Post

BroncoCTF 2024 - Writeups

This is a writeup for all forensics challenges from BroncoCTF 2024. Despite the CTF being targeted for beginners, some challenges were actually pretty difficult with some unique challenges tailor-made for the forensics category. The organizers also do love their binary.

Keyboard Elitist [Beginner]

Question: My buddy is bragging about how cool his Framework laptop is and how much faster he can type than me. When I tried to type a message, it came out as garbage!

1
A;;apfkgij gj;ukd ar ut ghur war a Qwfpgj efjbyaps yk a Cyifmae uk;lg rchfmf maefr ghur iyye iuef dapbadf. Mj tpufks ur sftukugfij a efjbyaps rkyb, ylg hfpf wugh hur mysliap tpamfwype ia;gy;. Rudh, fughfp waj... hfpf ur ghf tiadO bpykcy{qwfpgj_vr_c0ifm@e}

Flag: bronco{qwerty_vs_c0lem@k}

At first I was stuck at this for quite awhile, but after reading the description carefully, it could suggest that this was a different keyboard layout. Using dcode, I noticed that the encoded text was actually Colemak which I have never heard of before.

beginner1

beginner2

Shrekanana Banana [Beginner]

Question: I was given this image of Shrek in a Banana, but I can’t help but feel like I am missing something…

Flag: bronco{shr3konogr@phy}

We were given an image file of Shrek banana, just use some generic steganography tool like Aperi’Solve to analyze the file.

beginner3

Stego-Snore-Us [Beginner]

Question: I’m not the only one tired after pulling an all-nighter for Hack for Humanity…

Flag: bronco{no_more_all_nighters}

We were given an image file of a sleeping dinosaur, just use some generic steganography tool like Aperi’Solve to analyze the file. However this time the flag was encoded, so I took the encoded flag and analyzed it slowly.

beginner4

Since we know pesxas should be bronco, it suggests a mono-alphabetic cipher. I used a good online substitution tool called quipquip and got the flag.

beginner5

Medieval Beats [Forensics]

Question: Check out my youtube video

Flag: bronco{1n_17_f0r_7h3_10n6_h4ul}

I could not solve this challenge before the CTF ended, however I tried it again the next day and finally understood the challenge. We are given a 1 hour Youtube video with characters of the flag coming up in random frames throughout, however, some of the frames were too quick for the human eye. One way is to watch the whole video in fast playbacks like 8x or 16x. Another way by @Krauq is to just download the video and extract each frames with a tool like ffmpeg.

1
2
ffmpeg -i Flag\ Vido.mp4 -vf "fps=1" output_%04d.png  
find . -type f -size 284c -exec rm {} +

Wario Party [Forensics]

Question: Who is the true hero of the Mario Party games you might ask? Look inward and you might find it at the intersection of Mario’s color and the number of brothers.

Flag: bronco{b0ws3r_g0t_th4t_dumpy}

We are given an image of Super Mario Bros poster that has a huge file size which suggest steganography. Reading the description carefully, it mentions something about Mario’s color and the number of brothers.

1
2
Mario's color = Red
Number of brothers = 2

Using this information, it seems that a LSB steganography is performed. To ensure this logic is correct, analyzing the image shows that there data encoded in Red 2. So we can use online tools like StegOnline to extract the hidden data embedded within the image.

forensics1

forensics2

The extracted data seems to be an image of another puzzle with Wario and Waluigi. Analyzing the image, it seems that it is another binary type puzzle where Wario=0 and Waluigi=1. Converting the binary to Ascii, the flag can be obtained.

RealHeroOfMarioDecoded

forensics4

Boom [Forensics]

Question: With all these talks of arbitration, things are tense here around the office. I feel like people are going to explode at any moment. I gotta watch where I step before I accidentally bring something up and uncover something I didn’t want to.

Hint: Look into Minesweeper and hex

Flag: bronco{bo0m!}

We are given a file with the .mbf extension, containing several hex digits. Initially having no clue on what the file should be used on, the authors provided a really good hint that helps clarifying this issue.

forensics5

By Googling minesweeper and mbf, I come across MZRG that allows players to load custom minesweeper boards to a game using the hex values. After getting the minesweeper board, I had no clue what I was looking at. However, I noticed ‘XD’ was written using the mines at the right side of the board map. This suggest that the flag was probably the huge chunk at the left side of the board map.

forensics6

Mystery Sound [Forensics]

Question: This transmission supposedly contains a secret flag, but I can’t decode it because of some interference. Can you help?

Flag: bronco{y0u_mu57_h4v3_4m4z1ng_h34r1ng}

We are given a wav audio file in this challenge, which also means audio steganography. Using Sonic Visualizer on Windows, a spectrogram layer can be added and a weird encoded message can be found. It seems to either be digital waves or morse code.

forensics8

But after analyzing it, it was definitely digital waves where down=0 and up=1. With 0s and 1s again, it is yet another binary type puzzle. So I manually inserted each bit and decoded them using cryptii (had to repeat 6 times rip my eyes) and finally got the flag.

forensics9

forensics10

LAN Party [Forensics]

Question: My friend is SO MEAN! He changed my password on my home router and hid it in this Minecraft world. He even unmined the chunk I dug out…what a jerk. Ugh, now I am just here at the top of the world rather than at bedrock mining diamonds.

Flag: bronco{b1rd's_Ey3_View}

I could not solve this challenge before the CTF ended, however the authors gave me the method to solving it so I attempting it myself after. Since it was Minecraft forensics, I assume we had to analyze the chunk position in NBTExplorer to uncover hidden values. However, the authors mentioned that another specific tool can be used to get the flag directly.

forensics11

As shown in the Discord chat, it seems that using uNmINeD allows the player to see a top down view of a minecraft world, where the flag can be easily seen.

forensics12

Wiki Wiki Wiki [OSINT]

Question: Not much to go off here, but it’s all you need: Wikipedia and 128.125.52.138. The flag is not in the typical format, but wrap it in bronco{} before submitting. You will know when you find it.

Flag: bronco{cNi76bV2IVERlh97hP}

Search the IP address on Wikipedia

osint1

osint2

Preschool Lessons [Cryptography]

Question: a b c… easy as 1 2 3… Do you REALLY know your ABCs?

1
abbaaabacabbbaabacabbabbbbcabbabbbacabbaaabbcabbabbbbcabbbbabbcabbabaabcababbbbbcabbabbabcaabbaaabcabbbaabbcabbbaabbcababbbbbcabbbaaaacabbbaabacaabbaabbcabbbaabbcabbaaabbcabbabaaacabbabbbbcaabbaaaacabbabbaacabbbbbab

Flag: bronco{i_m1ss_pr3scho0l}

Reading the description, it is obvious that abc maps to 123. But thinking about it, it does not map to anything related to an encoding method or the flag. After analyzing the text for a long time, I noticed that it looks like binary again (the authors love binary for some reason) where c represents the space between a byte. So I mapped a=0 and b=1 and it worked.

crypto1

Zodiac Killer [Cryptography]

Question: The Zodiac Killer is on the loose! I saw this message spray painted on a wall.

Flag: bronco{LOOKOVERYOURSHOULDER}

We are given a simple text that resembles the Zodiac Killer Cipher, just decode it.

crypto2

Electrical Engineering [Cryptography]

Question: I hate electrical engineering

Flag: bronco{rEsi5t_ev1L}

We are given a pdf with many 6-band resistors. After awhile, I stumbled upon this tool that helps calculate the Ω values for each resistor.

crypto3

crypto4

Noticing that the Ω values seems to represent certain numbers, I tried every resistor’s Ω value on CyberChef and it succesfully decoded the flag. Thanks @eror__404 for the sanity check.

crypto5

Oh, Danny [Cryptography]

Question: When using AES in CBC mode, Danny has a habit of leaving messages in his initialization vectors. Can you find his secret message?

1
2
3
4
key = 73757065725f6b65795f73747265616d
pt1 = 4163636f7264696e6720746f20616c6c
pt2 = 206b6e6f776e206c617773206f662061
ct2 = 817ed4df4521cc2d6e746c45a834aa2d

Flag: bronco{d0nt_l3@k_ur_k3y}

From the description, it seems that we have to reverse the AES-CBC encryption to obtain the IV. I could not solve this challenge before the CTF ended, however I tried it again the next day since I knew the concept.

crypto6

So I created a simple Python script to reverse the encryption process and obtain the IV. This script was heavily inspired from @Krauq writeup so credits to him.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from Crypto.Cipher import AES
from binascii import unhexlify

key = unhexlify("73757065725f6b65795f73747265616d")
ct2 = unhexlify("817ed4df4521cc2d6e746c45a834aa2d")
pt2 = unhexlify("206b6e6f776e206c617773206f662061")
pt1 = unhexlify("4163636f7264696e6720746f20616c6c")

# Decrypt ct2 to get "pt2 XOR ct1"
cipher = AES.new(key, AES.MODE_ECB)
decrypted_ct2 = cipher.decrypt(ct2)

# Calculate ct1
ct1 = bytes(a ^ b for a, b in zip(decrypted_ct2, pt2))

# Decrypt ct1 to get "pt1 XOR IV"
decrypted_ct1 = cipher.decrypt(ct1)

# Calculate IV
iv = bytes(a ^ b for a, b in zip(decrypted_ct1, pt1))
print(iv)

crypto7

ACM Borg Members [Web]

Question: I am convinced the board members of Santa Clara’s ACM clubs are cyborgs! They are definitely digitally enhanced! ACM Board? More like, ACM-BORG! If only I had a way of proving it.

Flag: bronco{be3p_b0op_@CM_are_cyb0rgs}

Reading the title and description, it seems that I should be using robots.txt on a specific website.

web1

web2

Blue Boy Storage [Web]

Question: This blue boy saved something on his home planet but cannot seem to find it. Can you help him?

Flag: broncoctf{ab4_d3_4ba_d1e_1m_blu3}

We are given the website, and what I always do is to look at the source code for any open flags.

web3

web4

Analyzing the javascript, the flag can be found as expected.

web5

All I Do Is [Web]

Question: I LOVE TO ROLE PLAY! for my upcoming convention, i am reliving my glory days of being a minecrafter.

Flag: bronco{Finding_diamonds_aint_so_hard_just_dig_baby_dig}

We are given a Youtube video and a website, however the website seems to not work.

web6

Watching the video, it was a Minecraft song on digging. Noticing how the name of the challenge closely resembles the video title, I assume we have to use the dig command, specifically to dig any TXT info in the URL.

web7

Blue Herring [Web]

Question: This page contains the elusive blue herring, however it’s never been seen by the human eye. See if you can catch it and rip it open to find a flag.

Flag: broncoctf{D1s_H3rr1ng_Sh0uld4_B33n_Blue}

We are back at Task 2 website again and this time there is another hidden flag inside it. By grepping the word “herring”, a path to an image can be obtained.

web8

web9

At this point I had no clue what to do next, but after asking for hints, it seems I have to perform steganography on it (this should be a forensic challenge, not web). Since the question mentioned Blue herring, I thought of LSB steganography again. Hence I went ahead and tried zsteg and the flag can be located on Blue 8 LSB.

web10

However, the intended method was to just select every Blue bit MSB on StegOnline and the flag can be obtained.

web11

Countries Unite [Misc]

Question: “yoshie” sent me a peculiar message. What could he possibly be trying to say?

Flag: bronco{diveristyequityinclusion}

We are given an image of Discord emojis. Just get the first letter of each country flag and the flag can be obtained.

misc1

BroncoCTF Crossword [Misc]

Question: I am really annoyed. I work at Bronco Venture Accelerator and instead of doing work, my boss is just sitting doing a crossword. And drinking lemon juice? WHY! I want to dump it on him and his paper. We need to make MONEY.

Flag: bronco{crosswords_do_not_increase_shareholder_value}

We are given a pdf file of a crossword puzzle and it seems that there are white boxes covering the crossword. Initially, I spent an hour doing the crossword puzzle and it lead to no information on the flag. Hence I had to ask hints from Discord which mentioned something about lemon juice and paper. This obviously means the text “disappeared” as lemon juice on ink produces invisible ink.

misc2

Sadly, I could not solve this challenge before the CTF ended, however, I found out that using a simple CTRL+A reveals the flag (bruh).

misc3

This post is licensed under CC BY 4.0 by the author.