The Nope Sleds : CTF Write-Ups

Stage 1: Alien Message Author:  5k33tz Description:  We found this  suspicous image  online and it looked like it had been planted there by an alien life form. Can you see if you can figure out what they’re trying to tell us? Going to the image we see: Admittedly this puzzle took me about 30 minutes to figure it out and find the key. I should have went off my first hunch when I thought to myself that the background looked extremely similar to the background in Futurama. After some searching I found a key on Google for a language called Alienese…made by the creators of Futurama. With this new-found key, we can start decoding the message. This can either be done by hand, or with a nifty little site:  http://cs.oswego.edu/~dreichel/alienese_decoder/ The only caveat is being careful with the symbols as the same symbol can be different sizes, signifying upper and lower-case letters. Flag = IceCTF{gOOd_n3wZ_3vERyoN3_1_L1k3_fU7ur4Ma_4nd_tH3iR_4maZ1nG_3As7eR_39G5}

Stage 1: Scavenger Hunt Author:  5k33tz Description:  There is a flag hidden somewhere on our website, do you think you can find it? Good luck!   The easiest way to get the content of a site it to pull it back with wget, recursively: Once we have all the relevant files, we can use grep to search in all of the files we pulled back. cd into icec.tf directory in your Linux box, and run the following command: This will recursively grep through all of the files in your current directory (and sub-directories), looking for icectf{ (-i is for case-insensitive, -r is for recursively). Doing the grep will give us one hit in a file called sponsors: Flag = IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}

Stage 1: Time Traveler Author:  5k33tz Description:  I can assure you that the flag was on  this website  at some point in time. Going to the web page provided gives you this: Viewing source doesn’t provide anything interesting. The description gives me a hint to look at how the webpage may have been in the past. There are two good tools/sites for this: http://cachedview.com/ and http://archive.org/web/ Plugging the URL into Wayback Machine shows one saved/cache on June 1st, 2016: Clicking on the entry gives me exactly what I was expecting; a view of the page in the past: Flag = IceCTF{Th3y’11_n3v4r_f1|\|d_m4h_fl3g_1n_th3_p45t}

Stage 1: Substituted Author:  5k33tz Description:  We got a substitute flag, I hear they are pretty lax on the rules…  crypted.txt Clicking on the link brings us to the substituted flag, with much other text: I’d like to give a shout out to my co-worker (you know who you are) for making an amazing find:  http://quipqiup.com/index.php quipqiup is a cryptogram solver that allows the input for “clues” or seed type values. Here is the list of clues that we’ve deduced from the puzzle. These we likely guesses, that turned out to be correct: Lw!  = Hi! Gyzvecy ke WvyVKT!  = Welcome to IceCTF! The former clue is confirmed at the bottom, where we can see a string that is taking shape of a flag – WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd} This will allow us to enter the clues to let the solver do its magic: The top hit gives us something that is in English, and what appears to be a flag: Flag = IceCTF{always_listen_to_your_substitute_flags}

Stage 1: Rotated! Author:  5k33tz Description:  They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?} The ROT in the description should be a dead give-away that the flag is being encrypted with a rotation cipher. The only question is, which one? When dealing with ROT, I always like to start off by trying different substitutions on:  http://rot13.com/ Using ROT13, which is the default on the site, give us the flag: Flag = IceCTF{wait_one_plus_1_is_3?}

Stage 1: Move Along Author:  5k33tz Description:   This site  seems awfully suspicious, do you think you can figure out what they’re hiding? Clicking the link brings you to the webpage: The page didn’t have anything interesting; nothing to click on or highlight, just the image. My next step was to view the source: Decided to click on the img src link to the jpg, which didn’t give me anything I wasn’t expecting, just the image from the main page. I did notice that the jpg was was nested in a directory named “move_along”: So my next instinct is to see if I can traverse to the move_along directory, and I can: Doing so reveals another directory with 32 hex characters, presumably the MD5 of something. Clicking into the directory shows that there is another jpg, named secret.jpg: Clicking on the link reveals a new image, with the flag: Flag = IceCTF{tH3_c4t_15_Ou7_oF_THe_b49}

Stage 1: All your Base are belong to us Author:  5k33tz Description:  What a mess… we got a raw flag but now what do we do…  flag.txt Clicking on the flag.txt link brings us to the webpage: I needed to convert the binary to its ASCII representation, so I Googled for a Binary to ASCII converter, and found:  http://www.binaryhexconverter.com/binary-to-ascii-text-converter Converting the binary to ASCII gives the flag: Flag = IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

Stage 1: Spotlight Author: 5k33tz Description:  Someone turned out the lights and now we can’t find anything. Send halp!  spotlight Clicking on the link brings you to a site with a flash light that you can move around the screen; simulating being in the dark: Searching around reveals nothing. Next I decided to view the source code for the page. Decided to click on the spotlight.js link to view the source for the JavaScript. Looking through the source code for the JS, the flag is present. Flag = IceCTF{5tup1d_d3v5_w1th_th31r_l095}