TryHackMe | Hackfinity Battle Encore CTF WriteUp
Selected solves from Hackfinity's encore release, led by the OSINT track.
- CTF: Hackfinity Battle Encore
- Challenge: Selected Challenges
- Category: OSINT
- Published: Mar 29, 2025
- Difficulty: Medium

Hello everyone, I am Ahmed (aka Pizza Steve), and today I will walk you through a couple of challenges I solved during the Hackfinity CTF. I will also share a couple of lessons I learned along the way, and show how I approached the challenges and exposed the vulnerabilities and misconfigurations. This should help strengthen your cybersecurity skills for future CTFs or real-world scenarios.
Hackfinity Battle Encore is a re-release of the original event room, giving us an opportunity to either solve tasks we previously missed or refresh our skills.
Let's start with OSINT tasks:
OSINT - Task 1: Catch Me if You Can

Here, the task description basically tells us that the provided photo has a clue of the restaurant Cipher and Specter were leaving from, and the flag is its name.
Flag format: THM{restaurant_name}, separate words with underscores, and no capital letters.

Looking into the image, I noticed the street name, **Beco do Batman**. I used Google to reverse search this image, then tried the first result I got ...
and BOOM WE GOT IT!

OSINT - Task 2: Catch Me if You Can 2

Checking the task photo, I got this.

To be honest, I first spent some time looking in the wrong way as if it was like the previous task. With no result, I came back and read the task description carefully: "**We believe they used some sort of cipher to communicate a location with each other**". It was in front of my eyes all the time. The description says there is a ciphered text on the picture, so I searched for the original one to compare both together.


Looking carefully, the original photo didn't have this part. We found the cipher text and now need to identify it. I used GPT hoping it could identify it but with no luck, so I did the work manually. It turned out to be a **pigpen cipher**. I used PlanetCalc to decode the text.

OSINT - Task 3: Catch Me if You Can 3

This challenge is fairly easy as it depends on knowledge we gained so far. We are in São Paulo, Brazil, and need to find the address of Mr. Wok.
Doing a Google search, a restaurant popped out with that name. Now, we only need to format the flag and submit it.

Now with the web tasks!
Web Section - Task 4: Notepad Online
After visiting the website, I quickly noticed the URL format and suspected it was vulnerable to IDOR. This means that by modifying the URL parameters, we could access unauthorized data.

I tried changing the note_id parameter from 1 to 2, and it worked, confirming it's vulnerable to IDOR.

I kept incrementing the value till I reached 5.

So, this one tells us to try a lower value instead of incrementing.

Here we goooo!
It is worth noting that this challenge scenario is on PortSwigger Academy, so doing their labs is highly recommended.
Crypto - Task 8: Order

This one is fairly easy. It simply requires us to create a decryption script using a repeating XOR cipher key. Additionally, every header must start with 'ORDER:'. Since all the requirements have been provided, we only need to make the script. Here is the one I used:


Crypto - Task 26: Cipher's Secret Message

Here we are given an encryption algorithm and need to analyze it, so we can write our own decryption script and extract the flag.
If the character is a letter:
- If uppercase, its ASCII base is 'A' (65).
- If lowercase, its ASCII base is 'a' (97).
- The shift increases based on the index of the letter in the text.
- The new character is calculated using modular arithmetic to ensure it wraps around the alphabet.
- Non-alphabetic characters remain unchanged.
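
The rules listed above, written out as an added example (not the challenge's code and not my original script). It assumes the shift for each letter equals its zero-based position in the whole text, with non-letters still advancing that position; the sample flag and the function names are constructed for illustration.

```python
# Added example: index-shift cipher as described in the list above.
# Assumption: shift == zero-based position of the character in the text.


def shift_text(text: str, direction: int) -> str:
    """Shift every ASCII letter by direction * index, wrapping within its case.

    direction=+1 encrypts, direction=-1 decrypts.
    """
    out = []
    for i, ch in enumerate(text):
        if ch.isascii() and ch.isalpha():
            # Pick the ASCII base for the letter's case: 'A' (65) or 'a' (97).
            base = ord("A") if ch.isupper() else ord("a")
            # Python's % always returns a non-negative result, so subtracting
            # the index during decryption still wraps around the alphabet.
            out.append(chr((ord(ch) - base + direction * i) % 26 + base))
        else:
            # Braces, underscores, digits and spaces pass through unchanged,
            # but they still count towards the index of later letters.
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str) -> str:
    return shift_text(plaintext, +1)


def decrypt(ciphertext: str) -> str:
    return shift_text(ciphertext, -1)


# Constructed sample, not the real challenge flag.
SAMPLE_PLAINTEXT = "THM{not_the_real_flag}"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("recovered: ", decrypt(SAMPLE_CIPHERTEXT))
```

Because the shift depends only on position, decryption needs no key: subtracting each index undoes the encryption.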
This is the script I used to decrypt the flag:


Thanks for reading. — Steve