/ NITECTF  MISC

The Boys

Miscellaneous sure is one way to describe it.

We are evil. Not just evil: we are a gigantic corporation that controls superheroes and hopefully one day, the world. Our current mission? Hunt down a skinny white kid. Armed with nothing but his GitHub username, we must figure out how to bring this dangerous vigilante to justice. Even if he is only 5’7” and 130 pounds soaking wet.

Alright then, let’s check out his profile. It has one just one repository.

GitHub repository showing chat application

And just two commits.

Commit showing removal of "server" link

Whelp. There’s step one, I guess. And when we go to the link, we get a WAV file that supposedly contains a secret message. Nice job sk1nnywh1t3k1d. Didn’t anyone ever tell you not to commit private information?

Well, let’s go ahead and toss that in a spectrum analyzer.

Spectrum analysis of WAV file, showing something that looks like text

There’s definitely a message here, but it’s also backwards. We could reverse the audio file, but I’d much rather practice my backwards reading skills. After utilizing our massive brainpower to read the text, we’re greeted with another link that leads us to this image:

Scrambled tiled image

Ok well, let’s unscramble it. Once again, we could be smart and write a program to unscramble the image… or we could just manually cut out that parts with text and rearrange them in a photo editor. This gives us our final clue: an email address.

Scrambled tiled image

Wait, an email address? What do we do with that? Well, I can’t spoil anything, but I can give you a list of things that we do NOT do with that.

  1. Send an email asking for the flag
  2. Use the address as the flag
  3. Go back and spend hours looking for more information in the WAV and PNG files (only to find nothing and become very frustrated)
  4. Open a ticket and ask what to do with the email
  5. Realize that this email address was the one associated with the GitHub account in the first place, and there wasn’t much point to all of this song and dance

You might be thinking to yourself, “Wow Sam, those sound like wonderful ideas, how in the world did they not work?” Well, dear reader, you make a mighty fine point, and I would have agreed with you. Except you see, we both missed the very obvious solution: go to this guy’s Google Calendar, where the flag was hiding.

Google Calendar, with the flag as an event

So, TL;DR:

  1. Go to the given GitHub account.
  2. Go to the Google Calendar of the person who owns the GitHub account.
  3. Profit.

Yay.

smsliman

Sam Sliman

Sam is currently losing his battle with scurvy. In lieu of thoughts and prayers, please send lemons and limes.

Read More