IrisCTF 2025

A writeup on the flags we cracked during IrisCTF 2025, covering Forensics and OSINT. Thanks to IrisSec for this fun and educational CTF experience!

Team ' OR 1=1--

IrisCTF is a 48-hour Capture the Flag competition organized by IrisSec. IrisCTF takes place the first weekend of every year online and features challenges in the disciplines of reverse engineering, binary exploitation, web exploitation, cryptography, radio frequency, networks, forensics, open-source intelligence, and more. IrisCTF is meant to be, above all else, a fun, lighthearted, and educational experience for all.

We would like to extend our gratitude to IrisSec and the sponsors for organizing IrisCTF, an incredible 48-hour CTF filled with engaging and diverse challenges. The competition was both a rewarding learning experience and a fun way to kick off the new year.

Forensics - deldeldel

In Wireshark, apply this display filter:

usb.transfer_type==0x01 and !(usb.capdata == 00:00:00:00:00:00:00:00) and frame.len>=72

Filter on a frame length of 72, since those frames carry the hex data from the keylogger (frame.len==72 works as well and is what the next few steps use, exported as del72.csv).

Export the output as CSV (File > Export Packet Dissections > As CSV) and grab the hex data:

cat del72.csv | cut -d "," -f 7 | cut -d "\"" -f 2 | grep -vE "Leftover Capture Data" > hexoutput.txt

Reference

Use this script to remap the hex data into keyboard keys

# USB HID keyboard usage ID -> key label
mappings = {
    0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G",
    0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N",
    0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U",
    0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1", 0x1F: "2",
    0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9",
    0x27: "0", 0x28: "n",  # Enter, printed as "n" in the output below
    0x2A: "[DEL]", 0x2B: "    ", 0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[",
    0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".",
}

nums = []

# hexoutput.txt holds one 8-byte HID report per line, as hex.
# Alternative extraction: tshark -r example.pcap -T fields -e usb.capdata > usbdata.txt
with open('hexoutput.txt') as keys:
    for line in keys:
        line = line.strip()
        if not line:
            continue  # skip blank lines instead of failing in int()
        # Byte 0 is the modifier byte, byte 2 is the first keycode slot
        if line[:2] != '00' or line[4:6] != '00':
            nums.append(int(line[4:6], 16))

output = ""

for n in nums:
    if n == 0:
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '--'  # usage ID not present in the mapping table

print('output:' + output)

Source

Manually work out the output of the script to retrieve the flag

output:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
HHEEY   AAALI[DEL][DEL]LICCE1 II  TTHINK  II''M  SSUPO[DEL]PPOOSEED  TOO  GIIVEE YOOU   TISS FLLAAG;nnIRIISCTFF[[TTHIS-AJJD[DEL][DEL][DEL]KEYLOGGEER-IISS-BOO[DEL][DEL][DEL]TOO-HARD-TWO[DEL][DEL][DEL]TOO[DEL][D  
EL][DEL]TO-USE]nG--A--BAACBACAABB--BBABBABCBBCCCDCDCDCCCBCCBBCBAAA--A------AA--AA--A--BCABADADCACACBA------------------------------------------------------------------------------------------------------------  
--------------------CAAA--B--BBAC--BACB--C--B--B--------------------------------------------------------

Manually work out the flag

irisctf{this_keylogger_is_too_hard_to_use}

flag
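
The manual clean-up above can be automated. The decoder below is an added example, not part of the original script or the challenge: it goes beyond the script by reading all six keycode slots, emitting a key only when it is newly pressed (which removes the doubled letters), honouring the Shift modifier byte and applying Backspace. The function names and the sample reports are constructed for illustration.

```python
# Added example: decode USB HID boot-keyboard reports into the text actually typed.
# Report layout: byte 0 = modifier bits, byte 1 = reserved, bytes 2-7 = keycodes.
SHIFT_MASK = 0x22  # left Shift (0x02) | right Shift (0x20)
BACKSPACE = 0x2A   # labelled [DEL] in the script above

def build_keymaps():
    """Return (plain, shifted) lookup tables for a US layout."""
    plain = {0x04 + i: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
    plain.update({0x1E + i: c for i, c in enumerate("1234567890")})
    plain.update({0x28: "\n", 0x2B: "\t", 0x2C: " "})
    plain.update({0x2D + i: c for i, c in enumerate("-=[]\\")})
    plain.update({0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x38: "/"})
    shifted = {k: v.upper() for k, v in plain.items()}
    shifted.update({0x1E + i: c for i, c in enumerate("!@#$%^&*()")})
    shifted.update({0x2D + i: c for i, c in enumerate("_+{}|")})
    shifted.update({0x33: ":", 0x34: '"', 0x36: "<", 0x37: ">", 0x38: "?"})
    return plain, shifted

def decode_reports(hex_lines):
    """Turn hex-encoded 8-byte reports (colons optional) into typed text."""
    plain, shifted = build_keymaps()
    typed, held = [], set()
    for line in hex_lines:
        raw = line.strip().replace(":", "")
        if len(raw) != 16:
            continue  # not an 8-byte boot-keyboard report
        report = bytes.fromhex(raw)
        table = shifted if report[0] & SHIFT_MASK else plain
        pressed = [k for k in report[2:8] if k > 0x03]  # 0x00-0x03: empty/error
        for key in pressed:
            if key in held:
                continue  # still down from the previous report, not a new keystroke
            if key == BACKSPACE:
                if typed:
                    typed.pop()  # erase the previous character
            elif key in table:
                typed.append(table[key])
        held = set(pressed)
    return "".join(typed)

# Constructed sample: "h" and "i" overlapping, a mistyped "x" that is erased, Shift+"[".
SAMPLE_REPORTS = [
    "00000b0000000000", "00000b0c00000000", "00000c0000000000", "0000000000000000",
    "00001b0000000000", "0000000000000000", "00002a0000000000", "0000000000000000",
    "0200000000000000", "02002f0000000000", "0000000000000000",
]

if __name__ == "__main__":
    print(repr(decode_reports(SAMPLE_REPORTS)))
```

To run it on the capture, pass the lines of hexoutput.txt to decode_reports instead of the sample list.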

OSINT - Checking out winter

We took our annual road trip to Baja California Sur to visit the beach and play some golf. I like how this location is farther from the city compared to other resorts. I really enjoyed the sweet and savory sauce on the pizza with shredded chicken. After eating, I fell asleep, and half of my legs ended up getting tanned. #Cabo #Pizza

The "#Cabo" stated in the description helped to narrow down the location.

Google Lens was used to search for images (shown on the right) featuring similar building structures. By analyzing the distinct similarities and referencing the provided caption, the hotel's identity was confirmed.

Notice the similar building structure, and lifebuoy placement
irisctf{Hilton_Los_Cabos_Beach_and_Golf_Resort}

flag

OSINT - Sleuths and Sweets

I visited my friend in Japan, and we had some decent crepes! The area was bustling with foot traffic, so we expected a long wait, but it ended up being okay. I’m usually not a fan of yogurt in my crepes, but I was content with it.

Finding a seat was difficult because the place was crowded, and walking elsewhere to eat wasn’t an option, as it’s culturally considered rude to eat while walking in Japan.

The wording corresponds to "Marion Crepes", verified with Google Lens
Google Maps search for "Marion Crepes"

Notice that most of these places have "Dine-in" spaces

Notice the words on the red sign and the building looks similar
This picture proves that this was the correct location, notice the red stand, signs and shelves
irisctf{1_Chome_21_3_Jinnan_Shibuya}

flag

OSINT - Not Eelaborate

After my long train ride, I visited a deer park and got to feed the wildlife. There were so many restaurants to choose from but I was craving eel. I really like the soup mixed in with the rice and fish. The wasabi threw me off since I don’t normally have it served this way.

I would recommend this place if you want to find a quiet restaurant to eat at, and wouldn’t mind finding a few small fish bones. Eels are known to carry lots of tiny bones it’s inevitable that you’ll find it in a lot of places.

We can first search for Unagi rice around the Nara region:

Not many unagi restaurants near Nara, Japan
Edogawa Kintetsu Nara

The images from this search look pretty similar to the one posted by the challenge.

irisctf{Edogawa_Kintetsu_Nara}

flag

OSINT - Late Night Bite

To search for the post, search for Late Night Bite according to the challenge's title:


Some nights, I enjoy walking out to this modern local izakaya restaurant. They close pretty late, which makes it perfect for a late night snack. What makes this place unique is their dedication to brewing their own teas and constantly experimenting with new dishes on the menu. I like to order their mocktail Shiso Dry as my drink. As for meal spicy tuna onigiri with a bowl of miso soup is enough for me.

I just want to show my appreciation and admiration for this place. But you guys will never find it! I regularly come here during the weekends.

Google for "Shiso Dry" and enter Wanderlog

This place might not have been in Japan after all

Search for "Shiso Dry" in the console and Scroll into View (Shirube)

Shirubē comes up as the restaurant. Let's look at their menu.

Spicy Tuna Onigiri listed here (Source)
Shiso Dry listed here
irisctf{Shirube}

flag

Final Scores

Public URL here

In total, we successfully retrieved flags for 1 forensics challenge (deldeldel) and 5 OSINT challenges, making this a productive and insightful CTF experience. Huge thanks again to IrisSec for organizing such an engaging competition—each challenge offered a great mix of fun and learning, and we look forward to participating again next year!