TryHackMe – CTF Collection vol 1
1 – Can you decode the following?
VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ==
echo VEhNe2p1NTdfZDNjMGQzXzdoM19iNDUzfQ== | base64 -d
THM{ju57_d3c0d3_7h3_b453}
2 – Meta meta.
Meta! meta! meta! meta……………………………..
I’m hungry, I need the flag.
Download attachment: findme.jpg
Steghide didn’t find anything with the passphrase meta – good first guess though
Try inspecting file metadata by running: file Findme.jpg
Nothing useful there. Moved on, and started googling image metadata analysis on Linux and the recommendation was to use EXIF…
Installing EXIF and using it on findme.jpg reveals…
THM{3x1f_0r_3x17}
3 – Mon, are we going to be okay?
Something is hiding. That’s all you need to know.
It is sad. Feed me the flag.
Download attachment: extinction.jpg
First instinct is steghide and feed it the old flag as the passphrase. This didn’t work but using EXIF on the image reveals something is not right:
Tried poking around on a few things but didn’t get anywhere. Decided to google “exif corrupt data” and found this thread recommending use of exiftool: https://askubuntu.com/questions/1075308/corrupt-data-reported-by-exif
Running it did reveal more:
After messing around for a while poking around, I looked at the hint and it revealed we did need to use steghide…..so my initial suspicion was correct but it did not want to actually be fed the flag as a passphrase. After trying various passphrases (sad, the flag, flag, theflag, etc..) I finally just hit enter and provided no passphrase and, of course, that worked.
4 – Erm…Magick
Huh, where is the flag?
Did you find the flag?
Well this one worked out very quickly for me. When copying the question to paste here it grabbed the whole line and revealed “hidden” text in white font color:
THM{wh173_fl46}
Alternatively, inspecting page element would reveal the same:
5 – QRrrrr
Such technology is quite reliable
More flag please!
Download attachment: QR.jpg
THM{qr_m4k3_l1f3_345y}
6 – Reverse it or read it?
Both works, it’s all up to you.
Found the flag?
Download attachment: hello.hello
cat hello.hello
THM{345y_f1nd_345y_60}
7 – Another decoding stuff
Can you decode it?
3agrSy1CewF9v8ukcSkPSYm3oKUoByUpKG4L
Oh, Oh, Did you get it?
Tried base64 decode
Tried base32 decode
Tried some ROT ciphers
Tried Caesar cipher
Googled the string and first result was base58 decode
Found a tool, copy/pasted, and:
THM{17_h45_l3553r_l3773r5}
8 – Left or Right
Left, right, left, right… Rot 13 is too mainstream. Solve this
MAF{atbe_max_vtxltk}
Reading into the prompt, it sounds like it will be a ROT cipher but not standard.
Left, right, left, right – makes me think it will be alternating rotation directions
We don’t know the ROT interval, but we do know how the flag string should begin:
THM{
Plotting this out quickly in Excel we can see it’s ROT20 but not alternating directions
Complete for the rest of the letters:
THM{HAIL_THE_CAESAR}
9 – Make a comment
No downloadable file, no ciphered or encoded text. Huh …….
I’m hungry now… I need the flag
Inspect element and find a comment with the flag:
THM{4lw4y5_ch3ck_7h3_c0m3mn7}
10 – Can you fix it?
I accidentally messed up with this PNG file. Can you help me fix it? Thanks, ^^
What is the content?
Download attachment: spoil.png
Look up png magic number on Wikipedia:
hexedit spoil.png
The first 4 values were wrong, so I edited them and saved the file
THM{y35_w3_c4n}
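The repair done above in hexedit, as an added Python example (not part of the original writeup): it restores the 8-byte PNG signature only after confirming that the IHDR chunk following it is intact. The sample image and the four wrong bytes used with it are constructed for illustration, and the function names are hypothetical.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")


def chunk(kind: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(kind + body)
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def looks_like_png_body(data: bytes) -> bool:
    """True when the bytes after the 8-byte signature are a valid IHDR chunk."""
    if len(data) < 33:
        return False
    length, kind = struct.unpack(">I4s", data[8:16])
    if length != 13 or kind != b"IHDR":
        return False
    (stored_crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(data[12:29]) == stored_crc


def repair_signature(data: bytes) -> bytes:
    """Restore the magic number only if the rest of the file is evidently PNG."""
    if data[:8] == PNG_SIGNATURE:
        return data
    if not looks_like_png_body(data):
        raise ValueError("not a PNG with a damaged signature")
    return PNG_SIGNATURE + data[8:]


def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG standing in for spoil.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


if __name__ == "__main__":
    good = sample_png()
    spoiled = bytes.fromhex("2333445f") + good[4:]  # constructed wrong bytes
    print(repair_signature(spoiled) == good)
```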
11 – Read it
Some hidden flag inside Tryhackme social account.
Did you found the hidden flag?
After some googling of the username who created the room “DesKel” you find this post:
THM{50c14l_4cc0un7_15_p4r7_0f_051n7}
12 – Spin my head
What is this?
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.------------.+++++.>+++++++++++++++++++++++.<<++++++++++++++++++.>>-------------------.---------.++++++++++++++.++++++++++++.<++++++++++++++++++.+++++++++.<+++.+.>----.>++++.
Can you decode it?
Splitting the string at each period shows 15 lines:
This lines up with the fact that the flag is 15 characters long:
After researching quite a bit online and trying some things out I was still stumped. My theory was that line one contained initial information about how to process (up until the ] ) and then the first character began half way through that line. Later revelations led me to believe that was correct but not something a human would understand how to decode.
Gave up and looked at the hint: binaryfuck
Googling this reveals Brainf**k is a minimalist programmation language that takes its name from two words that refer to a kind of cerebral masturbation.
Copy/pasting in didn’t reveal anything but then I noticed a different example put spaces before and after [ and ] respectively as well as after every period
This seems to line up with the first line in the screenshot below revealing how it should be processed and then each of the 15 characters follows ending in a period
Decoded result is: THM{0h_my_h34d}
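The challenge string is a Brainfuck program: the bracketed loop seeds four cells with 10, 30, 70 and 100, and each later run of + or - moves a cell to the next character code before . prints it. A minimal interpreter run on that string, added here as an example (not part of the original writeup); run_brainfuck and CHALLENGE are names chosen for the illustration.

```python
def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Run a Brainfuck program that takes no input and return what it prints."""
    code = [c for c in program if c in "+-<>[]."]  # other characters are comments
    jumps, stack = {}, []
    for pos, op in enumerate(code):  # pair up brackets once, before running
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError("unmatched ]")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError("unmatched [")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        op = code[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif (op == "[" and tape[ptr] == 0) or (op == "]" and tape[ptr] != 0):
            pc = jumps[pc]  # skip the loop body or jump back to its start
        pc += 1
    raise RuntimeError("step limit reached; program may not terminate")


# Challenge 12 string, split so each piece shows the characters it prints.
CHALLENGE = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]"  # cells 1..4 = 10, 30, 70, 100
    ">>>++++++++++++++.------------.+++++."       # T H M
    ">+++++++++++++++++++++++."                   # {
    "<<++++++++++++++++++."                       # 0
    ">>-------------------.---------."            # h _
    "++++++++++++++.++++++++++++."                # m y
    "<++++++++++++++++++.+++++++++."              # _ h
    "<+++.+.>----.>++++."                         # 3 4 d }
)

if __name__ == "__main__":
    print(run_brainfuck(CHALLENGE))
```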
13 – An exclusive!
Exclusive strings for everyone!
S1: 44585d6b2368737c65252166234f20626d
S2: 1010101010101010101010101010101010
Did you crack it? Feed me now!
Started to think that the 17 1’s lined up with the 17 characters in the answer but didn’t know where to go from there.
Hint was: S1 XOR S2
cat > flag13.py
vim flag13.py
python3 flag13.py
THM{3xclu51v3_0r}
Need to spend more time on this one…I needed to reference a walkthrough on what to put in the script
14 – Binary walk
Please exfiltrate my file 🙂
Flag! Flag! Flag!
Download file: hell.jpg
Tried steghide with no password
Moved on to stegcracker with rockyou.txt:
While waiting for that, decided to google Binary Walk:
I think I’m going down the wrong path with steganography.
Looks like there is a hello_there.txt file embedded
Not sure how binwalk works so run: binwalk --help
See:
THM{y0u_w4lk_m3_0u7}
15 – Darkness
There is something lurking in the dark.
What does the flag said?
Download: dark.png
Download and install GIMP and then open the image:
Adjust lightness up and it reveals the hidden flag:
THM{7h3r3_15_h0p3_1n_7h3_d4rkn355}
16 – A sounding QR
How good is your listening skill?
P/S: The flag formatted as THM{Listened Flag}, the flag should be in All CAPS
What does the bot said?
Download attachment: QRCTF.png
Scanning QR Code brings you to soundcloud page:
https://soundcloud.com/user-86667759/thm-ctf-vol1
Voice track speaks:
“The flag is s-o-u-n-d-i-n-g-q-r”
THM{soundingqr}
17 – Dig up the past
Sometimes we need a ‘machine’ to dig the past
Targetted website: https://www.embeddedhacker.com/
Targetted time: 2 January 2020
Did you found my past?
Wayback Machine:
Select Jan 02 archive:
THM{ch3ck_th3_h4ckb4ck}
18 – Uncrackable!
Can you solve the following? By the way, I lost the key. Sorry >.<
MYKAHODTQ{RVG_YVGGK_FAL_WXF}
Flag format: TRYHACKME{FLAG IN ALL CAP}
The deciphered text?
Tried looking at ROT ciphers but nothing seemed worthwhile
Put the initial part of the decoded and encoded side by side to compare in Excel:
Pattern appears: -6, +6, ___, -6, +6, ___, -6, +6, ____
The ___ seems to be +11 for most circumstances and then -13 when +11 would cycle past the end of the alphabet
Continuing this pattern:
TRYHACKME{YOU_FOUND_THE_KEY}
After solving this way, I looked at some writeups and discovered this is a Vigenère cipher: https://shafdo.github.io/pages/blog/ctf/ctf_collection_Vol_1/
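The side-by-side comparison used here and in challenge 8 is a known-plaintext attack: subtracting the known flag prefix from the ciphertext gives the key letters, and the shortest repeating unit of that stream is the key. The added example below (not part of the original writeup, function names hypothetical) automates it for both challenges, treating the Caesar shift of challenge 8 as a Vigenère cipher with a one-letter key.

```python
import string

A = string.ascii_uppercase


def key_stream(cipher: str, crib: str) -> str:
    """Key letters implied by a known plaintext prefix (letters only)."""
    c = [ch for ch in cipher.upper() if ch in A]
    p = [ch for ch in crib.upper() if ch in A]
    return "".join(A[(A.index(x) - A.index(y)) % 26] for x, y in zip(c, p))


def shortest_period(stream: str) -> str:
    """Smallest repeating unit that reproduces the recovered key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def decrypt(cipher: str, key: str) -> str:
    """Vigenere decryption; the key advances only on letters, case is kept."""
    out, k = [], 0
    for ch in cipher:
        if ch.upper() in A:
            shift = A.index(key[k % len(key)])
            plain = A[(A.index(ch.upper()) - shift) % 26]
            out.append(plain if ch.isupper() else plain.lower())
            k += 1
        else:
            out.append(ch)  # braces and underscores pass through unchanged
    return "".join(out)


def solve(cipher: str, crib: str) -> tuple[str, str]:
    """Recover the key from the crib, then decrypt the whole ciphertext."""
    key = shortest_period(key_stream(cipher, crib))
    return key, decrypt(cipher, key)


if __name__ == "__main__":
    # Challenge 18: the crib is the stated flag prefix TRYHACKME.
    print(solve("MYKAHODTQ{RVG_YVGGK_FAL_WXF}", "TRYHACKME"))
    # Challenge 8: the crib is the THM prefix every flag in the room shares.
    print(solve("MAF{atbe_max_vtxltk}", "THM"))
```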
19 – Small bases
Decode the following text.
581695969015253365094191591547859387620042736036246486373595515576333693
What is the flag?
Had to look at the hint here:
THM{17_ju57_4n_0rd1n4ry_b4535}
20 – Read the packet
I just hacked my neighbor’s WiFi and try to capture some packet.
He must be up to no good. Help me find it.
Did you captured my neighbor’s flag?
Download: flag.pcapng
Open this file up in wireshark:
Search packet details for string “thm}”
THM{d0_n07_574lk_m3}
Completed 9:17 PM on 10/17/2020