Magnet Virtual Summit CTF Ciphers

Lounge
1

SOLVED, THANKS!

Hey, I’m doing the MVS Forensic CTF and they have ciphers to do while waiting for the main questions to release on 26 Feb.

I was able to get 6/7 ciphers but the 2nd last one isn’t making sense to me.

I’ve tried DeepSound, Audacity for the spectrograph, Sonic Visualizer, and boosting the last 5s of audio but it gives me a headache so I‘m not able to figure out what’s being said. I’ve also tried various versions of int80, some other linux commands, and versions of “HideNSeek”.

The song is “Hide & Seek” by Dual Core (https://genius.com/Dual-core-hide-and-seek-lyrics)

I think I’m overthinking it, can anyone give me a hint?

Screenshot_20260221_142805_Opera GX
Screenshot_20260221_142805_Opera GX1440×3088 146 KB

Screenshot_20260221_142810_Opera GX
Screenshot_20260221_142810_Opera GX1440×3088 146 KB

Screenshot_20260221_142818_Opera GX
Screenshot_20260221_142818_Opera GX1440×3088 179 KB

2

I dont know the answer, but can give you some guess I would try

You probably worked it out,

Bonsoir Elliot will be a Mr Robot reference, maybe the passphrase or a variation there of…

Lets look at the clues

It’s not that Deep, just Sound it out (shout out to int80)

Break them down to 3 seperate parts

“It’s not that Deep”

To me, that woukd suggest to NOT use DeepSound

“just Sound it out”
To me i think phonetics, shorthand or stenography.
Maybe like the game MadGab
You read some words and it sounds like another…
Easier for the listener than the speaker

(shout out to int80)
I’m shit at linux, but int means interrupt correct?
So could that be pause at 80secs?
its “shouted out” / said at 80sec >
Also in parenthesis () That could be the bit you analyze / isolate

There was a hidden challange on the TV show Archer, season 6 that I did, it had a hidden .wav file, if I recall correctly, the sound file created a visual word and url to follow for the next clue.
You said you used Audacity, That is what I used,
Try the Spectrogram function, and try changing the frequency
were there any peaks at 80sec that maybe infrasound or ultrasound?
even compressed?
Oh, also try changing the resolution of the window.
Im not sure which, but toghle between linear and logarithmic, one setting I could see the clue, the other I couldn’t

Hopefully at least some of that may be of use…
Good luck.
keep us up to date

1 Like
3

Awesome, thank you! I saw the weird pause in the audio but I didn’t think to change frequencies/zoom in on it.

I got hung up on the last 5 seconds and splitting the channels.

Gonna grab some food and try your suggestions in a bit, I’ll update everyone with the results/answer.

1 Like
4

That could also be a “frequency” clue

not deep / bass
so maybe
higher / trebble

3 Likes
5

It’s referring to int 0x80 and that’s an x86 software interrupt instruction, not a Linux thing. But in Linux, on the x86 architecture, it’s the interrupt used for syscalls.

Maybe the answer is just 0xCD80 which should be the opcode for int 0x80? Or it’s syscall?

2 Likes
6

I couldn’t find anything in the wav file with the spectrograph, mostly cuz looking at it so much is giving me headaches, but I tried your suggestions and none were correct.

It’s probably something super simple and I’m just overthinking it, all the others were pretty easy.

Even the last cipher worth the most points only took me about 10 mins to figure out lol

7

A couple of thoughts

Anything in metadata?

noticed these in the lyrics

first 3 lines

Screenshot_20260222_214820_Chrome
Screenshot_20260222_214820_Chrome1079×1334 147 KB

These letters different font from the others

Screenshot_20260222_215059_Chrome
Screenshot_20260222_215059_Chrome1080×559 154 KB

1 Like
8

Nothing stands out in the metadata

hidenseekmetadata.pdf (19.2 KB)

The lyrics first letter line up differently on each device but the Cyrillic “е” is there on every device.

The “е” is “Ye” has a history of being a variant of Ukrainian Ye.

Unfortunately that points me back to the end 5s where it sounds like “Ye ye” (or some version) is being said.

I tried to mess with Audacity settings but nothing is legible enough to match it to real letters. All the settings I’ve tried make everything look like “8”, “W”, “U“, “H“, "or “B” which doesn’t mean anything to me.

9

It’s a song about a whistleblower. Maybe that’s related to the answer?

1 Like
10

Playing around, I had a look at the header
“It’s not that deep”

Screenshot_20260223_083410_Chrome
Screenshot_20260223_083410_Chrome1080×270 141 KB

R I F F WA VE fmt

Probably not too unexpected, or maybe, because “It’s not that deep” could be something

The other thing that stood out was

in that header, after the above RIFF WAVE etc at the end, there appears to be data
MOSTLY zeros, but mixed with some low values 01, 02, 03

Could there be something in that?

The last lyric is WikiLeaks…

1 Like
11

Yea I got “RIFFæýÄWAVEfmt D¬±dataÀýÄ” out of the hex which didnt make sense to me.

Also tried the wikileaks route “Snowden’“, “Edward Snowden”, “Vault7”, etc and no luck.

When I’m messing with the spectrograph I swear I see “WWW” (or a short sentence) very faintly but everything i try doesnt bring out text clear enough to match it to any letters/symbols”

This (screenshot) looks like it could be 2 letters, 4 letters, then 4-6 letters but nothing gets it clear enough to read.

image (3)
image (3)1920×1031 377 KB

12

This is the solution for Challenge 5

https://dfir.blog/unfurl/

How did you solve the last challenge?

I’m still working on it and haven’t reached a conclusion yet.

1 Like
13

@saif Which last challenge? The 6th one or the 5th one?

1 Like
14

hi @lucid_living
6th

15

Use Ghidra, add the exe, analyze the exe, then open the exe with CodeBrowser.

In Ghidra, filter for “png” in the PE resources menu, there’s some png files, the smaller one (1.892 kb) has a PDF417 barcode. Scan the barcode and you’ll get a 60 character password.

Enter the password (moo.exe “×××60×××”), then that password reveals the flag URL.

Also, I appreciate the help. I’m gonna go through the 5th cipher to figure out how the URL is found, but it was driving me crazy and the searching was giving me migraines lol

1 Like
16

Thank you for your reply.
I was able to use the Resource Hacker tool.

1 Like
17

No problem, thanks again for the help.

18

any luck?

19

Yep! Their answer was the correct flag.

Tried to find it myself and was able to. The header DSSF is steghide magic bytes. It was embedded using 2 bit LSB steganography between both channels.

It showed “YOU FOUND IT!\r\n\r\nhttps://dfir.blog/unfurl/”

All ciphers are complete now :saluting_face:

Thanks for the help!

4 Likes
20

I can give you a hint, if you could please help give me a hint for ‘Cows come in all shapes and sizes’…I will say that the Mr. Robot is a huge clue…I wonder if there was a program he used to hide info in a song :wink: again… this may sound deep