
Hack me. If you can!

 March 23, 2021    CTF

Hack me. If you can! is a hacking challenge created by the University of Applied Sciences in Augsburg.

Can you break me? - Here is the file that Pepper sent to Salt. Help Salt figure out what's inside!

We can guess that the first line in the text file, "YAMK EAAMKWA BXZAF UFB MAKKAF,", reads "Sehr geehrte Damen und Herren" and that "MYX_OFFJY" is the beginning of the flag, "HSA_INNOS". From there we can gradually replace every encrypted letter with the corresponding plaintext letter. I wrote a little Python script to automate the process of decrypting the text.

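# cipher[j] is the encrypted letter, corresp[j] the plaintext letter it stands for
cipher  = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z']
corresp = ['e', 'd', 'f', 'b', 'g', 'n', 'x', 'c', 'w', 'o', 'r', 'p', 'h', 'n', 'i', 'q', 'k', 'r', 'v', 'l', 'u', 'v', 't', 'a', 's', 'm']

# Beginning of the encrypted flag, lowercased to match the table;
# replace it with the full encrypted line from the text file
enflag = 'MYX_OFFJY'.lower()
deflag = ''

for i in range(len(enflag)):
    if enflag[i] == '_' or enflag[i] == ' ':
        # Separators are not encrypted, copy them through
        deflag += enflag[i]
    else:
        for j in range(len(cipher)):
            if enflag[i] == cipher[j]:
                deflag += corresp[j]

print(deflag)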


FLAG: hsa_innos_flag_quickbrownfox
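
The known-plaintext step described above, as an added example (not the author's script): it derives the partial substitution table from the two guessed pairs quoted in the write-up and rejects guesses that contradict a one-to-one mapping. The function names and the trailing `Q` in the sample input are assumptions made for illustration.

```python
# Added example: derive a substitution table from known-plaintext cribs.
# The ciphertext/plaintext pairs are the two guesses quoted in the write-up.
CRIBS = [
    ("YAMK EAAMKWA BXZAF UFB MAKKAF", "SEHR GEEHRTE DAMEN UND HERREN"),
    ("MYX_OFFJY", "HSA_INNOS"),
]


def build_table(cribs):
    """Return {cipher_letter: plain_letter}; raise if a guess contradicts itself."""
    table, reverse = {}, {}
    for ct, pt in cribs:
        if len(ct) != len(pt):
            raise ValueError(f"length mismatch: {ct!r} vs {pt!r}")
        for c, p in zip(ct.upper(), pt.upper()):
            if not c.isalpha():
                # Separators are unencrypted and must line up with the guess
                if c != p:
                    raise ValueError(f"separator mismatch: {c!r} vs {p!r}")
                continue
            # A monoalphabetic substitution is one-to-one in both directions
            if table.setdefault(c, p) != p or reverse.setdefault(p, c) != c:
                raise ValueError(f"conflict at {c!r} -> {p!r}")
    return table


def decrypt(text, table, unknown="?"):
    """Apply the partial table; letters not yet recovered become `unknown`."""
    out = []
    for ch in text.upper():
        out.append(table.get(ch, unknown) if ch.isalpha() else ch)
    return "".join(out)


if __name__ == "__main__":
    table = build_table(CRIBS)
    print(f"{len(table)} letters recovered:", dict(sorted(table.items())))
    # Constructed sample: the flag prefix plus one letter (Q) not covered by the cribs
    print(decrypt("MYX_OFFJY_Q", table))
```

Running the partial table over the rest of the ciphertext shows which letters are still unknown, so each further guess can be added to `CRIBS` and checked for conflicts.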

Who am I? - Here is the original file. What's it all about?

We get a PDF file that states, 'I am not what you think I am. Who am I?'. The command foremost -v Challenge.pdf extracts a file called flag.txt containing the flag.


Are you joking me? - Help Salt one more time and find the flag!

We get a Go program that prints 'Go This Way! Find my Secret.' when executed. A simple strings challenge | grep HSA gives us the flag.


Are you joking me? - You are in demand again! Please help Salt.

We are provided with a challenge.wav file that reveals a hint when opened as a spectrogram in Sonic Visualiser. When the same WAV file is examined in Robot36 – SSTV Image Decoder, the flag is displayed.


Can you capture the flag? - Take a look at the network recording with a suitable tool and find the flag.

We are provided with a capture_easy.pcapng file. Upon inspection with Wireshark we can see numerous requests with different URLs. strings capture_easy.pcapng | grep Host renders ASCII art. There is a message encoded in the first character of each line. We can use the following bash command to retrieve it:

strings capture_easy.pcapng | grep Host | awk '{print $2;}' | tr -d '\n'


Don't care? Ransomware! - Can you help Salt get its data?

We get an info file containing the obfuscated strings

e1e60272534605d4e6f01ab3b40f4c93b663cb0d08c979491fac3fb662505e91, 386c5159b1d283698e39a56c138dfabd.txt, OpenSSL_enc-d

and IV 54b8fb54458e2ade1649e78848200f24. Combined into the following command

openssl enc -aes-256-ctr -d -iv 54b8fb54458e2ade1649e78848200f24 -K e1e60272534605d4e6f01ab3b40f4c93b663cb0d08c979491fac3fb662505e91 -in 386c5159b1d283698e39a56c138dfabd.enc -out 386c5159b1d283698e39a56c138dfabd.txt

we can decrypt the message.


Combine & Conquer - Salt is close to the goal, he needs support. Find the flag!

We get two text files containing base64. After decoding both from base64, this simple Python XOR script displays the flag.

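# The two files' contents after base64 decoding, written as hex
a = '3d91d7f4e9844f2b03dbf4c0dca4f9281ddd03abe2844f2b03dbd4c0dca40102'
b = '75c296bda7ca00785c9db8819bfbc81a2ee43793d7b4761932eee0f9eb963635'

a = bytearray.fromhex(a)
b = bytearray.fromhex(b)

def xorArray(x, y):
    # XOR the two buffers byte by byte
    r = []
    for i in range(min(len(x), len(y))):
        r.append(x[i] ^ y[i])
    return bytearray(r)

# Print the XOR of both buffers as text
print(xorArray(a, b).decode())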


FLAG: HSAINNOS_FLAG_123948509215497277

Crack me! - Help Salt one last time to get the flag.

We get a password protected ZIP-File called With fcrackzip -u -D -p rockyou.txt the password is found within seconds.