================We lost the flag==============================
LOST .PNG =====> IS PROBLEM
LOST 2.png
References "file signatures" (hinting to check file headers).
LOST 3.png & LOST 3A.png
Show hex dumps of a file named lost (1).png with JFIF markers.
Likely another corrupted JPEG/PNG hybrid.
LOST 4.png (Hex Data)
Starts with FF DB FF E8 (non-standard JPEG header; should be FF D8 FF E0).
Contains JFIF (JPEG metadata) and strange decoded text (MOVE...JFIF).
Corrupted header (try fixing to FF D8 FF E0).
Hidden data (e.g., appended files, steganography).
FLAG4.png
Contains the text: CIT{using_m4glc_1t_s33m5}
This is likely a fake flag or a hint pointing to "magic numbers" (file signatures).
The flag suggests using file command or hex analysis (e.g., JFIF = JPEG signature).
Next Steps:
- Extract Hidden Data
Use binwalk to check for embedded files:
bash (binwalk LOST.png) Use foremost or dd to extract hidden files:
bash (foremost LOST.png -o output_dir)
- Check for Steganography
Try steghide (if the file has embedded data):
bash (steghide extract -sf LOST.png)
Use stegsolve to analyze LSB (Least Significant Bit) patterns.
- Fix the File Headers Change FF DB FF E8 → FF D8 FF E0 (standard JPEG header) using a hex editor (e.g., HxD).
If the file is a PNG, the correct header should be 89 50 4E 47.
======================================================================
===============================True CTF Love==========================
EMAIL 1.png shows an email header with a DKIM signature containing base64 encoded parts (lines 25-29).
EMAIL 2.png shows operations being performed on what appears to be corrupted base64 text, with partial output that hints at the flag format.
EMAIL1B.png contains cleaner base64 text that decodes to reveal the flag.Decoding Process
The base64 text from EMAIL1B.png:
b=V293LCB3a6F0I6EgYmVhdXRpZnVsIGxpdHRsZSBwb2VtLiBJI6FsbW9zdCBza6VkI 6Egd6VhciByZWFkaW5nIHRoYXQuIEhvc6VmdWxse8B5b3Ugb6Vhom51ZC8tb3J1I6Fi b3V0I6VtYWLsI6hLYWR1cnMuIEJ1dCBzZXJpb3VzbHksI61QI6d1dHWgbWUqd29uZ6V yaW5nLi4uI6RvIHLvdSBsb3ZLIENURnMgYXMgbXVjaCBhcy80a6V5I6RvPwoKQQ1Ue2 1fbDB2M19jd6YKX3QwMH0=
When decoded (after removing the leading "b="), it reveals:
Wow, what a beautiful little poem. I almost shed a tear reading that. Hopefully you learned more about email headers. But seriously, it gets me wondering... do you love CTFs as much as they do?
CTF{1_l0v3_ctf$_t00}
========================================================================
==================================Brainrot Quiz!========================
PACAP 1.PNG
A network analysis tool (likely Wireshark) displays ICMP requests and replies, with some requests showing .
The hexadecimal data view correlates with the Base64 string.
A Base64-encoded string (Q0lUe3RyNGw0bDNyMF9OcjRsNGw0fQ==) is shown in a Notepad windows.
PACAP 2.PNG
The CyberChef tool is used to decode the Base64 string from Image 1.\
The decoded result is {CIT{tr4l413r0_tr4l414}}, which appears to be a flag for a cryptographic challenge.
PACAP 3.PNG
The decoded flag (CIT{tr4l413r0_tr4l414}) is submitted in a quiz interface called "Brainrot Quiz!".
The flag is validated as correct, and the response is marked as “Correct,” confirming successful completion of the challenge.
===========================================================================
=======================Bits 'n Pieces======================================
Bits 'n Pieces1.PNG
A GitHub repository (https://github.com/ANSSI-FR/bmc-tools.git) is cloned using git clone.
The user navigates to the repository directory and runs a Python script (bmc-tools.py) with parameters to process a binary file (Cache0000.bin)
and save output to a specified directory.
Bits 'n Pieces2.PNG:
A Windows command prompt displays the flag: CIT{c4ch3_m3_if_y0u_c4n}.
The reference to "cache" in the flag and browser-related activities suggests a challenge involving browser cache analysis.
===========================================================================
============================baller.zip======================================
Command Used: ===>>> binwalk --dd='.*' baller.zip
This command analyzes the file baller.zip using the binwalk tool, extracting all detected data with the --dd='.*' option.
Output Details:
Multiple Zip archives are detected at different offsets:
Offset 0 (0x0): Main archive named baller/.
Offset 69 (0x45): Archive named baller/01.
Offset 7726 (0x1E2E): Archive named baller/02.
Offset 11387 (0x2C7B): Archive named baller/03.
Offset 16609 (0x40E1): End of the Zip archive, with a footer length of 22 bytes.
A GIF image is detected:
Offset 16631 (0x40F7): GIF image data, version "89a", with a resolution of 3840 x 2160.