CTF Write-Up: Raise the Dead – The Haunted Brewery Challenge

Introduction

I recently joined my first CTF event, “The Haunted Brewery,” hosted by Hackers N’ Hops and sponsored by Tac 9 Security and the National Cybersecurity Center. This event has been an exciting way to dive into the world of cybersecurity, especially with spooky challenges like “Raise the Dead”

Challenge Description and Clues:

When I entered the crypt, I could barely see anything. The only light came from a small flame near a large steel coffin. Suddenly, a ghostly voice whispered, “Release me… and I will help chase off these amateur ghosts ruining your beer… release meeee.” This immediately set the scene for an interesting (and creepy) puzzle.
I was given a file called coffin.txt that I suspected held the key to solving this spooky puzzle.

On the coffin, there was a sign that read:

Within we have buried the count. We are sure he will never get out. Do not make the mistake of releasing him!

Should you encounter another vampire, do as we did! We put a giant STAKE into the heart of him... rolled him facedown and then put him in the coffin backwards!

Investigating the coffin.txt File:

The file contents were strange at first glance. Here’s what I found:

1. Hexadecimal Pattern: The file mainly consisted of hexadecimal-looking sequences, but something was off. The first line appeared incomplete, as if missing a chunk, which raised my curiosity about hidden information.

00000000000000000000000000000010000000000000000000000000
000010c20000000000006644000000000000000000000000000000000000
003000000011000000000000000000000000000000100000000000000000
000000000000e045000000000000750f0000000000000000000000000000
000000000030000000900000000000000081000000000000008000000051
000000e1000000000000700b000000000000050400000000000000000000
000000000000000000200000001000000000000000100000000000000010
000000000000000000000000000000620000000000000581000000000000
000000000000000000030000001000001032000000000000000000000000

1. “EKATS” Pattern: Scrolling down, I encountered repeated sequences of “EKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATS.” This sequence seemed unusual until I realized that “EKATS” was simply “STAKE” spelled backward, aligning with the clue about the vampire being “staked” in reverse.

EKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATS
EKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATS
EKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATS
EKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATS
EKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATSEKATS

1. ELF Header at the End: Near the end of the file, I found a hexadecimal sequence resembling an ELF header, 64C454F7. When reversed, it read 7F454C46, which is the standard ELF file magic number (\x7FELF). This hinted that the file might contain a hidden ELF executable embedded in reverse.

000400d00083000400000000000000000000760700000000000000040000
00000000220c0000001000e3003000000000000000000010102064c454f7

Solution Steps:

After recognizing the hints, I realized that the entire file was likely encoded backward. Here’s how I approached the solution:

1. Reversing the File Content: I used a command-line tool to reverse the contents of coffin.txt from end to start. This allowed me to see if any coherent data appeared when the file was read in reverse order.

➜ tac coffin.txt | rev > reversed_coffin.txt

1. Remove STAKE from Count Heart: I edited reversed_coffin.txt manualy to remove STAKE. This left me with a cleaner hexadecimal sequence that appeared to be the hex representation of a binary file.

2. Converting Hexadecimal to Binary:
   I took the remaining hexadecimal data and converted it into binary format. Here’s the command I used:
   

➜ xxd -r -p reversed_coffin.txt > opened_coffin

1. Identifying the Binary as an ELF File: After converting, I checked the file type:

➜ file opened_coffin

after execute the ELF file, I got the flag HnH{BackFromTheDead}

Conclusion:

This challenge was a fantastic exercise in recognizing patterns, reversing data, and converting hex to binary to reveal a hidden executable file. Removing the “STAKE” pattern was key to extracting the ELF file and ultimately finding the flag. This experience not only improved my technical skills but also reminded me to pay close attention to story-based hints in CTFs.

A big thank you to Hackers N’ Hops, Tac 9 Security, and the National Cybersecurity Center for organizing this event. It’s been a great learning experience and a fun way to practice Forensic (or RE ????)

nah, I just hate RE.