BruhCTF Writeup

1. 1. Get the archive, unpack it and find "there you go.png" file ----- STEGO #1 part
2. 2. By manipulating the picture, you can find the rick-roll URL. -> clck.ru shortened link
3. 3. At the end of the picture (in HEX editor) you can find a Base64 message. Decrypting it leads to an encyphered message ----- CRYPTO #2 part
4. 4. Structure of the message appears to look like an URL, the cipher is ROT (Caesar cipher), pretty common cipher
5. 5. https://vk.cc/avXot0 is the decrypted URL. The link redirects to http://iktm.me/ctf/Doubled_IUGHEUR.mp3
6. 6. Download the song. It is "Take on me", except for some reason you only hear the actual song on your right ear. ----- STEGO #3 part
7. 7. In the end of the file you can find some filename. Attempt to open the track with archivator reveals the file is also an archive. Yet it's passworded
8. 8. Open the song in Audacity, split stereo track into mono tracks, and remove right channel.
9. 9. The track left will contain morse. Use any decoder to decode it
10. 10. WENEEDMOREPASSWORDS is the password.
11. 11. Inside, you can find another picture. Opening it in archivator reveals it's a passworded archive. By auto-leveling the picture, you can find the password right under the HACKERMAN label. ----- STEGO #4 part
12. 12. "V3ryP@ssw0rd9" is the password.
13. 13. Inside, there's an .exe file. When open, requires password. ----- REVERSE #5 part
14. 14. *there's multiple solutions*
15. 14.1 opening the file in HEX reveals it's C# file. Use dotPeek or any C# decompiler to reveal the password
16. 14.2 opening the file in HEX reveals the Unicode link (something like h.t.t.p.s.:././......)
17. 14.3 opening the file in HEX reveals the Unicode password (V.e.r.y.S.3.c.r.e.t.V.e.r.y.P.@.s.s.w.o.r.d)
18. 15. Any of those ways will lead to the link - https://vk.cc/avXj3Q
19. 16. The link contains an image (look at the URL). Use ctrl+S to save it. --- PPC + STEGO #6 part
20. 17. The image is one long array of white and black pixels. It's probably binary.
21. 18. Use your programming skills to read all bits and convert them to string.
22. 19. Get binary that looks like this 01001100011011110111001001100101011011010010000001101001011100000111001101110101011011010010000001100100011011110110110001101111011100100010000001110011011010010111010000100000011000010110110101100101011101000010110000100000011000110110111101101110011100110110010101100011011101000110010101110100011101010111001000100000011000010110010001101001011100000110100101110011011000110110100101101110011001110010000001100101011011000110100101110100001011000010000001110011011001010110010000100000011001000110111100100000011001010110100101110101011100110110110101101111011001000010000001110100011001010110110101110000011011110111001000100000011010010110111001100011011010010110010001101001011001000111010101101110011101000010000001110101011101000010000001101100011000010110001001101111011100100110010100100000011001010111010000100000011001000110111101101100011011110111001001100101001000000110110101100001011001110110111001100001001000000110000101101100011010010111000101110101011000010010111001101000011101000111010001110000011100110011101000101111001011110111011001101011001011100110001101100011001011110011001001100010001110010111001001011010011011101001011110001011100010111000111110001100110001011101000011010000100010011001010011010001100111001001110011010000100111101000100110100111100111001010011110110101
23. 20. Converting it to UTF-8 string, it looks like this: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.https://vk.cc/2b9rZn???????????О?????
24. 21. Get rickrolled
25. 22. By inverting all the bits (or the image), such as white = black and black = white, or 1 = 0 and 0 = 1, you can then convert them to UTF-8 again and get string similar to this: ????????????????????????????????????????????????????????????????????????????????????????????????????????ї???????????????https://vk.cc/avXcXJ
26. 23. Link leads to a .txt file, containing the flag: BruhCTF{y0u_d1d_it_83756}