The i18 has 13 challenges that you can find at this address. This CTF is in Norwegian, but has a very small amount of text so google translate is more than enough, but I will translate the text and clues to english here. This is the first part of my writeup where I will do the first 4 challenges. It is very possible that I will make mistakes or take longer path to the flag, so if you have any recommandation or correction, feel free to contact me by email or twitter. And same if you have questions or things you would like to know more about! Alright let’s jump in!
1: Ren rutine
Task: First task and this is simple. The answer we are looking for is sha256(lett som en plett).
This one seems fairly easy: just generates the sha256 hash for the sentence ‘lett som en plett’. Just type this command:
And it works! First flag!
2: This Must Be The Place
Task: We have put this on our head completely.
No more info than that. But it says the “head” so I would imagine it has something to do with the header, so let’s look at the page header! A quick way to do that is to right click, inspect element, go to to the network tab and click on the first GET request which is for this specific page. In the header, we do find a strange parameter called X-Answer with the value: b8e63fba4504b3c29e582cc3d1f6cc56918998d50e55b1af3382080506f2f969
And indeed it works! We could also have just pinged the page to get the header back:
3: I Skyggene
Task: nsm:$1$asH66rpo$gkIQMSAA.QS/ah5VZvrYi0:16403:0:99999:7:::
Clue one: Passwords that follow predictable patterns make them easier to crack.
Clue two: An article explaining why Summerferie2014 is a bad password.
The clues are completely essential for me here because I have very little experience in crypto challenges. I can easily guess that it will follow the pattern of Summerferie2014 though. So one word and then one number (probably a year). As it is in Norwegian, we can’t use already premade wordlists I have in English.
To find a list of words wasn’t easy but I found an old scrabble website that had one in their rules page by googling ordboka: https://www.ordspill.no/rules/ which redirects us in the end to this website with a downloadable list: http://www2.scrabbleforbundet.no/wp-content/uploads/2016/10/nsf2016.zip
I wonder if they know their innocent scrabble list can be used to crack passwords. Anyway this probably took me almost an hour but we got it! Oh yes, the actual challenge now.
We save the hash in a text file and after running a normal command with john (john hash.txt –wordlist=nsf2016.txt), it doesn’t manage to crack the password. So we probably need to help it by adding a rule as we know the format of the possible password (common word + number/year).
According to this article: https://www.gracefulsecurity.com/custom-rules-for-john-the-ripper/ - we should be able to create that by adding to the john’s Config file (etc/john/john.conf) this rule:
cAz"201[0-9]"
It tells me that it cracked it with the result being “Demokrati2015”. For some reason, the CTF did not accept this answer and I couldn’t understand why. But then I remembered that the previous answers were hashed in sha256 so I did the same with Demokrati2015 and it worked.
a4e3e09a00b0706add935ebdf627dc57bfb6e9d53b0be2c60754ad5865ce3c4f
4: Broen
A file. What is hiding in this.
Clue: sha256(lc(nameofaplace))
Ok so we get a file to download. Awesome! I love to do forensic challenges. The file is called data.bin. Let’s check what it could be with a simple command:
Great! A pcap file. I’m deep into a network security ebook so I recognise the extension directly. Basically for those that don’t know, pcap means Packet Capture Data. The file was generated through packet sniffing by the free software Wireshark. So let’s open the software and have a look at this capture. It’s a short packet capture and we see directly that there was a successful HTTP request and another request after that for an image:
If we continue down through this image request, we see that it was also successful:
Which means there is an image in this packet capture. To get the files transfered through HTTP, go to file -> Export Objects -> HTTP. Let’s have a look at this picture:
Interesting… It looks like a google map picture of a bridge (Broen, the title of the challenge means bridge in Norwegian). As the clue is about finding the name of a place, I can guess already that if we find where this bridge is, we should be good to go. Let’s start by checking the website that is written as Copyright. But we don’t find anything there, just an interactive map and I’m not going to visit all the places in Norway looking for this bridge. Let’s analyze the image then.
I did not find anything interesting by checking the usual commands like identify, file, exiv2. So after some googling I found an article by Nullbyte about extracting hidden information in images through exiftool. I quickly installed it and after running it, we get an interesting information:
A GPS position! Alright now we’re getting somewhere. I go straight to a GPS coordinate website, enter the coordinates and BOOM! We know that the bridge is in Eidsvoll. Fun fact: the Norwegian constitution was drafted and signed in Eisdvoll on the 17th of May 1814 by the constitutional assembly. And this is now the Norwegian national day.
Let’s finish the challenge now:
Success! See you in part 2!