Forensics


CybHer CTF.

This module teaches you some basic forensics tools and techniques! Digital forensics is the process of collecting, analyzing, and preserving digital evidence from electronic devices to investigate crimes or security incidents. It helps uncover what happened, how, and who was involved.

In this module, you'll be looking for hidden information - usually in the form of a temporary flag that looks like this: FLAG{...}. Remember, this is not your official flag! You'll need to run /challenge/verify, enter the temporary flag, and then you will find your official pwn.college{...} flag.


Challenges

Challenge Description

You have a huge text file, haystack.txt, with a needle (flag) hidden inside. Use grep to search for the temporary flag, which looks like FLAG{...}. (NOTE: This is not your real flag yet!)

For more information about grep, you can head over to the Linux module and do the "Find the password!" challenge. For a quick refresher, grep is used like this: grep {target_string} {file_to_search}.

Challenge Steps

  1. Start the challenge and open a terminal
  2. Navigate to the /challenge directory (use cd /challenge)
  3. Search through the haystack.txt file to find the temporary flag (FLAG{...})
  4. Once you've found the FLAG, run /challenge/verify, enter the temporary flag, and receive your official pwn.college{...} flag!
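As an added example (not part of the CybHer CTF module), the script below builds a constructed haystack.txt with one flag buried in it and shows three ways to use grep on it: the plain form from this page plus -n for line numbers, -c to count matching lines, and -o with the pattern FLAG{[^}]*} to print only the flag itself. The file contents, the line position and the flag value are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the CybHer CTF module): search a constructed
# haystack file for a FLAG{...} needle with grep.

# Build a constructed haystack: 5000 filler lines with the needle on line 3141.
make_haystack() {
    out=$1
    awk 'BEGIN {
        for (i = 1; i <= 5000; i++) {
            if (i == 3141)
                print "q7w9 needle? FLAG{constructed_needle} k2p0"
            else
                printf "line %d: filler text, nothing hidden here\n", i
        }
    }' > "$out"
}

# The form from the module, grep {target_string} {file_to_search}, plus -n so
# the hit comes back with its line number.
show_hits() { grep -n 'FLAG{' "$1"; }

# -c counts matching lines: a quick check of how many candidates you have.
count_hits() { grep -c 'FLAG{' "$1"; }

# -o prints only the part that matched; [^}]* stops at the first closing
# brace, so the junk on either side of the flag is dropped.
find_flag() { grep -o 'FLAG{[^}]*}' "$1"; }

hay=$(mktemp)
make_haystack "$hay"
echo "$(wc -l < "$hay") lines, $(count_hits "$hay") mentioning FLAG{"
show_hits "$hay"
echo "flag only: $(find_flag "$hay")"
rm -f "$hay"
```

With a real haystack the -c count tells you whether a plain search is enough or whether you need a tighter pattern; -o is what you want when the flag is wedged between junk on a very long line.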

Challenge Description

You're a treasure hunter who found a locked vault! A file named vault.zip has been placed in your /challenge directory. Your goal is to unlock this vault and find the treasure (flag) inside!

Zip files

You may have noticed the .zip file extension. This file has been "zipped", or compressed. "Zipping" files together is a way to gather them all and squish them together so they take up less space. There could be just one file, or several that have been zipped together.

To unzip a .zip file, you can typically use this command: unzip filename.zip

This normally works with no problem. However, in our virtual machine, you will not have permission to unzip this file within the /challenge directory. You will need to add the -d destination flag to the unzip command. This tells the computer to place the extracted files into a different directory - you'll want to use your home directory /home/hacker. It will look something like this: unzip filename.zip -d /path/to/destination

This will open up that zipped file, and give you the full information that was compressed inside. If you run ls in your home directory after unzip, you should see some new files that weren't there before!

Unfortunately, this vault is also locked with a password - in order to unzip it, you will need to find that password (you'll get a prompt to enter the password when you run unzip).

Challenge Steps

  1. Navigate to the /challenge directory, run ls to view all of the challenge files
  2. Use grep to search the vault_clue.txt file for the password (For help with grep, check out the previous challenge, or go to the Linux Module -> "Find the password!")
  3. Use the password you found to unzip vault.zip into your home directory /home/hacker (note that it will not look like you are typing a password, but you are! Just type it and press Enter)
  4. You should now have a vault.txt file, in your home directory. This file contains a temporary flag: FLAG{...} (use cat to view the flag)
  5. Run /challenge/verify and enter the temporary flag from vault.txt, and you will receive your official pwn.college flag!

Challenge Description

You found a digital treasure chest (digital_treasure.zip) that is hiding another zip file inside of it. The flag is contained within the metadata of this inner zipped file (treasure.zip).

Metadata

Metadata in ZIP files refers to information about the files inside the archive, rather than the file contents themselves. This includes things like:

  • File names
  • File sizes (compressed & uncompressed)
  • Compression method
  • Timestamps (modification date/time)
  • File permissions
  • File path (relative inside the archive)
  • Comments (added by whoever zipped the file, contains notes like version or author information)

This metadata helps systems know how to extract the files correctly and what to do with them.

You can view metadata with a tool like zipinfo. Try running zipinfo treasure.zip to see what default information it gives you. From there, run zipinfo -h (-h for help) to see what flags you can use with zipinfo to view more information. Play around with these flags until you find your temporary FLAG{...}

Challenge Steps

  1. Navigate to the /challenge directory
  2. Unzip digital_treasure.zip into your home directory (no password needed this time!)
  3. In your home directory, use the zipinfo tool on treasure.zip to find the temporary flag (FLAG{...}) (Do NOT unzip it! You'll lose the flag!)
  4. Run /challenge/verify and enter the temporary flag you found
  5. Submit your official pwn.college{...} flag!
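The page stresses that the flag lives in the metadata and is lost if you unzip treasure.zip. The added example below (not part of the CybHer CTF module, and not how zipinfo itself is implemented) makes that concrete: it writes a constructed ZIP archive whose only content is an archive comment, then reads that comment straight out of the ZIP "end of central directory" record with od and awk, extracting nothing. The archive name and comment text are constructed; the record layout is the standard ZIP format.

```shell
#!/bin/sh
# Added example (not part of the CybHer CTF module): build a constructed ZIP
# archive that carries an archive comment, then read that comment straight
# out of the archive's metadata, with nothing extracted.

# Every ZIP ends with an "end of central directory" (EOCD) record: signature
# 50 4b 05 06, 16 bytes of disk/entry counts and central-directory size and
# offset, a 2-byte little-endian comment length, then the comment bytes.
# This constructed archive holds no files at all, only the EOCD and comment,
# so the comment is pure metadata, the kind zipinfo shows you.
make_commented_zip() {
    out=$1; comment=$2
    n=$(printf '%s' "$comment" | wc -c | tr -d ' ')
    lo=$((n % 256)); hi=$((n / 256))
    {
        printf 'PK\005\006'                         # EOCD signature
        printf '\000\000\000\000\000\000\000\000'   # disk numbers, entry counts (all zero)
        printf '\000\000\000\000\000\000\000\000'   # central directory size and offset (zero)
        printf "\\$(printf '%03o' "$lo")\\$(printf '%03o' "$hi")"   # comment length, LE
        printf '%s' "$comment"
    } > "$out"
}

# Read the comment back the way an archive tool does: dump the bytes, scan
# backwards for the last EOCD signature, read the length field at offset 20
# of that record, and print that many bytes starting at offset 22.  Because
# it scans from the end, this also works on archives that do contain files.
zip_comment() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            for (i = n - 22; i >= 0; i--)
                if (b[i] == 80 && b[i+1] == 75 && b[i+2] == 5 && b[i+3] == 6) break
            if (i < 0) { print "no EOCD record found: not a ZIP file?"; exit 1 }
            len = b[i+20] + 256 * b[i+21]
            for (j = 0; j < len; j++) printf "%c", b[i+22+j]
            printf "\n"
        }'
}

z=$(mktemp)
make_commented_zip "$z" "Archive note: FLAG{constructed_zip_comment}"
echo "archive is $(wc -c < "$z" | tr -d ' ') bytes; comment reads:"
zip_comment "$z"
rm -f "$z"
```

On the challenge machine, zipinfo -z treasure.zip and unzip -z treasure.zip print the same archive comment from the same record; per-file comments sit in the central directory entries instead, which is why extracting the files gives you their contents but not this metadata.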

Challenge Description

You’re a detective investigating a mysterious painting, art.jpg, created by a secretive artist. Rumor has it they hid a flag in the image’s metadata, the hidden details that describe a file. Use the exiftool command to inspect the metadata and uncover the temporary flag (FLAG{...})!

exiftool is a command-line tool to view, edit, and remove metadata from files like photos, videos, and PDFs. You can view the metadata like this: exiftool image.jpg

Challenge Steps

The challenge file is located in the /home/ubuntu/Artists-Clue directory.

  1. Navigate to /home/ubuntu/Artists-Clue
  2. Use exiftool to view the metadata in the art.jpg file - search through it to find your temporary FLAG{...}
  3. Run /challenge/verify, enter the temporary FLAG{...}, and receive your official pwn.college{...} flag!

Challenge Description

You’re a hacker who discovered a strange binary file, secret.bin, that looks like a piece of computer code. It’s hiding a flag in hexadecimal text!

The .bin file extension tells us this file is a binary file - it's meant for computers to read! This challenge has two parts. The first involves using a tool called strings that looks for human-readable text in binary files. Use it like this: strings filename.bin

Unfortunately, you'll have to do a bit more work to find the temporary FLAG{...}. You'll need to scroll through the output from strings until you find this content: "Binary file FLAG starts here: ... Flag ends". Everything in between is your flag, but it is in hexadecimal format. You'll need to convert it back into English! The tools on this machine are limited, so one good option is to copy the hex flag to the GUI clipboard and use that to paste it into your laptop's web browser. Go to a tool like cyberchef.com, paste that hex in, and use the Hex Decoder to get the temporary FLAG{...}.

Challenge Steps

  1. Navigate to /home/ubuntu/Code-Cracker
  2. Use strings and a tool like cyberchef.com to extract the hex and translate it into the temporary FLAG{...}
  3. Run /challenge/verify and enter the temporary flag to get your official pwn.college{...} flag!
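As an added example (not part of the CybHer CTF module), the script below does the same two steps without leaving the terminal: it cuts the hex out of strings-style output between the "FLAG starts here:" and "Flag ends" markers, then decodes the hex pairs with plain POSIX awk, so it needs only sed, tr and awk. The strings output is a constructed stand-in, not the real secret.bin, and the hex decodes to a constructed FLAG{constructed}.

```shell
#!/bin/sh
# Added example (not part of the CybHer CTF module): take strings-style output,
# cut out the hex between the two markers, and decode it locally with awk.

# Constructed stand-in for `strings secret.bin`: a few ordinary strings from a
# binary, then the marked hex, which strings may print split over several
# lines.  The hex decodes to FLAG{constructed}.
strings_output() {
    cat <<'EOF'
/lib64/ld-linux-x86-64.so.2
__libc_start_main
Binary file FLAG starts here:
464c41477b
636f6e737472
75637465647d
Flag ends
.text
EOF
}

# Keep only the lines between the markers, drop the marker text itself (this
# works whether the hex sits on the marker line or on the lines after it),
# and strip everything that is not a hex digit.
extract_hex() {
    sed -n '/FLAG starts here:/,/Flag ends/p' |
        sed 's/.*FLAG starts here://; s/Flag ends.*//' |
        tr -cd '0-9a-fA-F'
}

# Decode hex pairs to characters with plain POSIX awk: each pair's value is
# 16 * high digit + low digit, printed with %c.
hex_to_ascii() {
    awk '{
        digits = "0123456789abcdef"
        s = tolower($0)
        for (i = 1; i + 1 <= length(s); i += 2) {
            v = (index(digits, substr(s, i, 1)) - 1) * 16 + index(digits, substr(s, i + 1, 1)) - 1
            printf "%c", v
        }
        printf "\n"
    }'
}

decode_flag() { strings_output | extract_hex | hex_to_ascii; }

echo "hex:  $(strings_output | extract_hex)"
echo "flag: $(decode_flag)"
```

On a machine that has xxd, piping the extracted hex into xxd -r -p gives the same result; the awk decoder is here because the page warns that the tools on the challenge machine are limited.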

Challenge Description

You’re a cybersecurity analyst investigating a server’s activity logs in the server.log file. One user did something sneaky and left a flag behind! Your goal is to analyze the server.log file and find the temporary FLAG{...}. This user broke up the flag into 3 parts all contained within the same server.log file - you'll need all three pieces!

Server log files are automatically generated by a server (a big computer), and keep track of activity and events! Things like users logging in and out, uploading files, user navigation, etc.

In this challenge, you can simply browse through the log file until you find something useful, but it will take quite a while. Don't get fooled by the fake flags! (FLAG{FAKE FLAG}) Try using a tool like grep, and play around with different strings to search for! Maybe find the user who uploaded the real flag and search for their log entries. You will have to do some digging no matter what, but you can narrow down the entries to search through.

Users that have access to this server - users = ['alice', 'charlie', 'diana', 'bob', 'eve', 'frank', 'grace', 'heidi'].

Challenge Steps

  1. Navigate to the /home/ubuntu/Chatty-Server directory
  2. Search through the server.log file until you find the temporary FLAG{...} (three words separated by underscores)
  3. Run /challenge/verify, enter the temporary FLAG{...}, and receive your official pwn.college{...} flag!
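As an added example (not part of the CybHer CTF module), the script below walks the narrowing-down approach the page suggests on a constructed server.log: count activity per user, filter out the FLAG{FAKE FLAG} decoys, find the user whose entries carry the flag parts, then put the three parts back together in order with underscores. The log format (date, time, user, action, details), the user list from this page, and the flag value are constructed for the example; a real server.log will differ, so adjust the field positions and the "part N of 3" pattern to what you actually see.

```shell
#!/bin/sh
# Added example (not part of the CybHer CTF module): narrow a constructed
# server.log down with grep/awk/sed, ignore the decoy flags, and reassemble a
# flag that one user left behind in three parts.

# Constructed log: date, time, user, action, details.  Two FAKE flags are
# decoys; the real flag is in eve's three uploads, and they are out of order.
make_log() {
    cat > "$1" <<'EOF'
2024-03-01 09:12:03 alice LOGIN success
2024-03-01 09:13:10 bob UPLOAD quarterly_report.pdf
2024-03-01 09:13:55 charlie VIEW /dashboard
2024-03-01 09:14:20 diana NOTE FLAG{FAKE FLAG}
2024-03-01 09:15:42 eve UPLOAD piece1.txt part 1 of 3: hidden
2024-03-01 09:16:01 frank LOGOUT
2024-03-01 09:17:30 grace NOTE FLAG{FAKE FLAG}
2024-03-01 09:18:12 eve UPLOAD piece3.txt part 3 of 3: constructed
2024-03-01 09:19:05 heidi LOGIN success
2024-03-01 09:20:44 eve UPLOAD piece2.txt part 2 of 3: inside
2024-03-01 09:21:00 bob LOGOUT
EOF
}

# Who did what, and how often?  Field 3 is the user name.
user_activity() { awk '{ print $3 }' "$1" | sort | uniq -c | sort -rn; }

# All entries for one user: the surrounding spaces keep "eve" from matching
# a longer name or a file name.
entries_for() { grep " $2 " "$1"; }

# Anything that looks like a flag or a flag piece, with the decoys removed.
real_candidates() { grep -E 'FLAG\{|part [0-9]+ of' "$1" | grep -v 'FAKE FLAG'; }

# Which user wrote the "part N of 3" entries?
uploader() { sed -n '/part [0-9]* of 3:/s/^[^ ]* [^ ]* \([^ ]*\) .*/\1/p' "$1" | sort -u; }

# The parts as "N value" lines sorted by N, then joined with underscores
# (the page says the flag is three words separated by underscores).
flag_parts() { sed -n 's/.*part \([0-9]*\) of 3: *\([^ ]*\).*/\1 \2/p' "$1" | sort -n; }
assemble_flag() {
    flag_parts "$1" | awk '{ s = s (NR > 1 ? "_" : "") $2 } END { printf "FLAG{%s}\n", s }'
}

log=$(mktemp)
make_log "$log"
echo "--- activity per user"; user_activity "$log"
echo "--- decoys present: $(grep -c 'FAKE FLAG' "$log")"
echo "--- candidate lines"; real_candidates "$log"
echo "--- uploader of the parts: $(uploader "$log")"
echo "--- eve's entries"; entries_for "$log" eve
echo "--- assembled: $(assemble_flag "$log")"
rm -f "$log"
```

The order matters: the decoys are on NOTE lines from other users, so filtering by the uploading user first (as the page suggests) removes them before you ever look at the flag text, and sorting by part number protects you when the pieces appear out of order in the log.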

Challenge Description

You’re a spy who found a picture of a suspicious dog, suspicious_doggo.jpg, but it’s hiding a secret message! You will need to use the steghide tool to find the flag hidden in this image file.

Step one is to find a passphrase hidden in the secret.txt file. When data is embedded in a file, it sometimes uses a password to protect that hidden data. You will need to search through secret.txt to find the password used to embed data in suspicious_doggo.jpg. (Hint: search for the filename!)

steghide

steghide is a command-line tool used for steganography, which means hiding data within other files. With this tool, you can embed or extract hidden data from a file. For our purposes, you will only need to extract secret data.

If you run steghide --help, you will see all of the different options available. Listed below are the most helpful options for this challenge:

  • --extract: used to extract secret information from a file - saves it to a file
  • -p {passphrase}: lets you enter the password needed to extract the data correctly (the password you found in secret.txt)
  • -sf {suspicious_file}: lets you choose the "stego file", the file with hidden data in it
  • -xf {filepath/filename}: lets you choose where the extracted file is saved to

All together, it will look something like:

steghide --extract -p {password} -sf {suspicious_file} -xf /home/hacker/temp_flag.txt

Important: use -xf to change the output file to /home/hacker/temp_flag.txt. Just trust us, it will make your life easier. This output file contains your temporary FLAG{...}!

Challenge Steps

  1. Navigate to the /home/ubuntu/Secret-Message-in-Photo directory
  2. Find the password in secret.txt
  3. Use steghide and the password you found to extract the hidden data from suspicious_doggo.jpg and save it to /home/hacker/temp_flag.txt
  4. Move back to your home directory (cd), and run cat temp_flag.txt to find your temporary FLAG{...}
  5. Run /challenge/verify, enter your temp flag, and receive your official pwn.college{...} flag!

Challenge Description

You're a digital archaeologist exploring a mysterious image, treasure.jpg, rumored to hide a valuable flag. To keep it safe, this flag has been split into four separate pieces. Your goal is to find these four pieces and reunite them!

The pieces of the flag will look like this: Part 1: ..., Part 2: ..., Part 3: ..., Part 4: .... Keep track of each part as you find it, then put them all together like this: FLAG{part1+part2+part3+part4}. You'll need to use this temporary flag to unlock your official pwn.college flag!

Challenge Steps

  1. Navigate to the /home/ubuntu/Hidden-Treasure-in-Picture directory
  2. Use the tools you've learned so far to find the 4 parts! (steghide, exiftool, binwalk, strings, and grep may come in handy) Note: Make sure to use -xf /home/hacker/extracted.txt when using steghide!
  3. Put the 4 parts together to find your temporary FLAG{...}
  4. Run /challenge/verify, enter your temporary flag, and receive your official pwn.college{...} flag!
