Happy CyberSecurity Awareness Month!
I wasn’t able to partake in Huntress’ CTF event last year, but I’m pretty committed to trying it out this year. I have pretty busy work days but I’ll do my best to document each day I work on this. In saying that, there’s no guarantee that I’ll be completing every single challenge. This is just me pretexting why this series of posts will stop after a few days when I get too confused to continue (That’s a joke, I hope).
👶 Cover All Your Bases
The prompt we get given for today’s challenge is as follows:
Can you make sense of all the different data below? Each one has a different representation!
Uncover the appropriate plaintext and submit the flags below! Do you know what all these ones and zeros mean?
Let’s take a look at the first question!
Question One
01000111 01110010 01100101 01100001 01110100 00100000 01110111 01101111 01110010 01101011 00100001
00100000 01010100 01101000 01100001 01110100 00100000 01110111 01100001 01110011 00100000 01000010
01100001 01110011 01100101 00100000 00110010 00101100 00100000 01100010 01100101 01110100 01110100
01100101 01110010 00100000 01101011 01101110 01101111 01110111 01101110 00100000 01100001 01110011
00100000 01100010 01101001 01101110 01100001 01110010 01111001 00101110 00100000 01001001 01110100
00100000 01101111 01101110 01101100 01111001 00100000 01110101 01110011 01100101 01110011 00100000
01110100 01110111 01101111 00100000 01110011 01111001 01101101 01100010 01101111 01101100 01110011
00111010 00100000 00110000 00100000 01100001 01101110 01100100 00100000 00110001 00101100 00100000
01110111 01101000 01101001 01100011 01101000 00100000 01101101 01100001 01101011 01100101 01110011
00100000 01101001 01110100 00100000 01100101 01100001 01110011 01111001 00100000 01110100 01101111
00100000 01110011 01110000 01101111 01110100 00101110 00100000 01000001 01101110 01111001 01110111
01100001 01111001 00101100 00100000 01101000 01100101 01110010 01100101 00100111 01110011 00100000
01111001 01101111 01110101 01110010 00100000 01100110 01101100 01100001 01100111 00111010 00100000
01100110 01101100 01100001 01100111 01111011 00110110 00110111 00111000 01100001 01100011 00110100
00110101 00110100 00111000 00110111 01100011 00111001 00111000 00110110 00110010 01100001 00110110
01100011 00110010 01100011 00110000 00110000 01100001 00110001 01100001 01100110 01100110 01100101
01100100 00111001 01100100 01100011 01111101
This is clearly binary (or Base 2, as we’ll be told very soon). We can use tools like CyberChef to decode this into a human-readable format.
We just need to paste the above binary into the Input field in CyberChef, then add the ‘From Binary’ operation to the ‘Recipe’. See the below screenshot for an example:
There’s our first flag. One down, nine to go!
Question Two
Hmmm, a group of triplets, it looks like. Can you find out what they are trying to say?
116 151 143 145 154 171 040 144 157 156 145 041 040 124 150 141 164 040 167 141 163 040 102 141 163
145 040 070 054 040 157 162 040 157 143 164 141 154 056 040 111 164 040 165 163 145 163 040 144 151
147 151 164 163 040 060 055 067 054 040 141 156 144 040 157 146 164 145 156 040 163 150 157 167 163
040 165 160 040 151 156 040 146 151 154 145 040 160 145 162 155 151 163 163 151 157 156 163 040 157
156 040 114 151 156 165 170 056 040 123 160 157 164 040 151 164 040 167 150 145 156 040 156 165 155
142 145 162 163 040 150 141 166 145 040 154 145 141 144 151 156 147 040 060 163 056 040 110 145 162
145 047 163 040 171 157 165 162 040 146 154 141 147 072 040 146 154 141 147 173 146 145 065 070 060
145 060 065 145 065 062 067 146 062 060 064 062 061 062 071 060 066 060 065 070 060 071 143 141 145
143 071 175
I was a little confused by this, but after putting the text input through CyberChef I saw that we have ‘From Octal’ as an option. The output that we get after decoding is:
Nicely done! That was Base8, or octal. It uses digits 0-7, and often shows up in file permissions on Linux. Spot it when numbers have leading 0s. Here's your flag: flag{*************************}
Nice little note there that a giveaway for Base8 is that it will often have leading 0s. This was also the moment where I realized, thanks to the note in the decoded text, that Linux permissions use Base8. chmod 777 ./{filename} is a command I’ve used a few times, so I should’ve noticed this (if I actually knew what the numbers meant; I do now, though!).
Question Three
These numbers look familiar… but how could they be represented as text?
089 111 117 032 099 114 097 099 107 101 100 032 105 116 033 032 084 104 097 116 032 119 097 115 032
066 097 115 101 032 049 048 044 032 111 117 114 032 101 118 101 114 121 100 097 121 032 100 101 099
105 109 097 108 032 115 121 115 116 101 109 046 032 073 116 032 114 117 110 115 032 102 114 111 109
032 048 045 057 032 097 110 100 032 108 111 111 107 115 032 108 105 107 101 032 110 111 114 109 097
108 032 110 117 109 098 101 114 115 046 032 069 097 115 121 032 116 111 032 105 100 101 110 116 105
102 121 033 032 089 111 117 114 032 102 108 097 103 058 032 102 108 097 103 123 055 100 049 101 098
050 101 048 055 055 054 099 100 055 099 053 099 055 056 100 102 048 049 048 049 048 102 051 048 101
053 048 125
Initially I thought that this was just Base8 again, but that doesn’t make much sense. If you put the above string through CyberChef you’ll get the below output:
IOLGA@ENDN M6MA$IOLA ALQ@Q@AEMQMNA&;NLOHMBLI%/H@IIGMEGAHILHOALM&MQNIE@AHNEBQIOLBCBCS-@A(A--,@-+-.@BB)A+U
There are some readable characters in there, but they don’t make any sense, so this isn’t Base8. We can even see this by looking at the string itself: the digits go from 0-9, and we learned in the previous question that Base8 only goes from 0-7.
So what’s next on the list? Base10. If we decode this from Base10 we can see the below output:
You cracked it! That was Base10, our everyday decimal system. It runs from 0-9 and looks like normal numbers. Easy to identify! Your flag: flag{**************************}
This took me longer than I thought it would, and I actually completed the next question before this one, but enough of that for now, let’s move on to the next question!
Question Four
These look like pairs! But these have weird letters in them?
41 77 65 73 6f 6d 65 20 6a 6f 62 21 20 54 68 61 74 20 77 61 73 20 42 61 73 65 20 31 36 2c 20 6f 72
20 68 65 78 61 64 65 63 69 6d 61 6c 2e 20 49 74 20 75 73 65 73 20 30 2d 39 20 61 6e 64 20 41 2d 46
2c 20 6f 66 74 65 6e 20 77 69 74 68 20 70 72 65 66 69 78 65 73 20 6c 69 6b 65 20 30 78 2e 20 43 6f
6d 6d 6f 6e 20 69 6e 20 6d 65 6d 6f 72 79 20 64 75 6d 70 73 20 61 6e 64 20 63 6f 6c 6f 72 20 63 6f
64 65 73 2e 20 48 65 72 65 20 69 73 20 79 6f 75 72 20 66 6c 61 67 3a 20 66 6c 61 67 7b 64 33 63 62
32 62 65 33 65 34 65 34 61 38 66 35 31 37 64 39 63 35 63 65 34 33 37 32 62 30 62 37 7d
I know this one! That’s hexadecimal, or Base16. We’re slowly going up the list of bases here, so I have a feeling I’ll know how to solve these next few questions.
I’ve seen Hex code quite often. Once you know what to look for it’s pretty easy to spot. Here’s the output once we ‘From Hex’ it in CyberChef:
Awesome job! That was Base16, or hexadecimal. It uses 0-9 and A-F, often with prefixes like 0x. Common in memory dumps and color codes. Here is your flag: flag{************************}
Another nice bit of information from the team there in that Hex is common in memory dumps and color codes.
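The digit-range reasoning from Questions One to Four, generalized into a small check (an added example, not part of the original post or the CTF): it tries each radix and keeps only those in which every token is a valid number and a printable ASCII code. The function names are hypothetical; the samples are the opening tokens of each question above.

```python
PRINTABLE = range(32, 127)  # ASCII space through '~'

def decode_tokens(text, base):
    """Decode whitespace-separated numbers in `base` to ASCII text.

    Raises ValueError when a token contains a digit the base does not have
    (int() rejects it) or when the value is not a printable ASCII code.
    """
    chars = []
    for token in text.split():
        value = int(token, base)  # int("089", 8) raises: 8 and 9 are not octal digits
        if value not in PRINTABLE:
            raise ValueError(f"{token!r} in base {base} is not printable ASCII")
        chars.append(chr(value))
    return "".join(chars)

def candidate_bases(text, bases=(2, 8, 10, 16)):
    """Return every base in which all tokens decode to printable ASCII."""
    hits = []
    for base in bases:
        try:
            decode_tokens(text, base)
        except ValueError:
            continue
        hits.append(base)
    return hits

# Opening tokens of Questions One to Four, copied from the challenge data above.
Q1 = "01000111 01110010 01100101 01100001 01110100"
Q2 = "116 151 143 145 154 171 040 144 157 156 145 041"
Q3 = "089 111 117 032 099 114 097 099 107 101 100 032 105 116 033"
Q4 = "41 77 65 73 6f 6d 65 20 6a 6f 62 21"

if __name__ == "__main__":
    for sample in (Q1, Q2, Q3, Q4):
        for base in candidate_bases(sample):
            print(base, decode_tokens(sample, base))
```

A short sample can fit several bases at once (the first four hex tokens alone also pass as octal and decimal), so feed the check as much of the data as you have.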
Question Five
Uppercase letters and digits in a long stream…. notice anything about the padding?
I5XW6ZBAO5XXE2ZBEBKGQYLUEB3WC4ZAIJQXGZJAGMZCYIDPMZ2GK3RAOVZWKZBA
NFXCAR3PN5TWYZJAIF2XI2DFNZ2GSY3BORXXEIDLMV4XGLRAJF2CA5LTMVZSAQJN
LIQGC3TEEAZC2NZOEBEWMIDZN52SA43FMUQGY33UOMQG6ZRAOVYHAZLSMNQXGZJA
NRSXI5DFOJZSAYLOMQQGI2LHNF2HGLBAORUGS3TLEBBGC43FGMZC4ICHMV2CA5DI
MF2CAZTMMFTSCIDGNRQWO6ZZMJRDKYTCHBSWCNJQHBRGGZTCMM2TCYTEGVSTCMLF
MZRDEOLDMN6Q====
Nice little note about the padding. It was another thing that jumped out at me right away and let me know that this is Base32 (again, we’re going up in bases).
Like before, here’s the output (edited slightly to remove the flag) that we get:
Good work! That was Base32, often used in Google Authenticator keys. It uses A-Z and 2-7. If you see lots of uppercase letters and digits, think Base32. Get that flag! flag{9bb5bb8ea508bcfbc51bd5e11efb29cc}
Interesting note there about Google Authenticator keys using Base32. I appreciate that the flags all include an interesting little tidbit about common use-cases of the encoding rather than just being the flag by itself.
Question Six
A mixed alphabet with symbols. What is this one supposed to be?
K19X CSUEWQE24EBWE3/DK848UAIECV44HECN34HECDZC0R61Q57%E CH44M-DSCAB44V3E6$CE4404
EQ34CYA8T8D3D3WE5UD-M8*+APR8IN85LEREDOEDIEC6$CI$5*C9T44LQE.OEOCCJ$DH8FX3EK447$C7
WE4LE1Q5AVCD3DLWE1Q5CECRTC-QEC$D*3EBPEU34SUE*VD%3E.OEKFE*EDIQDA448%EC44Z CV3E6$C
B44TVDCEC4WDI$5Y69O/E944E44PVDV1DE44PVDV3DVICYJCI-C4:6846:/6A46YICJOCGM64ECYJCKA
7YJC2R6J-CZ2
Let’s continue going up the list. The previous flag was encoded in Base32. After a little bit of trial and error I found out that this was Base45 encoded:
Great spotting! That was Base45, used in QR codes for EU Digital COVID Certificates. It uses a mix of letters, digits, and symbols. It looks quirky but decodes cleanly. Have a flag! flag{*********************}
Perfectly done, and we’re over halfway done with these warmups. Let’s take a look at the next one!
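For anyone curious what CyberChef is doing with Base45, here is a decoder following RFC 9285 (an added example, not part of the original post; the function name is hypothetical). Each group of three symbols is a little-endian base-45 number holding two bytes, and a trailing pair holds one byte. Because the space character is part of the alphabet, only line breaks are stripped.

```python
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"

def b45decode(text):
    """Decode Base45 (RFC 9285) text to bytes."""
    # Space is a Base45 symbol, so remove only the line breaks added by wrapping.
    symbols = text.replace("\r", "").replace("\n", "")
    if len(symbols) % 3 == 1:
        raise ValueError("a Base45 string can never have length 1 mod 3")
    try:
        digits = [ALPHABET.index(ch) for ch in symbols]
    except ValueError:
        raise ValueError("symbol outside the Base45 alphabet") from None
    out = bytearray()
    for i in range(0, len(digits), 3):
        chunk = digits[i:i + 3]
        # Least significant digit first: c + d*45 + e*45*45
        value = sum(d * 45 ** n for n, d in enumerate(chunk))
        limit, width = (0xFFFF, 2) if len(chunk) == 3 else (0xFF, 1)
        if value > limit:
            raise ValueError("chunk value does not fit its byte width")
        out += value.to_bytes(width, "big")
    return bytes(out)

if __name__ == "__main__":
    # First twelve symbols of the Question Six data above.
    print(b45decode("K19X CSUEWQE"))
```

Stripping all whitespace before decoding, as many paste-and-decode habits do, silently shifts every later triplet and produces garbage.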
Question Seven
Compact and common on the wire… does the ending give you a clue?
V2VsbCBkb25lISBUaGF0IHdhcyBCYXNlIDY0LCBzdXBlciBjb21tb24gZm9yIGVuY29kaW5nIGRh
dGEgaW4gZW1haWwgYW5kIHdlYiB0cmFmZmljLiBMb29rIGZvciBBLVosIGEteiwgMC05LCBwbHVz
ICsgYW5kIC8sIGFuZCBzb21ldGltZXMgdGhlIHBhZGRpbmcgPSBzaWducyBhdCB0aGUgZW5kLiBG
bGFnOiBmbGFne2NkMDE2NGZmNjQ3MjZmMjk3MmIyZDhmMmFjMDExOWRifQ==
… Again.
The padding gave this one away pretty quickly for me. I didn’t even bother with CyberChef on this one; just running echo $encodedstring | base64 -d in my terminal did the trick:
Well done! That was Base64, super common for encoding data in email and web traffic. Look for A-Z, a-z, 0-9, plus + and /, and sometimes the padding = signs at the end. Flag: flag{***********************}
Question Eight
This variant often shows special markers. See anything bracketing the data?
<~:2+3L+EqaECEXg"BOQ!*G@>P86=FqH+?250+EqL5@qZupDf'',+DG^9A8,XfATD@"F<Ga8EbSs"FE9
&W<+ohc6"FnCAM6>j@qfX:2'@'NEbSs"F<G^IF^]*&Gp%0M@<-I2+EqOABHTEd+CT.u+D#G$F!,[@FD)
eG4t[sWBOr;a7RJ:Q3ANE6G%#E*@;^00F`V,8+CQC%Ec5AsATAo%CiF&r@V'X(.!]`R+DkP4+EM+*+Cf
(nEa`I"ATDi7Ch[Zr+FYja?n<FI/0JkO+FP[k+A$/fH#IhG+Co%nDe*F"+Cf>,E,8rsDK?q/@W-C2+DG
_:@;KXg+EMgF@W-((/0K"XBlmiu+EV:.+@9LXAN2OiG%#E*@;^0>+@^0UB0%/ICggt'@5K\q@:_,Q2D[
<IA2uM-1h/C&AN)S+@P_LS2.U<.I/~>
Interesting. I can’t say that I remember seeing any encoding like this before.
But we’re on a streak here. Let’s go up to Base85 and see what this decodes as:
Nice work! That was Base 85, which comes in different variants. The Adobe/Ascii85 variant usually starts with <~ and ends with ~>. The RFC 1924 variant uses a broader alphabet (you may see characters like ~, `, {, or }). If your decoder complains about invalid symbols, switch the Base85 variant. Flag: flag{*****************}
Interesting note that Base85 has different variants, including Ascii85. Either way, there’s our flag. Onto the next one!
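The giveaways from Questions Five, Seven and Eight (uppercase plus 2-7 with = padding, the mixed-case alphabet with up to two = signs, and the <~ ... ~> brackets) can be turned into a quick triage using only Python's standard library. This is an added example, not part of the original post; the function name is hypothetical and the samples in the comments are short prefixes of the data above.

```python
import base64
import re

def triage(blob):
    """Guess Ascii85 / Base32 / Base64 from markers and alphabet, then decode.

    Returns (label, decoded_bytes); raises ValueError when nothing fits.
    """
    text = "".join(blob.split())  # undo line wrapping; none of these use spaces
    # Adobe Ascii85 is the only one of the three with framing markers.
    if text.startswith("<~") and text.endswith("~>"):
        return "ascii85", base64.a85decode(text, adobe=True)
    # Check Base32 before Base64: its alphabet is a subset of Base64's,
    # so an all-uppercase Base64 string can still be misread as Base32.
    if re.fullmatch(r"[A-Z2-7]+=*", text) and len(text) % 8 == 0:
        return "base32", base64.b32decode(text)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text) and len(text) % 4 == 0:
        return "base64", base64.b64decode(text, validate=True)
    raise ValueError("no Base32/Base64/Ascii85 signature matched")

if __name__ == "__main__":
    print(triage("I5XW6ZBAO5XXE2ZB"))   # start of the Question Five data
    print(triage("V2VsbCBkb25l"))       # start of the Question Seven data
    print(triage("<~:2+3L~>"))          # first group of Question Eight, re-framed
```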
Question Nine
This noisy alphabet is picky about whitespace… formatting might matter!
@D_<sB5GVmj-;A[GD:PIptd9#KgRoG![3\gx4mcIUAiYA8M=E_=UOU5S$HqE$p<KHnvkV66}Q?tqB]P)
Dy\4O\cT$^qE;BG\LX&pVXaZ$Tq0,'1:I3jzOY4Rs}8iY(1.GjE2RDb#yuj-*n10I1S\d:W-#pm0',!e
D:H4sK'c@^jAiC%1K}1^V65i/Upa*U(mEU'(Va'b/nt_*vgYH.^_V_Td5AgNoIWlD9jvOZ3oKhm/WwX+
-GHriuce$TlHB+#)E]kGisTc:ehwoA<RF;gx-ld->om0iC&$I3SXV_'bF.gOk[#-H,1kv93JUpCu&I-r
4c^^pu+!?9iXkKdk6,1cPeWN.@E?CO
Initially I thought this would be Base92 based on how the previous eight questions have gone. After trying to decode this a few times I wasn’t able to get anywhere with this.