Why did the bicycle fall over? It was tired of all the ROTation!
rfgq ayl lmr zc rfgq qgknjc
Starting out simple with clear & obvious clues. That capital ROT leads to ROT13.
To solve this one, head over to CyberChef and bake up a recipe using ROT13. Set Rotate Numbers amount to 2 and viola… a fresh baked flag.
Flag: this can not be this simple
Have you ever tried reading the alphabet in reverse?
Ru lmob dv xlfow gfim yzxp grnv
Honestly, I don’t remember how I ended up at dcode.fr using that Atbash Cipher. I’m sure it involved some searching with terms such as crypto, alphabet, & reverse.
Flag: If only we could turn back time
The train joke I wrote didnt gain any traction— it went off the RAIL!
MO OFRSIB ECSNIENI ULSF
RAIL in all caps is good clue to start with. Let’s see what Cyberchef has on the menu.
Rail Fence Cipher Decode seems like a good recipe. Let’s bake it up. After fiddling with the key & offset, there was success.
Flag: MOBILE FORENSICS IS FUN
VIGorous ENcrypting? Embrace the Riddle’s Essence, it’s “essential”!
QshprMzepw
Another challenge for CyberChef. Searching for the apparent all-cap clue of VIGEN returns the Vigenère Decode. Pasting just the clue isn’t quite enough as it returns “No key entered”
Back to the title for the second bit of necessary info. “essential” stands out. And works!
Flag: MapleTrees
BASH these ROTten criminals
rj vuzcj n mncczza
More all capital letters that are likely clues. BASH & ROT both sound familiar. Let’s see if we can combine them together to back up another steaming, hot flag.
BASH = Atbash Cipher
ROT13 = ROT13 substitution + some rotation fiddling
Flag: we stole a balloon
What is your favorite SHAKESPEARE play?
lv bo sj cst ks tl, trel xw tyi ibecxadr
Neither CyberChef nor Dcode recognized this one, so I… guessed.
Flag: to be or not to be, that is the question
Surfing sound waves in California searching for hidden messages
Download song.wav
Played the .wav file for anything obvious. Thankfully not RickRolled, but still no joy.
Opened the .wav file in Notepad for text dumped at the end of the file. No luck.
One good thing about writing up your CTF follies, is that you have notes to review next year. I remembered something hiding in a .wav file last year. Went back to that post (https://dfir101.wordpress.com/2023/05/07/magnet-forensics-virtual-ctf-may-2023-cipher-challenges-walkthrough/) and grabbed Sonic Visualizer again. After some knob fiddling and eye squinting, I found the flag
Flag: HotelCalifornia
ROTten people hiding their secrets!
Download Steganography.rtf
Opened steganography.rtf in Notepad to hunt for interesting flag-like text. Sure enough, hiding at the bottom of the file was:
Used CyberChef to bake some more ROT13 to find the flag.
Flag: Hiding_out
EXIF data, the memory foam of photography, never forgets the shot you took!
Download nicedog.jpg
Viewed nicedog.jpg and sure enough, thatsagoodboy!!!!
Seeing EXIF in the title leads me to believe that there’s something hidden in the images EXIF data. Let’s view it using https://onlineexifviewer.com.
LensSerialNumber looks strange for no particular reason other than this is a CTF so let’s look at strange things.
CyberChef has a cool Magic recipe that is very often magical. It determined this was HEX and baked it for us.
Flag: found_flag
DFIR101 
1 Comment