Picoctf2022 Forensics Writeups

P4ul Jeremi4h
4 min readApr 3, 2022

Hello Friends , Lets Have a look at some forensics Challenges #5 from picoctf2022

1.File Types

PicoCTF@pj>> file flag.pdf 
flag.pdf: shell archive text

Middle of the file contains uudecode command , that means code is uuencoded

  • To decode the file,we just have to use uudecode tool
To install : $yay -S sharutils

btw i use manjaro so yay package manager , same sharutils in apt (debian)

Whole Script to Get the flag :

#yay -S sharutils cpio bzip2 lzip lzop lz4 xz xxd-standalone --noconfirm#!/bin/bash
uudecode flag.pdf
mv flag fromdecode
7z x fromdecode
mv flag flagfrom7z.cpio
cpio -idv < flagfrom7z.cpio
mv flag flagfromcpio.bz
bunzip2 flagfromcpio.bz
mv flagfromcpio flagfromcpio.gz
gunzip flagfromcpio.gz
mv flagfromcpio flagfromgunandbun.lz
lzip -d flagfromgunandbun.lz
mv flagfromgunandbun flagoflziptolz4.lz4
lz4 -d flagoflziptolz4.lz4
mv flagoflziptolz4 flag-fromlz4.lzma
lzma -d flag-fromlz4.lzma
mv flag-fromlz4 flag-from-lzma.lzop
lzop -d flag-from-lzma.lzop
mv flag-from-lzma flag-from-lzop
lzip -d flag-from-lzop
mv flag-from-lzop.out flag-from-lzop.xz
xz -d flag-from-lzop.xz
mv flag-from-lzop final-flag.txt
cat final-flag.txt |xxd -r -p|tee flag.txt

| code might confusing

  1. after uudecode , do
  2. unzip or 7z
  3. Lot of archives.. !
  4. Do file command , note down the archive type
  5. install Corresponding tool to decompress
  6. repeat uh
Repeat the steps until its .txt file


[p4ul@j0ker eaves-drop]$ file capture.flag\(1\).pcap capture.flag(1).pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

1. Here I’m Using TCPFLOW tool

You can also do the same thing in wireshark btw

[p4ul@j0ker TEMP]$ ls 
[p4ul@j0ker TEMP]$ file capture.flag.pcap
capture.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
[p4ul@j0ker TEMP]$ tcpflow -r capture.flag.pcap
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
[p4ul@j0ker TEMP]$ ls capture.flag.pcap report.xml
  • Use the file Command to Know which it is
[p4ul@j0ker TEMP]$ file * ASCII text ASCII text, with CRLF line terminators openssl enc'd data with salted password ASCII text ASCII text, with CRLF line terminators data
capture.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
report.xml: XML 1.0 document, ASCII text, with very long lines (667)

Here , We can see there is lot of text file and one openssl enc data file lets decode!

mv opensslfile.asc
  • one specific file contains some juicy data to retrieve flag
flag : picoCTF{nc_73115_411_91361db5}

3. Packet Primer

flag : picoCTF{p4ck37_5h4rk_2edd7e58}

1.String command is enough

[p4ul@j0ker packet_primer]$ file network-dump.flag.pcapnetwork-dump.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)[p4ul@j0ker packet_primer]$ strings network-dump.flag.pcap |grep p|head -1|sed  "s/ //g"picoCTF{p4ck37_5h4rk_2edd7e58}

2. Same Thing Using Scapy for fun

  • Just type scapy to Get Scapy prompt .

(make sure that you have already installed scapy)

>> pkt=rdpcap("network-dump.flag.pcap")

rdpcap() can be used to take the pcap file into a pkt object

Just Take our flag out of it
>>> pkt[3][Raw]
<Raw load='p i c o C T F { p 4 c k 3 7 _ 5 h 4 r k _ 2 e d d 7 e 5 8 }\n' |>

>>> pkt[3][Raw].load.decode().replace(" ","")

4. Enhance

Another easy chall

[p4ul@j0ker enhance]$ file drawing.flag.svgdrawing.flag.svg: SVG Scalable Vector Graphics image[p4ul@j0ker enhance]$ strings drawing.flag.svg |tail

id="tspan3764">F { 3 n h 4 n </tspan><tspan
id="tspan3752">c 3 d _ 6 a e 4 2 b b a }</tspan></text>
  • well flag , lets make one liner to get the flag
[p4ul@j0ker enhance]$ cat solve.sh cat drawing.flag.svg|grep id|cut -d ">" -f2|cut -d "<" -f1|grep -v st|tail|tr '\n' ' '|cut -d '"' -f3|sed "s/ //g"|tee flag.txt[p4ul@j0ker enhance]$ cat flag.txt picoCTF{3nh4nc3d_6ae42bba}
Meanwhile , How image looks like ,


[p4ul@j0ker st3go]$ file pico.flag.png 
pico.flag.png: PNG image data, 585 x 172, 8-bit/color RGBA, non-interlaced
[p4ul@j0ker st3go]$ zsteg pico.flag.png |head -1b1,rgb,lsb,xy .. text: "picoCTF{7h3r3_15_n0_5p00n_4706df81}$t3g0"

Note : The given file is PNG , then why not zsteg ?


“OK “

Thanks for Reading .