
# Intro to Cybersecurity Bootcamp CTF Assessment

## <mark style="color:yellow;">Overview</mark>

A concerted effort between CyberTalents and Trend Micro to provide a free introductory cybersecurity training program to students and fresh graduates who are looking to enhance their technical skills and start their careers as cybersecurity professionals.

<figure><img src="/files/z0I8mJJEMZcQ4bP0me6H" alt=""><figcaption></figcaption></figure>

## <mark style="color:yellow;">Lessons</mark>

The bootcamp included many lessons covering several areas of information security, such as web security, network security, digital forensics and cryptography.

<figure><img src="/files/qQREKjCMZk7gSDVAIVxQ" alt=""><figcaption></figcaption></figure>

Also, [I](https://www.linkedin.com/in/eslam-kamal/), [@sl4x0](https://www.facebook.com/sl4x0) and [@Mohamedkashik](https://www.facebook.com/profile.php?id=100008142576939) made a Notion note summarizing the bootcamp tools and topics.

* <https://www.notion.so/sl4x0/CyberTalents-ce9fa279ba5a4d40b28c4b31911b4b4b>

## <mark style="color:yellow;">CTF Assessment</mark>

### <mark style="color:orange;">**🌟**</mark><mark style="color:green;">**General Information**</mark>

### <mark style="color:yellow;">**THE MUMMY**</mark>

**Description:**

A malicious program that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link.

**Flag:**

Emotet

> **Emotet** is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

### <mark style="color:orange;">**🌟**</mark><mark style="color:green;">Digital Forensics</mark>

### <mark style="color:yellow;">**on1ons**</mark>

**Description**

Just like onion, flag in format flag{}

**Walkthrough:**

In this challenge we get a `secret_onions.xcf` file to download.

First, we run the `file` command to find out what type of file this is.

<figure><img src="/files/x85jSiGbpIwiQf4Q1G6Q" alt=""><figcaption></figcaption></figure>

Using `exiftool`, we get our first part of the flag:

```bash
exiftool secret_onions.xcf
```

<figure><img src="/files/osCNBxMFImy6nuTiy9pZ" alt=""><figcaption><p>first part r3lly_f1n_1337}</p></figcaption></figure>

The `file` output shows that there is data inside this file, so we extract it with `binwalk`:

```bash
binwalk -M --dd=".*" secret_onions.xcf --run-as=root
```

<figure><img src="/files/TPvhbPUNnZMJm15UneeI" alt=""><figcaption></figcaption></figure>

The extracted file's type was data, so let us read it with `strings` and `grep` for some interesting words:

```bash
strings 28C | grep -i "flag"
```

<figure><img src="/files/XfhGsBykopk2XhVqU4y5" alt=""><figcaption></figcaption></figure>

Now we have the two parts of the flag.

### <mark style="color:yellow;">Elliot Secrets</mark> <a href="#id-444e" id="id-444e"></a>

In this challenge we get a **bin** file, and we need to dig into it to find Elliot's secrets.

**Walkthrough:**

After downloading the bin file, we need to figure out what file type it is, so we run:

`file elliot_secrets.bin`

<figure><img src="/files/joWDZwnGfAaRQiHG1lC9" alt=""><figcaption></figcaption></figure>

It's an **ELF** file, so we may execute it in the terminal.

<figure><img src="/files/gPQKdfJDRiEkVb4yQ82h" alt=""><figcaption></figcaption></figure>

Yup, that's for sure :)

Now, I tried to extract any data embedded in this file with [binwalk](https://github.com/ReFirmLabs/binwalk).

<figure><img src="/files/EZSYkMFrWMr0WRboHtaa" alt=""><figcaption></figcaption></figure>

Sadly, this folder contained the same bin file inside, so I thought about giving it one more shot with another tool. I used [Foremost](https://www.kali.org/tools/foremost/) this time and got some interesting output.

<figure><img src="/files/ZwnaKvT0mX3ckW1ZPTbJ" alt=""><figcaption></figcaption></figure>

Foremost extracted a **wav** file, and it immediately came to mind to pass it to something like [Audacity](https://www.audacityteam.org/) or [Sonic Visualiser](https://www.sonicvisualiser.org/) to see if this file has hidden data, but I got nothing back :(

The last tool that came to my mind that can be used with wav files is [Deep Sound](https://deepsound.soft112.com/).

> This is a steganography tool and audio converter that hides secret data into audio files. The application also enables you to extract secret files directly from audio files or audio CD tracks.

So after passing the wav file to this tool, it asked me for a password!!!

<figure><img src="/files/UlCs7SEIa3qDq4siXeIr" alt=""><figcaption></figcaption></figure>

At this point I was relieved, as I knew I was walking on the right path. After some time googling, I found this Python script, [deepsound2john](https://github.com/openwall/john/blob/bleeding-jumbo/run/deepsound2john.py), which we can use to convert the wav file to a hash, then crack this hash with [john](https://www.kali.org/tools/john/).

<figure><img src="/files/psx5Qn6zykszuJfGRz3t" alt=""><figcaption></figcaption></figure>

Then crack this hash, `$dynamic_1529$ea007a659e8e59ba2cb9d8fb5119413b718c5517`:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

<figure><img src="/files/PuFjjKJyIvdaDgZlxIkU" alt=""><figcaption></figcaption></figure>

john successfully cracked our hash: `ragerocks123`. Go to Deep Sound to extract the data from the wav file.

We got a **pdf** file extracted, with this image inside:

<figure><img src="/files/BVJQ0wmcC0aMxN2sG93s" alt=""><figcaption></figcaption></figure>

Running `strings` on this pdf to see if we missed anything:

<figure><img src="/files/15SCYtvioTpF2YU9f2Oy" alt=""><figcaption></figcaption></figure>

I used this site to beautify this JS code: <https://beautifier.io/>

<figure><img src="/files/38tBTQswS2SwXJWi6gGf" alt=""><figcaption></figcaption></figure>

There was an interesting function at the end of this code, `function hi()`, which had interesting chars, so I deleted everything else and wanted to see these separated chars.

The final result was `IZWGCZ33IFZGKVKMN5ZXIP3`, which was encoded with base32. After decoding it:

<figure><img src="/files/sNublM9tRqzUMdeNAMh5" alt=""><figcaption></figcaption></figure>

And we got Elliot's flag!!

FLAG: Flag{AreULost?}

<figure><img src="https://media.giphy.com/media/l4EpkVLqUj8BI7OV2/giphy.gif" alt=""><figcaption></figcaption></figure>

### <mark style="color:orange;">**🌟**</mark><mark style="color:green;">**Web Security**</mark>

### <mark style="color:yellow;">xCode</mark>

**Description**

Your typical php challenge!

**Walkthrough:**

After visiting the challenge link, we get this PHP code displayed:

<figure><img src="/files/5QjxIXdDxaQ5v04x14Ga" alt=""><figcaption></figcaption></figure>

This PHP code is vulnerable to OS command injection through the HTTP parameter `echo`, which we are going to use to retrieve the flag file on this server.

Let's fire up Burp Suite and first try injecting something simple like `echo=1`:

<figure><img src="/files/jG1O4vXagTRQtKJxFksL" alt=""><figcaption><p><strong>notice that 1 is reflected in response</strong></p></figcaption></figure>

Now let's try this payload, `echo=1;id`, and see if we get OS command injection:

<figure><img src="/files/QqTFDr4lKEkkdVTg1Z2F" alt=""><figcaption></figcaption></figure>

Indeed, the `id` command was executed, so we need to find where the flag file is.

Moving backwards to the root dir with this payload, `?echo=1;ls+../../../`, we found our flag.

<figure><img src="/files/Dp28upuu50OGJXGfvAFz" alt=""><figcaption></figcaption></figure>
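The `echo=1;id` behaviour above comes from a request parameter reaching a shell command line. The following is an added example, not the challenge's PHP (which appears only in the screenshot); it reproduces the pattern in Python next to a hardened form, and the function names and allow-list policy are assumptions made for illustration.

```python
import re
import subprocess

# Payload quoted in the write-up; everything else here is constructed.
PAYLOAD = "1;id"

def echo_unsafe(value: str) -> str:
    """Vulnerable pattern: the parameter is pasted into a shell command line."""
    # /bin/sh parses the whole string, so ';' ends `echo` and starts a
    # second command chosen by whoever controls the parameter.
    done = subprocess.run("echo " + value, shell=True,
                          capture_output=True, text=True)
    return done.stdout

def echo_argv(value: str) -> str:
    """Hardened pattern: no shell, the parameter is exactly one argv entry."""
    # printf gets a fixed format string; ';', '|', '$()' and backticks in
    # the value are plain characters because nothing parses them.
    done = subprocess.run(["printf", "%s\n", value],
                          capture_output=True, text=True)
    return done.stdout

def is_allowed(value: str) -> bool:
    """Hypothetical allow-list applied before the value is used at all."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", value) is not None

if __name__ == "__main__":
    print("unsafe:", echo_unsafe(PAYLOAD).splitlines())
    print("argv  :", echo_argv(PAYLOAD).splitlines())
    print("allow-list accepts payload:", is_allowed(PAYLOAD))
```

In PHP the same two defences are passing the value through `escapeshellarg()` or, better, printing it without calling a shell function at all.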

### <mark style="color:yellow;">**Hunter**</mark>

**Description:**

who can I trust?

**Walkthrough:**

This one was simple to solve but a little challenging. It depended on some encryption.

To begin the challenge, you will get the following page:

<figure><img src="/files/gJTiRhfWFvcsh5DV4GIp" alt=""><figcaption></figcaption></figure>

After launching our Burp proxy, load this website and take a quick look at the HTTP requests.

<figure><img src="/files/TcJcJlbIYPVXglJ5zWRv" alt=""><figcaption></figcaption></figure>

As you can see, the cookies were very interesting to play with. The very first part of the cookie was `flag=who_has_gohn_cookie`.

Moving to the second part of the cookie, I noticed at once that it was base64 encoded because of the `%3D` at the end.

So after decrypting all these cookie parts using [CyberChef](https://gchq.github.io/CyberChef/) and [Hashes.com](https://hashes.com/en/decrypt/hash), you will get:

```
Ging_Freecss ===> try harder Gon! (hash & base64)
Hisoka =========> i am just a waste of time john ^_^
Killua =========> do+you+remember+satotz (ROT13)
```

I still haven't watched the HunterxHunter anime 😅 but I can tell that `satotz` is what we need. So I changed `flag=who_has_gohn_cookie` to `flag=satotz`, and it worked!!

<figure><img src="/files/rljaPjAtuIjudRQNdrkJ" alt=""><figcaption></figcaption></figure>

**FLAG:** flag{Always\_Trust\_Your\_Fr13nds}

<figure><img src="https://c.tenor.com/tko8aa7ZOY8AAAAC/hunter-x-hunter-smile.gif" alt=""><figcaption></figcaption></figure>

### <mark style="color:yellow;">v13w3r</mark>

**Walkthrough**:

Unfortunately I haven't taken any screenshots of this challenge. This challenge was an image upload website which was vulnerable to XSS, with only one input field for the picture URL you want to download.

When you enter the URL of the image you want to download, a JS function creates an anchor element and places your input inside it. If you enter this link, `http://www.link.com/ onload="alert(1)"`, it fires the XSS `alert(1)` and we get our flag.

<figure><img src="/files/UKOKIMLN48abmJ5fwww0" alt=""><figcaption></figcaption></figure>

**Flag:** flag{loOks\_You\_ar3\_xSs\_mast3r\_1337}
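The input above works because a space ends an unquoted attribute value, so the rest of the string is parsed as a new attribute. This is an added example, not the challenge's JavaScript (which the write-up does not show): it models the markup in Python, assumes the value was concatenated into an unquoted `href`, and uses hypothetical function names.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input quoted in the write-up.
PAYLOAD = 'http://www.link.com/ onload="alert(1)"'

def link_unsafe(url: str) -> str:
    # Assumed vulnerable pattern: user input concatenated into markup, unquoted.
    return "<a href=" + url + ">download</a>"

def link_safe(url: str) -> str:
    # Accept only absolute http(s) URLs, then quote and HTML-escape the value
    # so spaces and quotes stay inside the href attribute.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("only absolute http(s) URLs are accepted")
    return '<a href="' + escape(url, quote=True) + '">download</a>'

class AttrCollector(HTMLParser):
    """Records the attributes an HTML parser sees on the first <a> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def parsed_attrs(markup: str) -> dict:
    collector = AttrCollector()
    collector.feed(markup)
    return collector.attrs

if __name__ == "__main__":
    print("unsafe:", parsed_attrs(link_unsafe(PAYLOAD)))
    print("safe  :", parsed_attrs(link_safe(PAYLOAD)))
```

In the browser, the equivalent fix is to assign the validated URL to the created element's `href` property instead of building markup from strings.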

### <mark style="color:orange;">**🌟**</mark><mark style="color:green;">**Network Security**</mark>

### <mark style="color:yellow;">Refresher</mark>

This was a network security challenge with a pcap file to dig into.

**Walkthrough:**

We got a pcap file to download, and after opening it with [Wireshark](https://www.wireshark.org/) we see a lot of traffic.

<figure><img src="/files/ntdBatOMqgEEVAv2M0D8" alt=""><figcaption></figcaption></figure>

When playing any network security CTF, I use the power of Wireshark's tools to make it an easy win:

* Using <mark style="color:yellow;">**credentials**</mark> from the tools bar to extract any creds sent through FTP or HTTP traffic. And we got some credentials from it.

<figure><img src="/files/lymK76Nxn7yImydSRB8P" alt=""><figcaption></figcaption></figure>

* Also go to **Statistics > Protocol Hierarchy**. This will show you the most used protocols within the traffic.

<figure><img src="/files/rESEFNgdSgmnssmVxbOw" alt=""><figcaption></figcaption></figure>

I found 2 data packets which may be something very interesting to see. After navigating to them, we can see it is a .zip file (I can tell it is a .zip file from the PK header value).

<figure><img src="/files/qGmYO1pEnWDRDjSVU5u2" alt=""><figcaption></figcaption></figure>

Moreover, while navigating the pcap file streams, I got this stream, which confirms that we have a .zip file.

<figure><img src="/files/8CtiNJgxpXK8EVhagtDL" alt=""><figcaption></figcaption></figure>

So without wasting time I extracted this .zip file. But when I tried to open/unzip it, it asked for a password.

<figure><img src="/files/KABtNoTwFBokMtyppduD" alt=""><figcaption></figcaption></figure>
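The PK header check and the password prompt can both be read from the ZIP local file header: the signature identifies the archive, and bit 0 of its flags field marks an encrypted entry. This is an added example, not part of the original write-up; the sample bytes are constructed, and the encryption bit is set by hand because Python's `zipfile` cannot write encrypted archives.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"                # ZIP local file header signature
HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of that header
PREFIX = b"constructed-stream-prefix\r\n\r\n"  # stands in for non-ZIP stream bytes

def find_zip_entries(blob: bytes):
    """Return (offset, name, encrypted) for each local file header in blob."""
    found, pos = [], blob.find(LOCAL_SIG)
    while pos != -1:
        if pos + HEADER.size <= len(blob):
            fields = HEADER.unpack_from(blob, pos)
            flags, name_len = fields[2], fields[9]
            name = blob[pos + HEADER.size : pos + HEADER.size + name_len]
            if len(name) == name_len:    # ignore headers cut off by the capture
                # Bit 0 of the general-purpose flags means the entry is encrypted.
                found.append((pos, name.decode("cp437"), bool(flags & 0x1)))
        pos = blob.find(LOCAL_SIG, pos + 4)
    return found

def constructed_sample(encrypted: bool) -> bytes:
    """Constructed stand-in for reassembled stream data carrying one ZIP entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed placeholder")
    raw = bytearray(PREFIX + buf.getvalue())
    if encrypted:
        raw[raw.find(LOCAL_SIG) + 6] |= 0x01   # flags field starts at offset 6
    return bytes(raw)

if __name__ == "__main__":
    for offset, name, enc in find_zip_entries(constructed_sample(True)):
        print(f"offset={offset} name={name} encrypted={enc}")
```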

I tried to brute-force this .zip file with tools like [fcrackzip](https://github.com/foreni-packages/fcrackzip) but got nothing :/

Then I remembered that I know a little Wireshark magic to give it a try.

<figure><img src="https://media.giphy.com/media/iBjylURwS9N9FCl8Dl/giphy.gif" alt=""><figcaption></figcaption></figure>

* Using export objects to see any interesting files through HTTP traffic

<figure><img src="/files/ehwibKf45aPfstYcG49X" alt=""><figcaption></figcaption></figure>

And we got many jpg files.

<figure><img src="/files/WCW7qnFyUTkawlBtI0Yg" alt=""><figcaption></figcaption></figure>

You may have noticed that there is a pattern in the file names, but I did not notice this until I downloaded them and opened the folder.

<figure><img src="/files/fqPRZWMg3tUAGqdpBw48" alt=""><figcaption></figcaption></figure>

As you can see, if you collect the letters together you will find that they mean something.

Password ==> iamsupersecretpasswordgood4uthefinding

So let's grab that flag.

<figure><img src="/files/PUkrVUdNLyXZ8ydGXhZF" alt=""><figcaption></figcaption></figure>

### <mark style="color:orange;">**🌟**</mark><mark style="color:green;">Cryptography</mark>

### <mark style="color:yellow;">**Encoding 1 & Encoding 2**</mark> <a href="#id-8d02" id="id-8d02"></a>

These were cryptography challenges, and both can be easily solved using [CyberChef](https://gchq.github.io/CyberChef/).

<figure><img src="/files/zbrF29I1n8DNMm22vy4j" alt=""><figcaption></figcaption></figure>

<figure><img src="https://media.giphy.com/media/l3q2Z6S6n38zjPswo/giphy.gif" alt=""><figcaption></figcaption></figure>

> Thanks For Reading

