Tags: vbscript warmup
Rating:
# Challenges
- [Challenges](#challenges)
- [OSINT](#osint)
- [#NahamCon2021](#nahamcon2021)
- [Read the rules](#read-the-rules)
- [Hackerone](#hackerone)
- [Discord Nahansec](#discord-nahansec)
- [Merch Store](#merch-store)
- [INE](#ine)
- [HTB](#htb)
- [Googgle Play](#googgle-play)
- [Miscellaneous](#miscellaneous)
- [esab64](#esab64)
- [Shoelaces](#shoelaces)
- [Pollex](#pollex)
- [buzz](#buzz)
- [Veebee](#veebee)
## OSINT
### #NahamCon2021
Twitter (<https://twitter.com/NahamSec>)
`` flag{e36bc5a67dd2fe5f33b62123f78fbcef} ``
### Read the rules
<https://ctf.nahamcon.com/rules>
HTML Source `` flag{90bc54705794a62015369fd8e86e557b} ``
### Hackerone
Discord
[announcements](https://discord.com/channels/514337135491416065/534475139602055168)
``Synt{rr907q188039nr543o81sq237o6o6q0o}``
[CyberChef](https://gchq.github.io/CyberChef/)
Recipe:
rot13
`` Flag{ee907d188039ae543b81fd237b6b6d0b} ``
### Discord Nahansec
Channel sub-title is the flag.
- UHC-BR
- Red Team Village
- Live Recon Village
- IoT Village
- INE Career Corner
- HTB Village
### Merch Store
### INE
<https://checkout.ine.com/starter-pass>
Page inspection = Deep on the page there's this base64 string
```Bash
echo "ZmxhZ3syOWZhMzA1YWFmNWUwMWU5ZWRjZjAxNDJlNGRkY2RiOX0=" | base64 -d
```
`` flag{29fa305aaf5e01e9edcf0142e4ddcdb9} ``
### HTB
Dropped in parts over twitter and discord
<https://twitter.com/hackthebox_eu/status/1371146586391261189>
<https://discord.com/channels/473760315293696010/477042310467813376>
``flag{57a3ca8be987fb8b7ea0a72e1124e302}``
### Googgle Play
Hint: <https://twitter.com/jon_bottarini/status/1370926690612826112>
search for flag{ camouflage font
`` flag{a0a6cb3b4bc98bf2a34b7aed76aebf53} ``
## Miscellaneous
### esab64
```Bash
$cat esab64
mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X
```
[Cyberchef](https://gchq.github.io/CyberChef/)
Recipe:
1. Reverse
2. From Base64
3. Reverse
### Shoelaces
```Bash
$strings shoelaces.jpg
```
`` flag{137288e960a3ae9b148e8a7db16a69b0} ``
### Pollex
More than one jpg file concatenated to identify used binwalk and to remove the second file used dd.
```Bash
$ binwalk pollex.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
30 0x1E TIFF image data, little-endian offset of first image directory: 8
334 0x14E JPEG image data, JFIF standard 1.01
364 0x16C TIFF image data, little-endian offset of first image directory: 8
848 0x350 JPEG image data, JFIF standard 1.01
6731 0x1A4B Copyright string: "CopyrightOwner> <rdf:Seq/> </plus:CopyrightOwner> <plus:Licensor> <rdf:Seq/> </plus:Licensor> <dc:creator> <rdf:Seq> <rdf:li>Ste"
6765 0x1A6D Copyright string: "CopyrightOwner> <plus:Licensor> <rdf:Seq/> </plus:Licensor> <dc:creator> <rdf:Seq> <rdf:li>Stevanovic Igor</rdf:li> </rdf:Seq> <"
```
```Bash
dd if=pollex.jpg bs=512k | { dd bs=334 count=1 of=/dev/null; dd bs=512k of=trimmed_pollex.jpg; }
```
Flag printed on the image trimmed_pollex.jpg
`` flag{65c34alec121a286600ddd48fe36bc00} ``
### buzz
```Bash
file buzz
gunzip buzz
```
``flag{b3a33db7ba04c4c9052ea06d9ff17869}``
### Veebee
To decode the VBE script have tried:
<https://didierstevens.com/files/software/decode-vbe_V0_0_1.zip>
But didn't work
Google-fu find the tool
<https://github.com/JohnHammond/vbe-decoder/>
`` flag{f805593d933f5433f2a04f082f400d8c} ``