Show Solution …
Level 11 provides us with a fairly odd-looking page from the start.
Looking for more details, the php image file has an interesting name. You can see its name either by looking at the source code, viewing its direct path, or opening its properties in the browser. I happened to look at its properties:
I downloaded the file to analyze it further. Seeing as it calls itself a virus, I ran it through the Linux
file command to verify whether or not it was a picture, but sure enough it said that it was indeed a valid jpeg image.
We actually get the flag right there in the file information! If you didn’t think to run
file on the image, you can also find the flag in the image’s metadata (which is where
file found it as well, but that won’t always happen).
You could have also found it with
However you get there, we’re still not done yet. This doesn’t follow the standard flag format; we need to decode the long string at the end of the flag. Since it has a combination of lowercase, uppercase, and numbers, let’s try base64.
Visiting this link gives us an image with text, and that text is the final part of the flag
This was another case of attention to detail. The name of the file was a clue to focus on that file. There were many ways of identifying this flag, so understanding each and why they work is beneficial. Remember that you can use
grep to search for the flag, as well.
Also, we were once again given a base64 encoded string. This is the third time decoding base64 in this CTF, so hopefully you’re starting to be able to identify it more quickly now and immediately decoding it.