Fall 2023 Walkthrough

Easy Login Quest

Home Base

Number

Earl

Diamond and Pearls

RSA 1

RSA 2

X or Y

X or Z

Speech!Speech!Speech!

Here Kitty, Kitty!

Military Power

Cute Dog :)

Cosmo's Key

Find a cipher grid table online, it should be set up like this one.

Take each letter of the key “COSMOISCOOL” on the top of the grid, and then go down to the letter of the encrypted message. Once you have pinpointed that, look for the letter of that row on the left side. Do that for each letter, and you will get the GOOOCOUGARS as the deciphered message

Talent Show

Run the image through Bing Reverse Image search, pulls up an IV Press article that is locked, but the name of the school is present in the headline. Typing in the whole headline to google pulls up a YouTube video with clips from the show, including the little girl doing gymnastics to love is an open door from Frozen

Inspector, please!

Between the heading, the name of the challenge, and the contents of the YouTube video, it becomes clear that we need to inspect the html. Doing so will reveal a flag hidden in the comments.

Rick the Stegasaurus

Upload the image to StegOnline and choose “extract data”. Then select 0 for R, G, and B and press Go. Flag will appear in the strings

Robot Uprising

Add /robots.txt to youtube.com and you find a message saying that this occurred in the mid 90s

What Would Python Do

Meme Meta

Open the image, click on properties, flag is written in place of title

Hash Browns

After running “hashbrown” through all for provided hash functions, MD4 is the one that produces “0f1530ec0ff026f3672a474fa62a5ff9”

Password Sleuth

If you inspect the javascript, you’ll be able to see that the username and password are available on the client side. Simply input the values and the page will reveal the flag.

Wayback

Using the website Wayback Machine, you can find a NYT snapshot from the specified date. Doing so reveals the golfer to be Lucas Glover

Cryptic Map

The star on the map seems to lie close to the border between California, Arizona, and Mexico. Zooming into this area on Google Maps will reveal a place called “Center of the World”, which seems to fit with the call to meet the friend “at the center”. Plugging this address into a coordinate finder will give you the pieces you need for the flag.

Guess my name...

Open up the html file. Right click and select “View Page Source”. Looking at the HTML you will see in the script it has the correct name “Jerry George Kramer.” If you continue to scroll through you will also find the flag.

Hidden Redirect

I can't see

Some of the pixels aren’t true black, so if you run a script that takes every not exactly black pixel and turns it white, the flag will appear. Example Script:

Output script:

SQL Fun

The correct code for the SQL query is: SELECT * FROM Customers WHERE COUNTRY = "Germany" ORDER BY CustomerName; The third name will be Die Wandernde Kuh, which is the flag.

Chuck the Horse

Download the image. The flag has been hidden in the metadata of the file. An image analyzer like Aperi’solve will do an analysis and use zsteg extract to look for any hidden strings. If you go to the zsteg box from the analyzer you will see the flag.

Easy Hex

Go to cyberchef.org. Input the given hex code and use the “from Hex” method. This will give you the hex code translated into the flag.

John's Netflix

Using johntheripper (command: john --wordlist=rockyou.txt --format=Raw-md5 sample.txt) where sample.txt is the provided hash yields the password ‘monkey’

Syntax Error

Fixing the syntax of ‘append’ to be in dot notation ( valid_names.append(name) ) and running the script will print the flag.

Lighthouse

Download the image, and then put it in Bing image search. This will show that this lighthouse is called the Annapolis Royal Lighthouse in Nova Scotia. Open up maps and you will see that right next to the lighthouse is a market called the Red Onion Market, which is the flag.

Gingham Cipher

You can get each of the grayscale values for the nine squares in the pattern by opening it with Paint and using the color grab tool. If you subtract 40 from each of these values and plug them into a hex decoder, the present the man’s wife wants will appear.

The ROT13 Revelation

Unveiling Crypto

Wifi Gateway

Go to command prompt/ terminal. Type in ipconfig. Under Wireless LAN adapter Wi-Fi you will see the Wifi Gateway.

Python If....Else

Who is the Winner?

-download - add this at the end print(decode_secret(bezos_cc_secret)) -then you get this as your flag byuindctf23{everyone_wins!

Scavenger Hunt

change it to black to see the code

String Story

They have to go into the terminal and plug in the string command and grep (which is like a ctrl f) to then find the flag. It’s hidden in the code. If that doesn’t work, then you can always download and open it up on the notepad. This is similar to the picoctf strings it challenge.

Ximeno's Password

Using the information on Ximeno’s Instagram, you can generate a wordlist using cupp. Using that wordlist with john and the provided hash will yield the password.

The Next Level

If you look at the metadata of the image, you’ll notice the copyright looks strange. If you plug the string into a base64 decoder, you’ll get a string that looks like hex. Decode that and you get the flag.

Cewl Password

The name of the challenge hints at using the web scraping tool “cewl”. Using this command with the -w option on the provided website and letting it run for about thirty seconds will produce a wordlist. Using that wordlist, you can use john to crack the sha512 hash. Flag: byuindctf{saisissante}

Elf 64

Bleed royal

Using this website: https://stylesuxx.github.io/steganography/; Upload the image file. Once that file has been uploaded, you can hit the decrypt button and it should spit out the flag.

Teachers Learn too

Redaction

Defend your house!