RESTCON{} CTF Writeup
Hey folks! I am m3ta_c1ph4r a.k.a. Ashutosh Gupta. This is my third writeup on Medium. This is the writeup of the Restcon CTF hosted by ResetHacker. I am playing this CTF with my team, CSFNinjas. So now I am jumping straight to the CTF. The flag format is RESTCON{}. Let's start with the basics.
BASIC:
Basic:1
So this is the cipher text :
}GALF_NOCTSER{NOCTSER
So as you can see, the words are misplaced, so I tried a reverse cipher. This is the link I used to solve this.
https://cryptii.com/pipes/reverse-text
FLAG: RESTCON{RESTCON_FLAG}
Basic:2
This is the cipher we got in this.
UkVTVENPTntSRVNUQ09OXzJORF9CQVNJQ19GTEFHfQ==
So if you have played some CTFs and have some basic knowledge of encoding, you can clearly see that this is Base64. I used this website to decode it: https://gchq.github.io/CyberChef/
Flag : RESTCON{RESTCON_2ND_BASIC_FLAG}
Basic:3
In this challenge they have just given us another base, Base 85. I used the CyberChef website to decode this.
;FOM`6VgI(;FOM`6VgHa5u(3T84?E`6:"OA6XN;V5t?>
Flag : RESTCON{RESTCON_ANOTHER_BASIC_FLAG}
Basic:4
This question is quite tricky. In this they have used two encodings.
EN2CIJLSPZ6UYI3UEQSXE7T5GBYH27RFO52CGMDROASHQ4RQOV5XA5SQJY
Base 32 -> ROT 47
Flag : RESTCON{RESTCON_ANOTHER_BASIC_FLAG!}
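The decoding chains from Basic:1, Basic:2 and Basic:4 can also be run as a small script instead of a web tool. This is an added example, not part of the original writeup; the names `run_recipe`, `STEPS`, `rot47` and `base32` are made up for it.

```python
import base64

def rot47(text: str) -> str:
    """Rotate printable ASCII (0x21-0x7e) by 47 places; ROT47 undoes itself."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )

def base32(text: str) -> str:
    # The Basic:4 string carries no '=' padding, which b32decode insists on.
    return base64.b32decode(text + "=" * (-len(text) % 8)).decode("ascii")

# Step names are made up for this example.
STEPS = {
    "reverse": lambda t: t[::-1],
    "base64": lambda t: base64.b64decode(t, validate=True).decode("ascii"),
    "base32": base32,
    "rot47": rot47,
}

def run_recipe(data: str, recipe: list[str]) -> str:
    """Apply the named decoding steps in order, like a CyberChef recipe."""
    for name in recipe:
        data = STEPS[name](data)
    return data

# Ciphertexts copied from the challenges above.
BASIC_1 = "}GALF_NOCTSER{NOCTSER"
BASIC_2 = "UkVTVENPTntSRVNUQ09OXzJORF9CQVNJQ19GTEFHfQ=="
BASIC_4 = "EN2CIJLSPZ6UYI3UEQSXE7T5GBYH27RFO52CGMDROASHQ4RQOV5XA5SQJY"

if __name__ == "__main__":
    print(run_recipe(BASIC_1, ["reverse"]))
    print(run_recipe(BASIC_2, ["base64"]))
    print(run_recipe(BASIC_4, ["base32", "rot47"]))
```

The order of the steps matters for Basic:4: the Base 32 layer has to come off first, because ROT 47 was applied to the plaintext before it was encoded.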
Broken:
In this, when you open the challenge you see one broken icon.
So right click on it and go to inspect element to see if something is hidden. There you see a flag.
Flag: RESTCON{H1DD3N}
Garbage :
In this you have to download a file. Let's see what is in it.
When you open it you will see something weird. So I simply thought to run strings on that file in cmd.
strings file.txt
The strings command is used to see the file content in human-readable form. At the end of it you will see the flag.
Flag: RESTCON{GR3P_7HE_FL4G}
In plane sight:
This is quite difficult. This challenge took time to solve. Let's come to the question.
When you see the challenge it says this:
bum bum, tam tam tam.
Flag is in Leet Speak language
Flag Format : RESTCON{< Leet Converted Flag >}
So if you look at it, it reads as normal plain text. If you google this you will find a song name, but it is not related to this question. So I will go directly to the solution. If you notice “bum bum, tam tam tam.”, the last ‘.’ is a hyperlink if you click on it. It will download one file. When you open it you will see some strange sentences. So to solve this I made a python script.
st = """ah, ah(¡wuh!)
y que griten los que están presentes
hoY va a bailar sin precedentes (wooh)
estoy tan pegao' que no salgo de tu mente (salgo de tu mente)
quieren apagarme y yO no tengo fuente
pa' bailar no existen prueba' (prueba')
este funky si es candela (wooh)
de aquí nadie va pa' fuera (aye)
esto lo bailan en la favela(ooh)
izqUierda, derecha
pa' arriba, pa' abajo
izquierda, derecha
rompiendo (wooh)é a flauta envolvente que mexe com a mente
de quem tá presente
as novinha saliente
fica loucona e se joGa pra gente
aí, eu falei assim pra ela, ó
(aí, eu falei assim pra ela)
vai, vai com O bum bum, tam tam
mueve ese bum bum, tam tam
mueve ese bum bum, tam tam tam
mueve ese bum bum, tam tam
mueve ese bum bum, Tam tam Tam
mueve ese bum bum, ese bum bum
ese bum bum bum bum bum bum bum bum bum
(bum bum bum bum bum bum bum bum)don
back it up me man cock it and rev it (and rev it)
and not just any man can get it (can get it)
mi naH care if you have good credit
you betta can handle the ting whEn mi send it (wooh)
man a drop off (wooh), mama pop off (wooh)
gyal walk off (wooh), 'til it bruk off (wooh)
don't stop oFf (wooh), 'til it slop off (wooh)
good pussy make the whole dance Lack off
(woooooh)
boy, turn it, see me ting turn up
turn up the ting 'til the ting burn up ('til it burn up)
whine pon the gyal 'til the gyal mash up ('til it mash up)
back up the ting like a dumper truck
Ayo, my ting good (ting good) and my ting shocks (ting shock)
and the ting set (ting set), and it sittin' loud (sit loud)
and the gyal Good (gyal good), but my face bad
'cah me ting ting real, and it can't stop
doné a Flauta envolvente que mexe com a mente
de quem tá pResente
as novinha saliente
fica loucona e se jOga pra gente
aí, eu falei assim pra ela, ó
(aí, eu falei assiM pra ela)vai, vai com o bum bum, tam tam
vem com o bum bum, tam tam tam
vai, mexe o Bum bum, tam tam
vem, desce o bUm bum, tam tam tam
vai, mexe o buM bum, tam tam
vem, desce o bum bum
vai com o bum bum (e aê, fioti?)
rompiendoi know that thing that you like
i know the way that you move
we makin' love the first night, bum bum pac pac bum
yeah, hey, big up my jeweler, big up my .45, big up my ruger
hey, big up the bad bih, call that chimmie like king of the bunda
yeah, i'm a savage, summon 21, summon the cougars
hey, automatic spazzin', jumping in the crowd just like uzi
yeah, black stallion, i'ma go flex and fly out to cuba
yeah, if you got good pussy, let me hear you say hallelujah
yeah
é a flauta envolvente que mexe com a mente
de quem tá presente
as novinha saliente
fica loucona e se joga pra gente
aí, eu falei assim pra ela, ó
(aí, eu falei assim pra ela)vai, treme o bum bum, tam tam tam tam (vem)
tam tam tam tam tam tam tam tam (vai)
tam tam tam Tam tam tam tam tam (vem)
tam tam tam tam tam tam tam tam (vai)
tam tam tam tAm tam tam tam tam (vem)
tam tam tam (tipo vavazinho)(vai, vai com o buM bum, Tam tam)
le toco la flauta y se pone pa' mi
(vai, mexe o bum bum)
yo prendo el Ambiente
yo tengo la malla, déjamela ahí
(vai, mexe o bum bum, tam tam)
y yo la toco así, y yo la toco así
y después de un Momento
ella se olvida de tí (bum bum, tam tam tam tam tam)
se olvida porque solo le hablan de joya, botella y dinero
nosotros le damos lo que a ella le gusta
por eso es que estamos primero
y yo la toco así, y yo la toco así
y después de un momento
ella se olvida de tí"""
for i in st:
    # keep only the uppercase ASCII letters 'A'..'Z'
    if ord(i) >= 65 and ord(i) <= 90:
        print(i, end="")
So this script prints those characters which are CAPITAL. Thanks to Neel Adwani for the solution. When you execute this script you will see this output: “YOUGOTTHEFLAGFROMBUMTAMTAM”. In the question you will see that they said “Flag is in Leet Speak language”. So I just googled this and found this on dcode.fr: https://www.dcode.fr/leet-speak-1337 . And when you tap on the encode.
So firstly I tried that leet code but that didn’t work, so I tried the one above. And it worked.
Flag: RESTCON{Y0U6077H3F146Fr0M8UM74M74M}
Weirdo :
So in this, when you download the file you see some weird text like Base 85. No, this is not Base 85. Any more guesses? This is the Malbolge language.
'&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?UZYXWVUTMRQPIm0/.-,+*)('&%$#"!~}|{927654321*/(Lmlkjihgfedcba`_^]\rwvutsrqjong-ed*KJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[wvutsrqpoQgfe+LKaf_dcba`_X|?UZYXWVOs6LQJONGk.-,+*)E'=BA@?>=<5Yzy76/43,10/(Lmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876LQPONGLKDCHG@d'CBA:^!~}|{z8765u-210/(Lmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876LQPONGLKDCHG@dDCBA@?!7[|{927654321*N.n,+*)('~Dedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210LK-IHGFEDCBA:^>=<54X87w5.32+*Nonmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:98TSRQ3IHGLEJIBf)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRnPlkdibgfedc\"!_AWVUy<;:9876543210/.-,+*)('&%A#?>=<5:9810TA
I used an online interpreter to compile that: http://malbolge.doleczek.pl/
Flag: RESTCON{Malb0lg3_is_cool}
Now let's come to the Crypto challenges.
Argon:
So in this we got some hash.
$argon2id$v=19$m=64,t=16,p=8$Q3liZXJLbmlnaHQwMA$3ZodOqWeWZ0a41c3HQrLY4nawron7LNWajWIyztZkds
So I tried to google Argon, and after some Google dorking I found that the salt is stored in p, and p has Base64 encoding after the $.
And then after decoding this “Q3liZXJLbmlnaHQwMA$3ZodOqWeWZ0a41c3HQrLY4nawron7LNWajWIyztZkds” I got “CyberKnight00” as a name. So I googled this and found a tool for decoding Argon in the GitHub directory of CyberKnight00:
“https://github.com/CyberKnight00/Argon2_Cracker”
So I downloaded it and installed it as the Readme.md told me, and then used the rockyou.txt wordlist for bruteforcing.
python3 crack_argon2.py -c '$argon2id$v=19$m=64,t=16,p=8$Q3liZXJLbmlnaHQwMA$3ZodOqWeWZ0a41c3HQrLY4nawron7LNWajWIyztZkds' -w /usr/share/wordlists/rockyou.txt
And I got the decoded text “godlovesme”.
Flag: RESTCON{godlovesme}
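An Argon2 hash in this encoded form is a `$`-separated record: variant, version, cost parameters (`m` memory in KiB, `t` passes, `p` lanes), then the salt and the digest as Base64 without padding. The script below is an added example, not part of the original writeup or of the Argon2_Cracker tool: it splits the challenge hash into those fields and flags weak settings. The function names and the `MIN_*` policy floor are assumptions chosen for illustration.

```python
import base64

# Assumed policy floor for this example (not from the page); set your own.
MIN_MEMORY_KIB = 19456
MIN_TIME_COST = 2
MIN_SALT_BYTES = 16

def b64_nopad(field: str) -> bytes:
    """The encoded hash drops '=' padding; restore it before decoding."""
    return base64.b64decode(field + "=" * (-len(field) % 4), validate=True)

def parse_argon2(encoded: str) -> dict:
    """Split $variant$v=..$m=..,t=..,p=..$salt$digest into typed fields."""
    parts = encoded.split("$")
    if len(parts) != 6 or parts[0] or not parts[1].startswith("argon2"):
        raise ValueError("not an Argon2 encoded hash")
    if not parts[2].startswith("v="):
        raise ValueError("missing version field")
    params = dict(kv.split("=", 1) for kv in parts[3].split(","))
    return {
        "variant": parts[1],
        "version": int(parts[2][2:]),
        "memory_kib": int(params["m"]),
        "time_cost": int(params["t"]),
        "parallelism": int(params["p"]),
        "salt": b64_nopad(parts[4]),
        "digest": b64_nopad(parts[5]),
    }

def audit(fields: dict) -> list[str]:
    """Return one finding per setting below the assumed policy floor."""
    findings = []
    if fields["memory_kib"] < MIN_MEMORY_KIB:
        findings.append(f"memory {fields['memory_kib']} KiB < {MIN_MEMORY_KIB}")
    if fields["time_cost"] < MIN_TIME_COST:
        findings.append(f"time cost {fields['time_cost']} < {MIN_TIME_COST}")
    if len(fields["salt"]) < MIN_SALT_BYTES:
        findings.append(f"salt {len(fields['salt'])} bytes < {MIN_SALT_BYTES}")
    return findings

# Hash copied from the challenge above.
CHALLENGE_HASH = ("$argon2id$v=19$m=64,t=16,p=8$Q3liZXJLbmlnaHQwMA"
                  "$3ZodOqWeWZ0a41c3HQrLY4nawron7LNWajWIyztZkds")

if __name__ == "__main__":
    fields = parse_argon2(CHALLENGE_HASH)
    print(fields["salt"], audit(fields))
```

The salt is stored in the clear by design, so a readable salt leaks nothing secret by itself; what makes a wordlist run practical here is the 64 KiB memory cost combined with a password that appears in a common wordlist.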
I love symbols :
So this is a tricky question. In this we got symbols and some characters, and my teammate Rohan Sharma solved this challenge. This is the hash we got:
%@$%%#%$$#$f$e_&b_%(#0%%%f$$#!$$%f%$$*#!%#&d
Don’t search this on google. Just see your keyboard and you will get the answer.
Did you get that?
Let's solve this. Look at the upper part of your keyboard, where numbers and symbols are written on the same key.
So he thought to change all those symbols to the numbers associated with them. For this I made a python script. It changes only the symbols, not ‘_’ and the alphabets.
s="%@$%%#%$$#$f$e_&b_%(#0%%%f$$#!$$%f%$$*#!%#&d"
l=len(s)
i=0
# replace each shifted symbol with the digit on the same key
while(i<l):
    if(s[i]=='!'):
        print('1', end="")
    elif(s[i]=='@'):
        print('2', end="")
    elif(s[i]=='#'):
        print('3', end="")
    elif(s[i]=='$'):
        print('4', end="")
    elif(s[i]=='%'):
        print('5', end="")
    elif(s[i]=='^'):
        print('6', end="")
    elif(s[i]=='&'):
        print('7', end="")
    elif(s[i]=='*'):
        print('8', end="")
    elif(s[i]=='('):
        print('9', end="")
    elif(s[i]==')'):
        print('0', end="")
    else:
        print(s[i], end="")
    i=i+1
If you do it manually you might make a mistake. When you execute this you will see some numbers; these are hexadecimal.
52455354434f4e_7b_5930555f4431445f544831537d
So now hexadecimal to text. I used CyberChef for this.
Flag : RESTCON{Y0U_D1D_TH1S}
OSINT Time :-
The Discover :
So the question is :
Hey Agent, We are looking after a person who is the owner and CEO of some hotel group, After doing some OSINT we found that the person had uploaded a picture of some hotel room, your task is to find out who this person is. Goodluck Agent! We have high expectations from you, do not disappoint us!
So do a reverse search, i.e. go to Google image search and upload the photo, and then you will see a hotel name: “The Venetian Macao”.
There you see the owner as “Las Vegas Sands”, but it is not the flag. Then click on that and you see another owner, “Sheldon Adelson”. Are you thinking, is this the right flag? Yes it is.
Flag : RESTCON{Sheldon Adelson}
Are you bored with OSINT? Let's try forensics:
Magic:
In this you will get a QR code. When you scan it you will see the text “RESTCON{29a9df89e2858e5a25c83b6a00352d19}”. So let's see how to decode it. There is a website named CrackStation which is used to crack hashes: https://crackstation.net/
After decoding this you will get the flag.
Flag : RESTCON{mirr0r}
Dance Monkey:
When you open a challenge you see
FIND THE HIDDEN FLAG
And a gif is attached. If you try inspect element and more, nothing will be found. So another thing we can do is download the gif and then try some steganography techniques.
So I downloaded it and ran
exiftool filename
Then there you see some encoded text.
KJCVGVCDJ5HHWU2NJFGDGX2MEFFTGXZUL5GTATSLGNMX2===
So it is Base 32.
Flag : RESTCON{SMIL3_L!K3_4_M0NK3Y}
Bad cat :
In this I got one png file.
As it says the cat has eaten the flag, it means it is hidden somewhere in the file. So for png the most precise tool is zsteg.
https://github.com/zed-0xff/zsteg
zsteg filename
And boom we got the flag.
Flag : RESTCON{1_eaten_Y0ur_Fl4g}