Disk Forensics Fun

We are given a hard drive image of a Linux Alpine system.

Searching for recently modified files, we find three interesting ones: a PGP keypair and a PGP-encrypted file (in /root and /home).

gpg --import 257-PRIVATE.PGP

gpg --output test.html --decrypt 197-NOTHINGH.ASC

Opening test.html gives us a mosaic made out of coloured hexadecimal text.

I then decoded it with CyberChef, which revealed it to be raw PNG data.

Flag: ractf{b4s1c_d1sk_f0r3ns1cs}

Cut Short

We get what appears to be a broken PNG file.

If we open it up in ghex, we can see a weird IEND chunk which, after comparing it with another PNG, turns out to be abnormal.

So I just removed the chunk and then, using the fixed PNG as a guide, patched the hex to reveal the image.
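The "weird IEND chunk" check above can be done without eyeballing hex. The following is an added example, not from the original writeup: it walks the chunk list of a PNG, verifies each chunk's CRC, and reports an IEND that carries data or is followed by further chunks, then removes the offending chunk. The sample images are constructed inline, not the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data=b""):
    """Assemble one chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def walk_chunks(png):
    """Yield (offset, type, length, crc_ok) for each chunk; stop at a truncated one."""
    if png[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos = 8
    while pos + 12 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        if pos + 12 + length > len(png):
            yield pos, ctype, length, False      # chunk runs past end of file
            return
        data = png[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        yield pos, ctype, length, zlib.crc32(ctype + data) == stored
        pos += 12 + length

def find_problems(png):
    """List what pngcheck-style tools complain about: bad CRCs, IEND with data, chunks after IEND."""
    problems, seen_iend = [], False
    for off, ctype, length, ok in walk_chunks(png):
        name = ctype.decode("latin-1")
        if seen_iend:
            problems.append("%s at offset %d follows IEND" % (name, off))
        if not ok:
            problems.append("%s at offset %d has a bad CRC" % (name, off))
        if ctype == b"IEND":
            if length:
                problems.append("IEND at offset %d carries %d data bytes" % (off, length))
            seen_iend = True
    return problems

def drop_chunk_at(png, offset):
    """Return png with the chunk starting at offset removed (the Cut Short fix)."""
    length = struct.unpack(">I", png[offset:offset + 4])[0]
    return png[:offset] + png[offset + 12 + length:]

# Constructed samples, not the challenge file: GOOD is well-formed, BAD has a stray IEND wedged between its IDAT chunks.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
GOOD = PNG_SIG + IHDR + chunk(b"IDAT", b"\x00" * 8) + chunk(b"IEND")
BAD = (PNG_SIG + IHDR + chunk(b"IDAT", b"\x00" * 4) + chunk(b"IEND")
       + chunk(b"IDAT", b"\x00" * 4) + chunk(b"IEND"))
```

`find_problems(BAD)` reports the IDAT that follows the early IEND; `drop_chunk_at(BAD, 49)` removes that stray IEND and the file validates cleanly again.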

Flag: ractf{1m4ge_t4mp3r1ng_ftw}

Dimensionless Loading

We're given a PNG with the width and height fields set to 0.

However, the original CRC is intact.

The CRC is a checksum computed over the preceding chunk (its type and data) and used to check the chunk's integrity, similar in spirit to a hash function.

Because the stored CRC still covers the original width and height, we can 'crack' the original dimensions by brute force:

from struct import pack
from zlib import crc32

# CRC stored in the damaged IHDR chunk (it covers the chunk type plus the 13 data bytes)
target = 0x5b8af030
# IHDR type + data with placeholder 0x99 dimensions; bit depth 8, colour type 6 (RGBA)
header = bytes.fromhex("49 48 44 52 00 00 00 99 00 00 00 99 08 06 00 00 00")
placeholder = b"\x00\x00\x00\x99" * 2

def check_size(w, h, header):
    # PNG stores width and height big-endian, which is what the
    # original's p32(w)[::-1] produced; pack(">II", ...) does the same
    candidate = header.replace(placeholder, pack(">II", w, h))
    if crc32(candidate) == target:
        print(w, h, list(pack(">II", w, h)))

for x in range(2000):
    for y in range(2000):
        check_size(x, y, header)

The recovered width and height bytes are: 0x00 0x00 0x05 0x62 0x00 0x00 0x01 0x6B (1378 x 363).

Adding this back to the image, we get the original image, containing the flag. [IMAGE HERE]

Flag: ractf{m1ss1ng_n0_1s_r34l!!}

Peculiar Packet Capture

We are given a PCAP of some WPA2 encrypted traffic, including a handshake.

We run aircrack-ng with rockyou.txt against it to recover the key: nighthawk.

We then add this key to Wireshark's 802.11 protocol settings and reload to see the decrypted traffic.

One thing stands out: an HTTP 200 response carrying a PDF, which contains the flag.

Flag: ractf{j4ck_ry4n}

A Monster Issue

So you get a .mp3 file.

Instinct says strings, which shows a WAV file inside the MP3, so I ran binwalk on it and got a file called OwO.wav.

If you open it up in Sonic Visualiser and view it as a spectrogram, it says Password (Shad0ws).

So I ran binwalk on OwO.wav as well, and out came an empty flag.png and a .zip file.

The password for the zip is Shad0ws, and once that's extracted the png will open and your flag will be:

Flag: ractf{M0nst3rcat_In5tin3t}

Access Granted

When opening the video file, we're greeted with a music video.

After running strings, we can see 'password{guitarmass}', and binwalk extracts an image that simply says 'password{guitarmass}'.

It's clear we need this password for something, but what and where?

My initial assumption was steghide, on the files or the video's thumbnail, but of course, nothing.

I immediately got to researching MP4 steganography techniques and found many articles that covered hiding TrueCrypt volumes within an MP4.

While TrueCrypt is now outdated and has many security flaws, I tried mounting the MP4 file, using the password I had found - and again, nothing.

However, with more research I had found that a more secure alternative exists: VeraCrypt.

Now, there weren't any articles I could find about hiding VeraCrypt volumes within an MP4 but I was hopeful and still tried.

I installed VeraCrypt and attempted to mount the MP4, alongside using the password.

And there it was:

flag.png

Opening the .png will give us the flag.

Flag: ractf{Butt3rsn00k's_R3veng3}

Cheap Facades

So we get a file called flag.jpg, but looking at the hex shows PNG chunk names such as IHDR, IDAT and IEND.

So I overwrote the part of the file header that identified it as a JPEG with the PNG signature.

After doing that I ran pngcheck on the file (after renaming it to flag.png), and it flagged the IHDR CRC and reported the dimensions as 0 x 0.

So I ran the script Tony created for Dimensionless Loading and got (['\x00', '\x00', '\x01', '\xa4'], ['\x00', '\x00', '\x00', 'E']).

Here's the script:

from struct import pack
from zlib import crc32

# CRC stored in the damaged IHDR chunk (it covers the chunk type plus the 13 data bytes)
target = 0x5b8af030
# IHDR type + data with placeholder 0x99 dimensions; bit depth 8, colour type 6 (RGBA)
header = bytes.fromhex("49 48 44 52 00 00 00 99 00 00 00 99 08 06 00 00 00")
placeholder = b"\x00\x00\x00\x99" * 2

def check_size(w, h, header):
    # PNG stores width and height big-endian, which is what the
    # original's p32(w)[::-1] produced; pack(">II", ...) does the same
    candidate = header.replace(placeholder, pack(">II", w, h))
    if crc32(candidate) == target:
        print(w, h, list(pack(">II", w, h)))

for x in range(2000):
    for y in range(2000):
        check_size(x, y, header)

Using this I overwrote the dimension bytes in the PNG, but pngcheck still said it was corrupt.

At that point I didn't know what had gone wrong, only that it mentioned corruption errors.

Luckily I found a script that automatically fixes such errors: PCRT.py. After running it, the image opens and you get the flag:
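For both Dimensionless Loading and Cheap Facades, the script above hard-codes the IHDR bytes and target CRC. As an added example (not the writeup's or Tony's code) the following generalises it: it reads the IHDR chunk and its stored CRC straight from the PNG bytes, brute-forces the dimensions, collects every CRC match rather than assuming the first is right, and writes the result back so the file can be re-checked. The damaged image is constructed inline; it is not the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def build_ihdr(width, height, bit_depth=8, colour_type=6):
    """Build a complete IHDR chunk: length, type, 13 data bytes, CRC over type+data."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    return struct.pack(">I", len(data)) + b"IHDR" + data + struct.pack(">I", zlib.crc32(b"IHDR" + data))

def read_ihdr(png):
    """Return (type+data bytes, stored CRC) for the IHDR chunk right after the signature."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    length = struct.unpack(">I", png[8:12])[0]
    body = png[12:16 + length]
    if body[:4] != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    return body, struct.unpack(">I", png[16 + length:20 + length])[0]

def crack_dimensions(body, target_crc, max_w=2000, max_h=2000):
    """Return every (width, height) up to the bounds whose IHDR CRC equals target_crc.
    The trailing five bytes (bit depth .. interlace) are kept from the damaged chunk.
    zlib.crc32 is incremental, so 'IHDR' and each width are hashed once, not per height.
    A list is returned because a 32-bit CRC is not unique: another pair can collide."""
    tail, prefix, hits = body[12:], zlib.crc32(b"IHDR"), []
    for w in range(max_w + 1):
        crc_w = zlib.crc32(struct.pack(">I", w), prefix)
        for h in range(max_h + 1):
            if zlib.crc32(struct.pack(">I", h) + tail, crc_w) == target_crc:
                hits.append((w, h))
    return hits

def repair_png(png, max_w=2000, max_h=2000):
    """Write the single recovered (width, height) back into IHDR; None if none or ambiguous."""
    body, crc = read_ihdr(png)
    hits = crack_dimensions(body, crc, max_w, max_h)
    if len(hits) != 1:
        return None
    fixed = body[:4] + struct.pack(">II", *hits[0]) + body[12:]
    return png[:12] + fixed + png[12 + len(body):]

# Constructed sample (not the challenge image): a 300x200 RGBA header whose
# width and height were zeroed while the original CRC was left in place.
ORIGINAL = PNG_SIG + build_ihdr(300, 200)
DAMAGED = ORIGINAL[:16] + b"\x00" * 8 + ORIGINAL[24:]
```

`repair_png(DAMAGED)` returns bytes identical to `ORIGINAL`; on a real file, pass the whole image in and run pngcheck on the output to confirm the remaining chunks are intact.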

Flag: ractf{D0n't_judg3_4_f1le_6y_it5_h34d3r}

A Musical Mix Up

So the .mid file plays a piano cover of Where Is My Mind (which is a banger btw, go listen).

But strings and binwalk show nothing, so confusion hit hard.

I scoured the internet for tools related to .mid file steganography and found one that converts a .mid to a .csv file.

This was called midicsv, and it literally does what it says.

So I ran that, and it output a CSV file with numbers that looked like ASCII codes to the naked eye.

However, there were two different streams of ASCII codes.

I just opened up a site which converts ASCII codes to text and tried both streams.

The first one was nonsense, but the second one had distinguishable features to it.

I could see rac and f5soci3, which could be fsociety?

A Mr. Robot reference, which ties into Where Is My Mind, the track played by the .mid file. However, not everything was readable.

So I used another ASCII conversion site, and I could see the flag clearly this time.
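The two streams can be decoded locally instead of pasting them into a website. The following is an added example, not from the writeup: it parses midicsv output, groups Note_on_c events by track, and reads one column of each event as an ASCII code. It assumes, as a labelled guess, that the hidden characters sit in the note-number column and that each stream is a separate track; the midicsv text is constructed inline, not the challenge file.

```python
import csv
import io
from collections import defaultdict

def decode_midicsv(text, field="note"):
    """Group Note_on_c events by track and read one field of each as an ASCII code.

    field is "note" (MIDI note number) or "velocity"; both are 0-127, so either
    column can carry 7-bit ASCII. A Note_on_c with velocity 0 is really a
    note-off and is skipped. Unprintable values are shown as '.'.
    """
    streams = defaultdict(list)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        # midicsv rows: Track, Time, Type, Channel, Note, Velocity
        if len(row) < 6 or row[2] != "Note_on_c":
            continue
        track, note, velocity = int(row[0]), int(row[4]), int(row[5])
        if velocity == 0:
            continue
        streams[track].append(note if field == "note" else velocity)
    return {t: "".join(chr(v) if 32 <= v < 127 else "." for v in vals) for t, vals in streams.items()}

def build_sample():
    """Constructed midicsv text (not the challenge file): track 1 is a melody, track 2 spells a word."""
    melody = [60, 62, 64, 65, 67, 69, 71, 72]
    secret = [ord(c) for c in "fsociety"]      # assumed carrier column: note number
    lines = ["0, 0, Header, 1, 2, 480", "1, 0, Start_track", "2, 0, Start_track"]
    for i, (m, s) in enumerate(zip(melody, secret)):
        lines.append("1, %d, Note_on_c, 0, %d, 80" % (i * 480, m))
        lines.append("1, %d, Note_off_c, 0, %d, 0" % (i * 480 + 400, m))
        lines.append("2, %d, Note_on_c, 1, %d, 1" % (i * 480, s))
        lines.append("2, %d, Note_on_c, 1, %d, 0" % (i * 480 + 400, s))   # velocity 0 = note off
    lines += ["1, 3840, End_track", "2, 3840, End_track", "0, 0, End_of_file"]
    return "\n".join(lines) + "\n"

SAMPLE = build_sample()
```

`decode_midicsv(SAMPLE)` gives the melody track as unreadable punctuation and track 2 as "fsociety"; try `field="velocity"` if the note column looks like noise.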

Flag: ractf{f50c13ty_l3vel_5t3g!}
