Introduction
I first discovered Hacktoria in early 2022, during my "OSINT" phase. They had some really great geolocation challenges that introduced me to a lot of the basics.
I first discovered Hacktoria in early 2022, during my "OSINT" phase. They had some really great geolocation challenges that introduced me to a lot of the basics.
Recently, I noticed the site totally redesigned, with many of new challenges and pixel art. If, like me, you're a fan of CTFs with lots of backstory and visual props, I think you'll love the CTF challenges on Hacktoria.
Challenge Info
Name: Hidden Messages
Category: Forensics
Challenge Creator: Hoxed
Challenge description:
Hello Agent,
We have received some troubling news from our sources: the Order of Hades organization is planning to go into hiding for some time after the detention of one of their members, Maksim. According to our informants, if the Order of Hades vanishes, they will disappear like a ghost, and we will not be able to pursue them any further. As a result, we must apprehend their leader as quickly as possible. Following Maksim’s detention, a seemingly ordinary file was discovered on his laptop at his residence, and we require your expertise in the digital forensics field to determine whether it is a normal file or not.
We have attached the file for you to analyze using your skills and to provide us with your findings.
We understand that this mission may seem daunting, but we have faith in your abilities. If you choose to accept this mission, you will be provided with all the necessary resources to complete it. Good luck, Agent. The responsibility of capturing the leader of the Order of Hades organization rests in your hands.
As always, Special Agent K. The Contract is yours, if you choose to accept.
Link to challenge files: https://hacktoria.com/contracts/hidden-messages/ (Contains backstory and challenge file: nothing.data)
Setup
This challenge is solvable with very little setup, but as I had a Kali Linux set up for some CTF work, I'll be working on this challenge in the Kali environment.
Simply copy nothing.data into Kali Linux to start.
Solving the challenge
The first step in a file forensics challenge is to identify what filetype we are dealing with. File extensions can be misleading, so use the Linux file command that identifies the file type based on the actual data within the file.
Since it is a Zip file, we can extract it using the unzip command.
Based on the names of the files extracted, we can deduce they came from Microsoft Word file. From here on, it is mostly a treasure-hunt style challenge, where we look at each file for suspicious content.
The challenge webpage informs us that we will need to recover four parts of a message.
Screenshot from the challenge website
The message is in Morse code
Decoding the Morse code in CyberChef
Part 3 can be found again in the contents of word/document.xml. Certain characters are singled out by xml tags.
Example of letter 'P' being separated from the word 'People'
Breakdown of the regex expression from Regex101
Exporting the matched characters
The portion "<w:szCs w:val="20"/>" is important, was "w:szCs" is used to denote a change in font size. The challenge's intended solution was to repair the Word Document and open it, after which the player would notice certain characters were larger.
Part 4 has to do with a file in _rels. There is a text file called Boss.txt. On the surface, there's nothing interesting about it, just a note that fits the scenario.
Some invisible data.
This is known as whitespace steganography. A popular tool used is stegsnow. Unfortunately, just decoding the message does not work. We probably need a password.
Figuring out the password had me stumped for a long time. Luckily, a player BoΠeShΔdϴw³ from the Hacktoria Discord server was able to give me a clue: it was not a single word, appeared multiple times in the challenge description, and to use the same case the words appeared in.
The correct password was "OrderofHades", which the fictional organization Maksim and his boss belong to.
Conclusion
After finding all four parts, all that remains is to construct the final flag and get our contract card. The final flag is: Hacktoria{Plea$e_B0$$-RUN_THR0UGH-Gate5-ImMediateLY}.
Completed the last part on my main Windows machine, so I'm using 7zip.
Mission complete! We are rewarded with a beautiful collectable contract card. You can see the whole list on Hacktoria.
Screenshot of the contract card for this challenge.
Thanks to Hoxed, for creating this challenge, and BoΠeShΔdϴw³ for the hint. You can check out BoΠeShΔdϴw³'s writeup here, which follows the intended solution of repairing the Word document.