Who is it - 100 pts

 

Description

Someone just sent you an email claiming to be Google’s co-founder Larry Page but you suspect a scam. Can you help us identify whose mail server the email actually originated from? Download the email file here. Flag: picoCTF{FirstnameLastname}

Approach

We need to find the sender’s IP address, so we search for it in the headers of the provided .eml file.


 

We can then perform a WHOIS lookup on the IP address 173.249.33.206 to retrieve the owner’s name.


 


Flag: picoCTF{WilhelmZwalina}
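The header search from the approach above can be scripted. This is an added example, not part of the original write-up: the sample message is constructed (host names, ids and dates are made up; only the address 173.249.33.206 comes from the text), and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample (not the challenge file); host names and ids are made up.
# Only the address 173.249.33.206 is taken from the write-up.
SAMPLE_EML = """\
Received: by 10.0.0.5 with SMTP id abc123;
        Thu, 1 Jan 2015 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example. [173.249.33.206])
        by mx.recipient.example with ESMTPS id xyz789
        for <you@recipient.example>;
        Thu, 1 Jan 2015 10:00:01 +0000
From: Larry Page <lpage@sender.example>
To: you@recipient.example
Subject: Hello

Body text.
"""

FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+by\s", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw):
    """Return one list of IPs per Received header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        match = FROM_CLAUSE.match(text)
        ips = []
        for candidate in IPV4.findall(match.group(1) if match else ""):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # looked like an IP but was not (e.g. 999.1.1.1)
        hops.append(ips)
    return hops

def border_sender_ip(raw):
    """First public IP seen walking from the newest header down."""
    for ips in received_hops(raw):
        for ip in ips:
            if ip.is_global:
                return str(ip)
    return None

if __name__ == "__main__":
    print(border_sender_ip(SAMPLE_EML))
```

Received headers are prepended by each server, so the walk starts at the top: the first public address found there was recorded by the recipient's own infrastructure, while headers further down can be written by the sender.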


 

 

Find and Open - 200 pts

 

Description

Someone might have hidden the password in the trace file. Find the key to unlock this file. This tracefile might be good to analyze.

Approach

We have two files: a password-protected ZIP file and a PCAP file. Upon inspecting the PCAP file in Wireshark, a base64 string was discovered.


 

I decoded the base64 string and found half of the flag.

┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ echo VGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8= | base64 -d
This is the secret: picoCTF{R34DING_LOKd_

 

I tried the half flag as the password for the ZIP file and it worked, which gave me the flag.

 


Flag: picoCTF{R34DING_LOKd_fil56_succ3ss_cbf2ebf6}


 

 

MSB - 200 pts

 

Description

This image passes LSB statistical analysis, but we can’t help but think there must be something to the visual artifacts present in this image… Download the image here.

Approach

Based on the name and description, it appears that the flag may be hidden in the most significant bit (MSB). I searched for ways to extract the data from the MSB and found a Python tool, sigBits.py.

┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ python sigBits.py -t=msb Ninja-and-Prince-Genji-Ukiyoe-Utagawa-Kunisada.flag.png
Done, check the output file!

 

I searched for “picoCTF” in the output and found the flag.


 


Flag: picoCTF{15_y0ur_que57_qu1x071c_0r_h3r01c_06326238}