Magnet User Summit CTF 2023
Last updated
Last updated
Just a little bit of background, this was my second ever CTF attended, and it was really, really fulfilling to say the least. I managed to solve almost all the cryptography challenges (under Cipher) and also dabbled a bit in Android Forensics! Also, I'm glad to have achieved top 25%, especially since most of the other participants were seasoned professionals in DFIR :D
Ah, this is a pretty simple challenge, with tools online. "salad" is a cute hint for caesar cipher! This tool has come in handy many times (especially in these challenges) to decrypt the cipher text.
There we go! The flag was easily found :D "It's A-Me, Mario".
Well, "Shift" is a huge hint here, it refers to the shift cipher on the QWERTY keyboard (wonder how people with AZERTY based keyboards will fare here XD) by shifting each individual letter to the left (qwerty right shift). I did it manually during the CTF, but I also found that the dcode.fr tool above did have a keyboard shift cipher tool too.
We can see qwerty shift to the right gets "thisistheflag" as the flag.
Seems like "rotation" is a hint, so I went for the ROT ciphers. But there are several different ROT ciphers, and I had to use the dCode.fr cipher identifier tool, which identified the cipher as:
Hence, going to the ROT-47 Cipher brute force tool, I got "Wht_is_the_password" as the flag.
And now the fun begins! The challenge file can be downloaded here, but the jpg is shown below.
I used a tool called Aperi'Solve which uses tools like zsteg, steghide, outguess, exiftool, binwalk, foremost and strings... basically, tools for steganography analysis. So, input the image through the tool and Zsteg, Steghide, Outguess and the other tools didn't give much information.
I scrolled down to the strings and saw this:
My friend (shoutout to Bowen) did tell me before that Base64 encoding are known to end with "==" at the end, so I just looked for any Base64 decoders online.
And there, the flag was "This_is_not_an_endorsement_of the_movie_Puss_In_Boots_The_Last_Wish".
This is another steganography challenge, and the image file can be downloaded here.
Look at this cutie patootie! Anyway, I used Aperi'Solve for this as well. And the first tool at the top, Zsteg, was the solution! Although admittedly, I did scroll past it at the start :P
And yes, that is the flag. "You have made it mate!!!!!!!!!!!!!!!!!!! GOOD LUCK :)"
Scroll through (if needed) to the end of the code block, and you will see it again, the two equal signs, "==". So I just used the Base64 decoder.
The flag was ""If you only knew the power of the dark side." —(The Empire Strikes Back)"
This was a confusing challenge for me, and I had to use *ahem* ChatGPT to help me figure out how to solve this. I knew that there was some kind of hint going on with "Zer0" and "Width" but I couldn't figure it out (probably because the characters were zero width =.=)
In the end, I used a Zero Width Steganography Solver tool to get the flag.
Pretty cool challenge in my opinion. The flag was "This_!$theFullFLAG"
Another image steganography challenge! Image file can be downloaded here.
Similarly, I used Aperi'Solve for this challenge. Now that I realise, the question did hint at Steghide, a steganography tool.
Simply download the file and viewing message.txt showed this
Flag: "eleven_is_more_than_ten"
This challenge was an audio steganography challenge, and the challenge file can be downloaded here.
There is a free tool called Audacity which I used to solve this challenge. Opening the file in Audacity shows the waveform as shownw below, which didn't give much information. So I toggled to the spectrogram.
And there it was!
The flag was "Popcorn".
This is yet another audio steganography challenge, but I didn't manage to solve it during the CTF. I did eventually get around solving it afterwards though, by getting hints from the community.
The community pointed me towards searching up "whiterose.wav" on Google, and I got to the fandom page.
Scrolling through the page, I saw this:
Which hinted me to use the free software, Deepsound. Inputting the file into Deepsound showed that there was a secret file in it, and I just had to extract that file.
The file was just a text document file with the flag, "WOW! You found another flag! Keep up the great work!".
This was another challenge that I couldn't solve, and I had to approach the Magnet community for help :")
The challenge was a long chunk of gibberish text, ending with, yet again, "==".
This time, I used CyberChef instead, another useful tool for decoding ciphers.
I saw another chunk of encrypted text there ending with "==" but trying to decode it from Base64 was of no help. I tried to run that code on Visual Studio Code, but I was just met with errors.
Seeking help from the community, they prompted me to look closer into the script, which showed me
And there it was! -bxor is the Bitwise XOR (pronounced eks-or, learn more here)
I pasted the *second* encoded Base64 text and also added XOR to the recipe like this:
And there the flag is! "You_Found_The_C2". *Sweats* That was difficult. But we are done with the cipher challenges :D
Before attempting the challenges, the Logical Data files can be downloaded here.
I used a free trial of Magnet AXIOM during the CTF, but I will be using another useful tool, ALEAPP for this. You can view the README.md file for the instructions to download ALEAPP.
What username was used for Twitter?
Filtering into the Accounts_ce report of the processed data easily showed the twitter handle of the account.
Flag: LTina1900
What was the default browser used on this device?
During the CTF, I just made a guess on this question and got the flag, but you still can look for the answer from the processed data.
(Will add in the screencap soon)
Flag: Chrome
What is the IMSI of ths device?
Again, ALEAPP has a function for gatherin device information:
report home > device details
Flag: 272023204347291
What version of android was on the system?
From the device details (View image from Challenge 3), the Android version can be seen in the first line.
Flag: 12
What is the bluetooth mac address of this device?
As with the previous challenge, the MAC address can be found in the device details, under Bluetooth address.
Flag: 58:CB:52:4E:67:55
What is the build version of this device?
Yet again, it can be found in the device details of the ALEAPP processed data.
Flag: 8177914
This article will continue to be updated :D come back another time!
