TryHackMe CTF Collection Vol. 1

A beginner-friendly CTF walkthrough (Part 1)

TryHack CTF Collection Vol 1

🏠 TryHackMe CTF Collection Vol. 1 (Official Website)

👉 TryHackMe CTF Collection Vol. 2 (My Write-up)

· First things first…
· Task 2: What does the base said?
· Task 3: Meta meta
· Task 4: Mon, are we going to be okay?
· Task 5: Erm……Magick
· Task 6: Qrrrr
· Task 7: Reverse it or read it?
· Task 8: Another decoding stuff
· Task 9: Left or right?
· Task 10: Make a comment
· Task 11: Can you fix it?
· Task 12: Read it
· Task 13: Spin my head
· Task 14: An exclusive
· Task 15: Binary walk
· Task 16: Darkness
· Task 17: A sounding QR
· Task 18: Dig up the past
· Task 19: Uncrackable!
· Task 20: Small bases
· Task 21: Read the packet
· Conclusion

TryHackMe is an exceptional online platform designed to provide individuals with hands-on cybersecurity learning experiences.
It offers an immersive environment where users can explore various topics, master essential tools, and enhance their practical skills.

One of the remarkable features of TryHackMe is the CTF Collection Vol 1, which serves as an excellent starting point for aspiring CTF enthusiasts. The CTF Collection Vol 1 consists of a curated set of easy challenges that cover some basic skills needed by any beginner CTF player.

Some of the topics covered include base number conversion, image steganography, decoding various encoding schemes, substitution ciphers, OSINT, and many more.

This first collection consists of 20 tasks and offers a progressive learning path, starting from extremely easy beginner-friendly challenges and gradually increasing in difficulty, allowing the players to sharpen their CTF skills at their own pace.

This collection (Vol. 1) as well as the follow-up CTF Collection (Vol. 2) were created by DesKel.

The main objective of this room is to test your CTF skills. Stay calm and Capture The Flag :)

— DesKel

With its intuitive interface, comprehensive resources, and vibrant community, TryHackMe’s CTF Collection Vol 1 serves as an invaluable resource for those seeking to gain practical experience and confidence in beginning their CTF journey without the pressure of a timed CTF competition.

First things first…

Pre-requisites:

• Your OS: A Linux (virtual) machine packed with your favorite hacking tools. I recommend Kali or Parrot OS as your go-to CTF platform.
• Good Music: CTFs are fun and meant to be enjoyed and not stressed about. Head to Spotify and fire up your favorite hacking music playlist!
• Caffeine Up: You need coffee when you code, hack, or play a CTF. Get some coffee and Caffeine Up!

If you are a free TryHackMe user, you only get 1 hour/day access to a Web-based Kali “AttackBox”.

If you are a paid subscriber you get unlimited access to the AttackBox which you can use for the CTF room in this article.

Task 2: What does the base said?

Challenge

Can you decode the following?

VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==

Solution

This looks like a Base64 encoded message. To identify this, you typically look for a string of characters consisting of a combination of uppercase and lowercase letters, numbers, the “+” or “/” and usually ends with or is passed with “=” character.

Let’s decode this by using ‘echo’ to pipe the string to the utility ‘base64’ with the parameter to decode (--decode or -d).

$ echo "VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==" | base64 -d
THM{ju57_d3c0d3_7h3_b453}

Task 3: Meta meta

Challenge

Meta! meta! meta! meta……………………………..
I’m hungry, I need the flag.

Download Task Files: Findme.jpg

Solution

Download the task file “Findme.jpg”.

To access the metadata of images, the best tool to start your analysis with is usually ExifTool. You may need to install it first if you don’t have it on your system.

$ sudo apt update
$ sudo apt install exiftool

Below is the screenshot of using ExifTool to extract the metadata and the flag for this challenge.

ExifTool extracting hidden data in image metadata

Task 4: Mon, are we going to be okay?

Challenge

Something is hiding. That’s all you need to know.
It is sad. Feed me the flag.

Download Task Files: Extinction.jpg

Solution

Let’s begin by downloading the task file Extinction.jpg.

We begin our usual analysis by first running the ExitTool again (see Task 3), but this revealed nothing hidden in the metadata of the image.

Next is another popular steganography (or stego for short) tool called steghide. If this is not installed by default in your Kali machine, you can install it by following the instructions below:

$ sudo apt update
$ sudo apt install steghide

Let’s analyze it for any hidden text with the “info” option:

$ steghide info Extinction.jpg
"Extinction.jpg":
  format: jpeg
  capacity: 1.3 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "Final_message.txt":
    size: 79.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

Bingo! There seems to be a hidden text file called “Final_message.txt”.
Now we extract the data with the command below. Note that you were not provided with a passphrase so you can hit “Enter” and leave it blank.

$ steghide extract -sf Extinction.jpg
Enter passphrase:
wrote extracted data to "Final_message.txt".

$ cat Final_message.txt
It going to be over soon. Sleep my child.

THM{500n3r_0r_l473r_17_15_0ur_7urn}

Task 5: Erm……Magick

Challenge

Huh, where is the flag?

Did you find the flag?

Solution

This one was a bit tricky at first. No downloadable files, nothing to analyze.
For this one, we have to use the hint provided:

“Highlight the text or check the html.”

Either by highlighting the text or inspecting the source code of the page, you will be able to uncover the text.

Highlight to uncover the hidden text

Use the browser’s “Inspect” or Developer Tools to uncover the hidden text

Task 6: Qrrrr

Challenge

Such technology is quite reliable.

More flag, please!

Download Task Files: QR.png

Solution

We begin with downloading the task file QR.png which contains a QR code.

Using your phone or tablet’s camera or QR reader app, point your camera at the image of the QR code once you have opened it up with any image viewer. Getting the flag is easy for this one. See my screenshot from my Android phone.

Getting the flag using a QR reader camera app

Task 7: Reverse it or read it?

Challenge

Both work, it’s all up to you.
Found the flag?

Download Task Files: hello.hello

Solution

Download the task file hello.hello which looks like a binary. Let’s verify that first.

$ file hello.hello
hello.hello: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=02900338a56c3c8296f8ef7a8cf5df8699b18696, for GNU/Linux 3.2.0, not stripped

Indeed it is a Linux executable file. The challenge description suggests we either try to “reverse engineer” it or read it. Reverse engineering involves using tools such as Ghidra, radare2, Cutter, OllyDBG, x64dbg and GNU’s gdb to analyze the binary.

For this exercise, we will go the easier route to suit a CTF beginner who isn’t familiar with reverse engineering yet. Reading the binary suggests that we could extract the strings within the binary using a tool such as … you guessed it! strings.

Note that we can either pipe the output to a file, to screen or to grep (find) the strings of interest. In this case, we are searching for THM{ and we will ignore the case-sensitivity so it can match either “thm{“ or “THM{“.

$ strings hello.hello  | grep -i thm{
THM{345y_f1nd_345y_60}

Task 8: Another decoding stuff

Challenge

Can you decode it?

3agrSy1CewF9v8ukcSkPSYm3oKUoByUpKG4L

Oh, Oh, Did you get it?

Solution

This string does not look like Base64 or Base32. We can certainly try and verify that to be sure, using the same process as Task 2.

$ echo "3agrSy1CewF9v8ukcSkPSYm3oKUoByUpKG4L" | base32 -d
base32: invalid input

$ echo "3agrSy1CewF9v8ukcSkPSYm3oKUoByUpKG4L" | base64 -d
ݨ+K-B{}�ˤq)I����(%)(n

Do we know of more possible Base encoding schemes?
with a little research (ehm… Googling!) we stumble upon Base58.

$ echo "3agrSy1CewF9v8ukcSkPSYm3oKUoByUpKG4L" | base58 -d
THM{17_h45_l3553r_l3773r5}

That seemed like a bit of brute-forcing, didn’t it?

If you are planning on doing more CTFs in the future, the more you automate and cut the number of manual attempts down the quicker and more efficient you will be.

Being a Maverick, this screams for a simple bash script to feed this string through as many encoding schemes as we can to save us time. Bash scripting was chosen to keep it simple.

#!/bin/bash

# Read input string from command prompt
read -p "Enter the encoded string: " encoded_string

# Display the original string
echo
echo "Original String: $encoded_string"
echo
# Decode using base32
decoded_base32=$(echo "$encoded_string" | base32 -d)
if [[ -n "$decoded_base32" ]]; then
    echo "Decoded (Base32): $decoded_base32"
fi

echo

# Decode using base58
decoded_base58=$(echo "$encoded_string" | base58 -d)
if [[ -n "$decoded_base58" ]]; then
    echo "Decoded (Base58): $decoded_base58"
fi

echo

# Decode using base64
decoded_base64=$(echo "$encoded_string" | base64 -d)
if [[ -n "$decoded_base64" ]]; then
    echo "Decoded (Base64): $decoded_base64"
fi

echo

See the output of the shell script base-decoder.sh below:

Base decoding bash script used to automate the “guessing”

Task 9: Left or right?

Challenge

Left, right, left, right… Rot 13 is too mainstream. Solve this

MAF{atbe_max_vtxltk}

What did you get?

Solution

This challenge suggests that the very common ROT13 is not the correct one. ROT13 is a simple letter substitution cipher also known as Caesar Cipher. Most likely the coded string used a variation of ROT-N where N is not 13.

ROT26 is not used for brute forcing ROT cipher because it’s like trying to unlock a door with the same key but turning it twice as much and wondering why it’s not opening.

Method 1:

Use an online decoder such as https://www.dcode.fr/rot-cipher.

Method 2:

If you want to be an efficient CTF player and a Cyber Maverick, you will need to get used to scripting in languages such as Python.

This task can be automated and you will be able to add that script to your bag of tools for future CTFs.

Below is a simple Python script to brute-force ROT1 all the way to ROT25 decryption for a given string. We saved this to rot1_25-bruteforce.py.

# This is a ROT1 to ROT25 brute-force rotation script.
# You enter the cipher text and the script will output all potential outputs in every ROT scheme

def rot_decode(cipher_text):
    # Loop over all possible ROT values (1 to 25)
    for rot in range(1, 26):
        decoded_text = ""
        # Loop over each character in the cipher text
        for c in cipher_text:
            # Check if the character is a letter
            if c.isalpha():
                # Determine the ASCII offset based on whether the letter is uppercase or lowercase
                if c.isupper():
                    ascii_offset = 65
                else:
                    ascii_offset = 97
                # Convert the character to its ASCII code
                c_code = ord(c)
                # Determine the new ASCII code by applying the ROT value
                new_c_code = (c_code - ascii_offset + rot) % 26 + ascii_offset
                # Convert the new ASCII code back to a character
                new_c = chr(new_c_code)
                decoded_text += new_c
            else:
                # If the character is not a letter, add it to the decoded text as is
                decoded_text += c
        # Print the decoded text for the current ROT value
        print(f"ROT{rot:02d}   : {decoded_text}")


# Prompt the user for input
cipher_text = input("Enter the cipher text: ")
rot_decode(cipher_text)

Running the script above should contain the flag in one of the rotations.

Brute-forcing ROT using a python script

Task 10: Make a comment

Challenge

No downloadable file, no ciphered or encoded text. Huh …….
I’m hungry now… I need the flag

Solution

Our initial suspicion was to check the HTML source code. It is a very common CTF challenge, especially the very easy challenges.

As it turns out, we were correct about our assumption. Checking the hint also gets you there quicker if you are stuck.

Task 11: Can you fix it?

Challenge

I accidentally messed up with this PNG file. Can you help me fix it?
Thanks, ^^

What is the content?

Download Task File: spoil.png

Solution

We downloaded the task file spoil.png which seems like a corrupted PNG image.

This challenge is one of the most common ones in beginner CTF challenges. The level of corruption depends on the complexity of the challenge.

When dealing with JPG or PNG images there are a few things to be checked.

If the image is not corrupted you can look straight away for any steganography using tools such as exiftool and steghide for starters.

However, if we are dealing with a corrupted image, one of the first tools to use is the Linux command “file”. This is a handy utility that helps in identifying the file types regardless of their extensions based on a few checks it runs. One of those checks is the Magic Byte which is a way of quickly identifying common file formats.

$ file spoil.png
spoil.png: data

For a PNG image, the header must always start with “.PNG….” or the hex values “0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A”.

We are spoiled for choice when it comes to using a Hex editor to inspect a binary file or image and verify the Magic. Some choices include:

• bvi or bview
• hexeditor
• Bless

Let’s verify the PNG header starts with “.PNG” or “89 50 4E 47”. Seems like our file has an incorrect header:

Using bmore or binary more to view the image

The file starts with “#3D_” which we should replace with “.PNG”.
Let’s replace that with the correct header values using the GUI Hex editor “bless”.

Using bless to edit the hex values in sploil.png

Using file command again we can verify if this has worked:

$ file spoil.png
spoil.png: PNG image data, 800 x 800, 8-bit/color RGBA, non-interlaced

Excellent! Seems like we have fixed it and di not need to continue our analysis of the file further. Opening the file now will reveal the flag:

The flag now revealed in the repaired PNG image

Task 12: Read it

Challenge

Some hidden flag inside the Tryhackme social account.
Did you find the hidden flag?

Solution

This task requires some social media OSINT.

We begin with a query such as the Google search below:

• “Task 12” + “flag”

This yields some pages with a CTF write-up or a walkthrough which is not what we want. That is just too easy and it’s kind of cheating!

A few results down the list we see a Reddit discussion which looked interesting. We also confirm this by checking the hint for the task.

Reddit discussion of the task

This does seem like a buried encoded string in the middle of a thread.

We would try a ROT or simple substitution cipher brute-force however, if you pay close attention to the string you would notice the mixing of upper and lowercase letters which could indicate a Base encoding (16, 32, 58, 64 etc..).

Remember our earlier bash script in Task 8? This is where re-use and automation come in handy!

$ ./scripts/base-decoder.sh
Enter the encoded string: SlVTVCBPTkUgTU9SRSBTVEVQICEhISEhISEhIApzaXRlOiJyZWRkaXQuY29tIiBpbnRleHQ6IlRITSIgaW50aXRsZToidHJ5aGFja21l

Original String: SlVTVCBPTkUgTU9SRSBTVEVQICEhISEhISEhIApzaXRlOiJyZWRkaXQuY29tIiBpbnRleHQ6IlRITSIgaW50aXRsZToidHJ5aGFja21l

base32: invalid input

subsection not found

Decoded (Base64): JUST ONE MORE STEP !!!!!!!!
site:"reddit.com" intext:"THM" intitle:"tryhackme

It was a Base64 encoding and we have a very encouraging result.

Let’s take to Google and try out that search:
site:”reddit.com” intext:”THM” intitle:”tryhackme

We had again a few results and the second result seems to have our flag.

Task 13: Spin my head

Challenge

What is this?

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++. — — — — — — .+++++.>+++++++++++++++++++++++.<<++++++++++++++++++.>> — — — — — — — — — -. — — — — -.++++++++++++++.++++++++++++.<++++++++++++++++++.+++++++++.<+++.+.> — — .>++++.

Can you decode it?

Solution

Now this looks like some interesting encoding. Certainly not the usual Base encoding scheme.

I have not come across this one before. I suspected a binary encoding but we seem to have 8 characters or more, not just two for a binary 1 and 0.
For full disclosure I had to use the hint for this challenge, which is fine and it’s all part of the learning process.

The hint indicated that this is an encoding known as “binaryfuck” or BrainFuck.
At this point, we head toward our favorite online decoder dCode.

Task 14: An exclusive

Challenge

Exclusive strings for everyone!

S1: 44585d6b2368737c65252166234f20626d
S2: 1010101010101010101010101010101010

Did you crack it? Feed me now!

Solution

We have two strings, one being Hex and the other in Binary. The challenge text suggests that they want us to go down the Exclusive OR (XOR) route.

Before investing a lot of energy you can always confirm this with the provided hint whenever available.

One way of solving this is by using an Online XOR Calculator.

String 1: 44585d6b2368737c65252166234f20626d
String 2: 1010101010101010101010101010101010

Result in:

Binary: 101010001001000010011010111101100110011011110000110001101101100011101010011010100110001011101100011001101011111001100000111001001111101

Hex:
54484D7B3378636C75353176335F30727D

ASCII: }r0_3v15ulcx3{MHT

Our ASCII output from the online calculator looks like a flag but seems reversed. Easy to take care of it in Linux by using a command to reverse the string. You guessed it, it’s called “rev”!

$ echo "}r0_3v15ulcx3{MHT" | rev
THM{3xclu51v3_0r}

We are Cyber Mavericks so let’s explore another way to solve it ourselves without using an online calculator:

$ python -c "s1 = bytes.fromhex('44585d6b2368737c65252166234f20626d'); s2 = bytes.fromhex('1010101010101010101010101010101010'); print(''.join(chr(a ^ b) for a, b in zip(s1, s2)))"

THM{3xclu51v3_0r} 

print(‘’.join(chr(a ^ b) for a, b in zip(s1, s2)))
Performs the XOR operation on the corresponding bytes of s1 and s2. It iterates over each pair of bytes using zip(s1, s2) and applies the XOR operation using the bitwise XOR operator ^.

‘’.join(chr(a ^ b) for a, b in zip(s1, s2))
Converts each XORed value back to its corresponding ASCII character using the chr()function. It then joins all the characters together to form a single string.

Again, let’s convert it into a re-usable script for any future CTFs, and let’s be more efficient by asking the script to prompt us for any changing strings instead of hard-coding those values:

# Prompt the user to enter the first string
s1_input = input("Enter the first string: ")

# Prompt the user to enter the second string
s2_input = input("Enter the second string: ")

# Convert the input strings to bytes
s1 = bytes.fromhex(s1_input)
s2 = bytes.fromhex(s2_input)

# Perform the XOR operation on the corresponding bytes
xor_result = bytes(a ^ b for a, b in zip(s1, s2))

# Convert the XOR result to ASCII and print
ascii_result = xor_result.decode('ascii')
print("XOR result (ASCII):", ascii_result)

Running xor-strings.py script

Task 15: Binary walk

Challenge

Please exfiltrate my file :)
Flag! Flag! Flag!

Download Task File: hell.jpg

Solution

As the name of the challenge suggests, we need to inspect the binary file or image hellp.jpg with a tool named “binwalk”. Binwalk is a popular tool used for analyzing, reverse engineering, and extracting not only firmware images but also hidden elements in binary files. It is frequently used during CTF forensics or steganography challenges to extract hidden text or files inside files such as images.

Let’s check if our image hell.jpg contains any sort of hidden data by running binwalk without additional options.

Binwalk of hell.jpg

We found evidence of information hiding (stego). The indication is that there is an archive containing the hello_there.txt file. Time for extraction.

$ binwalk -e hell.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.02
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
265845        0x40E75         Zip archive data, at least v2.0 to extract, uncompressed size: 69, name: hello_there.txt
266099        0x40F73         End of Zip archive, footer length: 22

We see above that by using binwalk’s extract option (-e) we have a new folder named _hell.jpg.extracted which we should inspect next.

$ cd _hell.jpg.extracted/

$ ls -la
total 16
drwxr-xr-x 2 cybersecmav cybersecmav 4096 Jun 17 11:41 .
drwxr-xr-x 4 cybersecmav cybersecmav 4096 Jun 19 22:35 ..
-rwxr-xr-x 1 cybersecmav cybersecmav  276 Jun 17 11:41 40E75.zip

$ unzip 40E75.zip
Archive:  40E75.zip
replace hello_there.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: hello_there.txt

$ ls
40E75.zip  hello_there.txt

$ rm hello_there.txt

$ unzip 40E75.zip
Archive:  40E75.zip
  inflating: hello_there.txt

$ cat hello_there.txt
Thank you for extracting me, you are the best!

THM{y0u_w4lk_m3_0u7}

That is how we uncovered the simple stego within a binwalk’s extract option.

Practice using binwalk a lot. It comes in handy very often in CTF challenges.
See the tutorial in the Resources section at the bottom of this article.

Task 16: Darkness

Challenge

There is something lurking in the dark.

What does the flag said?

Download Task File: dark.png

Solution

Once you have downloaded and inspected it with an image viewer you see nothing but….darkness!

We run through the usual checklist for analyzing the image file for hidden data and signs of steganography:

$ exiftool dark.png

$  steghide extract -sf dark.png

$ binwalk dark.png

$ strings dark.png | less

None of them yield any useful results.

If you recall the name of the challenge, there is a suspicion that we are dealing with an image that has been “darkened” and that the hidden text may be visible if we manipulate the colors, greyscale, opacity, etc.

I have opened the image in Greenshot which is a great screenshotting tool on Windows. I have tried the “Inversion” effect which didn’t do the trick.

At this point, we decided to take a different approach and explore the image using a powerful steganography tool called StegSolve.
StegSolve allows us to manipulate various color channels and bit planes of the image, potentially revealing hidden information.

After opening the image in StegSolve, we started experimenting with different color and bit plane combinations. Lo and behold, when we adjusted the color planes, specifically the blue channel, a faint pattern started to emerge. It seemed that the hidden text was cleverly embedded within the image, visible only through this manipulation.

Using stegsolve to analyze the color planes

This experience served as a powerful reminder of the importance of understanding image composition and employing specialized tools like StegSolve to uncover hidden secrets within visual content.

Task 17: A sounding QR

Challenge

How good is your listening skill?
P/S: The flag formatted as THM{Listened Flag}, the flag should be in All CAPS

Download Task File: QRCTF.png

Solution

I have downloaded the QRCTF.png image.

Task 17: QRCTF.png

This takes you to the following to the following URL:

The flag value is spoken at the start of the track. Easy peasy right?

Flag: THM{SOUNDINGQR}

Task 18: Dig up the past

Challenge

Sometimes we need a ‘machine’ to dig the past.
Targetted website: https://www.embeddedhacker.com/
Targetted time: 2 January 2020

Solution

The Internet Archive website WayBackMachine is a great resource for digging up previous versions of most websites.

We begin our search by browsing to it and inputting the URL we want to find a historic version for. URL: https://www.embeddedhacker.com/

We then select the date we are interested in, which is Jan 2nd, 2020.

Task 18: Wayback Machine

We open up that version and see the contents of the page as it was snapshotted and archived.

Flag: THM{ch3ck_th3_h4ckb4ck}

Task 19: Uncrackable!

Challenge

Can you solve the following? By the way, I lost the key. Sorry >.<

MYKAHODTQ{RVG_YVGGK_FAL_WXF}

Flag format: TRYHACKME{FLAG IN ALL CAP}

Solution

This encoded flag looks like it may have been encoded using a simple substitution cipher such as Caesar Cipher, which is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet.

The most common cipher is ROT13 (shift by 13 places). So it is a good first step to try the obvious first. For that, we can use several tools or websites to convert text to ROT13. Let’s head to CyberChef and test this out.

CyberChef

We had no luck with ROT after using the brute-forcer on CyberChef. 😞Let’s explore another great website called dcode.fr and identify the cipher

The code website was able to identify this as a Vigenere Cipher which is a common variation on Caesar’s substitution cipher.

dCode.fr — Vigenere Cipher

The Vigenere Cipher Decoder on dcode.fr was able to successfully decode the string as seen in the figure above. 😎

Flag: TRYHACKME{YOU_FOUND_THE_KEY}

Task 20: Small bases

Challenge

Decode the following text.

581695969015253365094191591547859387620042736036246486373595515576333693

Solution

The challenge name suggests that this is a Base-encoded message.
Base encoding is a scheme that translates ASCII text into a format that is transmission-friendly for binary data. This is particularly useful in processing by text-based systems like web and mail systems.

There exist many Base encoding systems such as Base16, Base32, and Base64. Base64 is the most popular scheme in use for web-based systems.

There is a common misconception among many technology enthusiasts and developers that Base encoding somehow encrypts, protects, or obfuscates data when sent in the clear.

This is a dangerous misunderstanding, as Base encoding, along with all forms of encoding, is reversible. Therefore, it does not protect any sensitive data or credentials that are converted and transmitted using Base-xx.

Back to the challenge at hand, I have first attempted a Base64 decoding due to its popularity and wide use. I have also tried a few different Base conversions and none of them seemed to work. Time to use the Hint provided by TryHackMe (no shame in that!).

Hint: dec -> hex -> ascii

Alright, I was going down a rabbit hole and this tip saved my effort of brute forcing a few more obscure BaseXX encoding schemes.

Let’s use a web-based converter first.

A) From Decimal to Hex

Decimal to Hex

B) From Hex to Text

Hex to ASCII Text

And there you have the flag!

But wait, We are Mavericks aren’t we? We aspire to be as fast, efficient and as leet as possible while we learn and solve challenges.

We have to attempt a command-line conversion and rely less on external tools or websites. It is quicker and much more efficient.

There are a dozen ways of doing this on Linux including using Python.
I will leave you with one method and let you discover the alternative ways to do this on your own 😄

Please ensure you have installed the xxd and bc tools beforehand with:
sudo apt install xxd

echo "ibase=10;obase=16;581695969015253365094191591547859387620042736036246486373595515576333693" | bc | xxd -r -p

In this example above we take a decimal number, convert it to hexadecimal using bc, and then convert the hexadecimal to ASCII using xxd.

bc: a calculator utility that interprets the mathematical expression in Hex.

• ibase=10: sets the input base to decimal.
• obase=16: sets the output base to hexadecimal.

xxd: is a utility that converts data in hexadecimal representation to binary and vice versa.

• -r: Reverse operation. Converts Hex to Binary
• -p: Plain hexdump style without line number display.

Note: originally I opted to use printf function. However, the Bash printf was unable to directly handle large decimal numbers that exceed a certain range

Flag: THM{17_ju57_4n_0rd1n4ry_b4535}

Task 21: Read the packet

Challenge

I just hacked my neighbor’s WiFi and tried to capture some packets.
He must be up to no good. Help me find it.

Download Task Files: flag.pcapng

Solution

Packet Analysis is one of my favorite tasks during CTFs. I like the rawness of the data and being closer to the wire during investigations and analysis.

For the sake of brevity, I will not get into my usual process of handling a packet capture file and the initial analysis I do to gain an understanding of the protocol statistics, conversations, and protocol hierarchy in a packet capture. I will keep the solution simple.

In this scenario, we look for the common protocols that contain data.
An assumption is made that our neighbor will be doing some web browsing so we start our analysis by zooming in on HTTP protocol communications.

We have found a total of 12 HTTP packets (6 requests and 6 responses).

Ignoring the OCSP packets (Online Certificate Status Protocol), we are left with a single HTTP request for /flag.txt and a response that contains our flag. Easy day at the office 😉

Wireshark HTTP filter

Alternatively, you can click the first HTTP request and use the following option to follow the packet in an easier format:

Analyze → Follow → HTTP Stream

Follow HTTP Stream

Conclusion

This was a quick and fun introduction to solving mini-challenges, meant to boost your skills for tackling some common CTF tasks.

I have added a bit more details in places without assuming you’re already a pro at CTF or Linux.

I hope you were able to follow along. More importantly, I hope you have found them fun and educational.

I hope you followed along and, more importantly, had fun and learned something. Now, take that new interest in CTF challenges and keep going with your journey. There’s a lot more to learn!

I’ve listed some resources below that might be useful as you start your journey into CTFs.

What’s next?

• TryHackMe: CTF Collection Vol. 2 (Official Website)
• TryHackMe CTF Collection Vol. 2 (My Write-up)
• Tips & CTFs for beginners by HTB
• Introduction to CTFs by HTB

Thank you for your support and for visiting my blog.

Please follow me for more future content around CTFs, Ethical Hacking, Certifications, and much more. I would appreciate any comments, feedback, or queries you may have.

Happy Hacking!

CyberSecMaverick