Magnet Forensics recently concluded their Virtual CTF for the Magnet Summit 2022.
Participants were provided with the following three images to process prior to the start of the Capture-the-Flag (CTF) challenge, as well as a trial key for the newly launched AXIOM 6.
- Pixel image containing what appears to be a full file system extraction of a Pixel 3 running Android 9;
- HP Image containing a full disk image of a Windows 11 system; and
- Google Takeout image of the account used in the CTF, rafaelshell24@gmail.com.
The questions for the CTF are split into three sections, and the write-ups for each section are as follows:
Egg Hunt
For this section, I found that the most useful tools were CyberChef and dCode's cipher identifier.
1. Boxed Crazy Bread
What is the flag found in the message below: CGTAOYFNHGHLIMGORUTNOODEGEAS0UNALISUUTETFGAN5
(25 points)
Using the cipher identifier at dCode, I wasted a lot of time initially on the top cipher, Ubchi Cipher. It wasn't until after the 3-hour sprint, when I relooked at the question, that I realized the question name, Boxed Crazy Bread, was a hint for Caesar Box Cipher.
Using the brute-force method for Caesar Box Cipher on the message gives: CONGRATULATIONSYOUFOUNDTHEEGGTHEFLAGISAM0NGU5
Answer: AM0NGU5
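The brute-force step above can be reproduced offline. The following Python is an added example, not part of the original write-up and not dCode's implementation; it assumes the usual Caesar Box layout (plaintext written in rows of a fixed width, ciphertext read down the columns) and uses "FLAG" as an assumed crib to pick out the readable candidate.

```python
import math

# Ciphertext from the "Boxed Crazy Bread" question.
CIPHERTEXT = "CGTAOYFNHGHLIMGORUTNOODEGEAS0UNALISUUTETFGAN5"


def caesar_box_decrypt(ciphertext: str, width: int) -> str:
    """Undo 'write plaintext in rows of `width`, read down the columns'.

    Handles boxes whose last row is only partly filled, so every width
    can be tried, not just divisors of the message length.
    """
    n = len(ciphertext)
    rows = math.ceil(n / width)
    full_cols = n % width or width  # columns that reach the last row
    columns, pos = [], 0
    for c in range(width):
        height = rows if c < full_cols else rows - 1
        columns.append(ciphertext[pos:pos + height])
        pos += height
    # Read the rebuilt grid back row by row.
    out = []
    for r in range(rows):
        for col in columns:
            if r < len(col):
                out.append(col[r])
    return "".join(out)


def brute_force(ciphertext: str, crib: str = "FLAG"):
    """Try every box width; return (width, plaintext) pairs containing the crib.

    The crib is an assumption about the plaintext, not something the
    cipher itself provides.
    """
    hits = []
    for width in range(2, len(ciphertext)):
        candidate = caesar_box_decrypt(ciphertext, width)
        if crib in candidate:
            hits.append((width, candidate))
    return hits


if __name__ == "__main__":
    for width, text in brute_force(CIPHERTEXT):
        print(width, text)
```

Here `width` is the number of columns in the plaintext grid; tools that ask for a box size may count rows instead, so the number that works there can differ.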
2. More bits please!
Using the keyword MAGNETVUS, what is the flag found in the message below: 55828323131891953189327594652829164582918353894339858568943391314972393439294341718944
(25 points)
dCode identified the cipher as Morbit Cipher, and using the provided keyword 'MAGNETVUS', the message was easily decoded to: CONGRATULATIONS YOU FOUND THE EGG THE FLAG IS WH3AT5
Answer: WH3AT5
3. Skip to My Lou
What is the flag found in the message below: 1A3HCCN
(25 points)
Due to the short length of the cipher text, dCode was not able to reliably identify the type of cipher. Using the same trick of taking the question name as a hint, I used the Skip Cipher and took a shot at the top result.
Answer: 1CHANC3
Note: I'm not sure if it was meant to be part of the hint, but in the question name, 'Lou' is three letters long, which coincides with the number of skips for the answer.
4. OMG They Killed Me
We're provided with a PNG file containing the above QR code. Using CyberChef to parse the QR code results in the message 'Mmfppfpppmfmpffmmmfmpfmfpmfmmmfmpmffppfpppfmm ffmppffmf mpfppffmfpppmpm fmpmfpmpp mppmfmmfm Fmpmfpmpp mpfpmfmmmmfm mfffmm mfm1mmmpppfmppffmmmfmp', which dCode then identifies as Kenny Language (Southpark) cipher. Decoding the cipher gives: Congratulations you found the egg The flag is g1antrat
Answer: g1antrat
5. Look in the mirror neo
What is the flag found in the message below: .y1f07318438d1u0h5338474h7y4w0n51323h7n0c4851941f3h7n01741v4f05w41nw0nk114079n1d20cc4
(25 points)
dCode identified the text as Leet Speak 1337 cipher but could not decode the message initially. The period at the start of the message string cued me in to the word 'mirror' in the question, which was a hint to reverse the string. Decoding the reversed string gives: AccORdInGTOANknOwnIAwSOfAUIATIOnThEfIAGISBAcOnThEREISnOwAyThATABEEShOuIdBEABBTOfIy.
Answer: BAcOn
Note: While writing up my solution, I realized that dCode did not manage to decode the cipher text accurately. Manually decoding leet speak provides the message: "According to all known laws of aviation the flag is bacon there is no way that a bee should be able to fly.", which is likely a reference to another question in the Android section.