In this post, we covered the second part of the TryHackMe CTF collection Vol.1 challenge where we performed some encoding, decoding and decryption.
This post covers from task 11 until task 16.
Setup and Challenge Overview
I booted up a Kali VM and opened the TryHackMe CTF “Vol.1 Part 2” challenge. There were multiple tasks involving various forms of decoding and decryption. Each step built on beginner-friendly tools but emphasized important CTF habits, like metadata inspection, steganography, and clever OSINT.
Task 11: Fixing a Corrupted PNG Image
This task was all about repairing a broken PNG image file. I started by inspecting the image’s hexadecimal format to check its header.
- Command Used:
xxd <image_name> | head
I quickly noticed the image header was incorrect, not indicating a PNG file. The fix involved replacing the first eight bytes shown in the hex view with the correct magic number for PNG files, which is 89 50 4E 47 0D 0A 1A 0A.
- Command Used to Edit Hex Values:
hexedit <image_name>
After making that correction, the image opened perfectly, revealing the hidden flag!
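The same repair can be scripted. The Python below is an added example, not part of the original walkthrough or the room's material: it restores the 8-byte signature only after checking that the rest of the file still parses as PNG chunks with valid CRCs, so damage beyond the header is reported instead of hidden. The function names and the tiny image built inline are assumptions made for the illustration.

```python
import struct
import zlib

PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")  # signature quoted in the write-up


def make_png() -> bytes:
    """Build a constructed 1x1 grayscale PNG so the example runs offline."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def chunks_ok(data: bytes) -> bool:
    """Walk the chunks after the signature; require IHDR first, valid CRCs, IEND."""
    pos, first = 8, None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False  # declared length runs past the end of the file
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            return False  # chunk contents were modified
        first = first or ctype
        if ctype == b"IEND":
            return first == b"IHDR"  # data appended after IEND is ignored
        pos += 12 + length
    return False


def repair_png(data: bytes) -> bytes:
    """Restore the signature only if everything after it is an intact PNG."""
    if data[:8] == PNG_MAGIC:
        return data
    if not chunks_ok(data):
        raise ValueError("damage goes beyond the 8-byte signature")
    return PNG_MAGIC + data[8:]


if __name__ == "__main__":
    broken = b"\x23\x33\x44\x5f" + make_png()[4:]  # constructed: first 4 bytes overwritten
    fixed = repair_png(broken)
    print(fixed[:8].hex(" "), chunks_ok(fixed))
```

To use it on a real file, read the image with open(path, "rb"), pass the bytes to repair_png, and write the result to a new file so the original stays untouched.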
Task 12: Finding a Hidden Flag on Reddit
This task challenged me to find a flag hidden on a TryHackMe-related social media account, specifically Reddit. I explored two main methods:
Method 1: Searching by Author
I identified the room creator, DesKel, and then searched Reddit for posts by this author, including “thm” (for TryHackMe) in my search. This led me directly to a post on the TryHackMe subreddit containing the flag.
Method 2: Using Google Dorks
I also tried using Google search operators to narrow down results specifically from Reddit.
- Search Query:
inurl:reddit.com intext:thm
This query was designed to find pages on reddit.com that contained the text “thm,” which was quite effective.
Task 13: Decoding “Binary Brainfuck”
This task presented a peculiar string of code that was identified as “Binary Brainfuck.” Although I initially confused it with standard Brainfuck, the solution was to use an online decoder specifically for this language. I simply pasted the code into an online “Binary Brainfuck” decoder, and it revealed the flag.
Task 14: XORing Two Strings 🧮
This task involved performing an XOR operation on two strings: one in hexadecimal format and another that was treated as hexadecimal in the Python script, despite being described as binary. I tackled this using two approaches:
Method 1: Online XOR Tool
I found an online XOR calculator, input both strings, and made sure to convert the output to ASCII to get the flag.
Method 2: Python Script
I also used a Python script to perform the XOR operation. Here are the interactive Python commands I used:
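s1 = '49276d206b696e64276120626974206f66206120736369656e74697374206d7973656c6f'
s2 = 'c99138f5a23f2035ff008438a04f100a0127cc58e0df3da0d59310f480800131'
# XOR the two values as integers; hex() returns a string prefixed with '0x'
re = hex(int(s1, 16) ^ int(s2, 16))
print(re)
# Strip '0x' and left-pad to an even digit count, because hex() drops leading zeros
digits = re[2:]
digits = digits.zfill(len(digits) + len(digits) % 2)
# decode() raises UnicodeDecodeError if the XOR result is not valid UTF-8
bytes.fromhex(digits).decode('utf-8')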
(This converts the hexadecimal result to ASCII/UTF-8, removing the ‘0x’ prefix from the hex result).
Task 15: Extracting a File with Binwalk
The final task was to extract a file embedded within an image, which hinted at using the binwalk tool. I learned that binwalk is a powerful forensic tool for searching binary images for embedded files and executable code.
- Command Used to Extract Embedded Files:
binwalk -e <image_name>
(In my case, it was binwalk -e hell)
This command successfully extracted the contents, which included a text file. I then navigated into the newly created directory (e.g., _hell.extracted) and viewed the contents of the extracted text file to find the flag.
- Command to View Extracted File:
cat hello.there
(assuming hello.there was the name of the extracted file)
TryHackMe CTF collection Vol.1 Part 2 Room Answers
What is the content?
Did you found the hidden flag?
Can you decode it?
Did you crack it? Feed me now!
Flag! Flag! Flag!