CyberKavach QuestCon Series: The Unsounded Gate

-

 

The Unsounded Gate


Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is back to break down another challenge from our event.

This time, we're opening "The Unsounded Gate," an audio forensics challenge authored by Sai Veer.

Challenge Details

  • Category: Crypto / Steganography

  • Difficulty: Advanced

  • Flag Format: questCON{...}


Step 1: Audio File Metadata Extraction

You are provided with an archive containing several files. After unpacking, data.wav and transmission.b85 stand out along with Python scripts and documentation.

Start by inspecting the tail of data.wav for embedded parameters.


Step 2: Base85 Decoding and Decompression

The file transmission.b85 is encoded in Base85 and compressed. Use the following procedure to extract the raw binary:

  • Decode with Base85, then decompress with zlib.

  • Output is written to xored.bin.

Expected command sequence in Python:

python

import base64, zlib

b = open('transmission.b85','rb').read()

open('xored.bin','wb').write(zlib.decompress(base64.b85decode(b)))


Step 3: XOR Keystream Correction

Use the previously extracted nonce as a seed. Generate keystream bytes using SHA-256 for each block and XOR them with the data in xored.bin to recover blob.bin. This operation corrects a buggy keystream routine present in the original decryptor.


Step 4: Splitting IV, Ciphertext, and HMAC

Extract the initialization vector (IV), ciphertext, and embedded HMAC signature from blob.bin with precise byte slicing.

  • IV: first 16 bytes

  • Ciphertext: middle section

  • HMAC: last 32 bytes


Step 5: HMAC Verification

Calculate an HMAC value from SALT2 and a secret key, compare it to the embedded HMAC to ensure block integrity.


Step 6: Extract PASS and Derive AES Key

From image.png included in the archive, extract a base64-encoded passphrase found in EXIF UserComment. The decoded string is used to derive the AES-CBC decryption key using PBKDF2 with SALT1 and ITERS.

  • First 16 bytes of the PBKDF2 output are used as the AES-128-CBC key.


Step 7: Decrypt and Reveal the Flag

Finally,

  • Use the derived AES key and IV to decrypt the ciphertext.

  • Unpad the plaintext and view the flag, which begins with a partial string and a nonce found earlier.

Format the output to match the required flag style:
questCON<FlagPart><Nonce>

Expected: 

FLAG : questCON{El3v3n_Cr4ck3d_Th3_G4t3_00000000} 


Takeaways

  • Layered audio and crypto challenges require both forensic and algorithmic analysis.

  • Intentional bugs in provided scripts encourage understanding and repairing cryptographic routines.

  • This challenge integrates knowledge of audio steganography, Python scripting, cryptographic key derivation, and data carving.


Congratulations to those who cracked "The Unsounded Gate"!

Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more