~/xv1's projects

CCT2019

Posted on Jun 15, 2024

ctf link

Legacy challenges from the US Navy Cyber Competition Team 2019 Assessment sponsored by US TENTH Fleet

I think this is the longest a CTF has ever taken me

Steps

Challenge 1

  • The first pcap file only has 20 frames
  • They are all URB_BULK packets, which is a USB protocol
  • frame number 2 had the visible file name pcap_chal.pcap in the hex data
  • Seeing this I ran binwalk to extract any other files within the pcap
└─$ binwalk pcap2_1583863710056.pcapng

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
471           0x1D7           Zip archive data, at least v2.0 to extract, compressed size: 2308021, uncompressed size: 2731652, name: pcap_chal.pcap
2309652       0x233E14        End of Zip archive, footer length: 22
  • Extracting with binwalk -e directly didn’t work and since the challenge specified maintaining file integrity was really important I decided to try a different method
  • Instead I extracted the hex data directly and ran binwalk on that
  • For this I used tshark
# -r for infile, -T for text output format, -e specify field, usb.capdata is the leftover capture data
tshark -r pcap2_1583863710056.pcapng -T fields -e usb.capdata > extractedpcap

# hex to binary
└─$ cat extractedpcap | xxd -r -p >> unhexed

└─$ file unhexed
unhexed: data

└─$ binwalk unhexed

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
28            0x1C            Zip archive data, at least v2.0 to extract, compressed size: 2308021, uncompressed size: 2731652, name: pcap_chal.pcap
2308189       0x23385D        End of Zip archive, footer length: 22
  • Yayyyyyy :>
  • Now we can extract with binwalk -e with no issues
  • CDed into the extracted directory
└─$ ls
1C.zip  pcap_chal.pcap
  • pcap_chal.pcap is a much larger pcap file filled a variety of requests ICMP, TCP, TLS, DNS, etc
  • TCP and DNS requests are usually the easiest to decipher so I started with those
  • Following the TCP steam first, I found a couple intersting convos
POST /GTSGIAG3 HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 83
Content-Type: application/ocsp-request
Connection: keep-alive


0Q0O0M0K0I0 ..+...........cb2..5..u...J..l...w..P.gvv.-.....~.~.K..R.L.x.].c......bHTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Mon, 15 Jul 2019 04:43:48 GMT
Cache-Control: public, max-age=86400
Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

[ SNIP ]

and (#1)

GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 1P_JAR=2019-07-12-21; NID=187=SDiyx-7X1cbM4j2nPqFKdqGpQ-RNK5s7iqKCqSykF9_Z1OanmoFDXXd72XOOn-9fw6vhOgmW19N5WTlvDV_xENDntejAO6leq32QEW8Ttu8ELp193MrH2E8WsSzJhKZ3aNT9PFTZzu4b8ThXLijiaNxkPSEXa63CA1FicOWsRZQ; OGP=-5061451:; ANID=AHWqTUlcGgtLQsX46euJwP8amo5yvh02jnSUY_-P-JNKVo0YcA6Jd7o075-uiQaN; OGPC=19012637-1:19012625-1:
Connection: keep-alive
Upgrade-Insecure-Requests: 1


HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Jul 2019 04:44:37 GMT
Expires: Wed, 14 Aug 2019 04:44:37 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN


<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

and (#2)

GET /analysis.php?id=e7e47ecfd72c324519c9a72239cd2b399aaafc4b.9686&fmt=card HTTP/1.1
Host: fotoforensics.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 15 Jul 2019 04:44:56 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Pragma: cache
Access-Control-Allow-Origin: *
Cache-Control: no-transform,private,max-age=600,s-maxage=900
Expires: Mon, 15 Jul 2019 04:54:56 GMT
ETag: "3KCUoJiun.nB8Iy_3biIsYO1yfyYqsn5za6W6pYx"
FF-Length: 102908
Content-Disposition: inline; filename="e7e47ecfd72c324519c9a72239cd2b399aaafc4b.9686-card.png"

[ plus an entire reacted png ]

and especially (stream 52 - IRC packet)

:irc.cct NOTICE Auth :*** Looking up your hostname...
CAP LS 302
PASS RedRoverRedRover$$
NICK zoobah
USER binaryphalanx 2 * :binaryphalanx
:irc.cct NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.55.64) instead.
:irc.cct NOTICE Auth :Welcome to .Localnet.!
:irc.cct 001 zoobah :Welcome to the Localnet IRC Network zoobah!binaryphala@192.168.55.64
:irc.cct 002 zoobah :Your host is irc.cct, running version InspIRCd-2.0
:irc.cct 003 zoobah :This server was created on Debian
:irc.cct 004 zoobah irc.cct InspIRCd-2.0 iosw biklmnopstv bklov
:irc.cct 005 zoobah AWAYLEN=200 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=255 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 :are supported by this server
:irc.cct 005 zoobah MAXTARGETS=20 MODES=20 NETWORK=Localnet NICKLEN=32 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=307 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:irc.cct 042 zoobah 108AAAAAC :your unique ID
:irc.cct 375 zoobah :irc.cct message of the day
:irc.cct 372 zoobah :- Welcome to the CCT Test Server for the PCAP assessment!
:irc.cct 376 zoobah :End of message of the day.
:irc.cct 251 zoobah :There are 1 users and 0 invisible on 1 servers
:irc.cct 254 zoobah 0 :channels formed
:irc.cct 255 zoobah :I have 1 clients and 0 servers
:irc.cct 265 zoobah :Current Local Users: 1 Max: 1
:irc.cct 266 zoobah :Current Global Users: 1 Max: 1
  • I followed DNS aka UDP stream next which was mostly just the same google mozzila cloudflare github medium font api oscp (and cyber.meme.tips) things I had seen before
  • First I started with the GET request (found in and #2) for the site fotoforensics.com/analysis.php?id=e7e47ecfd72c324519c9a72239cd2b399aaafc4b.9686
  • Which was basically steg analysis on this REALLY weird looking picture
  • None of the site steg checks found anything useful so I downloaded the image
└─$ binwalk strange.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 300 x 300, 8-bit/color RGB, non-interlaced
166           0xA6            Zlib compressed data, default compression
  • Ok this might just be nothing
  • Moving on to the IRC convo we have the username binaryphalanx, the password RedRoverRedRover$$, and the unique id 108AAAAAC
  • At this point I was kinda stuck. I have some info but nothing to do with it
  • I decided maybeee I should check the ICMP packets I had been ignoring for the past hour (there’s no easy follow stream option, sue me idc)
  • I basically just speed scrolled through ICMP packets until I got a bright yellow message transfer param highlighted and continued doing this to decipher the conversation
# ROUGH recreation
- hi wyd
= hi nm
- u didn't send the thing
= not over this tf
- ok then over what
= lets use cryptcat instead
- another thing to install?
= no one can see this
- id still rather use encryption
= we need to pick a key to use
- ik just the one
- Angela Bennett uses it to log into the Bethesda Naval Hospital
= that old thing?
- lemme look it up rq
- found it, use the metasploit port to recieve
= listener is up, send it
- ok, it's sent
=
  7181f4d45de00ae35b6cf8201c8d852b
- hash is good
  • Ok so we have a password BER5348833 and a tool cryptcat
  • The default listening port for most is 4444 so I checked traffic under that port tcp.port == 4444
  • Used tshark for extraction:
└─$ tshark -r pcap_chal.pcap -Y 'tcp.dstport == 4444' -Tfields -e data.data > stream
└─$ cat stream | xxd -r -p >> encfile
  • Transferred and decrypted the file
└─$ cryptcat -vv -k BER5348833 -lp 7777 > dec

└─$ nc -vv -w 1 localhost 7777 < encfile

└─$ file dec
dec: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=10e9d33fce367a29cfe8d74866c3cb474ec61172, for GNU/Linux 3.2.0, stripped
  • Modding perms and running the file itself threw an error
  • Running strings on the file I found this
PRIVMSG H
#flag :CH
[]A\A]A^A_
irc.cct
ERROR %s
Failed to get ip
Found the server at %s
Connected to my server!
CAP LS 302
USER cct2019 cct2019 irc.cct :realname
NICK cct
JOIN #flag
  • I also found the string gethostbyname which is definitely referring to DNS
  • Based on the IRC convo from the pcap file earlier I assumed that the DNS resolution was through localhost
  • So I modified my /etc/hosts file with the irc.cct domain
└─$ sudo sh -c "echo '127.0.0.1 irc.cct' >> /etc/hosts"
  • The file makes requests through the default IRC port 6667 so I set up a listener with nc -lvnp 6667 and ran the file
└─$ ./dec
Found the server at 127.0.0.1
Connected to my server!


└─$ nc -lvnp 6667
listening on [any] 6667 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 39222
CAP LS 302
USER cct2019 cct2019 irc.cct :realname
NICK cct
JOIN #flag
PRIVMSG #flag :CCT{h3's_a_pc@p_w1z@rd_th3re_hXXXXXXXXXXXXXXXXXXXX}
  • Done! (except for 3 more tasks </3)

Challenge 2

  • After downloading the file, I first checked for any obvious anomalies
└─$ file re3_1583875067748.exe
re3_1583875067748.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

└─$ binwalk re3_1583875067748.exe

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
6503          0x1967          Copyright string: "CopyrightAttribute"
10587         0x295B          XML document, version: "1.0"
  • Finding nothing out of the ordinary here, I started reverse engineering the executable
  • Running it on windows, it showed a window with four sliders that you could move to change the numbers displayed. After you move the sliders you could check your answer to see if you have gotten it right
  • Based on the behavior of the program, I assumed the sliders either had to match certain numbers or add up to a certain number to get the flag
  • Any wrong answers are met with None shall pass! Again? Give up?
  • Running strings shows that the file is a .NET executable (Dotfuscator mentioned), so I downloaded dotPeek to decompile it
  • Right click exported the project to my IDE so I could look at all the C# code
  • Focusing mainly on the a.cs file I found this section
       int num1 = 711;
        int num2 = 711000000;
    if (A_0_1 + A_1_1 + A_2 + A_4 == num1 && A_0_1 * A_1_1 * A_2 * A_4 == num2 && A_0_1 > A_1_1 && A_1_1 > A_2 && A_2 > A_4)
    {
      int num3 = (int) MessageBox.Show(this.goodBoy(A_0_1, A_1_1, A_2, A_4, (byte[]) this.byteA.Clone()));
    }
    else
    {
      int num4 = (int) MessageBox.Show(this.badBoy(A_0_1, A_1_1, A_2, A_4, (byte[]) this.byteA.Clone()));
    }
  • This basically says that the numbers on the sliders must add up to equal 711, multiply to equal 711000000, and each successive value is smaller than the last
  • So I wrote some python code to find the four values
def nums():
    num1 = 711
    num2 = 711000000
    for val1 in range(1, 711):
        for val2 in range(1, val1):
            for val3 in range(1, val2):
                for val4 in range(1, val3):
                    if (val1 + val2 + val3 + val4 == num1 and
                            val1 * val2 * val3 * val4 == num2):
                        print(val1, val2, val3, val4)
    return None

solution = nums()
print(solution)
  • Input the values for the sliders and got the flag! 31C02DCFDE2FCF727016XXXXXXXXXXXX

Challenge 3

  • The file for this challenge is a jpeg
  • Started out with steg checks, string, binwalk, etc
└─$ strings for1_8f90d68390b565c308871a52c6572de8_1583875226079.jpeg
JFIF
xExif
CCT 2019
http://ns.adobe.com/xap/1.0/

└─$ binwalk for1_8f90d68390b565c308871a52c6572de8_1583875226079.jpeg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
29202         0x7212          Zip archive data, encrypted at least v2.0 to extract, compressed size: 159, uncompressed size: 189, name: fakeflag.txt
29529         0x7359          End of Zip archive, footer length: 22
  • So its JFIF adobe image with exif data, contains a fakeflag.txt file
  • Running exiftool I found this section
Description                     : .--- ..- ... - .- .-- .- .-. -- ..- .--. .-. .. --. .... - ..--..
  • Which decodes to JUSTAWARMUPRIGHT?
  • I extracted the zip archive with binwalk -e which revealed an empty fakeflag file and a password protected zip archive which also contained a fakeflag file
  • To find the password 0ni0n_0f_0bfu5c@ti0n I ran the image through http://georgeom.net/StegOnline/image with the LSB Half filter
  • This password didn’t work, so I used the hint which was about lowercase passwords and used the first string from the morse code as the password
  • This password worked and I got the contents of the real fakeflag.txt file, which contained another password Z10N0101
  • Assuming there was another zip file that binwalk didn’t catch, I used steghide to keep searching
  • The third password worked for this one
└─$ steghide extract -sf for1_8f90d68390b565c308871a52c6572de8_1583875226079.jpeg
Enter passphrase:
wrote extracted data to "archive.zip".
  • I extracted archive.zip with the second password which contained more txt files and a flag.zip archive
└─$ cat cipher.txt
FSXL PXTH EKYT DJXS PYMO JLAY VPRP VO

└─$ cat config.txt
C G. VI. VII. VIII. AMTU RING AM BY CH DR EL FX GO IV JN KU PS QT WZ
  • I replaced the cipher text with JHSL PGLW YSQO DQVL PFAO TPCY KPUD TF per the challenge description
  • the config file contains instructions for the enigma machine (M4 Shark, UKW C thin, first group of 4 are position, second four are ring)
  • Output minus spaces is the flag password ctfforensicsisnotrealforensics
└─$ cat flag.txt
CCT{Well_that_wasn't_suchXXXXXXXXXXXXXXXXXXXX}
  • Done!

Challenge 4

  • I started by running binwalk on the file, which showed it contained two zip archives
└─$ binwalk crypto1_1583878372378.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 226, uncompressed size: 363, name: crypto1a.txt
268           0x10C           Zip archive data, at least v2.0 to extract, compressed size: 1487, uncompressed size: 1665, name: crypto1a.zip
1985          0x7C1           End of Zip archive, footer length: 22

# unzipped the file
└─$ ls
crypto1_1583878372378.zip  crypto1a.txt  crypto1a.zip
  • The txt file contained cipher texts that looked like it was alphabet encoded, ROTed, substitution encoded, or something similar
└─$ cat crypto1a.txt
Ab .aof y.jdbc'g. urp ornkcbi Ja.oap ogxoycygycrb jcld.po ,cnn rbnf i.y frg or uap x.jago. ru lgbjygaycrb ofmxrnov  Oycnnw cy odrgne i.y frg jnro. .brgid yr ucigp. rgy yd. p.oyv  Xgy jab frg ucigp. rgy yd. t.f ,dcjd dall.bo yr x. yd. bam. ru yd. _nafrgy_ ,dcjd jp.ay.e ydcov Ajygannfw frg dae x.yy.p .by.p cy ydpcj. hgoy yr x. oau. (ann nr,.p[jao. cu frg ln.ao.)v
  • I use dcode.fr for most of my decoding, so I tried the cipher identifier on that site
  • The highest result was a hill cipher (which didn’t work)
  • I tried monoalphabetic:
AN .ASY T.CHNI'U. FOR SOLVING CA.SAR SUBSTITUTION CIPH.RS ,ILL ONLY G.T YOU SO FAR B.CAUS. OF PUNCTUATION SYMBOLSE STILLW IT SHOULD G.T YOU CLOS. .NOUGH TO FIGUR. OUT TH. R.STE BUT CAN YOU FIGUR. OUT TH. K.Y ,HICH HAPP.NS TO B. TH. NAM. OF TH. _LAYOUT_ ,HICH CR.AT.D THISE ACTUALLYW YOU HAD B.TT.R .NT.R IT THRIC. JUST TO B. SAF. (ALL LO,.R[CAS. IF YOU PL.AS.)E 


|🔤₁|AXJEVUIDCHTNMBRLZPOYGKWQFS|
|🔤₂|ANIHDYUJGCVPMLSRXOZKFEWBTQ|
  • But this didn’t give me the layout answer
  • So I tried keyboard swap:
aN EASY TECHNIQUE FOR SOLVING cAESAR SUBSTITUTION CIPHERS WILL ONLY GET YOU SO FAR BECAUSE OF PUNCTUATION SYMBOLS>  sTILL< IT SHOULD GET YOU CLOSE ENOUGH TO FIGURE OUT THE REST>  bUT CAN YOU FIGURE OUT THE KEY WHICH HAPPENS TO BE THE NAME OF THE 'LAYOUT' WHICH CREATED THIS> aCTUALLY< YOU HAD BETTER ENTER IT THRICE JUST TO BE SAFE 9ALL LOWER_CASE IF YOU PLEASE0>
  • So the key is the name of the layout that created the ciphertext, all lowercase and repeated three times, which is the name of the keyboard layout used to decode the ciphertext
  • Using that to unzip the file, we get the first flag CCT{Actu411y_a_w@rmup}
  • Now on to crypto1b
A word of advice for the next one. Don't straddle the fence or you'll end up riding a rail or five. It'll hurt from the bottom up.

n h newuhe eddre nect tota ufyaolim7ter val lcy vsf slAroeeoiroigtatradetlno o pek ?Sl n aee s epeth  atedpairu hsg?Hot oe.wygoelrfo 93aei alsw'e  elntte l o.A eat o,b' by le frnsk,nt tes uv hl o ir lgHayairiteobbaam ibuohlm tursernuuohgteseoob srk    spsrirt1 mdvoho'eI nmpiihi ainuetere susutpa .lwc  dsa   t t,iiorgoguhfecae r tcslhslayhn eseaftaeo peelsantnthu e,nwati  Tetees ecfh ai ofCteb seisn eto potb hyli'rCtirbsx oaego'sbttamt u?Mingfh.e  ev dac cfp  c om  hahh t enm t.esg f ut t  oilso uhao
  • Advice was a lil wild but this one isn’t too bad
  • Started back with the dcode cipher identifier, which identified transposition cipher, skip cipher, and a few others
  • The hint mentions rails and fences, which was referring to the rail fence cipher
  • I made sure to keep punctuation and spaces while decoding, and I ended up with this barely legible jumble of letters:
onrving ggoht algfu throhhf a die.crent aeelleng  rHow a  tyou acesipherlvhike ts le? Soadyble bhanand a cemade s eier bacfuse otfahe plepoment   pthe ue er caslcsettera nnd putonuatiotmhhrougu  t thee ,ssagenhwo? Hoaatbout ih s for hTkey. e t way ete gooss  pellseecrrififnhrom t ma1973 i  matedotfvie oC.tharloeeb's we ssI've egin a ms npelli fein tht oitle  upa cliottn youb  e. Athtye verl ieast ' rs fouCots, buiirt's pblsably xs . Allooawer ce g for ou'dnessshbake, tat not aomt it t  ters,u ?i ouiM i
  • Yeah there are obviously some missing letters
  • I've egin a ms npelli fein tht oitle upa cliottn youb e. something about a youtube clip
  • hTkey. e t way ete gooss pellseecrrififnhrom and something about the key
  • the key is the way the goose spells ???
  • I looked up “the way the goose spells” and got a bunch of results with the word “terrific” in it
  • One youtube video title was Goose Spells Teerrrriiffiiccc and based on the missing letters and other things going on in the semi decoded ciphertext, I guessed that the key was teerrrriiffiiccc or some modification of it
  • Doing some more reasearch, I found this excerpt
According to the goose, it’s, “T double-E double-R double-R double-I double-F double-I double C, C, C!” (E.B.White, _Charlotte’s Web_).
  • teerrrriiffiicccccc!
  • And we get the flag CCT{th@t_w4s_XXXXXXXXXXXXXXXX} honestly more OSINT than decoding
  • On to crypto1c:
Last one of the basic batch. But is it compression, encoding, or encryption?

11122112141311112123131222211121621211124112213221112162112113114163113211421121132221622222411321311331611221121413111121231312222111216322121412123312222111122141624112123212416214122231631132114221112162321321242113531132142162321211424112123212322111121322231221111322216222232122141212112163113211422111216231224113221211211232216231224113113232121151124162312311111311416311321142211113212221112162411321222111216212111214132122211121623212114241121232123221111213222312211113222162411211422111124112214113316121421413132163131211211212321241642112141311112162222241132122211121624112231241121121121323221311416311321142141322122111216121212163131214121322213221111321311331615113114162411213242121632122411311322111211241631312211112123212416221321412132221112162411213222141621142211113212221112162112113222164211214131111132131622222123241122323113161421142111111341211212111151322122111122111111512213221111241122131151232121121135211422111132123221115124112123212311513113211422111111513113211211212111221111511
  • Provided hint: start with 0, not 1
  • Looks like a mix of binary and ascii
  • After staring at it really hard for about 10 minutes I was like “what uses a ton of repetition and seems much longer than the final result should be?”
  • Run Length Encoding! read about it here
  • So back to dcode we go
  • I decoded it in binary mode (0 first as the hint says)
01011001011011110111010100100111011101100110010100100000011011010110000101100100011001010010000001101001011101000010000001110100011010000110100101110011001000000110011001100001011100100010111000100000010110010110111101110101001001110111011001100101001000000111001101101111011011000111011001100101011001000010000001100001011011000110110000100000011011110110011000100000011101000110100001100101001000000110001101110010011110010111000001110100011011110010000001100011011010000110000101101100011011000110010101101110011001110110010101110011001000000110011001110010011011110110110100100000011101000110100001100101001000000110001001100001011100110110100101100011001000000110001001100001011101000110001101101000001011000010000001100010011101010111010000100
[ . . . ETC . . . ]
  • Binary -> ascii and we got the flag
You've made it this far. You've solved all of the crypto challenges from the basic batch, but there are more challenges ahead. How will you fare against those I wonder. At any rate, well done and here is your flag: CCT{I_see_dead_XXXXXXXXXXXXXXXXXXXX}
  • Done!