HTH 2020 CTF: Misc: whoami (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

Full Disclosure: I did not complete this challenge in time for the CTF. I solved three of the four parts during the CTF and finally finished it the day after the CTF ended.

For this challenge, we are given a single file to download (no extention): “split” and the following text:

It’s a bird! It’s a plane! It’s…
A story in 4 parts.

We are also provided two hints:

Are we exclusive? Or…


To begin, I download the file and open it in notepad++ (as I always do for questionable files).

I initially see that this is a Linux executable (ELF), but I also see a bunch of strange text (strange for an ELF file).

There appears to be some non-printable binary (typical of ELF files), HTML, JAVA, and Unicode (indicative of a PDF).

I first will run the file in Kali to see what it does…

It gives me a hexadecimal string: 4854487b312d62316e7a5f725f66756e5f

I do a hex to ASCII conversion and get: HTH{1-b1nz_r_fun_

This must be part one of the flag.

Next, I copied the file and gave it a .html extension. I can read the HTML, but it would be fun to see how it presents as a webpage. I opened it in Firefox and receive a pop-up alert with another string.

This time, the string is not hex: Ml9odG1sX3J1bGV6X2QwMGRf

I try the usual suspects for decoding. In this case, Base64 was the ticket.


This must be part two of the flag. Half way there!

Next, based on the text in the file indicative of PDF documents…

I copy the file and give it a .pdf extension and open it as such.

I see a string at the bottom of the PDF that matches the format I would expect for part three of the flag except it is URL encoded. After decoding that I get: 3_a_p0rtabl3_d0c_

One more part to go!

As I mentioned earlier, I saw some JAVA code in the file contents, so I ran the file with java…

That gives me a strange string: |y&x7$)a}5

After a lot of trial and error, I remembered to review the hints and determined this is most likely the output from an XOR cipher (Hint #1).

I used to try and decode it.

The password must be all caps (Hint #2), but what is the password. I got lost in the weeds thinking that the password should be SUPERMAN because of the challenge name and text. This is where I stagnated.

After the CTF was over, I chatted with the challenge creator @mythdude and he indicated that the password is more simple than SUPERMAN.

I went back to and tried simpler passwords that I could think of for the cipher. HTH was it.

That gave me the 4th part of the flag: 4-n0cla55}

The final full flag was:

This challenge was amazing as it was a polyglot. It was a single file that would be executed/ran in four different way without generating any errors or junk messages. It was a Linux binary program, HTML webpage, PDF file and a JAVA jar file all in one. Certainly the first one I have seen.

I want to thank @mythdude for putting this challenge together. It was very creative!