IrisCTF 2024 Write-ups
Foreword
These solutions are not the best, this is the first time I’ve participated in a CTF challenge, so I’m trying my best :sob: This Write-Up consists of all the challenges I’ve solved. I think I’ve used OSINT a bit too much in solving the Networks challenge. But, hey, I had fun, will come again 10/10.
OSINT: Away On Vacation
Public accounts are sitting ducks.
Provided Clues
The challenge provided you with an E-mail to Iris Stein’s Assistant, Michelangelo Corning at [email protected].
Chasing the Goose
The E-mail
By sending the E-mail address anything, you will receive an automated, away on vacation message.
Dear,
Thank you for the email, I’m currently away on vacation to celebrate New Years!
If you would like a quicker response, feel free to reach out to my social media. I mostly talk about birds on it.
Have a great start to the year, and take care!
This Email would reveal what Michelangelo talks about on his public social media account, birds.
| Michelangelo’s | Social media account | With Bird content |
Search Engine
Simply, search up “Michelangelo Corning” on a search engine, if you are lucky, you will be able to find his Instagram account.
Results
On his Instagram account, just go through a few posts, and you will find the flag: irisctf{pub1ic_4cc0unt5_4r3_51tt1ng_duck5}.
OSINT: Personal Breach
Social media is an infection.
Provided Clues
The challenge provided you with a web page. Opening the webpage reveals 3 security questions. We will need to find Iris’ Age, Birthing Hospital and Workplace. The challenge also specified “The weakest link in security could be the people around you.” meaning we should start looking for people around Iris and they could reveal the answers.
Chasing the Goose
Iris’ Instagram
We’ve found Michelangelo’s Instagram, now we just need to find Iris’. Easy enough, going to the Tagged section of his public Instagram account, you’ll spot a post from Iris. Simply open the post, and you’ve hit Iris’ Instagram account.
Iris’ Workplace
In order to find the workplace of a person, you will need to find a platform where people post about their jobs. The closest platform might’ve been… Linkedin. Now, we just need to find Iris Stein’s public Linkedin profile.
Iris’ Mother
Going through some of Iris Stein’s personal posts, you will find this post:
In this post, she revealed the name of her mother, Elania Stein. This is crucial to this challenge and the few coming up.
What we are looking for
| Iris Stein’s | Linkedin account |
| Elania Stein’s | Social media account |
Searching
Using the search engine, it is very difficult to find Elania Stein’s social media accounts. However, based on her advanced age, it might be easy to assume that she’s on some old, boring platform like… Facebook. Using a quick search on Facebook, we can reveal her Facebook account.
Iris Stein’s Linkedin account is easy to find, however, we simply need to search on Linkedin, and we can find it.
Iris’ Security Questions
On her Linkedin account, we can easily find that she worked at the Mountain Peak Hiring Agency. In San Francisco, CA.
On Elania’s Facebook account, if we scroll all the way to the bottom, we can find a post about Iris’ birthday, with an image of a hospital room.
The birthday revealed would be 27th April, 1996. Put that in a calculator and we can find out that Iris is 27.
To find her birthing hospital would be a bit tricky, however, she revealed that, “…To think they got ranked to be the best maternity hospital in Manhattan is astounding…” Using a common ranking tool like Yelp, we can find her birthing hospital to be the Lenox Hill Hospital. (This is also doable with a Google Image search but this is how I did it)
Results
Putting all the answers to her security questions reveals the flag: irisctf{s0c1al_m3d1a_1s_an_1nf3cti0n}.
OSINT: A Harsh Reality of Passwords
🅱️Crypted! (sorry)
Provided Clues
This challenge uses ALL of the clues, results and accounts we’ve found so far. However, the challenge also provided a BCrypt hash of $2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC. And later, Lychi, being the good person that she is, revealed 3 extra clues. We can summarise everything we have so far.
| Iris Stein | Linkedin, Instagram |
| Elania Stein | |
| Password Clues | Hash: $2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC |
| Lychi’s Clues | Something Iris Stein finds important. There are 3 words and some numbers. Proper capitalisations. If you are in the Discord server, there (might) have been an implication that there is a date involved in the final password. |
Chasing the Goose
Through a hole in society
To find her plaintext password, our best chance at it would be brute forcing it, since we have the hash. We’ll need to create a wordlist, including content that Iris Stein finds important.
The Letters
Through Elania and Iris’ posts, we can find some words that are interesting.
- Locations: Portofino (x2), Italy, Amsterdam, Netherlands, Swarovski, Milan,
Starbucks,Al Conte Ugolino, Berlin. - Food: Mimosa, Mimosas, Tiramisu.
- Possible Important / Generic Things: Mother, Mom, Love, Family, Travel, Traveling, Travelling, Iris, Stein, Elania, Forever, Fun, Life.
The Numbers
Based on their advanced age, it would be safe to assume that they had put their birthdays in their passwords. But how, and whose? We’ll have to try all of them. This would also include situations where they failed to put a 0 where it should have one.
Iris Stein’s Birthdays
- “4271996”, (M/D/4Y)
- “04271996” (MM/DD/4Y)
- “2741996”, (DD/M/4Y)
- “27041996” (DD/MM/4Y)
- “1996427”, (4Y/M/DD)
- “19960427” (4Y/MM/DD)
Elania Stein’s Birthdays
- “196548”, (4Y/M/D)
- “19650408” (4Y/MM/DD)
- “1965048”, (4Y/MM/D)
- “1965408” (4Y/M/DD)
- “481965”, (M/D/4Y)
- “04081965”, (MM/DD/4Y)
- “0481965”, (MM/D/4Y)
- “4081965”, (M/DD/4Y)
- “841965”, (D/M/4Y)
- “08041965”, (DD/MM/4Y)
- “0841965”, (DD/M/4Y)
- “8041965” (D/MM/4Y)
Making the Nuke
Shockingly, it would be very difficult to get this done one by one, as there are millions of combinations.
Using python (haters can hate), we can create an inefficient but effective solution, like so:
Note: you will need the bcrypt package for this.
import bcrypt
passhash = "$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC"
a = [
"Tiramisu",
"Elania",
"Iris",
"Stein",
"Forever",
"Travels",
"Travel",
"Fun",
"Life",
"Mom",
"Mother",
"Travelling",
"Traveling",
"Family",
"Love",
"Swarovski",
"Portofino",
"Mimosas",
"Mimosa",
"Italy",
"Netherlands",
"Berlin",
]
formats = [
"4271996",
"04271996"
"2741996",
"27041996"
"1996427",
"19960427"
"196548",
"19650408"
"1965048",
"1965408"
"481965",
"04081965",
"0481965",
"4081965",
"841965",
"08041965",
"0841965",
"8041965"
]
cnt = 0
for i in a:
for j in a:
for k in a:
for m in formats:
if i == j or i == k or j == k:
continue
cnt += 1
s = ""
s += i
s += j
s += k
s += m
if bcrypt.checkpw(s.encode("utf-8"), passhash.encode("utf-8")):
print(str(cnt) + " | MATCH! | " + s)
exit(0)
else:
print(str(cnt) + " | NO MATCH | " + s)
Running this code, you will eventually receive the final password at attempt 92,048.
Results
The code revealed her password to be “PortofinoItalyTiramisu0481965”. Wrapping that around the fancy irisctf tag, we will have the final flag, irisctf{PortofinoItalyTiramisu0481965}.
OSINT: Czech Where?
Geo-geo-geo-guesssss!?!?
Provided Clues
The challenge provided you with a picture. This challenge requires no prior clues.
Note: the challenge only asked for the street name.
Chasing the Goose
Pixel Analysis
On the image, you can spot a few things, highlighted in the picture on the next page:
Putting these clues on Google, simply search “Czech wooden products”, and we can find, in Images, we can see a maps.me website, showing a store with the (almost) exact same font, and writings, we can safely assume this is the same store. Telling us that the store is in Prague.
We can then use Google maps, and search “Prague, czech wooden products”
Revealing the street, Zlatá ulička u Daliborky.
Results
With the street name, the challenge asked us to keep it only in lowercase alphabetical letters only, and replace spaces with an underscore. Giving us the final flag: irisctf{zlata_ulicka_u_daliborky}.
🏆 NET: Where’s Skat?
3.7 crocodiles away from the flag
Provided Clues
The challenge provided us with a .pcap file of Skat’s network history. The challenge also said that Skat was “wardriving”. This means we will need to look at the Network SSIDs near him to find out where he is.
Chasing the Goose
Baby-Sharking
Opening the .pcap file with Wireshark, and filtering out the local IPs by using:
!(ip.src in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} && ip.dst in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16})
We can get a slightly better view of where Skat is.
Looking through the SSIDs, you will notice that they change quite dramatically as time goes on, this suggests that Skat was on a moving vehicle, but what kind? And where to? Let’s summarise some of the SSIDs we can see at the end of the log (because we are looking for the destination, after all).
- Amtrak_WiFi
- Metrolink
- LAUS Events
Amtrak suggests that Skat was on a train, and trains can only stop at train stations, this means our destination would be near a train station in America.
It also has to have a Metrolink station. Using the power of search engines, we can find out that Metrolink is a Southern California transportation agency. This means, Skat’s in LA.
If you live in Los Angeles, you’ll probably see all of these, including the “LAUS” SSID, and go, “Oh my god! It’s Union Station!”, and if you did, congrats, move on.
Unfortunately, I don’t, and I do not use crocodiles as a measuring unit. This means we will have to use the search engine again. If you scroll up a bit in the logs, you’ll find a SSID that reads “Cilantro Union”, putting this in Google Maps, reveals the destination to be the Union Station.
Results
Putting Union Station in the irisctf wrappers, and we can get the final flag of irisctf{Los_Angeles_Union_Station}.
RE: Rune? What’s that?
Golang? What’s that?
Provided Clues
The **challenge** provided you with a Golang script, **main.go** and a file with a **runed** string named “the”.
Chasing the Goose
Reversing the reverse
To reverse engineer this code, we will need to see what it does first. The script, effectively, **picks the letters from "irisctf{this\_is\_not\_the\_real\_flag}", one by one**, then, transferring them into **a number** (ASCII table), and adding the **previous character’s number** together, to get a new character. Putting that in a new string, and outputting it.
To get the flag, we’ll need to flip it over, by changing the code on **Line 16** from **v+z** to **v-z**, same goes with **Line 17**, when we need to make z the value of v-z instead, as that is now the previous character.
Reversed Code
package main
import (
"fmt"
"os"
"strings"
)
var flag \= "iÛÛÜÖ×ÚáäÈÑ¥gebªØÔÍãâ£i¥§²ËÅÒÍÈä"
func init() {
runed := \[\]string{}
z := rune(0)
for \_, v := range flag {
runed \= append(runed, string(v-z))
z \= v \- z
}
flag \= strings.Join(runed, "")
}
func main() {
file, err := os.OpenFile("the", os.O\_RDWR|os.O\_CREATE, 0644)
if err \!= nil {
fmt.Println(err)
return
}
defer file.Close()
if \_, err := file.Write(\[\]byte(flag)); err \!= nil {
fmt.Println(err)
return
}
}
Results
Running that script, we will get the final flag in “the” file (pun not intentional), being: irisctf{i\_r3411y\_1ik3\_num63r5}.
Conclusion
The first few flags captured, this was a very fun and sometimes frustrating adventure. I’ve had my regrets, should’ve spent some more time on Web Exploitation > Skat’s password, maybe I could’ve solved it. See you next year.
back to home