CyberKavach QuestCon Series: The Upside Down



Forensics 1 - The Upside Down

Welcome to the official write-up series for CyberKavach QuestCon, presented by the PCCOE OWASP Student Chapter! We're excited to dive into the solutions for the challenges that tested your skills.

A fun forensics challenge authored by Rudraksh Charhate, themed around the Stranger Things universe.

Challenge Details

  • Description: The Upside Down is leaking secrets. Before vanishing, Jim Hopper left a message for Eleven, but it's fragmented across four parts. Use your forensics skills to retrieve all four parts and reconstruct the full flag.

  • Hint: FYI: It's basic.

  • Flag Format: questCON{}.


Initial Analysis

The provided file was challenge1.zip. Upon unzipping it, we found four separate directories, appropriately named "1", "2", "3", and "4". This structure immediately confirmed the description's hint that the flag was split into four parts.


Part 1: The PDF Decoy

  • File: Directory "1" contained a PDF file named Research.pdf.

  • Investigation: Opening the PDF revealed a "Missing" poster for Will Byers, a report, and several fake flags.

The end of the document had a clear, but misleading, hint: "GO FIND SOMEWHERE ELSE". Checking the file's metadata also proved to be a dead end.


Solution: The real secret was embedded in the PDF file itself, not in its visible content. By running the binwalk command with the -e (extract) flag, we could carve out the hidden files.
Bash
binwalk -e Research.pdf

  • This command successfully extracted a _Research.pdf.extracted directory containing part1.txt.

  • Flag 1: K33p_0n_
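binwalk works by scanning a file for known signatures (magic bytes) and carving out what it finds, regardless of what the container claims to be. The following Python script, added here as an illustration rather than part of the original write-up or of binwalk, does the same check for the most common variant of this trick: data appended after a PDF's final %%EOF marker. The sample PDF and the zip archive it appends are constructed for the demonstration; the real Research.pdf is not reproduced here.

```python
import io
import zipfile

# A small subset of the signatures a carver such as binwalk recognises.
SIGNATURES = {
    b"PK\x03\x04": "zip",           # zip local file header
    b"\x1f\x8b\x08": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
}

def trailing_data(pdf_bytes: bytes) -> bytes:
    """Return whatever follows the last %%EOF marker (a clean PDF has nothing)."""
    idx = pdf_bytes.rfind(b"%%EOF")
    if idx == -1:
        raise ValueError("not a PDF: no %%EOF marker")
    return pdf_bytes[idx + len(b"%%EOF"):].lstrip(b"\r\n")

def find_embedded(data: bytes) -> list:
    """Return sorted (offset, kind) pairs for every known signature in data."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve_zip_members(blob: bytes) -> dict:
    """Open a zip archive that starts at the beginning of blob and dump its members."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def analyze(pdf_bytes: bytes) -> dict:
    """Report how much data trails the PDF, what it looks like, and any zip contents."""
    tail = trailing_data(pdf_bytes)
    hits = find_embedded(tail)
    result = {"trailing_bytes": len(tail), "signatures": hits, "members": {}}
    for offset, kind in hits:
        if kind == "zip":
            result["members"] = carve_zip_members(tail[offset:])
            break
    return result

def build_sample() -> bytes:
    """Constructed sample: a minimal PDF with a zip holding part1.txt appended after %%EOF."""
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("part1.txt", "FLAG-FRAGMENT-PLACEHOLDER")  # placeholder, not the real fragment
    return pdf + buf.getvalue()

if __name__ == "__main__":
    print(analyze(build_sample()))
```

A non-zero trailing_bytes value on a PDF that a viewer opens without complaint is exactly the condition that makes this hiding spot work, and it is cheap to check in bulk.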


Part 2: Plain Sight Strings

  • File: Directory "2" contained a disk image, disk.img.

  • Investigation: Forensics on disk images can be complex, but it's always best to check for the simplest solutions first.


Solution: Running the strings command on the disk image dumps all printable character sequences. By piping this output to less (or grep), we could quickly search for the flag.
Bash
strings disk.img | less

  • Almost immediately, the plain text "part2.txt" and the flag fragment were visible.

  • Flag 2: Gr0w1ng_



Part 3: The "Basic" Password

  • File: Directory "3" held a JPEG file, us.jpg.

  • Investigation: This part pointed towards steganography (hiding data within an image).

    • First, we checked the metadata (e.g., with exiftool). This revealed a "User Comment" saying "Nice Try", confirming we were on the right track but that this was another rabbit hole.

    • Next, we used steghide, a popular steganography tool. We tried common passphrases related to the theme, like "Eleven," "Hawkins," or "Jim," but all failed.




Solution: The key was the challenge's original hint: "FYI: It's basic". Using the word "basic" as the passphrase successfully extracted the data.
Bash
steghide extract -sf us.jpg
Enter passphrase: basic
wrote extracted data to "part3.txt".


  • Flag 3: Up_K1d_


Part 4: Git Time Travel

  • File: Directory "4" contained multiple HTML files with text like "Can you see what's hidden?".

  • Investigation: This hint, combined with the presence of multiple files, strongly suggested a hidden directory. A quick ls -la would reveal a .git repository. This challenge required Git forensics.

  • Solution: By checking the version control history, we could see every change made to the repository.

    1. We ran git log to see all the commits.

    2. We found a suspicious commit message, "Add secret flag", with the hash 20070b65cbe0c3078631b002f37daeccc464d53c. Another commit right after it, "Remove part4.txt", confirmed our target.

    3. We used git show to display the contents of that specific commit.

Bash
git show 20070b65cbe0c3078631b002f37daeccc464d53c


  • This command showed the diff of the commit, which was the creation of part4.txt and its contents.

  • Flag 4: 1L0V3Y0u

Final Flag

By combining the four fragments, we reconstructed Hopper's complete message:

K33p_0n_ + Gr0w1ng_ + Up_K1d_ + 1L0V3Y0u

The final flag is:

questCON{K33p_0n_Gr0w1ng_Up_K1d_1L0V3Y0u}

Congratulations to everyone who solved this challenge, and thank you for participating in CyberKavach QuestCon. Stay tuned for the next write-up!

