DownUnderCTF (18 -20 Sept, 2020)

DownUnderCTF is a world-wide Capture The Flag (CTF) competition targeted at Australian High School and University Students.

I did this one just for some fun and practice over the weekend. Anyone outside of Australian schools could not win prizes, but people from all over the world joined. I saw people from Thailand, Canada, the Netherlands, India, Spain, Italy, and more.

It was basic jeopardy style, so I’ll be skipping around sections as I go through them. I’ll complete as many as I can before the time is up on Sunday morning. Let’s get started, shall we?

So let’s start with the two really easy 10 point ones. I just went over to @DownUnderCTF and looked around.

At the very bottom, I saw this:

I identified the cipher as BASE64 using THIS tool, and got these results:

Follow the YouTube link for some Australian tunes!

I’m already on the DownUnderCTF Discord server, so I just looked around a bit until I found this at the top of General Chat:

The next one I chose is in the Forensics section. It provides a .wav file for analysis.

I saved the file and opened it up using Audacity. It starts off looking something like this:

There is a little drop down menu by “message_1” where you can change it to Spectogram view:

I then zoomed in and messed with the Spectogram settings until it was a bit more clear:

DUCTF{m4by3_n0t_s0_h1dd3n}

The next one I picked was in the OSINT section, a favorite of mine. I first searched up “Petstagram” and wow, this was a whole thing I didn’t know existed…

First I tried some Google Dorking with no results:

I then tried “#alexandrosthecat” and got some promising leads

I opened the first link and saw Alexandros in all his fluffy glory:

The only other post on the page was a video with a bunch of beeping in the background.

Before I investigate that though, I check to see who Emily is following and see she is ONLY following Alexandros the Cat.

In one of his posts he says:

I see there is a link to his mom’s YouTube channel:

Then I realize that I am actually getting too far into this and that I’ve already found the flag! His mom is obviously Emily Waters…lol.

I tried DUCTF{emily_waters}, but that did not work. Then I see her email is emilytwaters92@gmail.com, so I tried I DUCTF{emily_t_waters} with no success. I need her middle name.

I notice she has her email address listed. Searching for that on Google brings up nothing. But I am reminded of one of my past challenges where I extracted a Google OID using Google Hangouts and was able to pull up other Google services that person had used. I used that same technique and checked Google Maps:

Well, I definitely found something, but it seemed to be a dead end, so I went to the YouTube channel Alexandros posted, which had no information but a username. I started searching for “gelato_elgato” and found this on Twitter:

Nice! So the flag was DUCTF{emily_theresa_waters}

This one was easily recognized as BASE64 and decoded HERE.

For this one I opened up Kali and connected via SSH:

And then saw this:

Oh boy…and they just keep coming. I looked at it for a little but and tried not to have a seizure. I saw a couple that looked like the flag a few times, but they disappeared too quickly for me. Then I used my Screenshot tool to pause the barrage of colors and was able to make it out. I’m pretty sure I got REALLY lucky by having two right next to each other so I could make out the whole thing.

I’m not sure if that was the intended solution but it worked for me!

DUCTF{w3lc0m3_t0_DUCTF_h4v3_fun!}

For this one I ran steghide on the file, but found that it was password protected. I researched how to crack a password on a .jpg and came across Stegcracker. Eventually I was able to crack the password:

After that I used steghide again and opened the secret file:

This goes on for many, many pages, just repeating the same thing over and over again. I attempted to use stegsnow to see if there was data hidden in the white spaces, but was unsuccseful in extracting anything via that method.

No idea what to do with this for now. I may come back to it later if I have enough time.

I was eventually able to find his Twitter profile here:

If you go through his Tweets, there is one about a password that might throw you off, but the main hint is the one about him already deleting something:

I headed to the WayBack Machine and input his profile URL:

I clicked on July 23rd, 2020 which took me to all his historical tweets, and helped me find the flag, shown here:

I downloaded the file and saw this text:

“Ypw’zj zwufpp hwu txadjkcq dtbtyu kqkwxrbvu! Mbz cjzg kv IAJBO{ndldie_al_aqk_jjrnsxee}. Xzi utj gnn olkd qgq ftk ykaqe uei mbz ocrt qi ynlu, etrm mff’n wij bf wlny mjcj :).”

After playing around with many different ciphers and settings (too many), I eventually ended up using Vigenere to get this:

“You’ve solved the beginner crypto challenge! The flag is DUCTF{crypto_is_fun_kjqlptzy}. Now get out some pen and paper for the rest of them, they won’t all be this easy :).”

This one takes you to a web page with a jar of Spaghetti Sauce:

However, you do notice that you are unable to right-click anywhere. To get by this I used Chrome and went into the settings to disable Java:

After that I inspected the source code and saw this:

OK, I’m on the right track. After that I clicked on a link in the source code:

Which brought me to the flag!

This is the image in question. When you move your cursor over these little dots, they change either dark blue or light blue.

As I found out the hard way, wasting an hour playing the thing like a version of minesweeper DID NOT WORK.

There is no way in hell I’m trying the reverse option. So this one can just stay unsolved. I’m OK with that.

For this one, frankly, I had no idea what “pickle” was. So I researched around a bit and found THIS thread right here, where I downloaded Pickle Viewer for windows.

I uploaded my file and got this:

I then copied all the decimals down and threw them in a decoder to get this:

Then I added the other parts and turned in the flag: DUCTF{p1ckl3_y0uR_m3554g3}

I searched FOREVER for this one. I know I wasted way too much time that took away from other questions.

We are given an image of a random train in the snow and are told to find out which station it’s at.

I’m not from Australia, and I didn’t even know they had snow there, but apparently there is a ski resort area in NSW. I used Google Maps and looked at EVERY. SINGLE. TRAIN. STATION. in that general vicinity, but unfortunately came up short.

I started examining the train itself. There was a very blurry logo, but after scrolling through MANY model train websites, I was finally able to identify the train as The Norwegian Di4:

Seeing that there are apparently only 5 of them in action, I just searched Google images for Norwegian Di4 until I found this, hosted on Flickr:

The caption describes that the train was at Dunderland Station when this was taken.

DUCTF{dunderland}

The next one I went for was another OSINT challenge. It gives us two pictures and some instructions for creating a flag.

For picture #1 I started by Googling “train derailed Australia” and eventually came across THIS article by The Guardian. I recognized the white building’s distinct black window frames.

The article didn’t give me all the info I needed though, so I Googled a bit further and found this report HERE:

Nice, so that’s our military time (0909) and place of origin (Railton)

Here’s our next picture:

For this, I Googled “Underground homes Australia” and came up with multiple hits about Coober Pedy.

Again, not being from Australia, I had no idea about what was going on at Coober Pedy. I was actually fascinated and got drug down a YouTube hole and ending up watching a bunch of videos about the town and the people in it.

Emerging from that a while later, I Googled “1134 Coober Pedy” and had the home come up on a real estate site. Looking through the included pictures, I spotted the cereal in question:

Then I had to Google Australian cereals to make out the words for sure (they were a bit fuzzy here)

Looking through the other photos led me to the car, which was the final thing I needed for the flag.

DUCTF{railton_0909_white_nutrigrain}

For this one I started doing a bit of reserach on audio steganography, eventually finding my way to THIS article. When I got to the part about SSTV and listened to the audio clip, I knew I had found the right thing because it sounded very similar to my clip.

I downloaded the Robot36 app on my Android phone and put it up against my computer speaker. This was the result:

Looks like the flag is in code up top: QHPGS{UHZOYB_Z3Z3_1BEQ}

This turned out to be ROT-13: DUCTF{HUMBLO_M3M3_1ORD}

However, this flag was not accepted, so I’m not sure if my formatting was off when I input it or if the SSTV thing was a deception to hide the real flag. Reading through the question again though, it says I need to “TURN DOWN” my speakers, so I’m leaning towards it being a false flag.

For now, this one is unsolved. But I’m happy to have learned this cool technique!

This was all that I had time to complete before the CTF ended. I had a lot of fun, especially with the OSINT ones! Next weekend I will be doing H@TH which is Red Team/Blue Team themed.

Happy Hacking! ❤

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store