# Forensics

### Glory of the Garden \[50 pts] <a href="#glory-of-the-garden" id="glory-of-the-garden"></a>

> **Description**
>
> This [garden](https://jupiter.challenges.picoctf.org/static/43c4743b3946f427e883f6b286f47467/garden.jpg) contains more than it seems.\
> Hint: What is a hex editor?

**Solution**

Being the most basic flag, I assumed it would have the flag in the file in plain text, but after the image. I used a simple command, `strings garden.jpg`, and the last line printed out the flag.

**Flag: picoCTF{more\_than\_m33ts\_the\_3y3657BaB2C}**
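As an added example (not part of the original write-up), the check below confirms where appended data starts: it walks the JPEG segment structure to the real end-of-image marker and returns whatever follows. The function name and the sample bytes are constructed for illustration; a plain search for `FF D9` is not enough, because segment payloads such as EXIF thumbnails can contain those bytes too.

```python
def jpeg_trailing_data(buf: bytes) -> bytes:
    """Return the bytes stored after the JPEG's real EOI marker."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 1 < len(buf):
        if buf[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = buf[i + 1]
        if marker == 0xFF:                  # fill byte before a marker
            i += 1
            continue
        i += 2
        if marker == 0xD9:                  # EOI: the image ends here
            return buf[i:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                        # standalone markers carry no length
        seglen = int.from_bytes(buf[i:i + 2], "big")
        if seglen < 2:
            raise ValueError(f"bad segment length at offset {i}")
        i += seglen                         # skip the whole segment payload
        if marker == 0xDA:                  # SOS: entropy-coded data follows
            while i + 1 < len(buf):
                nxt = buf[i + 1]
                # FF 00 is a stuffed byte and FF D0..D7 are restart markers
                if buf[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("truncated JPEG: no EOI marker")


# Constructed sample: valid JPEG framing only, not a decodable picture.
APP0 = b"JFIF\x00" + b"\xff\xd9"            # payload that happens to hold FF D9
SAMPLE = (
    b"\xff\xd8"                                                  # SOI
    + b"\xff\xe0" + (len(APP0) + 2).to_bytes(2, "big") + APP0    # APP0 segment
    + b"\xff\xda\x00\x08" + bytes(6)                             # SOS header
    + b"\x12\xff\x00\x34\xff\xd0\x56"                            # scan data
    + b"\xff\xd9"                                                # EOI
    + b"picoCTF{constructed_example}\n"                          # appended text
)

if __name__ == "__main__":
    print(jpeg_trailing_data(SAMPLE))
```
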

### So Meta \[150 pts] <a href="#so-meta" id="so-meta"></a>

> **Description**
>
> Find the flag in this [picture](https://jupiter.challenges.picoctf.org/static/00efdf2961da1e21470ffc0d496c3cc2/pico_img.png).

**Solution**

The title gave the hint "meta", so I used the built-in tool:

```bash
exiftool pico_img.png
```

**Flag: picoCTF{s0\_m3ta\_fec06741}**

### shark on wire 1 \[150 pts] \[Not Solved] <a href="#shark-on-wire-1" id="shark-on-wire-1"></a>

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/483e50268fe7e015c49caf51a69063d0/capture.pcap). Recover the flag.

**Solution**

a

**Flag:**

### extensions \[150 pts] <a href="#extensions" id="extensions"></a>

> **Description**
>
> This is a really weird text file [TXT](https://jupiter.challenges.picoctf.org/static/e7e5d188621ee705ceeb0452525412ef/flag.txt)? Can you find the flag?

**Solution**

Whether you try to open it, run the `file flag.txt` command, or view `flag.txt` in a hex editor, the conclusion is the same: it is a PNG file.

**Flag: picoCTF{now\_you\_know\_about\_extensions}**

### What Lies Within \[150 pts] <a href="#what-lies-within" id="what-lies-within"></a>

> **Description**
>
> There's something in the [building](https://jupiter.challenges.picoctf.org/static/011955b303f293d60c8116e6a4c5c84f/buildings.png). Can you retrieve the flag?

**Solution**

Use the decoder function of this [online website](https://stylesuxx.github.io/steganography/) to find the flag.

**Flag: picoCTF{h1d1ng\_1n\_th3\_b1t5}**

### m00nwalk \[250 pts] \[Not Solved] <a href="#m-00-nwalk" id="m-00-nwalk"></a>

> **Description**
>
> Decode this [message](https://jupiter.challenges.picoctf.org/static/d6fcea5e3c6433680ea4f914e24fab61/message.wav) from the moon.

**Solution**

a

**Flag:**

### WhitePages \[250 pts] <a href="#whitepages" id="whitepages"></a>

> **Description**
>
> I stopped using YellowPages and moved onto WhitePages... but [the page they gave me](https://jupiter.challenges.picoctf.org/static/74274b96fe966126a1953c80762af80d/whitepages.txt) is all blank!

**Solution**

I know the file is filled with spaces, but looking through a hex editor they aren't all spaces; there are other byte values that are not viewable. I noticed it was a "." and " " pattern denoting 1's and 0's, with hex "E2", "80", "83", and "20". Hmmm, 4 but only 2 are needed... You can notice that the two patterns are E28083 and 20. Taking those and converting the file to bits gives a bunch of 1's and 0's, which decode to the ASCII flag.

```python
import binascii

def text_from_bits(bits, encoding='utf-8', errors='surrogatepass'):
    # Interpret the bit string as one big integer, then as bytes
    n = int(bits, 2)
    return int2bytes(n).decode(encoding, errors)

def int2bytes(i):
    hex_string = '%x' % i
    n = len(hex_string)
    # Pad to an even number of hex digits so unhexlify accepts it
    return binascii.unhexlify(hex_string.zfill(n + (n & 1)))

with open("whitepages.txt", "rb") as bin_file:
    data = bytearray(bin_file.read())
    # Map the two patterns to bits: E2 80 83 -> 0, 20 -> 1
    data = data.replace(b'\xe2\x80\x83', b'0')
    data = data.replace(b'\x20', b'1')
    data = data.decode("ascii")
    print(data)
    print(text_from_bits(data))
```

Output

> picoCTF\
> SEE PUBLIC RECORDS & BACKGROUND REPORT\
> 5000 Forbes Ave, Pittsburgh, PA 15213\
> picoCTF{not\_all\_spaces\_are\_created\_equal\_c54f27cd05c2189f8147cc6f5deb2e56}

**Flag: picoCTF{not\_all\_spaces\_are\_created\_equal\_c54f27cd05c2189f8147cc6f5deb2e56}**
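An added example, not from the original write-up, that goes beyond the byte replacement above: it decodes the file as UTF-8 first, so `E2 80 83` becomes the single character U+2003 (EM SPACE) next to U+0020, and then picks the bit polarity automatically by scoring printable output. The function names and the sample message are constructed for illustration.

```python
import itertools
import string

PRINTABLE = set(string.printable.encode("ascii"))


def decode_whitespace_bits(raw: bytes) -> str:
    """Decode a file built from exactly two characters used as 0/1 symbols."""
    text = raw.decode("utf-8")      # multi-byte spaces collapse to one symbol
    symbols = sorted(set(text))
    if len(symbols) != 2:
        found = [f"U+{ord(c):04X}" for c in symbols]
        raise ValueError(f"expected 2 distinct characters, found {found}")
    candidates = []
    for zero, one in itertools.permutations(symbols):
        bits = text.translate({ord(zero): "0", ord(one): "1"})
        bits = bits[: len(bits) - len(bits) % 8]    # drop a partial last byte
        data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
        score = sum(b in PRINTABLE for b in data)   # wrong polarity scores low
        candidates.append((score, data))
    best = max(candidates)[1]
    return best.decode("ascii", errors="replace")


def hide_in_whitespace(msg: str, zero: str = "\u2003", one: str = " ") -> bytes:
    """Build a constructed sample file; only used to exercise the decoder."""
    bits = "".join(f"{b:08b}" for b in msg.encode("ascii"))
    return bits.translate({ord("0"): zero, ord("1"): one}).encode("utf-8")


# Constructed sample input, not the challenge file.
SAMPLE = hide_in_whitespace("picoCTF{constructed_sample}")

if __name__ == "__main__":
    print(decode_whitespace_bits(SAMPLE))
```
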

### c0rrupt \[250 pts] \[Not Solved]

> **Description**
>
> We found this [file](https://jupiter.challenges.picoctf.org/static/ab30fcb7d47364b4190a7d3d40edb551/mystery). Recover the flag.

**Solution**

a

**Flag:**

### like1000 \[250 pts] \[Not Solved]

> **Description**
>
> This [.tar file](https://jupiter.challenges.picoctf.org/static/52084b5ad360b25f9af83933114324e0/1000.tar) got tarred a lot.

**Solution**

a

**Flag:**

### m00nwalk2 \[300 pts] \[Not Solved]

> **Description**
>
> Revisit the last transmission. We think this [transmission](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/message.wav) contains a hidden message. There are also some clues [clue 1](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/clue1.wav), [clue 2](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/clue2.wav), [clue 3](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/clue3.wav).

**Solution**

a

**Flag:**

### Investigative Reversing 0 \[300 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/6e007dc305ebb3d94c2ab361ee0127a6/mystery) and an [image](https://jupiter.challenges.picoctf.org/static/6e007dc305ebb3d94c2ab361ee0127a6/mystery.png). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### shark on wire 2 \[300 pts] \[Not Solved]

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/b506393b6f9d53b94011df000c534759/capture.pcap). Recover the flag that was pilfered from the network.

**Solution**

a

**Flag:**

### Investigative Reversing 2 \[350 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/1d8e2ff583796340cf3eafbf81bf7b70/mystery) and an [image](https://jupiter.challenges.picoctf.org/static/1d8e2ff583796340cf3eafbf81bf7b70/encoded.bmp). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### Investigative Reversing 1 \[350 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery) and a few images: [image](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery.png), [image2](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery2.png), [image3](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery3.png). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### WebNet0 \[450 pts] \[Not Solved]

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/0c84d3636dd088d9fe4efd5d0d869a06/capture.pcap) and [key](https://jupiter.challenges.picoctf.org/static/0c84d3636dd088d9fe4efd5d0d869a06/picopico.key). Recover the flag.

**Solution**

a

**Flag:**

### Investigative Reversing 4 \[400 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/mystery) and 5 images: [image01](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item01_cp.bmp), [image02](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item02_cp.bmp), [image03](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item03_cp.bmp), [image04](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item04_cp.bmp), [image05](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item05_cp.bmp). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### Investigative Reversing 3 \[400 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/fd9d5bc48b1a6821ce8128672faf3edf/mystery) and an [image](https://jupiter.challenges.picoctf.org/static/fd9d5bc48b1a6821ce8128672faf3edf/encoded.bmp). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### WebNet1 \[450 pts] \[Not Solved]

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/fbf98e695555a2a48fe42c9a245de376/capture.pcap) and [key](https://jupiter.challenges.picoctf.org/static/fbf98e695555a2a48fe42c9a245de376/picopico.key). Recover the flag.

**Solution**

a

**Flag:**

### investigation\_encoded\_1 \[450 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/713c412a478009913cccd92826bd69a2/mystery) and 1 file: [image01](https://jupiter.challenges.picoctf.org/static/713c412a478009913cccd92826bd69a2/output). See what you can make of it. NOTE: The flag is not in the normal picoCTF{XXX} format.

**Solution**

a

**Flag:**

### investigative\_encoding\_2 \[500 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/c09444bcd3737284f3c046e700f2b7de/mystery) and 1 file: [image01](https://jupiter.challenges.picoctf.org/static/c09444bcd3737284f3c046e700f2b7de/output). See what you can make of it. NOTE: The flag is not in the normal picoCTF{XXX} format.

**Solution**

a

**Flag:**

### B1g\_Mac \[500 pts] \[Not Solved]

> **Description**
>
> Here's a [zip file](https://jupiter.challenges.picoctf.org/static/2b1cf2a4a463b1a3e031d2fcef3fa54d/b1g_mac.zip).

**Solution**

a

**Flag:**
