The Archive

Briefing

Greetings, Special Agent.

As you might know, the end of the year is always signified by a massive uptick in cyber attacks. DDoS and ransomware attacks in particular are commonplace during this time of the year. It's also the time of the year for agencies worldwide to crack down on the criminal enterprises destroying the downtime of IT personnel everywhere. Our good friends over at the FBI have done just that. Yesterday morning around 0400 UTC they were able to seize a warehouse full of C2 servers, crypto miners and an entire scam call-center rolled into one.

During this bust, several laptops of key individuals were confiscated. There was, however, one laptop whose owner was able to wipe the disk right as the raid was happening. The FBI was able to recover most of the files, but is left puzzled by several of them. You might already feel this one coming. One of these archives was sent our way to be investigated. Find out what you can about the file inside the archive. It seems to have been damaged beyond the point of recovery, but the FBI has hopes our best and brightest can uncover something.

As always, Special Agent, the contract is yours, if you choose to accept.

Materials

Download the Archive

Answer Instruction

Use the answer to unlock the flagfile, this will reward you with your badge.

The answer starts with “flag-”

MD5 Checksum for The Archive:

2625ae7c180080e580551347831362d7

Flagfile

Be advised, the flagfile is an encrypted ZIP. Make sure your OS supports the ZIP format. Ensure the password contains no hidden characters or formatting, paste in Notepad first if the password doesn’t seem to work.

Download Flagfile here

PS: Don’t forget to claim your Coins and XP, by posting your card in the #card-brag channel in Discord.

Official Write-up

Provided here is the official write-up, it does contain the answer. Use this if you’re stuck, or want to verify if you got the answer correct.

The Archive CTF

This challenge presents a recovered file from a wiped hard disk during an FBI raid. The file contains intentionally misleading content, and the true solution lies in the filename itself rather than the file contents.

Available Materials

  1. Recovered file with various content
  2. Context of FBI raid on cybercrime operation
  3. Information about file recovery

Solution Path

Step 1: Initial File Analysis

Important realizations:

  1. The file contains an encoded image of Rick Astley (a misdirection)
  2. The hex data is meant to distract
  3. The key is in the filename itself: “psvoxkwo8mm”

Step 2: Filename Decoding

  1. The filename is encoded with a ROT47-style rotation over the 94 printable ASCII characters (‘!’ to ‘~’), but shifted by -10 steps instead of the usual 47
  2. Decoding process:
  • Take “psvoxkwo8mm”
  • Shift every character back by 10 positions within that range (ROT47 with -10 steps)
  • Results in “filename.cc”
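The rotation described above, as an added example that is not part of the original write-up: a small Python implementation of ROT47 with an arbitrary step over the printable ASCII range, applied to the recovered filename. It also goes beyond the write-up by trying every possible step and keeping only outputs that look like a hostname, which is how a solver avoids the “wrong ROT47 direction” pitfall when the step is unknown. The function names and the hostname pattern are my own assumptions, not anything the challenge provides.

```python
import re

# ROT47 operates on the 94 printable ASCII characters from '!' (33) to '~' (126).
ROT47_LOW = 33
ROT47_RANGE = 94

# Filename recovered from the archive, as given in the write-up.
ENCODED_FILENAME = "psvoxkwo8mm"

# Loose lowercase hostname pattern (assumption for filtering candidates):
# labels of letters, digits or hyphens, joined by dots.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def rot47(text: str, shift: int = 47) -> str:
    """Rotate each printable ASCII character by `shift` positions within
    33..126, wrapping around. shift=47 is classic ROT47 (its own inverse);
    a negative shift rotates the other way. Other characters are kept."""
    out = []
    for ch in text:
        code = ord(ch)
        if ROT47_LOW <= code < ROT47_LOW + ROT47_RANGE:
            code = ROT47_LOW + (code - ROT47_LOW + shift) % ROT47_RANGE
        out.append(chr(code))
    return "".join(out)


def decode_filename(encoded: str = ENCODED_FILENAME) -> str:
    """Apply the write-up's -10 step rotation to the filename."""
    return rot47(encoded, -10)


def candidate_shifts(encoded: str = ENCODED_FILENAME) -> dict:
    """Try every distinct step (-46..47 covers all 94 residues once) and
    return {shift: plaintext} for outputs that look like a hostname."""
    hits = {}
    for shift in range(-(ROT47_RANGE // 2), ROT47_RANGE // 2 + 1):
        candidate = rot47(encoded, shift)
        if HOSTNAME_RE.match(candidate):
            hits[shift] = candidate
    return hits


if __name__ == "__main__":
    print("shift -10 :", decode_filename())          # filename.cc
    print("shift +10 :", rot47(ENCODED_FILENAME, 10))  # wrong direction, garbage
    print("hostname-like candidates:", candidate_shifts())
```

Only one step in the whole range yields a string with a dot in a plausible place, so the brute-force filter pins down both the direction and the size of the shift without guessing.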

Step 3: URL Resolution

  1. Visit filename.cc
  2. This forwards to a Google Drive folder:
https://drive.google.com/drive/folders/1X6_SHL3f0zB34RBHTNGlA1J5KmEGwkUX

Step 4: Password Extraction

The final password is:

flag-gh32398D#C*$C#)*$V3405hv3j524952

Key Points

  1. Don’t get distracted by file contents
  2. Focus on the filename
  3. Use ROT47 decoding
  4. Follow Google Drive link
  5. Extract exact password

Common Pitfalls to Avoid

  1. Analyzing hex data unnecessarily
  2. Getting distracted by Rick Astley image
  3. Wrong ROT47 direction
  4. Missing URL forwarding
  5. Incorrect password copying

Analysis Tools Needed

  1. ROT47 decoder
  2. Web browser
  3. Text editor
  4. Hex viewer (but don’t waste time with it)

Tips for Solvers

  1. Don’t dive too deep into file contents
  2. Remember everything could be misdirection
  3. Focus on simple solutions first
  4. Pay attention to the filename
  5. Follow URL forwarding carefully

Verification Steps

  1. Confirm ROT47 decoding
  2. Verify URL forwards to Google Drive
  3. Access Google Drive folder
  4. Validate password format
  5. Test final solution

Important Notes

  1. File content is intentionally misleading
  2. Solution is simpler than it appears
  3. Multiple layers of misdirection
  4. Focus on the obvious (filename)
  5. Don’t overcomplicate the analysis

Remember: This challenge is designed to teach that sometimes the most obvious solution (the filename) is correct, and complex analysis (file contents) can be a distraction.


Creator(s): Frank Diepmaat