NahamCon CTF Write-Up Part 1: Big Bird

By |Published On: July 15th, 2020|Tags: |

At Hurricane Labs, we like to participate in Capture the Flag (CTF) events from time to time. Last month, we participated in a few events including the NahamConHack-a-Sat, and Defenit CTFs. The variety of challenges across these events was diverse, giving our team a lot of interesting tasks to chew on and lose sleep over.

Having recovered from the excitement, satisfaction, and frustration that comes with any good CTF, now is a good time to discuss some of the challenges we encountered and our approaches to solving them. In this three-part series, we’re going to cover three different scripting challenges from the NahamCon CTF. So, without further ado, let’s open a text editor and put on our coding caps.

Big Bird

It’s time for some educational programming! We’ll first look at a 100-point scripting challenge: Big Bird. The challenge description directs us to a Twitter profile owned and operated by Big Bird:

Big Bird is communicating with us in a whole new way! But… how?
Connect here: https://twitter.com/BigBird01558595.

Each of Big Bird’s cryptic tweets contains a number and a value. There are a lot of Tweets, but we can download all of them in one fell swoop. For this, I used Twint:

Copy to Clipboard

The tweets are numbered in the form “Tweet #xxx”, but they were not posted in this order. Let’s utilize the cut and sort commands to fix this and clean up the above output:

Copy to Clipboard

This shows us that there are 402 uniquely numbered tweets (starting from zero). This is an encouraging pattern.

If we now look at the values that come after each Tweet number, we see that they are all between 0 and 255 (inclusive). This is the acceptable range of values for the byte data type, so we can convert these decimal numbers to the raw bytes they represent. The following script performs this conversion and writes the resulting data to an output file:

Copy to Clipboard

Running file on the output file, we discover that it’s image data:

Copy to Clipboard

Judging from the image, it looks like the letters of the day are “QR.” Here’s the image below:

Scanning the QR code reveals:

Copy to Clipboard

Part 2 coming soon!

If you’re interested in reading more, continue to part 2 of our NahamCon CTF series. This next challenge will also involve some creative decoding.

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.