in plain view like this, it means there is something hidden inside the file that needs this password to be extracted.
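Both of the last two challenges hand you the password in cleartext inside the container file: in Go Deep it shows up in `strings` output, and here `file` prints it because it reads the JPEG's COM (comment) segment and reports it as `comment:`. As an added example (my own code, not the writeup's or any tool's), here is a small Python script that does both: a JPEG marker walker that returns every COM payload, and a minimal `strings` with a filter for password-looking lines. The sample JPEG is constructed (headers and a comment only, no image data) and the comment text is a demo value.

```python
import re


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed stand-in for Hidden.jpg: SOI, a JFIF APP0 segment, a COM segment carrying
# a password left in plain view, then EOI. It has no scan data, so it is not viewable;
# it only exercises the parser. The comment text is a demo value.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"password: shell")
    + b"\xff\xd9"
)

STANDALONE_MARKERS = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn carry no length field


def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG header segments and return every COM (0xFFFE) payload as text.
    This is the field `file` reports as 'comment:' for a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (missing SOI)")
    comments, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:          # EOI
            break
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            comments.append(payload.decode("latin-1"))
        if marker == 0xDA:          # SOS: entropy-coded data follows, header parsing ends
            break
        pos += 2 + length
    return comments


def strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings -n 4`: runs of printable ASCII at least `min_len` long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_candidates(data: bytes, hint: str = "pass") -> list:
    """Strings mentioning `hint`, the first grep to run on a suspected stego container."""
    return [s for s in strings(data) if hint in s.lower()]


if __name__ == "__main__":
    print("COM segments:", jpeg_comments(SAMPLE_JPEG))
    print("password-like strings:", find_candidates(SAMPLE_JPEG))
```

On a real file, run `jpeg_comments(open("Hidden.jpg", "rb").read())`; if the password is not in a COM segment, `find_candidates` over the whole file covers the `strings` approach used for file.wav, and either result is what you then pass to steghide or DeepSound.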

For extraction, I used the Steghide tool with the password “shell”, and got a “Hidden Files.zip” file.

Unzipping it gives three files (flag.zip, which needs a password; se3cretf1l3.pdf; something.jpg).

something.jpg is a QR code image; after scanning it, I got a YouTube link to “Never Gonna Give You Up” (yeah, I got rickrolled XD), so this file is a decoy.

Now move to se3cretf1l3.pdf: it’s a one-page PDF that does not contain any important visible information.

It’s very obvious that this PDF contains hidden data, so you have to extract it.

Personally, I like to pass PDF files to This Website first to extract any hidden data in images, text, or fonts.

Upload the PDF and click on the Text section; you’ll find the hidden key (shellctf).

Finally, use this key to unzip flag.zip and you’ll get the flag :)

Flag: shell{y0u_g07_th3_flag_N1c3!}

Thanks for reading and I hope you love this writeup ❤.

Written by Mohamed Elmasry, Digital Forensics Investigator | CTF player and creator | SOC Analyst | Threat Hunter