# Forensics

### Glory of the Garden \[50 pts] <a href="#glory-of-the-garden" id="glory-of-the-garden"></a>

> **Description**
>
> This [garden](https://jupiter.challenges.picoctf.org/static/43c4743b3946f427e883f6b286f47467/garden.jpg) contains more than it seems.\
> Hint: What is a hex editor?

**Solution**

Since this is the most basic flag, I assumed the flag would be in the file in plain text, but after the image. I used a simple command, `strings garden.jpg`, and the last line printed out the flag.

**Flag: picoCTF{more\_than\_m33ts\_the\_3y3657BaB2C}**
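As an added example (not part of the original write-up), this Python sketch isolates only the bytes stored after the JPEG end-of-image marker, which is where this solution expected the plain-text flag to sit. The sample bytes are constructed, and `jpeg_trailer` and `printable_runs` are names chosen for this example.

```python
import re

def jpeg_trailer(data: bytes) -> bytes:
    """Return whatever follows the JPEG end-of-image (EOI) marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    # Header segments: FF <marker> <2-byte big-endian length> <payload>.
    # Skipping by length avoids stopping at an FF D9 inside a payload
    # (for example an embedded EXIF thumbnail).
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:
            return data[pos + 2:]
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:  # start of scan: compressed data follows
            break
    # Scan data: FF 00 is a stuffed byte, FF D0..D7 are restart markers.
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            raise ValueError("no EOI marker found")
        nxt = data[pos + 1]
        if nxt == 0xD9:
            return data[pos + 2:]
        if nxt == 0xFF:  # fill byte
            pos += 1
        elif nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2
        else:  # another segment, e.g. the next scan of a progressive JPEG
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")

def printable_runs(blob: bytes, min_len: int = 4) -> list:
    """Like `strings`: printable ASCII runs of at least min_len bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Constructed sample: SOI, an APP1 segment whose payload contains FF D9,
# a scan with a stuffed byte and a restart marker, EOI, then appended text.
SAMPLE = (b"\xff\xd8" + b"\xff\xe1\x00\x06\xff\xd9\x00\x00"
          + b"\xff\xda\x00\x04\x01\x02" + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9" + b"appended after EOI\n")

if __name__ == "__main__":
    print(printable_runs(jpeg_trailer(SAMPLE)))
```
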

### So Meta \[150 pts] <a href="#so-meta" id="so-meta"></a>

> **Description**
>
> Find the flag in this [picture](https://jupiter.challenges.picoctf.org/static/00efdf2961da1e21470ffc0d496c3cc2/pico_img.png).

**Solution**

The title gave the hint "meta", so I used the built-in tool:

```bash
exiftool pico_img.png
```

**Flag: picoCTF{s0\_m3ta\_fec06741}**

### shark on wire 1 \[150 pts] \[Not Solved] <a href="#shark-on-wire-1" id="shark-on-wire-1"></a>

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/483e50268fe7e015c49caf51a69063d0/capture.pcap). Recover the flag.

**Solution**

a

**Flag:**

### extensions \[150 pts] <a href="#extensions" id="extensions"></a>

> **Description**
>
> This is a really weird text file [TXT](https://jupiter.challenges.picoctf.org/static/e7e5d188621ee705ceeb0452525412ef/flag.txt)? Can you find the flag?

**Solution**

Whether by trying to open it, running the `file flag.txt` command, or opening flag.txt in a hex editor, the conclusion is the same: it is a PNG file.

**Flag: picoCTF{now\_you\_know\_about\_extensions}**
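As an added example (not from the original write-up), this Python sketch covers both this challenge and So Meta above: it identifies a PNG by its 8-byte signature regardless of the file name, then walks the chunks to list the `tEXt` metadata that a tool such as exiftool reports. The sample PNG and its `Artist` value are constructed, and `inspect_file` is a name chosen for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature

def png_chunks(data):
    """Yield (type, body, crc_ok) for each chunk of a PNG byte string."""
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        yield ctype.decode("latin-1"), body, zlib.crc32(ctype + body) == crc
        if ctype == b"IEND":
            return
        pos = end

def inspect_file(name, data):
    """Report the real type and, for PNGs, the tEXt metadata."""
    is_png = data.startswith(PNG_SIG)
    report = {"is_png": is_png,
              "extension_mismatch": is_png != name.lower().endswith(".png"),
              "text": {}, "bad_crc": []}
    if not is_png:
        return report
    for ctype, body, crc_ok in png_chunks(data):
        if not crc_ok:
            report["bad_crc"].append(ctype)
        if ctype == "tEXt":  # keyword, NUL byte, text; both Latin-1
            key, _, value = body.partition(b"\x00")
            report["text"][key.decode("latin-1")] = value.decode("latin-1")
    return report

def _chunk(ctype, body):
    """Build one chunk: length, type, body, CRC over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a 1x1 grayscale PNG carrying one tEXt chunk.
SAMPLE = (PNG_SIG
          + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + _chunk(b"tEXt", b"Artist\x00constructed-sample-value")
          + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print(inspect_file("flag.txt", SAMPLE))
```
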

### What Lies Within \[150 pts] <a href="#what-lies-within" id="what-lies-within"></a>

> **Description**
>
> There's something in the [building](https://jupiter.challenges.picoctf.org/static/011955b303f293d60c8116e6a4c5c84f/buildings.png). Can you retrieve the flag?

**Solution**

I used this [online website's](https://stylesuxx.github.io/steganography/) decoder function to find the flag.

**Flag: picoCTF{h1d1ng\_1n\_th3\_b1t5}**

### m00nwalk \[250 pts] \[Not Solved] <a href="#m-00-nwalk" id="m-00-nwalk"></a>

> **Description**
>
> Decode this [message](https://jupiter.challenges.picoctf.org/static/d6fcea5e3c6433680ea4f914e24fab61/message.wav) from the moon.

**Solution**

a

**Flag:**

### WhitePages \[250 pts] <a href="#whitepages" id="whitepages"></a>

> **Description**
>
> I stopped using YellowPages and moved onto WhitePages... but [the page they gave me](https://jupiter.challenges.picoctf.org/static/74274b96fe966126a1953c80762af80d/whitepages.txt) is all blank!

**Solution**

I know the file is filled with spaces, but looking through a hex editor, they aren't all spaces; there are other hex values that are not viewable. I noticed a "." and " " pattern denoting 1's and 0's, with hex "E2", "80", "83", and "20". Hmmm, 4 values but only 2 needed... You can notice that the two patterns are E28083 and 20. Taking that and converting the patterns in the file gives a bunch of 1s and 0s, which decode to the ASCII flag.

```python
import binascii

def text_from_bits(bits, encoding='utf-8', errors='surrogatepass'):
    # Interpret the bit string as one big integer, then as bytes.
    n = int(bits, 2)
    return int2bytes(n).decode(encoding, errors)

def int2bytes(i):
    hex_string = '%x' % i
    n = len(hex_string)
    # Pad to an even number of hex digits so unhexlify accepts it.
    return binascii.unhexlify(hex_string.zfill(n + (n & 1)))

with open("whitepages.txt", "rb") as bin_file:
    data = bytearray(bin_file.read())
    # E2 80 83 -> bit 0, 20 (ordinary space) -> bit 1
    data = data.replace(b'\xe2\x80\x83', b'0')
    data = data.replace(b'\x20', b'1')
    data = data.decode("ascii")
    print(data)
    print(text_from_bits(data))
```

Output

> picoCTF\
> SEE PUBLIC RECORDS & BACKGROUND REPORT\
> 5000 Forbes Ave, Pittsburgh, PA 15213\
> picoCTF{not\_all\_spaces\_are\_created\_equal\_c54f27cd05c2189f8147cc6f5deb2e56}

**Flag: picoCTF{not\_all\_spaces\_are\_created\_equal\_c54f27cd05c2189f8147cc6f5deb2e56}**
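The three bytes E2 80 83 are the UTF-8 encoding of a single character, U+2003 (EM SPACE), so decoding the file as UTF-8 first leaves exactly two symbols. The added example below (not part of the original solution) generalizes the script above: it accepts any two-character file and picks the bit assignment that yields printable text, using a constructed sample and the made-up function name `decode_two_symbol`.

```python
import string
from collections import Counter

def decode_two_symbol(raw: bytes) -> dict:
    """Decode a file made of exactly two distinct characters as bits."""
    text = raw.decode("utf-8")          # E2 80 83 becomes one character
    counts = Counter(text)
    if len(counts) != 2:
        raise ValueError(f"expected 2 distinct characters, found {len(counts)}")
    a, b = sorted(counts)
    usable = len(text) - len(text) % 8  # ignore a trailing partial byte
    best = None
    # Try both assignments and keep the one with more printable bytes.
    for zero, one in ((a, b), (b, a)):
        bits = "".join("0" if ch == zero else "1" for ch in text[:usable])
        msg = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
        score = sum(chr(c) in string.printable for c in msg)
        if best is None or score > best[0]:
            best = (score, msg, zero, one)
    _, msg, zero, one = best
    return {"zero": f"U+{ord(zero):04X}", "one": f"U+{ord(one):04X}",
            "counts": {f"U+{ord(ch):04X}": n for ch, n in counts.items()},
            "message": msg.decode("latin-1")}

def encode_two_symbol(message: bytes, zero="\u2003", one=" ") -> bytes:
    """Inverse operation, used here only to build the constructed sample."""
    bits = "".join(format(byte, "08b") for byte in message)
    return "".join(zero if bit == "0" else one for bit in bits).encode("utf-8")

# Constructed sample using the same mapping as the script above:
# EM SPACE (E2 80 83) is bit 0 and an ordinary space (20) is bit 1.
SAMPLE = encode_two_symbol(b"constructed sample\n")

if __name__ == "__main__":
    print(decode_two_symbol(SAMPLE))
```
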

### c0rrupt \[250 pts] \[Not Solved]

> **Description**
>
> We found this [file](https://jupiter.challenges.picoctf.org/static/ab30fcb7d47364b4190a7d3d40edb551/mystery). Recover the flag.

**Solution**

a

**Flag:**

### like1000 \[250 pts] \[Not Solved]

> **Description**
>
> This [.tar file](https://jupiter.challenges.picoctf.org/static/52084b5ad360b25f9af83933114324e0/1000.tar) got tarred a lot.

**Solution**

a

**Flag:**

### m00nwalk2 \[300 pts] \[Not Solved]

> **Description**
>
> Revisit the last transmission. We think this [transmission](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/message.wav) contains a hidden message. There are also some clues [clue 1](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/clue1.wav), [clue 2](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/clue2.wav), [clue 3](https://jupiter.challenges.picoctf.org/static/599404f0bf7426a5a5c2deb538860cda/clue3.wav).

**Solution**

a

**Flag:**

### Investigative Reversing 0 \[300 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/6e007dc305ebb3d94c2ab361ee0127a6/mystery) and an [image](https://jupiter.challenges.picoctf.org/static/6e007dc305ebb3d94c2ab361ee0127a6/mystery.png). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### shark on wire 2 \[300 pts] \[Not Solved]

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/b506393b6f9d53b94011df000c534759/capture.pcap). Recover the flag that was pilfered from the network.

**Solution**

a

**Flag:**

### Investigative Reversing 2 \[350 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/1d8e2ff583796340cf3eafbf81bf7b70/mystery) and an [image](https://jupiter.challenges.picoctf.org/static/1d8e2ff583796340cf3eafbf81bf7b70/encoded.bmp). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### Investigative Reversing 1 \[350 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery) and a few images: [image](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery.png), [image2](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery2.png), [image3](https://jupiter.challenges.picoctf.org/static/c600f6c1bbe8969aefd6f9da0cbdc01c/mystery3.png). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### WebNet0 \[450 pts] \[Not Solved]

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/0c84d3636dd088d9fe4efd5d0d869a06/capture.pcap) and [key](https://jupiter.challenges.picoctf.org/static/0c84d3636dd088d9fe4efd5d0d869a06/picopico.key). Recover the flag.

**Solution**

a

**Flag:**

### Investigative Reversing 4 \[400 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/mystery) and 5 images: [image01](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item01_cp.bmp), [image02](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item02_cp.bmp), [image03](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item03_cp.bmp), [image04](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item04_cp.bmp), [image05](https://jupiter.challenges.picoctf.org/static/cbab42643a1552d04a78dc2acfe4f930/Item05_cp.bmp). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### Investigative Reversing 3 \[400 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/fd9d5bc48b1a6821ce8128672faf3edf/mystery) and an [image](https://jupiter.challenges.picoctf.org/static/fd9d5bc48b1a6821ce8128672faf3edf/encoded.bmp). See what you can make of it. There should be a flag somewhere.

**Solution**

a

**Flag:**

### WebNet1 \[450 pts] \[Not Solved]

> **Description**
>
> We found this [packet capture](https://jupiter.challenges.picoctf.org/static/fbf98e695555a2a48fe42c9a245de376/capture.pcap) and [key](https://jupiter.challenges.picoctf.org/static/fbf98e695555a2a48fe42c9a245de376/picopico.key). Recover the flag.

**Solution**

a

**Flag:**

### investigation\_encoded\_1 \[450 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/713c412a478009913cccd92826bd69a2/mystery) and 1 file: [image01](https://jupiter.challenges.picoctf.org/static/713c412a478009913cccd92826bd69a2/output). See what you can make of it. NOTE: The flag is not in the normal picoCTF{XXX} format.

**Solution**

a

**Flag:**

### investigative\_encoding\_2 \[500 pts] \[Not Solved]

> **Description**
>
> We have recovered a [binary](https://jupiter.challenges.picoctf.org/static/c09444bcd3737284f3c046e700f2b7de/mystery) and 1 file: [image01](https://jupiter.challenges.picoctf.org/static/c09444bcd3737284f3c046e700f2b7de/output). See what you can make of it. NOTE: The flag is not in the normal picoCTF{XXX} format.

**Solution**

a

**Flag:**

### B1g\_Mac \[500 pts] \[Not Solved]

> **Description**
>
> Here's a [zip file](https://jupiter.challenges.picoctf.org/static/2b1cf2a4a463b1a3e031d2fcef3fa54d/b1g_mac.zip).

**Solution**

a

**Flag:**

