[Hacking walkthrough] THM: CTF 100 – Stage 1

What's up guys, welcome to another series of TryHackMe CTF challenges. I named this series CTF 100, meaning capturing 100 flags. This room was created by me. Guess what, I'm the guy behind all these crazy challenges; upvote this room if you like it or let me know if you hate it XD. Since around 9 people have solved stage 1 (as of 3/11/2019), this is a good time to do a write-up. Enough BS, let's get started.

  1. Flag-1
  2. Flag-2
  3. Flag-3
  4. Flag-4
  5. Flag-5
  6. Flag-6
  7. Flag-7
  8. Flag-8
  9. Flag-9
  10. Flag-10
  11. Flag-11
  12. Flag-12
  13. Flag-13
  14. Flag-14
  15. Flag-15
  16. Flag-16
  17. Flag-17
  18. Flag-18

Task 1: Stage 1

The theme of stage 1 is ciphers, text encoding and esolangs. Nothing special here, I just wanted to test your skill.

Task 1-1: Flag 1 – The beginning of the end

Start your Nmap scanner and locate the open port.

$ nmap -Pn -p3000-3999 -v -T5 --min-parallelism 100 <Machine IP>

We have port 3333 open on the machine. Let’s check it out with telnet.

$ telnet <Machine IP> 3333

The terminal asks for your address. Enter the address according to your tunnel IP.

Alright! We just captured our first flag. The terminal also mentions that 5 ports have been opened on the machine. Time to perform another Nmap scan.

Answer: you_got_a_message

Task 1-2: Flag 2 – ROT 13

Do another Nmap scan with the following command.

$ nmap -Pn -p3000-3999 -v -T5 --min-parallelism 100 <Machine IP>

We are now able to identify all the ports currently open on the machine. Let's kick-start with port 3343.

Upon accessing the port, you will be greeted with a message and an input field. The code can be deciphered using a ROT13 decoder.

Enter the plaintext and capture the flag. Take note of the number as we are going to need it afterward.

Answer: qt8pm59jh5r49uqdwfw2

Task 1-3: Flag 3 – Caesar cipher

Let’s move on to the next port (3353).

This is a Caesar cipher. Keep rotating the letters until you get a proper English word.

Answer: 5wdtc7jzk33qjauh5gxm

Task 1-4: Flag 4 – Vigenere cipher

This task is a bit tricky. Let's see what is inside port 3363.

Where is the key. Get it? Basically, the key is "where". Did you fall into my trap? Haha.

Answer: sm8jvu8jxu7dz6s7qmsp
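
The "keep rotating" step from Flags 2 and 3 and the keyed shift from Flag 4 can be scripted. The Python below is an added example, not part of the room or the original write-up; the word list and the sample ciphertext are constructed for illustration, and only the key "where" comes from the text above.

```python
import string

# Tiny constructed word list used to score candidate plaintexts; a real
# solver would use a larger dictionary or letter-frequency statistics.
COMMON = {"the", "and", "flag", "is", "to", "of", "you", "for", "this", "key"}

def shift_text(text, shift):
    """Rotate A-Z / a-z forward by `shift`; leave digits and punctuation alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def crack_caesar(ciphertext):
    """Try all 26 rotations; return (shift, plaintext) with the most known words."""
    def score(candidate):
        words = candidate.lower().split()
        return sum(w.strip(string.punctuation) in COMMON for w in words)
    best = max(range(26), key=lambda s: score(shift_text(ciphertext, -s)))
    return best, shift_text(ciphertext, -best)

def vigenere_decrypt(ciphertext, key):
    """Subtract the repeating key; the key position only advances on letters."""
    shifts = [ord(k) - ord("a") for k in key.lower()]
    out, i = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            out.append(shift_text(ch, -shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample: ROT13 of "the flag is here" (not the room's ciphertext).
ROT13_SAMPLE = "gur synt vf urer"

if __name__ == "__main__":
    print(crack_caesar(ROT13_SAMPLE))
    print(vigenere_decrypt("bsex mo", "where"))
```

ROT13 is simply the Caesar case with a shift of 13, so `crack_caesar` covers both tasks.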

Task 1-5: Flag 5 – Morse code

Next port (3373) please.

Use a Morse code translator to yield the following results.

Answer: 2p3363hrava9fbq296ca

Task 1-6: Flag 6 – Hex

Let's hop on to the next port (3383).

This one is easy, just translate the hex code into ASCII.

Answer: skuj9359mqdm6sv8d8z6

Task 1-7: Flag 7 – Silent

Did you get all 5 numbers from the previous tasks? In the order of the flags, the numbers are

8989 7431 5667 9332 3331

Open up port 9999 and enter those numbers. (There is a reason I chose port 9999 as the port knocking channel; use Nmap and check the name of the port.)

Does something happen? Time to do another scan.

$ nmap -Pn -p4000-4999 -v -T5 --min-parallelism 100 <Machine IP>

Another open port. Let's check it out.

DO NOT TRUST ANYTHING IT SAYS. Keep silent by pressing enter and eventually it will open another path for you.

If you got trolled, I'm truly sorry. The PORT PORT … means there are another 5 ports opened on the machine.

Answer: zmht7gg3q3ft7cmc942n

Task 1-8: Flag 8 – Base64

Perform another Nmap scan.

$ nmap -Pn -p4000-4999 -v -T5 --min-parallelism 100 <Machine IP>

5 more challenges are ready to be solved. Let’s move on to port 4001.

This is a base64 encoded text. Let’s decode the text.

Take note of the number as you're gonna need it later on.

Answer: dmm32qvfkfwm6yjnw46k

Task 1-9: Flag 9 – Base32

Let's move on to port 4002.

This is base32.

As simple as 1 + 1.

Answer: fuf8mx74nph26f69mr97

Task 1-10: Flag 10 – Base58

What is inside port 4003?

This is base58. For your information, base58 looks similar to base64 but is not as well known.

Answer: hud9bm8yc37md5b7t7mn

Task 1-11: Flag 11 – Base85/ASCII85

Port 4004, onward!

Base85 looks like gibberish to us. Base85, or ASCII85, uses the printable ASCII characters from decimal 33 to 117. Use the following decoder to decode the text.

Answer: 4xm43r2wajrsrbm4775d
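
The base64, base32, base58 and ASCII85 steps from Flags 8 to 11 can be tried in one pass instead of one online decoder per task. The Python below is an added example, not code from the room or the original write-up; base58 is not in the standard library, so it is implemented by hand with the Bitcoin-style alphabet (an assumption, the room's exact alphabet is not stated), and the sample strings are constructed.

```python
import base64
import binascii

# Bitcoin-style Base58 alphabet (assumed): no 0, O, I or l, and no symbols.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(text):
    """Decode Base58: read the string as a base-58 integer, then emit bytes."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)            # ValueError on foreign characters
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))   # each leading '1' is a zero byte
    return b"\x00" * pad + body

def b58encode(data):
    """Inverse of b58decode, used here to build test input."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base32": lambda s: base64.b32decode(s),
    "base58": b58decode,
    "ascii85": lambda s: base64.a85decode(s),
}

def candidates(text):
    """Return {encoding: plaintext} for each decoder that yields printable ASCII."""
    found = {}
    for name, fn in DECODERS.items():
        try:
            plain = fn(text).decode("ascii")
        except (ValueError, binascii.Error):  # wrong alphabet, padding or bytes
            continue
        if plain and plain.isprintable():
            found[name] = plain
    return found

# Constructed sample: Base58 of "Hello World!" (not the room's data).
SAMPLE_B58 = "2NEpo7TZRRrLZSi2U"

if __name__ == "__main__":
    print(candidates(SAMPLE_B58))
```

More than one decoder can accept the same string, which is why `candidates` returns every printable result rather than the first match.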

Task 1-12: Flag 12 – Base91

What does the port 4005 say?

Hey, more gibberish. This is base91 encoded text and nobody is gonna use it.

Answer: qtfvbd7gbvyg9gww5jwj

Task 1-13: Flag 13 – Recollection

Similar to task 1-7, collect all 5 numbers to reveal another path. Ordered by flag number, the numbers are

10113 10415 21033 35555 25637

This order is not the true one; you need to reverse it, which gives

25637 35555 21033 10415 10113

Use these numbers on port 9999 to open a new path.

Perform another Nmap scan to find the path.

$ nmap -Pn -p6000-6999 -v -T5 --min-parallelism 100 <Machine IP>

Huh, port 6000.

More challenges ahead!

Answer: aehg24vwn5yyc8jz4tv5

Task 1-14: Flag 14 – pikalang

Do another Nmap scan and I promise this is the last Nmap scan, haha.

Alright, we located all 5 open ports. Let's move on to port 6010.

What? We can't understand this language. Who let the Pikachu out? Actually, this is an esolang called pikalang. Check this translator out.

Answer: k2phhw85emq3v4njj5g6

Task 1-15: Flag 15 – Binaryfuck

Another esolang on port 6020.

This is not an ordinary binary number, this is another esolang called binaryfuck. Check this translator.

Answer: qtfvbd7gbvyg9gww5jwj

Task 1-16: Flag 16 – Spoon

Find the spoon on port 6030.

This is another esolang named spoon. Try this translator.

Answer: ckjug6sj88xuajfku72h

Task 1-17: Flag 17 – Reversefuck

Drop the bass on port 6040.

Brainfuck is too mainstream, that is why I go for reversefuck. Use this translator.

Answer: x4xhrqx3ywzyx2jmgc5j

Task 1-18: Flag 18 – Alphuck

Another brainfuck variation on port 6050.

This is a variation of brainfuck, called alphuck. Use this translator.

Answer: kr2t9qcgt4ht9h6j5ydp
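
Pikalang, reversefuck and alphuck are all symbol substitutions of brainfuck, so one translator plus a small interpreter replaces the separate online translators. The Python below is an added example, not code from the room or the original write-up; the symbol tables follow each language's published definition as I know it, and the sample program is constructed. It covers three of the five dialects above.

```python
# Dialect token -> Brainfuck command, per each language's published symbol table.
ALPHUCK = dict(zip("aceijops", "><+-.,[]"))
REVERSEFUCK = dict(zip("><+-.,[]", "<>-+,.]["))
PIKALANG = dict(zip("pipi pichu pi ka pikachu pikapi pika chu".split(), "><+-.,[]"))

def to_brainfuck(source, dialect):
    """Translate a dialect program to Brainfuck, dropping non-command text."""
    if dialect == "pikalang":                      # whitespace-separated words
        return "".join(PIKALANG.get(tok, "") for tok in source.split())
    table = {"alphuck": ALPHUCK, "reversefuck": REVERSEFUCK}[dialect]
    return "".join(table.get(ch, "") for ch in source)

def run_brainfuck(code, stdin="", max_steps=1_000_000):
    """Interpret Brainfuck (8-bit wrapping cells) and return what it prints."""
    stack, jump = [], {}
    for i, c in enumerate(code):                   # pair up brackets first
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ]")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched [")
    tape, ptr, pc, out, inp = {}, 0, 0, [], iter(stdin)
    for _ in range(max_steps):                     # step cap stops runaway loops
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape.get(ptr, 0) + 1) % 256
        elif c == "-":
            tape[ptr] = (tape.get(ptr, 0) - 1) % 256
        elif c == ".":
            out.append(chr(tape.get(ptr, 0)))
        elif c == ",":
            tape[ptr] = ord(next(inp, "\0")) % 256
        elif c == "[" and tape.get(ptr, 0) == 0:
            pc = jump[pc]                          # skip the loop body
        elif c == "]" and tape.get(ptr, 0) != 0:
            pc = jump[pc]                          # repeat the loop body
        pc += 1
    raise RuntimeError("step limit reached")

# Constructed alphuck sample that prints "H" (not a program from the room).
ALPHUCK_SAMPLE = "eeeeeeeepaeeeeeeeeecisaj"
```

The step cap matters when running a program pulled from an untrusted service: a malformed or hostile loop raises an error instead of hanging the solver.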

Task 1-19: Until the next challenge.

Did you notice the numbering on the last 5 tasks? That is the port knocking sequence for stage two. The order should be

31031 50010 7968 20010 6100

Use these numbers to unlock the port on stage 2. If you have doubts about the sequence, you can perform a check on port 9999.

Answer: 31031 50010 7968 20010 6100


That concludes the CTF 100 stage 1 write-up. Stage 2 write-up coming soon. See ya 😉
