HTH 2020 CTF: Misc: whoami (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

Full Disclosure: I did not complete this challenge in time for the CTF. I solved three of the four parts during the CTF and finally finished it the day after the CTF ended.

For this challenge, we are given a single file to download (no extension): “split” and the following text:

It’s a bird! It’s a plane! It’s…
A story in 4 parts.

We are also provided two hints:

Are we exclusive? Or…


To begin, I download the file and open it in notepad++ (as I always do for questionable files).

I initially see that this is a Linux executable (ELF), but I also see a bunch of strange text (strange for an ELF file).

There appears to be some non-printable binary (typical of ELF files), HTML, JAVA, and Unicode (indicative of a PDF).

I first will run the file in Kali to see what it does…

It gives me a hexadecimal string: 4854487b312d62316e7a5f725f66756e5f

I do a hex to ASCII conversion and get: HTH{1-b1nz_r_fun_

This must be part one of the flag.

Next, I copied the file and gave it a .html extension. I can read the HTML, but it would be fun to see how it presents as a webpage. I opened it in Firefox and received a pop-up alert with another string.

This time, the string is not hex: Ml9odG1sX3J1bGV6X2QwMGRf

I try the usual suspects for decoding. In this case, Base64 was the ticket.


This must be part two of the flag. Halfway there!

Next, based on the text in the file indicative of PDF documents…

I copy the file and give it a .pdf extension and open it as such.

I see a string at the bottom of the PDF that matches the format I would expect for part three of the flag except it is URL encoded. After decoding that I get: 3_a_p0rtabl3_d0c_

One more part to go!

As I mentioned earlier, I saw some JAVA code in the file contents, so I ran the file with java…

That gives me a strange string: |y&x7$)a}5

After a lot of trial and error, I remembered to review the hints and determined this is most likely the output from an XOR cipher (Hint #1).

I used to try and decode it.

The password must be all caps (Hint #2), but what is the password? I got lost in the weeds thinking that the password should be SUPERMAN because of the challenge name and text. This is where I stagnated.

After the CTF was over, I chatted with the challenge creator @mythdude and he indicated that the password is more simple than SUPERMAN.

I went back to and tried simpler passwords that I could think of for the cipher. HTH was it.

That gave me the 4th part of the flag: 4-n0cla55}
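The key-guessing step can be narrowed with known plaintext instead of trial and error. The following is an added example, not part of the original writeup: it assumes part 4 starts with "4" and ends with "}" like the earlier parts, that the key is short and uppercase (Hint #2), and that the flag body uses only letters, digits, "_" and "-"; the function names are my own.

```python
import itertools
import string

# Ciphertext printed by the Java stage, as quoted in the writeup.
CIPHERTEXT = b"|y&x7$)a}5"
# Assumption: flag parts use only these characters between the crib bytes.
FLAG_BODY = set((string.ascii_letters + string.digits + "_-").encode())


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_keys(ct: bytes, first: bytes, last: bytes, max_len: int = 3):
    """Return uppercase keys whose plaintext fits the expected flag shape.

    first/last are cribs: part 4 of a four-part flag should start with
    "4" and close with "}", mirroring the earlier parts.
    """
    hits = []
    for n in range(1, max_len + 1):
        # Known plaintext pins key byte 0 directly: k0 = c0 XOR p0.
        k0 = ct[0] ^ first[0]
        for rest in itertools.product(string.ascii_uppercase.encode(), repeat=n - 1):
            key = bytes((k0, *rest))
            pt = xor_repeat(ct, key)
            if pt[:1] == first and pt[-1:] == last and set(pt[1:-1]) <= FLAG_BODY:
                hits.append((key.decode(), pt.decode()))
    return hits


if __name__ == "__main__":
    for key, plain in candidate_keys(CIPHERTEXT, b"4", b"}"):
        print(f"{key:>3}  {plain}")
```

Every surviving key begins with HT, so the shape of the flag alone recovers two of the three key bytes and leaves a list short enough to read by eye.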

The final full flag was:

This challenge was amazing as it was a polyglot. It was a single file that would be executed/run in four different ways without generating any errors or junk messages. It was a Linux binary program, HTML webpage, PDF file and a JAVA jar file all in one. Certainly the first one I have seen.
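A defender-side check for this kind of file, as an added example that is not from the original writeup: it lists every format whose signature sits where a tolerant parser would accept it, and flags a file that matches more than one. The function names and the sample bytes are constructed for illustration, and the HTML test is a heuristic.

```python
import re

ZIP_EOCD = b"PK\x05\x06"       # end-of-central-directory record (ZIP/JAR)
EOCD_WINDOW = 22 + 0xFFFF      # fixed record size + maximum comment length


def detect_formats(blob: bytes) -> list[str]:
    """List each format a lenient parser could accept for these bytes."""
    found = []
    if blob[:4] == b"\x7fELF":           # ELF magic must sit at offset 0
        found.append("elf")
    if b"%PDF-" in blob[:1024]:          # many readers accept a header within the first 1024 bytes
        found.append("pdf")
    if ZIP_EOCD in blob[-EOCD_WINDOW:]:  # ZIP/JAR readers locate the archive from the tail
        found.append("zip/jar")
    if re.search(rb"<(html|script)\b", blob, re.IGNORECASE):  # browsers skip leading junk
        found.append("html")
    return found


def is_polyglot(blob: bytes) -> bool:
    """True when more than one format signature is present."""
    return len(detect_formats(blob)) > 1


# Constructed sample: the same four layers as the challenge file, in miniature.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 60
    + b"<html><script>alert('part two')</script></html>\n"
    + b"%PDF-1.4\n"
    + ZIP_EOCD + b"\x00" * 18
)

if __name__ == "__main__":
    print(detect_formats(SAMPLE), is_polyglot(SAMPLE))
```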

I want to thank @mythdude for putting this challenge together. It was very creative!

HTH 2020 CTF: Cloud: OhSnap! (150)

This is from the Hackers Teaching Hackers HTH2020 CTF.

For this challenge, we are provided with this text:

I’m pretty sure that I backed up our hth instance properly. Can you take a look at the AWS EBS snapshots and check?

and this hint:

You will need an AWS account for this challenge. You can make one for free here:

I already had an account, so I logged into it and went to the EBS dashboard…

I then went to “snapshots” in the left navigation pane…

I then changed the search dropdown to “Public Snapshots” and did a search for “hth”…

This yielded only one result. Look at that! The description field contained the flag…

HTH 2020 CTF: Cloud: BucketList (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

This was my first cloud challenge.
We are given this challenge text:

Hey guys! I set up an AWS bucket for this year’s hth that we can use to store our flags for the ctf. I think I made the bucket private but I’m not very good at this cloud stuff. Send me a message if I need to edit the permissions.

With this as a hint (yeah I looked at it… This is my first cloud challenge)

Let’s keep a flag in hth2020-private where it should be safe!

Some quick google searching gave me some basic URL examples for AWS buckets…
So I plugged this in and I get what I was looking for…

So I then navigate to…
And I get the flag…

Notice the hint about snapshots? Check out my next writeup for that.

HTH 2020 CTF: Reversing: Super Secret Login (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

I’m provided with a JAR file (super_secret_login.jar) and this challenge text:
All of our secrets are hidden behind a secure Java application. What could go wrong?

I open the JAR file with Java Decompiler (

Poking around I see that there is a shift by 13 characters (ROT13) for a decoded base64 string.

I see this value for PASSWORD: ZmJzZ19zeWhzc2xfeHZnZ3JhZg==
I base64 decode this and get this: fbsg_syhssl_xvggraf
I then treat it as a ROT13 cipher and decode it to get this: soft_fluffy_kittens

I see that the expected username is admin
I then run the jar file with java and provide admin:soft_fluffy_kittens for credentials
java -jar super_secret_login.jar

And I get the flag.