A beginner-level CTF challenge from one of the TryHackMe rooms, focusing on Cryptography and Forensics and divided into 5 different tasks.
Topic : Cryptography
- Translate, shift and decode the following questions.
- Note : Answers are all case sensitive
I personally recommend using CyberChef, which makes most of the questions here easier to solve.
Leet is an alternative alphabet for the English language that is used mostly on the internet. It can also be applied to languages whose alphabets are constructed similarly to the English alphabet, e.g. German and Spanish.
It can be confusing at first, but looking at the 'weird' (non-alphabetic) characters and guessing their nearest lowercase/uppercase letter helps a lot in translation.
- Translate by using this tool, or
- By guessing (pretty straightforward here), i.e.
- 4 > A > a
- 0 > O > o
- 7 > T > t
- 2 > |2 > R > r
- 1 > l
- 9 > g
Binary is a number system that uses only 2 digits (0 & 1), and it is also the digital representation of text and data in computing.
ASCII (American Standard Code for Information Interchange) is one of the most common character encoding standards for electronic communication. It is prevalent on computers, telecommunications equipment and other devices. As a unicode, ASCII code can be represented in 8, 16 or 32-bit binaries, which means each ASCII character can be represented by a binary value of a certain length.
01101100 01100101 01110100 01110011 00100000 01110100 01110010 01111001 00100000 01110011 01101111 01101101 01100101 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01101111 01110101 01110100 00100001
- This cipher is delimited by whitespace, and each binary value is 8 bits long, thus it is in UTF-8 format.
- The easiest way is to use the recommended tool, CyberChef, to decrypt it.
- Basically, each binary value corresponds to a specific ASCII character, according to the ASCII table here.
- For example,
- 01101100 -> l
- 01100101 -> e
- 01110100 -> t
Base32 is a notation for encoding arbitrary byte data (1 char = 5-bit), using a restricted set of symbols that can be conveniently used by humans and processed by computers. It consists of a symbol set made up of 32 different characters, and an algorithm for encoding arbitrary sequences of 8-bit bytes into the Base32 alphabet. The most commonly used symbol set is the one from RFC4648, which includes :
- Uppercase letters A~Z (26 characters)
- Digits 2~7 (6 characters)
- And the symbol "=" for padding, which is required to yield correctly decoded data when the size of the transported data isn't confirmed.
- Since all characters in the given cipher satisfy the criteria above, we can assume it is Base32-encoded text.
- CyberChef's default character set for decoding Base32 is the one mentioned above, so we get the plain text right away.
Similar to Base32 mentioned above, Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. It is used especially when binary data, such as images or video, is transmitted over systems in a plain-text (ASCII) format. The scheme contains 64 characters with size 1 char = 6-bit, and the most common one, MIME's Base64 scheme, contains :
- Uppercase letters : A~Z (26 chars)
- Lowercase letters : a~z (26 chars)
- Decimal Digits : 0-9 (10 chars)
- 2 additional symbols '+' and '-'
- Padding symbol '=' (not included)
- Since all characters in the given cipher satisfy the criteria above, we can assume it is Base64-encoded text.
- CyberChef's default character set for decoding Base64 is the one mentioned above, so we get the plain text right away.
Hexadecimal is a number system that represents numbers using a base of 16. It consists of the following characters :
- Digits : 0 ~ 9
- Letters : A ~ F (or a ~ f), which indicate the numerical values 10 ~ 15
- Since it contains the letters c, d and f among the decimal digits, we can assume it is a hexadecimal value.
- In CyberChef, the default delimiter of the decoding operator is whitespace, so the plain message can be found directly.
ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet (A~Z : id = 1 ~ 26).
Since there are 26 characters in the alphabet, the encryption and decryption algorithms are the same (i.e. 13 * 2 = 26), which is why it is considered weak encryption. Example :
Plain | Encrypted | How |
---|---|---|
A (id=1) | N (id=14) | 1 + 13 = 14 |
N (id=14) | A (id=1) | 14-13 = (14+13) mod 26 (wrap-around) = 1 |
- Based on the given cipher, assume the numerical value is unchanged. Also, take the integer value 13 as a hint: since all the other characters are letters, a letter substitution cipher comes to mind.
- Search CyberChef for any encryption method related to the integer 13
- Apply ROT13 operator and the plain message is returned
ROT47 is a derivative of ROT13: a simple character substitution cipher that replaces characters within the ASCII range [33, 126] (i.e. 7-bit printable characters).
Just like ROT13, ROT47 is an invertible algorithm, i.e. the same algorithm is used for encoding and decoding, but it adds 47 instead of 13, since the ASCII range for ROT47 = 33 ~ 126 -> (126 - 33 + 1) / 2 = 94 / 2 = 47
Example (id=ASCII value) :
Plain | Encrypted | How |
---|---|---|
A (id=65) | p (id=112) | 65 + 47 = 112 |
p (id=112) | A (id=65) | 112 - 47 = (112 + 47) mod 94 (wrap-around) = 65 |
/ (id=47) | ^ (id=94) | 47 + 47 = 94 |
- Since all characters have ASCII values within the range above, we can assume it is encrypted with ROT47
- Select the ROT47 operator and the plaintext is obtained.
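Both rotations can be written as one function over an inclusive character range. This is an added example, not code from the room or from CyberChef; it uses the 0-based offset form `lo + (c - lo + shift) % size`, so the wrap-around holds for every character in the range, and the function names are my own.

```python
def rotate(text, lo, hi, shift):
    """Rotate characters in the inclusive code-point range [lo, hi]; leave others as-is."""
    size = hi - lo + 1
    out = []
    for ch in text:
        c = ord(ch)
        if lo <= c <= hi:
            # Work on the 0-based offset so the modulo wraps inside the range.
            c = lo + (c - lo + shift) % size
        out.append(chr(c))
    return "".join(out)

def rot13(text):
    # Two 26-letter ranges, each shifted by half its size; digits and symbols pass through.
    return rotate(rotate(text, ord("A"), ord("Z"), 13), ord("a"), ord("z"), 13)

def rot47(text):
    # One 94-character range (ASCII 33..126) shifted by half its size.
    return rotate(text, 33, 126, 47)
```

Because each shift is exactly half the range size, applying either function twice returns the input.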
Morse code is an encryption method used in telecommunication to encode letters (regardless of lowercase or uppercase) and digits. It uses standardized sequences of 2 different signal durations, dots and dashes or dits and dahs (i.e. '.' and '-').
The characteristics of morse code are :
- Each morse code symbol is formed by a sequence of dots and dashes
- Dot duration is the basic unit of time measurement in Morse code transmission
- Dash duration is three times the dot duration
- Each dot or dash within a character is followed by a period of signal absence, called a space, which is equal to one dot duration.
- Spacing and length of the signals : (signal=1, absence=0)
  - Dot duration=1 && dash duration=111
  - The space between the signals forming the same letter is equal to 1 space (0)
  - The space between 2 letters is equal to 3 dot durations (000)
  - The space between 2 words is equal to 7 dot durations (0000000)
- Example String : "As I said"
Word | Each letter | Total dot duration / Word |
---|---|---|
As | | 5 * 2 (a, s) + 3 * 1 + 7 = 20 |
I | | 3 (I) + 3 * 0 + 7 * 1 = 10 |
said | | 5 * 2 (s, a) + 3 (i) + 7 (d) + 3 * 3 + 7 = 36 |
TOTAL | | 20 + 10 + 36 = 66 |

Thus, it takes 66 dot durations to transmit the full message "As I said" in Morse code.
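The tally above can be reproduced by building the on/off stream (signal=1, absence=0) for each word and measuring its length. This is an added example, not part of the room; the function names are my own, and it follows the page's convention of counting a 7-unit gap after every word, including the last.

```python
LETTERS = "abcdefghijklmnopqrstuvwxyz"
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- "
         "-. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(LETTERS, CODES))

def keying(letter):
    # On/off stream for one letter: dot = 1, dash = 111, a single 0 between signals.
    return "0".join("1" if s == "." else "111" for s in MORSE[letter.lower()])

def word_units(word):
    # Letters are separated by 000; the word is then followed by 0000000.
    return "000".join(keying(ch) for ch in word) + "0000000"

def message_units(message):
    """Return (stream, length in dot durations) for a message of letters and spaces."""
    stream = "".join(word_units(w) for w in message.split())
    return stream, len(stream)

if __name__ == "__main__":
    for w in "As I said".split():
        print(w, word_units(w), len(word_units(w)))
    print("total", message_units("As I said")[1])
```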
- . .-.. . -.-. --- -- -- ..- -. .. -.-. .- - .. --- -. . -. -.-. --- -.. .. -. --.
- By identifying the cipher pattern, we can be sure it is Morse code.
- The morse code in text here takes whitespace as space between characters, and newline as space between words
- By using operation in CyberChef with default setting, we can get the decoded message directly
Decimal here means the base-10 values we commonly see throughout the world, written with the digits 0 to 9.
- The conversion here is done by looking up each whitespace-delimited decimal value in the ASCII table. Example :

Decimal | Character |
---|---|
85 | U |
99 | c |
115 | s |

- By using CyberChef, the plaintext is obtained easily by using the right operator.
The cipher in this question is encoded using multiple encryption methods.
Exception : Since the cipher of this question is too long, refer to the link here to view the cipher on [Task 1] #10
- CyberChef is preferred since it can apply multiple operators in sequence and reorder them to obtain the final result
- It also does a basic analysis of any given input and suggests possible operator(s) to use based on that.
- By using CyberChef, we are able to take the layers of encryption apart :
  - Base64, since the given cipher consists of both upper and lowercase letters, and ends with an equal symbol "="
  - Morse code, since the decoded cipher contains only dots and dashes
  - Binary to ASCII, as only digits 0 and 1 are found in the decoded cipher
  - ROT47, since the decoded cipher contains letters and certain symbols in ASCII range [33, 126]
  - Decimal to ASCII
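The same layer-by-layer reasoning can be scripted. This is an added example, not the room's cipher or CyberChef's logic: the sample is constructed by `build_sample`, all names are my own, and the Morse table only covers the digits 0 and 1 because that layer carries binary text.

```python
import base64, re

# The Morse layer only carries binary digits here, so two symbols are enough.
MORSE = {"0": "-----", "1": ".----"}
UNMORSE = {code: digit for digit, code in MORSE.items()}
DECIMALS = r"\d{1,3}( \d{1,3})*"

def rot47(s):
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in s)

def from_morse(s):
    # Space between characters, newline between words (the layout described earlier).
    return " ".join("".join(UNMORSE[c] for c in word.split()) for word in s.split("\n"))

def to_morse(s):
    return "\n".join(" ".join(MORSE[c] for c in word) for word in s.split(" "))

# (name, recogniser, decoder); the recognisers follow the reasoning in the list above.
LAYERS = [
    ("morse", lambda s: re.fullmatch(r"[.\- \n]+", s), from_morse),
    ("binary", lambda s: re.fullmatch(r"[01]{8}( [01]{8})*", s),
     lambda s: "".join(chr(int(b, 2)) for b in s.split())),
    ("decimal", lambda s: re.fullmatch(DECIMALS, s),
     lambda s: "".join(chr(int(d)) for d in s.split())),
    ("base64", lambda s: len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s),
     lambda s: base64.b64decode(s).decode("ascii")),
    # ROT47 output has no distinctive alphabet: accept it only if it decodes to decimals.
    ("rot47", lambda s: re.fullmatch(DECIMALS, rot47(s)), rot47),
]

def peel(text):
    """Strip one recognised layer per pass; return (plaintext, layer names in order)."""
    applied = []
    while True:
        for name, looks_like, decode in LAYERS:
            if looks_like(text):
                text = decode(text)
                applied.append(name)
                break
        else:
            return text, applied

def build_sample(plain):
    # Constructed input: wrap a plaintext in the five layers, innermost first.
    decimals = " ".join(str(ord(c)) for c in plain)
    bits = " ".join(format(ord(c), "08b") for c in rot47(decimals))
    return base64.b64encode(to_morse(bits).encode()).decode()
```

`peel(build_sample("peel one layer at a time!"))` returns the plaintext together with the layer order base64, morse, binary, rot47, decimal.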
[Task 2] Hashes
- A hash function is any function that can be used to map data of arbitrary size onto data of a fixed size; the returned values are called hashes (also hash values, hash codes or digests).
- There are 3 ways suggested by the author of this room :
  - CyberChef, to analyze the given hashes
  - Hashcat bruteforce, to unhash (Harder and Time-Consuming)
  - md5hashing.net, to find the corresponding plain message (Recommended)
- Note : What md5hashing.net does is not decrypting the hash (impossible in a short time, i.e. Hashcat) but a reverse lookup of records in their gigantic database.
#1. MD2
- MD (Message-Digest algorithm) series : MD2, MD4, MD5 and MD6, sorted in ascending order of release date.
- So far, MD2 (the earliest) is the only one that has no longer been considered a secure one-way hash function since 2004. Thus, we can be sure that the hint is referring to the MD2 hashing algorithm.
- By using md5hashing.net with Hash type MD2, the following decoded message was returned.
#2. MD4
- Since we know MD4 comes after MD2 and before MD5 in the MD series, we can assume it is talking about the MD4 hashing algorithm.
- By using md5hashing.net with Hash type MD4, the following decoded message was returned.
An MD5 hash is created by taking a string of any length and encoding it into a 128-bit fingerprint. Encoding the same string with it will always result in the same 128-bit hash output.
- The hash analysis feature of CyberChef gives a list of hash functions that may have been used to encode the message, according to the hash, byte and bit length of the hash.
- As MD5 is at the top of the list, here we assume it is encoded using the MD5 hash function
- By using md5hashing.net with Hash type MD5, the message has been decrypted and the output is as follows.
#4. NTLM Algorithm
It is a hashing algorithm used in Microsoft network security protocols, specifically the one called the NTLM Authentication Protocol. This hashing algorithm is actually based on the MD4 algorithm, and stores encoded passwords as a 128-bit value in Windows.
- Note : I actually spent quite a while solving this question, since the encryption method here is not that common.
- I tried all the encryption methods from the analysis of CyberChef and decoded with them on md5hashing.net. However, none of them worked.
- Going back to the given hint and after some research, I found out that Microsoft does have a hashing algorithm based on MD4, which is the NTLM algorithm.
#5. SHA512
SHA512 is part of the SHA-2 cryptographic hash function set designed by the United States NSA. It is named SHA512 since it generates an almost-unique 512-bit (64 bytes) signature for an arbitrary text, by operating on 1024-bit message blocks, based on 64-bit words.
Hashes : a361f05487b879f25cc4d7d7fae3c7442e7849ed15c94010b389faafaf8763f0dd022e52364027283d55dcb10974b09e7937f901584c092da65a14d1aa8dc4d8
- Based on the hint, we can suggest that it is talking about SHA512
- This can be confirmed by analysing the given hash with CyberChef.
- By using md5hashing.net, we can obtain the encoded message directly.
SHA256 is also part of the SHA-2 cryptographic hash function set, while the two differ in :
Property | SHA-256 | SHA-512 |
---|---|---|
Max Input size | 2^64 bits | 2^128 bits |
Size/Block | 512-bit | 1024-bit |
Output size | 256-bit | 512-bit |
- Based on hash analysis, this hash is most likely encoded with SHA-256.
- The result can be obtained directly from md5hashing.net
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input with max size 2^64 bits, and produces a 160-bit (20 bytes) hash value as output. A SHA-1 hash value is typically expressed in hexadecimal, 40 digits long.
- We can expect it to be the SHA-1 hash function based on the given hint (i.e. SHA family : SHA-1, SHA-2 & SHA-3; SHA-0 is similar to SHA-1 and thus not included)
- This can be confirmed by the hash analysis of CyberChef.
- The original message can be obtained by using md5hashing.net
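The two steps used throughout this task, narrowing the algorithm by digest length and then resolving the digest by reverse lookup, are shown below as an added example (not code from the room, CyberChef or md5hashing.net). The word list is constructed and stands in for the site's database; MD2, MD4 and NTLM are listed by name only, since Python's hashlib does not reliably provide them.

```python
import hashlib

# Digest size in bits -> algorithms from this room that produce it.
# MD2, MD4, MD5 and NTLM all give 128 bits, so length alone cannot separate them.
BY_BITS = {128: ["MD2", "MD4", "MD5", "NTLM"], 160: ["SHA-1"],
           256: ["SHA-256"], 512: ["SHA-512"]}
HASHLIB_NAME = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

# The SHA512 question's hash, copied from the page.
PAGE_HASH = ("a361f05487b879f25cc4d7d7fae3c7442e7849ed15c94010b389faafaf8763f0"
             "dd022e52364027283d55dcb10974b09e7937f901584c092da65a14d1aa8dc4d8")

def candidates(hex_digest):
    """Return the algorithms whose output length matches, or [] if the input is not hex."""
    h = hex_digest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return BY_BITS.get(len(h) * 4, [])

def build_table(words):
    """Hash every word once with every available algorithm: digest -> (algorithm, word)."""
    table = {}
    for word in words:
        for algo, name in HASHLIB_NAME.items():
            table[hashlib.new(name, word.encode()).hexdigest()] = (algo, word)
    return table

def reverse_lookup(hex_digest, table):
    """A dictionary hit, not a decryption: inputs that were never hashed return None."""
    return table.get(hex_digest.strip().lower())

# Constructed word list standing in for the site's database.
TABLE = build_table(["correct", "horse", "battery"])
```

A lookup only succeeds for inputs someone has already hashed, which is why short, guessable messages resolve instantly while the 128-bit candidates still have to be tried one hash type at a time.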
[Task 3] Spectrograms
Topic : Forensics
- A spectrogram is a visual representation of the spectrum of frequencies of a signal as it varies with time.
- When applied to an audio signal, spectrograms are sometimes called sonographs, voiceprints, or voicegrams.
- When the data is represented in a 3D plot they may be called waterfalls.
Given : secretaudio.wav
- The 'Audacity' from the given hint is actually open source audio software that enables us to analyse audio. However, since I dislike downloading a whole piece of software for just one question, I found a sufficient tool online.
- By using an online spectrum analyzer, we get a graph of all frequencies that are present in the audio at a given time, while playing it.
- By playing this audio, which lasts 2 seconds, we can see that the spectrogram actually forms a secret message.
[Task 4] Steganography
Topic : Forensics
- Steganography describes the act of concealing a message/file within an appropriate carrier, which can be a message, image, video or audio.
- This steganographic decoder extracts the plaintext from within the given image.
[Task 5] Security through obscurity
Topic : Forensics
- Security through obscurity is the reliance in security engineering on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.
Both answers can be found by extracting the string components from the given image file. This can be done with either the CyberChef Strings operator, or by opening the file with a text editor (e.g. Notepad++ or VS Code), which matches the given hint : get "inside" the file -> metadata
- Download and get 'inside' the file. What is the first filename & extension?
  - Hint : Obscure Steg
  - Solution : hackerchat.png
- Get inside the archive and inspect the file carefully. Find the hidden text.
  - Hint : Answer is case sensitive
  - Solution : AHH_YOU_FOUND_ME!