DeconstruCTF 2021 Write-ups

Nisarg Suthar
Oct 2, 2021

This will be my write-up for some random challenges from DeconstruCTF 2021!

We finished 54th, top 18%!

Forensics

1. The Missing Journalist

We had this GIF to begin with.

Using binwalk -e filename we can extract a message.pdf

…which is password protected.
As always, running exiftool gave a base64 string.
Which gives us the password to the pdf.
dsc{1_f0und_h1m_4nd_h35_my_fr13nd}

2. Teg Rads

We’re given a PDF with some redacted info, so I open it up in Google Docs;

4 fake flags… Huh, cool…

So, after looking at the PDF tree, streams and objects, I open it up in Sublime Text to see if some parts decode the encoded data properly, and it did.

Unescaping this encoded string gives dsc{publ1c_ which is the first part of the flag.
Evaluating this expression we get the 2nd part of the flag, d15pl4y_
We have this binary string which decodes to 0f_ which is the 3rd part.

Now for the last part, we need to extract a p4.txt using binwalk.

This 4th part doesn’t seem intelligible…

We can decrypt it using Vigenère Cipher with the key alexa, the challenge creator, as seen inside the raw PDF data.

The 4th part of our flag is ff3ct10n_
This base64 decodes to b4nn3d} which seems to be the last part of the flag.

So our flag becomes, dsc{publ1c_d15pl4y_0f_fq3gq10n_b4nn3d}

3. Mike

We are given this image to begin with, the prompt said something about how the time on this machine froze.

Using stegsolve, we can filter out a channel to see the hidden data, which looked like Spotify song codes we can scan.

After scanning the only valid code, it led me to the song Level of Concern by Twenty One Pilots.
The album cover had this peculiar USB drive which I thought was another steganography challenge but nope.

So, I decided to take a look at the official music video at that frozen time on the machine;

And the caption had a code, which was the flag, dsc{LOC-888–481–90TO?}

4. Detective Telephone

We’re given a flag.wav file which has some keypad tones in it. That can be some encoded message, so I tried extracting the DTMF tones from it using an online extractor, and after trying many different cryptic operations on it, no intelligible message was found. Then I tried this tool, and noticed that it extracted more tones than the online one.

We can remove the #’s and the D’s here.
I used this python snippet to decode the data from long to bytes.
dsc{b33p_b00p_r3c0rd5_3v3ryth1n9}

Cryptography

1. Stars and Shapes

!!! Flash Warning !!!

We have another gif,

At first, seeing the flag braces, I thought it was a mono-substitution cipher that had something to do with the number of angles that each shape had. But later, some of the frames with different combinations of shapes gave the same number, so due to collision that cannot be it.

Then a teammate suggested to check out Braille Cipher, which solved it.

The placement of the shapes in each frame, minus the two with only the flag braces, represents a letter. Decrypting it gives dsc{d0-y0u-th1nk-h3-s4w-us7132}

2. RSA - 3

As my teammate solved both RSA -1 & RSA -2, I’m including this one here to complete the crypto set.

We’re provided with an RSA public key .pub file, and we are asked to find the private key exponent d.

To retrieve the modulus value n and public key exponent e, we can use openssl rsa -pubin -in mykey.pub -text -noout

Both of these values are in hex, so we’ll convert them to decimal before proceeding further.

I will use the python script from here, after entering the correct values in decimal for modulus and public key exponent.

And so our flag becomes dsc{6393313697836242618414301946448995659516429576261871356767102021920538052481829568588047189447471873340140537810769433878383029164089236876209147584435733}

Look into Wiener’s attack on RSA!
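A sketch of Wiener's continued-fraction method, added here as an illustration; it is not the script used in this write-up, and the key values in it are constructed toy numbers, not the challenge key. It shows why a small private exponent d is recoverable from the public key alone, and doubles as an audit check for weak keys (the helper name is_wiener_weak is made up for this example).

```python
from math import isqrt

def convergents(num, den):
    """Yield continued-fraction convergents (k, d) of num/den."""
    k_prev, k_cur = 0, 1   # numerator seeds
    d_prev, d_cur = 1, 0   # denominator seeds
    while den:
        a, r = divmod(num, den)
        num, den = den, r
        k_prev, k_cur = k_cur, a * k_cur + k_prev
        d_prev, d_cur = d_cur, a * d_cur + d_prev
        yield k_cur, d_cur

def wiener(e, n):
    """Return (d, p, q) if d is small enough to be recovered, else None."""
    for k, d in convergents(e, n):
        # e*d = 1 + k*phi, so a correct guess makes (e*d - 1) divisible by k.
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        # p and q are the roots of x^2 - (n - phi + 1)*x + n = 0.
        s = n - phi + 1
        disc = s * s - 4 * n
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t == disc and (s + t) % 2 == 0:
            p, q = (s + t) // 2, (s - t) // 2
            if p * q == n:
                return d, p, q
    return None

def is_wiener_weak(e, n):
    """Audit helper (hypothetical name): True when the public key reveals d."""
    return wiener(e, n) is not None

if __name__ == "__main__":
    # Constructed toy key: p = 379, q = 239, private exponent d = 5.
    print(wiener(17993, 90581))
    # Constructed modulus with the conventional e = 65537: d is large, no recovery.
    print(is_wiener_weak(65537, 1000000009 * 1000000007))
```

The method is only guaranteed to work when d is below roughly n^(1/4)/3, which is why keys generated with a standard small e and a full-size d are not affected.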
