Hydra (Misc)




Not so Ez :P


Just another chall from another CTF. A png (a big one) was given to start with.


So the first hunch was to look for the embedded data. I used foremost to extract the data. Got a png and a GIF. So I started analysing the GIF first. Looked for more embedded files in the GIF. hydra3

With Binwalk I extracted the files indside the GIF. But got nothing. Then I moved to PNG which looked pretty fishy .


Strings had some exif data. So I used exiftool to view the metadata. And Found this rotted string.



But this wasn’t our flag. So I unrotted it (ROT-13) using :

echo "frps{Fj0eqs15u_sy4t_u1qq3a_1a_z3g4}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'



That’s our Flag();

Memory_lane (Forensics)






Our team Dc1ph3R made into the TOP 3 Pwners of this chall. The file took too much time to download (Slooow Internet). Extracting the 7z gave a vmem image. So a forensics chall with a image. That certainly points to Volatility but this time volatility was not able to identify the profile of the image. So I decided to use foremost and dump all the files of the image. And got a whole bunch of files.


Now I checked each and every folder for some Juicy content until I reached to png folder. It had several icons and PNGs including two QR-Codes which were same btw.


. And there it was our flag lying inside a QR-code.





OSINT , Crypto , Web

That’s a lot of categories boy.


It was pretty difficult


DISCLAIMER : This is going to be super LONG…..

This chall looked interesting because of its three different categories. So I completed the three parts one by one.

First Phase: OSINT

The url http://darkboard-01.pwn.beer:5001


a cool one with a password form. So I viewed the source and found the string :

Dark Web Message Board DEVELOPED BY K1tsCr3w Open source at Kits-AB

which was commented out. Open Source gave a hint to github. So I searched in github for the user Kits-AB and got the source for the website. https://github.com/kits-ab/the-dark-message-board. Checking the directories, robots.txt caught my eye. It had an entry /boards/*.Getting to http://darkboard-01.pwn.beer:5001/boards/1 gave us a message board which contained lot of messages. The one which was of importance was :


It was encrypted with something. Getting back to git repo, the tests dir had a test_crypto.py (this file was of super importance). Since it was OSINT the repo had 3 commits. So I looked the commit history which had this fishy commit which was deleted.


So i viewed it and it had a PRIVATE_KEY (which was to be used later) and a description:

 removed the production key, luckily it was encrypted with a password …

…from some file that reminds me of the song 'here i am something like a hurricane'

The song in the description was Rock_You_Like_a_Hurricane , so with this I concluded that somehow rockyou.txt was involved in the chall. And this ends our OSINT phase.

Second Phase: Crypto

Now comes the file test_crypto.py. Understanding the file, the script carries out random generation of private keys on top of a password and a PADDING… (Boy oh Boy that much Security).So this was the script in a nutshell, with this we needed to find a password from rockyou.txt to decrypt the text obtained from /boards/1 . So i modified the test_crypto.py to accomplish this. Here’s my modified decryption function.

with open("rockyou.txt", errors='replace') as f:
    r = f.readlines()
    p_list = [i.strip() for i in r]
for l in p_list:
        private_key =      
                    password=bytes(l, 'utf-8'),
                    backend=default_backend() )
        plaintext = private_key.decrypt(

I looped thorugh all the pwds from rockyou to get a hit and replaced the PRIVATE_KEY with the one given in github deleted commit and waited for the decrypted text to appear. The heavy load nearly crashed my box. The decrypted text was a URL for our next phase.

Bank url:http://bankofsweden-01.pwn.beer

This marked the end for our Crypto Phase.

Third Phase: Web

Now the last and the longest phase. Opening the URL obtained got me nowhere. So the chall desription had this :

You will find a URL. If it says https://XXXXXXXXX/, change it to http://XXXXXXXXX:5000/

So our modified URL changed to http://bankofsweden-01.pwn.beer:5000

It directed us to the BANK website which the chall had in its description. It had a Login and Registration form. I registered with some creds but for some reason the account did’nt seem to activate. So while registering, I captured the request with Burp-Suite. It had an is_active param. Setting it to true did the trick to activate our account.


Logged in:


Exploring the site, it had two features IMPORT and EXPORT. I first used the export feature dark6

When I clicked the export btn It tried to open a file which wasn’t present in the dir. So It was a bit suspicious. So I called my frnd BURP again and captured the req. Param account had LFI. dark7

Hahah I got /etc/passwd. Now the real part came. looking for the flag….. It took some time to find the dir and the flag file. Using /proc/self/environ I looked through the env variables and found this:


This was the last lead which I found and it took me a while to figure out that the webapp was FLASKED…(based on flask). So I looked tried tha app.py inside ctf/

/home/bos/ctf/app.py dark8

and yeaaa….It worked and the flag was right there.


That was the longest chall I ever solved. Hats off to my team mates: nullpxl mrT4ntr4 for helping me with this chall.

Hope u like it. Team Dc1ph3R. We finished off at Rank: 50

The full script to the crypto part: darkcrypto.py