The team at Huntress pulled off an amazing CTF that ran through the month of October with new challenges released daily. In this series, I’ll be providing my solutions to the challenges. WARNING Will Robinson, spoilers ahead! Use the tag #HuntressCTF to see all related posts.

Technical Support

There wasn’t really a solve to this one, but I’m including here for consistency. If you head to the Discord server for the event and went to the support channel, the flag was provided.

String Cheese

Taking this literally - we’ll run STRINGS on cheese:

If we scroll down through the output…

Notepad

Right click on the notepad file, open with VS Code or text editor of choice.

CaesarMirror

When you examined the text file you got

I copied the text over to CyberChef and started running some recipes on it. I found an algorithm that would work on it, well, one half at a time.

I took the original file and edited it into 2 versions, caesar_left.text and caesar_right.txt. I converted each side of the file, screenshotted the output, and then aligned them next to each other to read the complete output.

Book By Its Cover

Use the FILE command to get the properties of book.rar.

Hmm. A png file. Let’s open that with an image viewer.

BaseFFFF+1

Examining the file contents yielded…

Back to CyberChef. There’s Base64 and Base85 but neither of those work. Looking closer at the title…. BaseFFFF+1… FFFF is the Hexadecimal for 65535. Add one and you have 65536. I googled Base65536, and while it’s not in CyberChef it does exist.

Read the Rules

Head over to the Rules page. While you’re there, be sure to read up on what tools are not allowed. CTFs are usually not the situation where you bring a tank to a knife fight. Once you’ve read everything, visible, three or four times if you’re me, right, click on the webpage and choose view source.

Query Code

Once again the FILE command gives us our first clue.

It’s a png image so open with an image viewer and you have a QR code. Scan that with a QR reader and…

Dialtone

The provided wav file is a recording of different telephone buttons being pushed. The first thing to do is identify what buttons/numbers are being pushed. Using the site DialABC I uploaded the wav file and then transcribed the DTMF Tone outputs.

13040004482820197714705083053746380382743933853520408575731743622366387462228661894777288573. That is on heck of a phone number!

A hint on Discord led me to the next step. It referenced that this was a BigInteger value. After several trips with Alice down various rabbit holes I found a PowerShell syntax to convert BigInt to strings.

Hmm. Looks closer to what an encoded flag might look like, but still not there yet. Back over to CyberChef and sprinkle a little Magic dust… and we see that the next and last decoding step is to From_Hex.

Layered Security

The file command indicates that it’s a GIMP image file. I recall that GIMP is an open-source application that’s comparable to Adobe Photoshop. I’d used it previously but not in a long time. I also can’t help but think of Pulp Fiction and “Bring out the Gimp.”

After a morbid chuckle and a quick installation, I launch GIMP and open the file. In the bottom right we see there are a number of faces that are part of this picture.

As we peel down the layers we find the flag in one of the images.

Comprezz

We’ve been pretty successful starting with the file command, so let’s start there.

As the challenge suggests, no I have not heard of this file type. A quick google for compress’d data 16 bits takes me to several posts on how to uncompress theses files. After a brief trial and error (it may have taken me 2 times), I cat’d the file and then piped it to uncompress.

That’s it for the challenges in the Warm Up category. There were also challenges in Forensics , Malware and Miscellaneous.

Use the tag #HuntressCTF to see all related posts. Now that October is over, I’ll be releasing as many of these as I can.