TryHackMe - c4ptur3-th3-fl4g - Write Up

Link to the THM room

Task 1

Task 1.1

» c4n y0u c4p7u23 7h3 f149?

Simple leet speak: letters are replaced with similar-looking numbers.

0 = o
1 = i / l
3 = e
4 = a
5 = s
6 = b
7 = t
9 = g
2 = ? - no clue

Task 1.2

» 01101100 01100101 [...]

Looks like binary. Used Cyberchef and its ‘From Binary’ function to extract the answer.


Task 1.3

» MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM======

Had no clue. Tried my way through the Cyberchef ‘Data format’ section until I found something with a lot of equal signs at the end. In this case it is base32.


Task 1.4

» RWFjaCBCYXNlNjQgZGlnaXQgcmVwcmVzZW50cyBleGFjdGx5IDYgYml0cyBvZiBkYXRhLg==

I’ve read the day before that base64 has 0-3 equal signs at the end so I tried it and got lucky.


Task 1.5

» 68 65 78 61 64 65 63 69 6d 61 6c 20 6f 72 20 62 61 73 65 31 36 3f

Format and used characters look like hex. Used Cyberchef yet again and was successful.


Task 1.6

» Ebgngr zr 13 cynprf!

Again, no clue. Was lucky again. THM tends to hide tips in the answer. Looked for 13 in Cyberchef and found ROT13, which replaces a letter with the 13th letter after it in the Latin alphabet. Cyberchef will do the trick.

Not really secure, but according to Wikipedia it is used for spoilers or sensitive information in forums or mailing lists.


Task 1.7

» *@F DA:? >6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX

Had to look it up. ROT47 is the same as ROT13, but it includes numbers and special characters. Again, Cyberchef will do the trick.


Task 1.8

» - . .-.. . -.-. --- […]

That one is easy again: simple Morse code. Cyberchef will do the trick. (Copy/Paste the last phrase at this point.)


Task 1.9

» 85 110 112 97 99 107 32 116 104 105 115 32 66 67 68

Wild guess was correct: ASCII, since in decimal most lowercase characters are in the 90-120 range.

Decoded via Cyberchef and reference can be found on Wikipedia in the ‘printable characters’ section.


Task 1.10

» LS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0g [...]

Well, I brute-forced my way through Cyberchef as I had no clue again. base64 decoded looked like Morse code, decoded Morse code looked like binary, binary decoded looked like… ROT47 (guess, but assumed as we had it in a previous task), decoded ROT47 looked like decimal numbers, and ‘From Decimal’ gave us the answer. Cyberchef will do the trick yet again - even though it requires some more steps.


Task 2

Task 2.1

» Audio file

Well, I had to ask a friend as I have no clue about audio editing.

He recommended Audacity to me.

The name of the task, Spectrograms, is a big hint in itself.


Task 3

Task 3.1

» Picture file

Steganography is a technique for hiding information inside other information, for example text in an image file, as in this task. I just used steghide to extract the information.

$ steghide --extract --stegofile stegosteg.jpg
Enter passphrase:
wrote extracted data to "steganopayload2248.txt".
kuser@pleasejustwork:~/Downloads$ cat steganopayload2248.txt
***********        <<<< secret

Task 4

Task 4.1

» Download and get ‘inside’ the file. What is the first filename & extension?

I’ve learned to take THM literally, so the get 'inside' the file part got me interested.

Well, opening the file normally presents a normal meme. I tried to change the extension to .zip, .rar, .7, and a couple of other archive formats, but no success. I just opened the file with cat and even though it looked bad in the beginning, at the end of the output I found the answer:

$ cat meme.jpg
[...]
��`��ۚ6�+5�ș��.8P/�WF���y�>X5_�m�_�'[SQP▒��f�����p�z�xK�U�u+�kk▒�����c�S~j@6h�\�da����vA}=�F͑+*s&__�^�3d�����e�P��y'���^(�&�
�P�.k��@9Xs�}d��        e����̤�ؤ��Qh=�{@84�:)�<6�x�AդpE������D�Ah�1�`��á�N� ��]RˁԒs�ȉhm�����zlw@��r��▒�
C��#��]ٗ�4*��o��f���}X�r�+*��I��IiZ�.��Á��L)�#�ˑ��,e��&��d�Ƈ�d����i��a�LӘ2$Es��Dn▒Ӛi▒S�i2Mc���y��j�qIEND�B`�"**************"
�\�?���QO��y3�+/���A*
�*********.***      �+�+ ���

There it is!


Task 4.2

» Get inside the archive and inspect the file carefully. Find the hidden text.

Well, not sure what archive they are talking about. cat meme.jpg shows this answer too! Like 1 or 2 lines before the answer of the previous question.

And we are done.


