Magnet Virtual Summit 2024 CTF - Cipher

The Magnet Forensics CTF is upon us again and this year it was a little bit different (for me at least). I had the pleasure of helping Jessica Hyde and the Champlain students on the other side of the computer this year. I assisted with answer verification and backend support. While I did miss playing this year, I did get some great experience still. A few people asked if I was still going to do a writeup and, after contemplating for a short while, it was time to dust off the keyboard and get after it.


Here we'll start with the Ciphers, let's go!

VIGorous ENcrypting? Embrace the Riddle's Essence, it's "essential"!

QshprMzepw

Based off the interesting title, and from past experience, I had a feeling it was a Vigenere cipher. With "essential" in quotes, I knew that that was likely the key too. Plugging it into CyberChef we see the answer was MapleTrees.

Figure 1: CyberChef Vigenere decode

Why did the steganography expert wear a 'cloak'? To keep their hidden messages undercover.

We hope you are ‌‍⁢‌⁡‌⁢⁤⁡‌⁡‍‌‍⁣‍⁡⁡⁣⁣⁤⁢⁡⁡‍⁡⁢⁡‌⁡⁡⁡‍⁢⁢⁢⁢⁡‍⁡‍⁡⁢⁤⁡⁤‍‌‍⁢⁤‌⁡‍⁡⁢⁡‌⁢‍⁡⁢⁣‍‌⁤‍‌⁡‌⁢⁢⁢⁣‍having a great day!

Answering question 1 unlocks this one, so I knew that the previous question had to be part of it. Cloak appears to be hinted at here, so I searched for "steganography cloak" and came across StegCloak. It requires a password and a message. I tried out the previous answer "MapleTrees" as the password alongside the question as the message to reveal the answer as Magic_isnt_it.

Figure 2: StegCloak
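The challenge sentence above carries its payload as invisible Unicode characters between "are" and "having". The following added example (not part of the original writeup and not StegCloak's own code) flags runs of Unicode format (category Cf) characters in a string and strips them; the sample text is constructed and only imitates the shape of the carrier.

```python
import unicodedata

def find_invisible_runs(text):
    """Return (start_index, [codepoints]) for each run of format (Cf) characters."""
    runs, current, start = [], [], None
    for i, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf":
            if not current:
                start = i
            current.append(f"U+{ord(ch):04X}")
        elif current:
            runs.append((start, current))
            current = []
    if current:  # run reaching the end of the text
        runs.append((start, current))
    return runs

def strip_invisible(text):
    """Drop every format character, leaving only the visible cover text."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

# Constructed sample: a short invisible run hidden after "are ".
SAMPLE = "We hope you are \u200c\u200d\u2062\u2061\u2064having a great day!"

if __name__ == "__main__":
    for start, codepoints in find_invisible_runs(SAMPLE):
        print(f"offset {start}: {len(codepoints)} hidden chars {codepoints}")
    print(strip_invisible(SAMPLE))
```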

EXIF data is like the memory foam of photography - it always remembers the shot you took!


We are provided a simple image file of a pug.

Figure 3: nicedog.jpg

The hint here is EXIF, so we can dump it into our favorite metadata reader. I found a simple online one that will do. After uploading and viewing what it could extract, one small item stuck out: the serial number of the lens.

Figure 4: Exif.tools EXIF data

I stuck it back into CyberChef and it recognized it as hexadecimal and then Base64. The flag was found_flag.

Figure 5: CyberChef hex > Base64 decode

Surfing sound waves in California searching for hidden messages


We are provided an audio clip so from past experience I knew right away to dump it into Audacity. A common way to hide a message is in the spectrogram. If we flip it over to that view we can see the message pretty clearly was HotelCalifornia.

Figure 6: Spectrogram in Audacity

Have you ever tried reading the alphabet in reverse?

Ru lmob dv xlfow gfim yzxp grnv

My second favorite cipher identifier is Decode.fr. It made quick work of this, figuring out it was Atbash. The answer was If only we could turn back time.

Figure 7: Atbash decoder on Decode.fr

ROTten people hiding their secrets!


We are provided an RTF file that was found inside a 7zip compressed folder. When we open the RTF we don't get much.

Figure 8: Steganography.rtf file

Sometimes they might hide things in the whitespace or in the header or footer, but nothing on this one. My next step was to open it in a hex editor to see if anything else was placed. At the very end of the file we see some interesting ASCII.

Figure 9: RTF opened in HxD

Given the hint in the title, I assumed ROT13 so I dumped it back into CyberChef and ran the brute force to see that ROT9 revealed the answer as Hiding_out.

Figure 10: ROT13 brute force in CyberChef

Why did the bicycle fall over? It was tired of all the ROTation!

rfgq ayl lmr zc rfgq qgknjc

Another ROT13 solve? Back to CyberChef we go to see the answer is this can not be this simple.

Figure 11: ROT13 brute force again in CyberChef

I tried to write a joke about trains, but it didn't gain any traction. It just went off the RAIL

MO OFRSIB ECSNIENI ULSF

CyberChef didn't help on this one nor did Decode.fr right away. Given the hint of RAIL I did a search on Google and came across Rail Fence (Zig-Zag) cipher. We do need to include spaces so after checking the box we see that the answer was MOBILE FORENSICS IS FUN.


Figure 12: Rail Fence cipher in Decode.fr
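The Rail Fence decode above can be reproduced offline. This is an added example, not code from the original writeup or from Decode.fr: it treats spaces as ordinary characters (the checkbox mentioned above) and, since the number of rails is not given, tries every count and keeps those whose output contains a guessed word. The crib "FORENSICS" is an assumption chosen from the CTF's theme.

```python
def rail_pattern(length, rails):
    """Rail index visited by each plaintext position (zig-zag 0..rails-1..0)."""
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(length)]

def rail_fence_decode(ciphertext, rails):
    """Undo a rail fence transposition; every character, spaces included, sits on a rail."""
    pattern = rail_pattern(len(ciphertext), rails)
    # The ciphertext is rail 0 read left to right, then rail 1, and so on.
    # A stable sort of the positions by rail gives the position of each ciphertext char.
    order = sorted(range(len(ciphertext)), key=lambda i: pattern[i])
    plaintext = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, order):
        plaintext[pos] = ch
    return "".join(plaintext)

def find_rails(ciphertext, crib):
    """Try every rail count and return {rails: plaintext} where the crib appears."""
    hits = {}
    for rails in range(2, len(ciphertext)):
        candidate = rail_fence_decode(ciphertext, rails)
        if crib in candidate:
            hits[rails] = candidate
    return hits

if __name__ == "__main__":
    # Ciphertext from the challenge; the crib is a guess, not something the page provides.
    for rails, text in find_rails("MO OFRSIB ECSNIENI ULSF", "FORENSICS").items():
        print(rails, text)
```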

What is your favorite SHAKESPEARE play?

lv bo sj cst ks tl, trel xw tyi ibecxadr

I tried searching for a cipher related to Shakespeare and found a Bacon cipher but I couldn't get it to work properly. Since I knew the previously used Vigenere cipher used a key, I figured SHAKESPEARE was probably a password, so I tried that again and it actually miraculously worked. The answer was to be or not to be, that is the question.

Figure 13: Vigenere decode in CyberChef
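Both Vigenere solves in this writeup (the "essential" key on QshprMzepw and the SHAKESPEARE key here) can be checked with a few lines of Python. This is an added example, not code from the original writeup or from CyberChef; it assumes the common convention that non-letters pass through without consuming a key letter, and `recover_keystream` is a helper introduced here to show how a known plaintext gives the key straight back.

```python
from itertools import cycle

def _shift_letters(text, shifts, sign):
    """Shift each ASCII letter by the next value from shifts; keep case and punctuation."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + sign * next(shifts)) % 26 + base))
        else:
            out.append(ch)  # spaces and commas do not advance the key
    return "".join(out)

def vigenere_decrypt(ciphertext, key):
    """Subtract the repeating key from the ciphertext letters (mod 26)."""
    key_shifts = [ord(k) - ord("a") for k in key.lower() if k.isascii() and k.isalpha()]
    if not key_shifts:
        raise ValueError("key must contain at least one letter")
    return _shift_letters(ciphertext, cycle(key_shifts), -1)

def recover_keystream(ciphertext, known_plaintext):
    """Ciphertext minus plaintext, letter by letter, is the key that was used."""
    pairs = zip((c for c in ciphertext.lower() if c.isalpha()),
                (p for p in known_plaintext.lower() if p.isalpha()))
    return "".join(chr((ord(c) - ord(p)) % 26 + ord("a")) for c, p in pairs)

if __name__ == "__main__":
    print(vigenere_decrypt("QshprMzepw", "essential"))
    print(vigenere_decrypt("lv bo sj cst ks tl, trel xw tyi ibecxadr", "SHAKESPEARE"))
    print(recover_keystream("QshprMzepw", "MapleTrees"))
```

The last call shows why a guessed plaintext is as good as the key: the recovered stream is the key repeated.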

BASH these ROTten criminals

rj vuzcj n mncczza

Based off the question, I had a feeling both Atbash and ROT13 were involved here. I tried both in CyberChef and found the answer was we stole a balloon.

Figure 14: ROT13 > Atbash decode in CyberChef
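The Atbash, ROT and combined ROT plus Atbash challenges in this writeup all fall to one small search, shown here as an added example (not code from the original writeup, CyberChef or Decode.fr). It tries all 26 shifts with and without an Atbash mirror and ranks the 52 candidates against a tiny constructed word list, reporting which shift and mirror setting produced the best candidate.

```python
# Tiny constructed word list used only to rank candidates;
# a real solver would use a proper dictionary.
COMMON = {"a", "i", "we", "be", "if", "to", "is", "it", "in", "of", "on",
          "the", "and", "can", "not", "this", "that", "only", "back", "time"}

def transform(text, shift, mirror):
    """Rotate letters by shift, then optionally apply the Atbash mirror (a<->z)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            x = (ord(ch) - base + shift) % 26
            out.append(chr(base + (25 - x if mirror else x)))
        else:
            out.append(ch)
    return "".join(out)

def score(text):
    """Count whitespace-separated tokens that are common English words."""
    return sum(word in COMMON for word in text.lower().split())

def best_guess(ciphertext):
    """Return (shift, mirror, plaintext) for the highest-scoring candidate."""
    candidates = [(shift, mirror, transform(ciphertext, shift, mirror))
                  for mirror in (False, True) for shift in range(26)]
    return max(candidates, key=lambda c: score(c[2]))

if __name__ == "__main__":
    # Ciphertexts copied from the three challenges in this writeup.
    for ct in ("Ru lmob dv xlfow gfim yzxp grnv",
               "rfgq ayl lmr zc rfgq qgknjc",
               "rj vuzcj n mncczza"):
        shift, mirror, plaintext = best_guess(ct)
        print(f"shift={shift:2d} atbash={mirror!s:5} {plaintext}")
```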

Why did the balloon go to therapy? It needed to OPEN PUFF about its inflated emotions!


After answering the "Surfing Sound Waves" question this one unlocks. We are provided a bitmap image featuring a pufferfish.

Figure 15: puffr.bmp

I did a search for OPEN PUFF and came across some software of the same name. Running the software it looks to require a file and then some passwords to unhide.

Figure 16: OpenPuff

Since this question was unlocked I used the previous answer of HotelCalifornia as the (A) password here. Since the password was too short I unchecked (B) and (C) and hit unhide and it worked like a charm. The exported file is a text file containing some text; if you're familiar with it you would know it's Base64.

Figure 17: carry.txt output

Back to CyberChef shows the answer as https://www.youtube.com/watch?v=dQw4w9WgXcQ.

Figure 18: Base64 decode in CyberChef

The link continues to our favorite meme song.

Figure 19: Rick Roll'd

Giovan Battista Bellaso probably LOVED pigs


I had seen this cipher in passing before so a quick image search showed it was a Pigpen cipher. Back to Decode.fr to input the characters.

Figure 20: Pigpen cipher in Decode.fr

Nothing was in plain text or readable so we have at least another step to go. Loved was capitalized so back to Vigenere to see if that works and lo and behold it did. The flag was PIGSARETRULYAMAZINGANIMALS.

Figure 21: Vigenere decode in CyberChef

And that marks the end of this cipher section of the Magnet Virtual Summit 2024 CTF.