Free digital forensics CTF challenges
Published: September 5, 2021 11:18 am
Updated: September 9, 2022 4:42 pm
These are some of my digital forensics / steganography capture-the-flag challenges. They are freely available for personal and non-commercial use. Each section contains a description, download link, and a small write-up with the answer. You can download all the challenges (41.1 MB) if you wish.
Since making these CTFs I’ve been asked numerous times about how I come up with the ideas. The ideas are a combination of adaptations of known methods and inspiration from TV shows (hacking, spies, etc). One thing I have learned from making these: the less technical, the harder they are.
Blockchain
To The Moon
This person has been storing messages on the blockchain with Bitcoin, but we can't even find their wallet address. All we found was a grumpy cat picture. Find the wallet address to find the flag{}.
Show hint
OP_RETURN
Show walkthrough
My first blockchain-based challenge. Originally it was a single challenge but I decided it would be far too easy so I mixed it up and chained two additional challenges to it.
The first challenge is simple password-protected JPG steganography cracking using stegcracker.
Next is simple ZIP password cracking using john.
Then once you are in, it becomes a fairly simple OSINT challenge. Just search the internet with the string that you find and it will give you a clue to what it is. If you then try different resources, the answer will be in front of you without the need to decode anything.
Show answer
flag{Inf0S3cBl0ckch41nAn4lys15}
Bad Blockchain
This new botnet is using blockchain to store backup command-and-control server IP addresses. We’ve extracted the Bitcoin address but it’s not using the traditional OP_RETURN to hide the data. Can you find the IP address?
Show hint
Akamai
Show walkthrough
This challenge is about the problem with seemingly innocuous data: the Bitcoin transaction values, when converted, can convey different information. Inspired by real-world malware and a problem that we will likely see more of.
A little bit of OSINT will yield the research article: akamai bitcoin botnet
https://blogs.akamai.com/sitr/2021/02/bitcoins-blockchains-and-botnets.html
And a Python decoder:
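#!/usr/bin/env python3
# Decode an IP address from two Bitcoin transaction values.
# Usage: pass the two transaction values (integers) as arguments.
import sys

wallet_values = [int(sys.argv[1]), int(sys.argv[2])]
octets = []
for txn in wallet_values:
    # Each value carries two octets. Zero-pad to four hex digits so that
    # values below 0x1000 still split on the byte boundary.
    txn_hex = format(txn, "04x")
    octets.insert(0, str(int(txn_hex[0:2], 16)))
    octets.insert(0, str(int(txn_hex[2:4], 16)))
print("Malware IP:")
print('.'.join(octets))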
Show answer
192.168.200.48
Image
Hit a brick wall
The spare key is usually under the doormat, a plant pot, or a rock…
Show hint
The writing is on the wall
Show walkthrough
Inspired by NASA and their Mars Rover Parachute as shown below. This is one of the less technical challenges and doesn’t require any fancy steganography tools. The flag is literally written on the wall.
Show answer
flag{b1nary}
Turtles all the way down
Just an archive of happy turtle pictures.
Show hint
Someone isn’t happy
The original image was a square
Show walkthrough
For this challenge, I decided to make it slightly more realistic by having an archive of many pictures instead of giving the flag bearer straight away. In a real-life situation, you will have to seek out and find the information rather than having the file handed to you on a plate.
There are many clues, however. The archive contains 20 pictures: 19 are JPGs and 1 is a PNG. All of the pictures are happy turtles with the exception of one picture. There are a few misdirections; one of them points to a honeypot, but also provides further information for PNG steganography research.
Requires hex editing of the IHDR header, the part that controls the height, and then the CRC will need fixing. (The image has been modified to change the height, hiding the flag.)
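The repair described above, as an added example rather than the author's own tooling: it reads the declared height from IHDR, counts the scanlines actually present in the IDAT data, and rewrites the height with a recomputed CRC. It goes beyond the walkthrough by deriving the real height from IDAT instead of relying on the hint, assumes a non-interlaced PNG, and runs on a constructed sample image; all function names are illustrative.

```python
import struct, zlib

SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel

def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def chunks(png):
    """Yield (type, data, crc_ok) for each chunk after the signature."""
    if png[:8] != SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk")
        crc, = struct.unpack(">I", png[end:end + 4])
        yield ctype, png[pos + 8:end], crc == zlib.crc32(png[pos + 4:end])
        pos = end + 4

def inspect(png):
    """Return (width, declared_height, rows_in_idat, ihdr_crc_ok)."""
    parsed = list(chunks(png))
    ctype, ihdr, crc_ok = parsed[0]
    if ctype != b"IHDR" or len(ihdr) != 13:
        raise ValueError("IHDR must be the first chunk")
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    raw = zlib.decompress(b"".join(d for t, d, _ in parsed if t == b"IDAT"))
    stride = 1 + (width * CHANNELS[colour] * depth + 7) // 8  # filter byte + pixels
    return width, height, len(raw) // stride, crc_ok

def set_height(png, new_height):
    """Rewrite the IHDR height and re-emit every chunk with a fresh CRC."""
    out = SIG
    for ctype, data, _ in chunks(png):
        if ctype == b"IHDR":
            data = data[:4] + struct.pack(">I", new_height) + data[8:]
        out += chunk(ctype, data)
    return out

def make_sample():
    """Constructed 8x8 greyscale PNG whose IHDR declares only 4 rows."""
    rows = b"".join(b"\x00" + bytes([y * 30] * 8) for y in range(8))
    ihdr = struct.pack(">IIBBBBB", 8, 4, 8, 0, 0, 0, 0)
    return SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
```

A declared height smaller than the row count in IDAT is the tell; patching the height bytes by hand without recomputing the CRC leaves `ihdr_crc_ok` false, which is why strict viewers refuse the edited file.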
Show answer
flag{coffee_first_then_smiles}
Text
Sequence
The director of this company believes 2 of his employees are sending secret messages using some sort of mathematical code, but the messages seem to be on-topic.
Show hint
There are subtle clues contained within the document
An Italian mathematician from the Republic of Pisa
Show walkthrough
Text steganography with a twist. There are hints within the text explaining the structure if you can work it out. 1,2,3,5…

Show answer
FLAG LANGUAGE
Network/Data
Intercepted
This email was intercepted from a compromised webserver. We believe criminals were using it to send secret messages but the message body is vague and does not use PGP encryption.
Show hint
You can set custom headers in emails after the system generated ones
Leaving the keys in the lock and it's a really bad lock
Show walkthrough
An idea I came up with myself after testing an email server. I thought it would be a good idea to send the message via a custom header instead of the message body.
~$ echo "Test body" | mail -s "Test Subject" -a "From: Test <[email protected]>" -a "X-Spam-Signature: PABZTAYKDRkNAFkCBwlHBRtNXkUJQFQAXQQHFkQfDE4TDApNBwAfWVQcRBANRVkZCB0PBw4DSwscVQBPWRtIEUUOSQsJEB0MBQYcDRsJDTIJDkgIABoeRDsfCgwXDScbTAABCkNFSSwVDQEKSxERSFQbQhsEFgNhYwgLBQgWGAoUSAAHRBoPOkQYNg8FCxoZNBEWchwOXQQNC1A=" -a "X-Spam-Validator: 6b65792d746f2d7468652d6b696e67646f6d"
The premise of this challenge is a compromised server but it could also be expanded to a developer exfiltrating company data by sending innocent-looking external test emails.
In reality, a person using this method would not include the decryption keys but I decided it was a little more exciting than using the standard rockyou.txt password list. Additionally, a person would use better encryption.
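An added example (not the author's code) of how an analyst could triage such a message: flag non-standard X- headers whose whole value decodes as hex or base64, then try one header as the key for the other. The message is constructed around the two header values from the command above; the repeating-key XOR step is an assumption, since the page does not name the cipher, and the function names are illustrative.

```python
import base64
from email import message_from_string
from itertools import cycle

# Constructed message; only the two X-Spam-* values are taken from the page.
SIGNATURE = (
    "PABZTAYKDRkNAFkCBwlHBRtNXkUJQFQAXQQHFkQfDE4TDApNBwAfWVQcRBANRVkZCB0PBw4D"
    "SwscVQBPWRtIEUUOSQsJEB0MBQYcDRsJDTIJDkgIABoeRDsfCgwXDScbTAABCkNFSSwVDQEK"
    "SxERSFQbQhsEFgNhYwgLBQgWGAoUSAAHRBoPOkQYNg8FCxoZNBEWchwOXQQNC1A="
)
VALIDATOR = "6b65792d746f2d7468652d6b696e67646f6d"
RAW = (
    "From: Test <test@example.invalid>\n"
    "Subject: Test Subject\n"
    "X-Mailer: mail (GNU Mailutils)\n"
    f"X-Spam-Signature: {SIGNATURE}\n"
    f"X-Spam-Validator: {VALIDATOR}\n"
    "\n"
    "Test body\n"
)

def encoded_headers(raw, min_len=16):
    """Return {name: decoded bytes} for X- headers that are entirely hex or base64."""
    found = {}
    for name, value in message_from_string(raw).items():
        value = value.strip()
        if not name.lower().startswith("x-") or len(value) < min_len:
            continue
        try:
            found[name] = bytes.fromhex(value)  # hex first: hex text can also pass as base64
        except ValueError:
            try:
                found[name] = base64.b64decode(value, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
    return found

def xor(data, key):
    """Repeating-key XOR (assumed scheme, see lead-in)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode(raw):
    """Decrypt the signature header using the validator header as the key."""
    blobs = encoded_headers(raw)
    return xor(blobs["X-Spam-Signature"], blobs["X-Spam-Validator"])

if __name__ == "__main__":
    print(sorted(encoded_headers(RAW)))
    print(decode(RAW).decode("ascii", "replace"))
```

The ordinary `X-Mailer` header is not flagged because its value is neither valid hex nor valid base64, so the same check doubles as a simple mail-gateway heuristic for encoded payloads in custom headers.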
Show answer
flag{something_is_about_to_happen}
Hidden
Found in the system32 directory, this .dll file doesn’t do what it says.
Show hint
These fork attributes are only found on the NTFS file system
Show walkthrough
This was supposed to be a moderately challenging CTF. It turns out that you simply run binwalk and directly extract the flag…
I’d hoped it would require a bit more work to determine the file type and then find the flag hidden within the Alternate Data Stream. It just goes to show that trying to be clever can fail big time.
Hidden within the Alternate Data Stream (ADS)
Solution:
- Extract zip
- Rename winsock32.dll to extension .vhd
- Mount VHD
- Check for ADS "dir /r"
- Open flag with "mspaint passwords.txt:flag.jpg"
Show answer
flag{me0w_hia!}
Audio/Video
Elliot’s secret stash
Free stuff is good, but you could be storing something sinister without your consent.
Show hint
Elliot used this method in Mr. Robot
Show walkthrough
Inspired by the method used on the TV show Mr Robot. This is an easy CTF with the right software.
I used a piece of software called DeepSound to encode hidden files inside the music track (the same method used on the TV show Mr Robot). The hidden file is an unfinished music video that was modified to visually include the flag. You will need to watch the video to find the flag. No other fancy stego involved.
Show answer
flag{hello_Elliot}