museifu > blog

rgbCTF 2020 Write-up


Challenge Name Category Solves Points
Name a more iconic band Beginner 89 411
I Love Rainbows Cryptography 408 50
Penguins Misc 135 295
Tic Tac Toe Web 333 50
vaporwave1 [ZTC] 166 190

Name a more iconic band

Category: Beginner | Solves: 89 | Points: 411

Name a more iconic band challenge description

We download the “data.7z” file and extract the contents:

$ file data_1 data_1: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)

Running strings on this “ELF” file we become immediately aware that this is not in fact an ELF file. This file contains a Windows memory coredump. We will need to extract the raw data and then analyze it with Volatility. We use objdump with egrep to locate the size and offset of the first LOAD section.


This section contains the RAM information we care about. We remove the bytes we don’t need.


Next, we use volatility to determine the image information from our data.raw file.


Then, we use hivelist to locate the SAM and SYSTEM Virtual memory locations.


Next, using these locations we dump the NTLM hashes stored in memory from this file.


Now all we have to do is crack the NTLM hashes, sort the passwords alphabetically, create an MD5 hash of the result, and submit the flag.


Lastly, we use the following command to generate our flag:


Flag: rgbCTF{cf271c074989f6073af976de00098fc4}

I Love Rainbows

Category: Cryptography | Solves: 408 | Points: 50


We download the rainbows.txt file and list the contents.


From the name of the challenge we are given a hint that we may be looking at a rainbow table attack using this list of hashes.

We run hash-identifier on the first two hashes to determine their hash type.



Okay, so the first hash 4b43b0aee35624cd95b910189b3dc231 is an MD5 hash and the second cd0aa9856147b6c5b4ff2b7dfee5da20aa38253099ef1b4a64aced233c9afe29 is SHA-256. We will assume the shorter hashes are MD5 and the longer hashes are SHA-256. Assuming these hashes are not salted, we could attempt to crack these locally. I even considered generating my own rainbow tables (yikes) for the sake of the challenge, but instead let’s see if we can use an online password cracker that already has rainbow table lists generated and likely has the plain-text results.

We’ll use Crackstation. A limit of 20 hashes can be submitted at once, we’ll submit the first 20 hashes and then the last 4 separately.



Awesome, the plain-text value of these hashes were previously cracked, let’s submit our flag!

Flag: rgbCTF{4lw4ys_us3_s4lt_wh3n_h4shing}


Category: Misc | Solves: 135 | Points: 295


We download and unzip the file.


Ah, a git challenge. Let’s explore the contents and see if we can find any useful information.



After some digging around the .git folder I decided to take a look at the git log history.


Commit 57adeae7 looks interesting. Let’s check out the “relevant file” change.


After checking the new files we find the following:


We base64 decode this string with base64 -d < perhaps_relevant_v2 to receive the following output:

as yoda once told me "reward you i must" and then he gave me this ---- rgbctf{d4ngl1ng_c0mm17s_4r3_uNf0r7un473}

Flag: rgbctf{d4ngl1ng_c0mm17s_4r3_uNf0r7un473}

Tic Tac Toe

Category: Web | Solves: 333 | Points: 50


We navigate to and are presented with the following:


As the player we are given uwu as our mark, the script uses owo.

I played a few games to determine the behavior of the script running this site. I soon realized that the script was making a logic error when presented with the following condition: In the case that the human player makes a move that sets up a winning condition the following round, the script will prevent the player from winning on the following round even if the script can win on that same exact round. See image below:


If we place our uwu marker on the middle bottom row, the script will prioritize blocking our next move versus winning itself on the top row. See image:


The trick here is to set ourselves up to win on the middle column. Thus, we are winning on the next move, top middle square.


We base64 decode this string and retrieve the flag!


Note: I’m sure there was another way to solve this by modifying the javascript, but why work hard?

Flag: rgbCTF{h4h4_j4v42cr1p7_ev3n72_AR3_c00L}


Category: [ZTC] | Solves: 166 | Points: 190


We download the vaporwave1.mp3 file and open it using Audacity. My first thoughts on this challenge were that this file is likely encoded, as is common with steganography challenges.

ZTC brought some great tunes this year, I especially had fun working on the third installment of this challenge in “vaporwave3”. Shoutout to ZTC for the summoning salt/speedrunning homage.

Now back to the challenge.

In Audacity we choose “spectrogram” and modify the spectrogram settings to include ranges up to 22000Hz frequency. By viewing the spectogram at this range we see a message between 15kHZ and 22kHz. We have found our flag.


Flag: rgbCTF{s331ng_s0undz}