- Resource: Diana Initiative CTF
- Difficulty: Easy-Hard
- Category: Web, Crypto
- Time Active: Aug 21-22, 2020
[Task 1] [Medium/Hard] Crypto
#1 The chef has cooked up a special recipe for you, but you'll need to decode it: BYBRCgAQEESvsleT8fFKoyzK7Tfxxk7Oj2YF7vMmywU=.
Acquired By:
Just trying to Base64 decode it wont work. After looking at the hint it talks about "two functions base64 decode combined with raw inflate (common in malware)" will help. I've never heard of "raw inflate" so this is something I needed to Google. After playing around with the combination of base64 and raw inflate on Cyber Chef I was able to get "diversity and inclusion" with the normal base64 decoding on top of the raw inflate with a start index of 0 and the initial output buffer of 2.
#4 2020 Mantra bin.txt
Acquired By:
When looking at the bin.txt file it looks like binary. Popping over to Cyber Chef I was able to get the answer of "Bre4k1ng B0undari3s Byt3 by Byt3" by chaining Binary to base64 to ROT13 with a rotation of 11.
#5 "Name the artist: 01101000 01110100 01110100 01110000 01110011 00111010 00101111 00101111 01110111 01110111 01110111 00101110 01111001 01101111 01110101 01110100 01110101 01100010 01100101 00101110 01100011 01101111 01101101 00101111 01110111 01100001 01110100 01100011 01101000 00111111 01110110 00111101 01110110 01110101 01110001 00101101 01010110 01000001 01101001 01010111 00111001 01101011 01110111"
Acquired By:
This again looks like binary so off to Cyber Chef. This gave me a Youtube link and I can't help but this I will get RickRolled... Thankfully it was a "Lizzo - Good As Hell (Official Music Video)" and "Lizzo" is the answer.
#7 Convert and answer the following: 87 104 97 116 32 121 101 97 114 32 119 97 115 32 116 104 101 32 102 105 114 115 116 32 68 105 97 110 97 32 73 110 105 116 105 97 116 105 118 101 32 99 111 110 102 101 114 101 110 99 101 63
Acquired By:
This looks a bit like hex so let's see what Cyber Chef can find. So this game be some odd "..Iq.2.....C!...S!..A.2.!..A..c&.... s'1..Q..Yq..Q...)..............." which looks kind of like byte output that like Burp Suite decoded shows you so this probably isn't right. My other option is decimals. When I used Cyber Chef for decimals that Supports signed values I get "What year was the first Diana Initiative conference?". Some quick Googling gives me the answer of "2016" which was wrong. Boo. I jumped to conclusions. After reading more on the Diana Initiative site I realized that the answer of "2017" is the right answer.
#8 You have received a text file message.txt. What is the flag?
Acquired By:
When looking at the message.txt file it looks like Braille. After hopping over to dcode.fr I was able to decode the braille to get "BRAILLEISGOODTOKNOW"
#9 This test file CupCakes.txt contains random sweet jibberish... or does it? What is the flag?
Acquired By:
This one I had no idea so I used the hint and it spoke about wrote wrap. After pasting this into a text file and playing with the word wrap size I was able to line up the text to get the flag of "TDI{TaStY_TREATS}". 
#10 You have received the compiled js file build.js. What is the flag?
Acquired By:
I've seen this before but I couldn't quite place where. It has to do with JavaScript so I started searching for decoding around JS. Once I found the de4js' site I was able to select the "JSFuck" JavaScript Deobfuscator and Unpacker. This got me two lines of console.logs that held the flag of "TDI{WhY_iS_jAvAsCrIpT_s0_w3IrD?}"
#11 What is the message in the picture message.png?
Acquired By:
Looking at the picture it looks like a pigpen cipher, but when looking up images of the pigpen cipher I determined though it was similar, it was not a pigpen cipher. After more looking into the specific shapes I found the Knights Templar Cipher and was able to decode it to "IDVTIWTGLTPRWXTKUBDGT". This is not the answer. It looked odd so I popped it into Cyber Chef and used a ROT13 with an offset of 11 and got "TOGETHERWEACHIEV_FMORE". This is also not the answer as I messed up on decoding the original image but I am only off by a letter. By changing it to "TOGETHERWEACHIEVE_MORE" I got the answer.
#12 What a nice informational message in The-Diana-Initiative_info.txt, but is there another included?
Acquired By:
This one took a bit of research but after using the hint about a '"snow" program' I was able to find a yourtube video on How to Hide Secret Data in a Text File Using SNOW: Steganography. This lead me to a dead link. It appears that the official site is down.. On further research I found a site that spoke of running the right commands to get the tool to run here. From here I was able to run the command ./snow -C The-Diana-Initiative_info.txt on the downloaded file and I got "TDI{byte_by_byte}".
[Task 2] [Medium/Hard] Malware/RE
#1 What was the C2 domain for the sample processed here: https://app.any.run/tasks/af338b11-62a1-41fb-aee8-273cf169cbf2/.
Acquired By:
I'm not entierly sure what this site was but based on the hint about "Network traffic" I looked there and found the answer of "morgotom.ddns.net." 
#2 Given the contents of an .rc script (diana-iniative-rc.txt), what is the target operating system?
Acquired By:
The included text file mentioned using "exploit/windows/rdp/cve_2019_0708_bluekeep_rce". This really was just some Googling but after a bit I found the specific year that was needed on a github page about it. I didn't know that "Windows 2008" was a specific operating system but apparently I missed some Windows updates.. haha. Anyway, that was the answer.
[Task 3] [Easy] Threat Intel
#1 What organization is also known as the Equation Group? Note: answer should be in the form of an acronym.
Acquired By:
When Googling the question the first link spoke about the NSA and TAO. I tried "NSA" first and it was the answer.
#2 What is the ID associated with DLL side loading in the MITRE ATT&CK framework?
Acquired By:
- Googling the Q I found a link to the MIRTE ATT&CK site that has the ID on the upper right. "ID: T1574.002" is apparently not the flag... "T1055", t1107, were not the answer but I finally found "T1073" from a12d404.com that was the answer.
#3 What country is associated with the threat group ZINC EMERSON?.
Acquired By:
The first link when Googled gives the answer of "India."
#4 What is the username and password a NETGEAR RP114 rotuer? Format is username:password.
Acquired By:
The first link when Googled gives the answer of "admin:1234" from cleancss Default Router Login
#5 What is another name for njRAT?
Acquired By:
First link when Googling gives the answer of "Bladabindi" from Wikipedia
[Task 13] [Easy] [Web] Pickle Rick
#1 What is the first ingredient Rick needs?
Acquired By:
N/A
#2 What is the second ingredient Rick needs?
Acquired By:
N/A
#3
Acquired By:
N/A
[Task 23] [Easy] Web Exploitation - Well Known (Jaime)
#1 I made this site about a well-known pilot.
Acquired By:
By using the hint about "/.well-known" files I found the "/.well-known/core" file but this was not the flag. This lead me to looking up information about more filed within this directory and once I made a list of them I was able to find the "/.well-known/mercure" file with the flag of "tdiCTF{a_v3ry_w3llkn0wn_p1l0t}"
[Task 24] [Easy] Web Exploitation - Gifspace (Jaime)
#1 Check out Gifspace, a new site for millennials who want the lovably bad graphic design of Myspace experience but with gifs!
Acquired By:
This flag "tdiCTF{w3lc0m3_t0_g1fsp4c3!!}" is right in the response on the main page. I actually didn't find it right away but it's there.
#2 Head on over to Gifspace and see if you can find the next flag! (Flag contains "GS2" as this is a multi-part challenge).
Acquired By:
After over thinking this one and looking at the oddly large image and the .ttf file I went and looked at the CSS and JS files for a third time and finally saw the flag of "tdiCTF{GS2_4lw4ys_r34d_th3_js_f1l3s}" in the js file at the bottom.
#3 Gifspace now has a special gif page for our premium members! (Flag contains "GS3" as this is a multi-part challenge).
Acquired By:
This was the first flag that I found in this set. I first attempted to login as admin but then registered an " admin" account. Once I was logged in I noticed a Cookie "isVIP" set to 'false'. Once I changed it to 'true' I noticed the VIP like at the top of the page and the flag "tdiCTF{GS3_c4r4ful_w1th_c00ki3s}" was there.
#4
Acquired By:
This flag is best found with the help of a proxy as I didn't see the flag in the body of the response but it is there in the ZAP history. Anyway, the flag is found after going to the robots.txt page. There is a address there for "/302" and when you go there you get redirected to the homepage but in the body of the response for the page there is the flag "tdiCTF{GS4_wh3n_1n_d0ubt_CURL_1t_0ut}".
#5 Rumor has it that there's a Gifspace admin panel. (Flag contains "GS5" as this is a multi-part challenge).
Acquired By:
I wouldn't call this an "admin panel" but more of an admin page... as the flag "tdiCTF{GS5_0h_n0_d3f4ult_cr3ds}" is in their profile once you get logged in as them. To login as admin use the combo of "admin:password" and then go to their profile.
Happy Hacking
Oldest comments (0)