theuib

Forensics

1/7/2020


 

For Series

Forensics Writeups:
 
 
 
The source file link gives us a zip, which can be unlocked using password 1, which is encoded with a ROT cipher (password: tiktoktiktok).
Unzipping it gives a pcap file; analysing it closely reveals a link to easyupload.io, which hosts another zip. Its password is password 2: hacsecurity (in the question it was XORed with 128).
The zip had the flag: hsCTF{CAPTUR!NG_P4CKE7S_!S_CR!ME}
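The two password encodings from this challenge, as an added example that is not part of the original writeup: it lists every ROT shift for password 1 and undoes the XOR with 128 for password 2. The shift of 13 and the byte-string form of the XORed password are assumptions, and both sample inputs are constructed from the passwords given above.

```python
import string


def rot(text, shift):
    """Rotate ASCII letters by `shift` positions; other characters are unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def rot_candidates(ciphertext):
    """Return {shift: plaintext} for all 25 rotations so the readable one can be picked."""
    return {shift: rot(ciphertext, shift) for shift in range(1, 26)}


def xor_bytes(data, key=128):
    """XOR every byte with a one-byte key; 128 (0x80) only flips the top bit."""
    return bytes(b ^ key for b in data)


def looks_xored_with_128(data):
    """ASCII text XORed with 128 has the high bit set on every byte."""
    return len(data) > 0 and all(b >= 0x80 for b in data)


# Constructed sample inputs (not the challenge's own data).
SAMPLE_ROT = rot("tiktoktiktok", 13)       # assumed shift of 13
SAMPLE_XOR = xor_bytes(b"hacsecurity")     # assumed to be given as raw bytes


def recover_password2(data):
    """Undo the XOR only when the input really looks XORed with 128."""
    if not looks_xored_with_128(data):
        raise ValueError("input does not look like ASCII XORed with 128")
    return xor_bytes(data).decode("ascii")


if __name__ == "__main__":
    for shift, plain in rot_candidates(SAMPLE_ROT).items():
        print(f"ROT{shift:>2}: {plain}")
    print("password 2:", recover_password2(SAMPLE_XOR))
```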
 
 
 
 
Downloading the file, we get a zip; using john or fcrack, we find the password to be memory.
Unzipping it, we get a pcapng; analysing it gives 2 files, namely fakeflag and flag.
Reading them gives the flag: hsCTF{CAP7UR!NG_C4N_B3_D0NE_4NYW4YS}
You can also do it another way, just by using strings file | grep hsCTF
 
Game changer
 
Reading the source file and selecting the whole text gives a clue that some text is hidden or written as white text (snow).
 
 
The hint tells us to use all known passwords; using pass123 on source.txt, we get a statement.
Using steghide on the image with the obtained password, we get a file.
 
Fixing its header and checking with steghide gives a file that has a pastebin link. Following the link gives Bacon cipher text, which in turn gives another website, where a .js script holds our flag as JSFuck text.
Decoding the JSFuck, we get our flag:
hsCTF{4LL_!N_0N3}