This is from the Hackers Teaching Hackers HTH2020 CTF.
Full Disclosure: I did not complete this challenge in time for the CTF. I solved three of the four parts during the CTF and finally finished it the day after the CTF ended.
For this challenge, we are given a single file to download (no extension): “split” and the following text:
It’s a bird! It’s a plane! It’s…
A story in 4 parts.
We are also provided two hints:
Are we exclusive? Or…
ALL CAPS
To begin, I download the file and open it in Notepad++ (as I always do for questionable files).
I initially see that this is a Linux executable (ELF), but I also see a bunch of strange text (strange for an ELF file).
There appears to be some non-printable binary (typical of ELF files), HTML, Java, and Unicode (indicative of a PDF).
I will first run the file in Kali to see what it does…
It gives me a hexadecimal string: 4854487b312d62316e7a5f725f66756e5f
I do a hex to ASCII conversion and get: HTH{1-b1nz_r_fun_
This must be part one of the flag.
Next, I copied the file and gave it a .html extension. I can read the HTML, but it would be fun to see how it presents as a webpage. I opened it in Firefox and received a pop-up alert with another string.
This time, the string is not hex: Ml9odG1sX3J1bGV6X2QwMGRf
I try the usual suspects for decoding. In this case, Base64 was the ticket.
2_html_rulez_d00d_
This must be part two of the flag. Halfway there!
Next, based on the text in the file indicative of PDF documents…
I copy the file and give it a .pdf extension and open it as such.
I see a string at the bottom of the PDF that matches the format I would expect for part three of the flag, except it is URL-encoded. After decoding that I get: 3_a_p0rtabl3_d0c_
One more part to go!
As I mentioned earlier, I saw some Java code in the file contents, so I ran the file with java…
That gives me a strange string: |y&x7$)a}5
After a lot of trial and error, I remembered to review the hints and determined this is most likely the output from an XOR cipher (Hint #1).
I used dcode.fr/xor-cipher to try and decode it.
The password must be all caps (Hint #2), but what is the password? I got lost in the weeds thinking that the password should be SUPERMAN because of the challenge name and text. This is where I stagnated.
After the CTF was over, I chatted with the challenge creator @mythdude and he indicated that the password is simpler than SUPERMAN.
I went back to dcode.fr/xor-cipher and tried simpler passwords that I could think of for the cipher. HTH was it.
That gave me the 4th part of the flag: 4-n0cla55}
The final full flag was:
HTH{1-b1nz_r_fun_2_html_rulez_d00d_3_a_p0rtabl3_d0c_4-n0cla55}
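As an added example (not part of the original writeup), the Python below reproduces the four decoding steps and, for the XOR part, turns the two hints into a search instead of guessing: it tries every ALL CAPS key of up to three letters and keeps only the keys whose output stays inside the flag alphabet. The URL-encoded form of part three is not shown above, so the script uses a constructed sample that decodes to the stated value.

```python
import base64
import itertools
import string
from urllib.parse import unquote

# Strings taken from the writeup. The URL-encoded form of part 3 is not shown
# on the page, so PART3_URL is a constructed sample that decodes to the stated value.
PART1_HEX = "4854487b312d62316e7a5f725f66756e5f"
PART2_B64 = "Ml9odG1sX3J1bGV6X2QwMGRf"
PART3_URL = "3%5Fa%5Fp0rtabl3%5Fd0c%5F"  # constructed sample
PART4_XOR = "|y&x7$)a}5"

# Characters the flag parts are made of; used to filter XOR key candidates.
FLAG_ALPHABET = set(string.ascii_letters + string.digits + "_-{}")


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i of the ciphertext is XORed with key[i % len(key)]."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def brute_force_caps_keys(ciphertext: bytes, max_len: int = 3) -> dict:
    """Try every ALL CAPS key up to max_len letters (hint #2) and keep the keys
    whose output uses only flag-alphabet characters; the flag format prunes the noise."""
    hits = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(string.ascii_uppercase, repeat=n):
            key = "".join(combo).encode()
            plain = xor_decrypt(ciphertext, key)
            if all(chr(b) in FLAG_ALPHABET for b in plain):
                hits[key.decode()] = plain.decode()
    return hits


def assemble_flag() -> str:
    """Reproduce the four decoding steps from the writeup and concatenate them."""
    part1 = bytes.fromhex(PART1_HEX).decode()          # hex -> ASCII
    part2 = base64.b64decode(PART2_B64).decode()       # Base64
    part3 = unquote(PART3_URL)                         # URL decoding
    part4 = xor_decrypt(PART4_XOR.encode(), b"HTH").decode()  # XOR with key HTH
    return part1 + part2 + part3 + part4


if __name__ == "__main__":
    print(assemble_flag())
    candidates = brute_force_caps_keys(PART4_XOR.encode())
    print(f"{len(candidates)} ALL CAPS keys give flag-alphabet output; HTH -> {candidates['HTH']!r}")
```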
This challenge was amazing as it was a polyglot. It was a single file that could be executed or opened in four different ways without generating any errors or junk messages. It was a Linux binary program, an HTML webpage, a PDF file and a Java JAR file all in one. Certainly the first one I have seen.
I want to thank @mythdude for putting this challenge together. It was very creative!