CSAW – Clams Don’t Dance


In this Forensics challenge, a disk image was provided.

Opening a new Case and viewing the image file in Autopsy, I was faced with:


Looking through the files within the image, one in particular caught my attention: a .pptx file. I exported and saved it for further analysis.

Since the file had a .pptx extension, I knew I could open it with an archiver such as WinRAR or 7-Zip: a .pptx is an Office Open XML package, which is just a ZIP archive with a fixed directory layout.


I opened the file with WinRAR and extracted its contents. Navigating to the \ppt\media folder, I was met with images:


Of all the images, the one that really caught my attention was the one in the upper left corner:


With a little research, I found out that the image is a MaxiCode, the 2D barcode used on UPS shipping labels.

Running it through a decoder produced the flag:


Flag Captured!
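As an added example, not part of the original write-up: the same extraction done programmatically in Python. A .pptx is a ZIP, so the script checks the container, pulls everything under ppt/media/, and identifies each file by its magic bytes rather than its extension, which is the check an analyst wants since nothing stops a challenge author from storing one format under another's name. The package bytes are a constructed stand-in with the OOXML layout, not the file from the image.

```python
import io
import zipfile

# Magic bytes for the image formats commonly found under ppt/media.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}


def sniff(data: bytes) -> str:
    """Identify an image by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_media(pptx_bytes: bytes) -> dict:
    """Return {path: (detected_type, bytes)} for every file under ppt/media/."""
    if not zipfile.is_zipfile(io.BytesIO(pptx_bytes)):
        raise ValueError("not a ZIP container, so not a .pptx package")
    found = {}
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("ppt/media/") and not info.is_dir():
                data = zf.read(info)
                found[info.filename] = (sniff(data), data)
    return found


def build_sample_pptx() -> bytes:
    """Constructed stand-in for the exported .pptx: a ZIP with the OOXML layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("ppt/media/image2.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        # An image whose extension lies about its contents.
        zf.writestr("ppt/media/image3.png", b"GIF89a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for path, (kind, data) in extract_media(build_sample_pptx()).items():
        print(f"{path}: {kind}, {len(data)} bytes")
```

Point the script at the exported file (`extract_media(open("file.pptx", "rb").read())`) and every embedded image comes out with its real type, so a barcode stored as a PNG under a .jpeg name would still be spotted.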

Headsup – Forensics Task

Wow! It has been a while since I dropped anything here.

Well, I have been capturing some flags lately, and today I will be detailing a flag I helped capture.

A friend requested help with capturing a flag for a task he was engaged in. I later found out that the task was a Forensics challenge from angstromctf, which took place in April 2016.

The file provided for the challenge was downloaded and work began in earnest on getting the flag out of it.

A look at the file suggests it is a PDF, because of its .pdf extension. Oops! Opening the file produces the error message below.

With my little experience of CTFs, hints can often be derived from the name of the challenge. On sighting the task's file name (headsup.pdf), I took it as a pointer to the file header.

Using my favourite hex editor, I viewed the file. Looking at the file header, I knew for certain that something was wrong with the given file. The header looked like this:


%PDF is the standard magic for every PDF file. What is wrong here is the IHDR that follows it: IHDR is the first chunk of a PNG file and has no place in a PDF header. To satisfy my curiosity, I viewed how the file ends, using the hex editor, and found this:


A typical PDF ends with the %%EOF marker, like this:


I now concluded that this could be a picture file and not a PDF. To be sure I was dealing with a picture file, I opened a known-good .png file with the hex editor and saw this:


The above shows what the file signature of a PNG file looks like: the eight bytes 89 50 4E 47 0D 0A 1A 0A, immediately followed by the IHDR chunk. Knowing this, I manually tweaked the file header so that the file became a proper PNG. The tweaking entailed using the 'Fill Selection' tool in the Edit menu of the hex editor to write the right bytes over the first eight.

After doing that, and knowing that the file had been downloaded with a .pdf extension, I changed the extension to .png.

Opening the file, I see this:


Flag captured!!!
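As an added example, not part of the original write-up: the same repair done in Python instead of by hand in a hex editor. It checks that an IHDR chunk sits at offset 12, where a PNG's first chunk must be, overwrites the first eight bytes with the PNG signature, then walks the chunks and verifies each CRC before trusting the result, which tells you whether only the signature was damaged or more of the file was tampered with. The known-good PNG and the damaged copy are constructed inline; the challenge file itself is not reproduced here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data: the PNG chunk layout."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def walk_chunks(data: bytes):
    """Yield (type, body, crc_ok) for each chunk after the 8-byte signature."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        stored = struct.unpack(">I", crc_field)[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored
        yield ctype, body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def repair_signature(data: bytes) -> bytes:
    """Rewrite a damaged signature, but only if the rest of the file is PNG chunk structure."""
    if data.startswith(PNG_SIGNATURE):
        return data
    if data[12:16] != b"IHDR":
        raise ValueError("no IHDR chunk at offset 12; not a PNG with a damaged signature")
    fixed = PNG_SIGNATURE + data[8:]
    chunks = list(walk_chunks(fixed))
    if not chunks or chunks[-1][0] != b"IEND" or not all(ok for _, _, ok in chunks):
        raise ValueError("chunk sequence or CRCs do not check out; more than the signature is damaged")
    return fixed


def png_dimensions(data: bytes) -> tuple:
    """Width and height from the IHDR body (offsets 16..24)."""
    return struct.unpack(">II", data[16:24])


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG standing in for the known-good .png file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def build_headsup_like() -> bytes:
    """Constructed stand-in for headsup.pdf: the PNG above with '%PDF-1.5' over its signature."""
    return b"%PDF-1.5" + build_sample_png()[8:]


if __name__ == "__main__":
    damaged = build_headsup_like()
    print("starts with:", damaged[:8], "| chunk at 12:", damaged[12:16])
    fixed = repair_signature(damaged)
    print("repaired:", fixed[:8], "| dimensions:", png_dimensions(fixed))
```

The CRC walk is the part worth keeping: a challenge file that also has a corrupted IHDR or IEND will pass the offset-12 check but fail here, and the error says so instead of handing you an image viewers refuse to open.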


SMiShing – BVN validation

There is no way phishing attacks will ever stop. The only way to overcome this form of attack is not to get caught: do not be a victim.

Despite the prevalence of this form of attack, not everybody becomes a victim. One way I would recommend to avoid becoming a victim is the application of "common sense". Common sense, some say, may not be so common after all, because what one ordinarily should not fall victim to still catches up with one.

With the spread of mobile phones, a great deal of communication is done by SMS, and phishing has evolved to use text messages to carry out these attacks. The aim is to get gullible users to fall victim. One tool employed in this form of attack is what I call "subtle intimidation".

These messages have ways of invoking fear in the minds of users and at times harvest victims. This should not erase from our minds that every one of us is a potential victim. Whether you end up as one depends entirely on what you do with the message you receive.

SMiShing is the art of making use of text messages to carry out phishing attacks.

I recently received an SMS which I immediately recognised as an attack. The message reads:

“Dear Customer, Due to the BVN validation in compliance with CBN bank directives, your ATM card has been De_activated call our help line on (07033680531) now”

The above message was sent from +2349037918543.

Though phishing messages can be crafted without leaving any room for suspicion, the above SMS is a poorly crafted one.

Features that mark the above as an attack include the poor punctuation, the odd capitalisation, the wrong usage of words (an ATM card is not "De_activated"), the fact that the sender is an ordinary mobile number rather than the bank's own sender ID, and the generic greeting: if this message had actually come from my bankers, it would have been addressed to me by name.

Care must therefore be taken to avoid becoming a victim of these kinds of attacks. Do not be hasty to respond to any message that comes your way; if in doubt, call your bank on the number printed on your card, not the one in the message.

Should you want to call the above phone numbers to do your BVN (Bank Verification Number) validation, you can go ahead and place the call.

Goodluck 🙂

SECCON 2015 Online CTF – Steganography 3 solution

Having participated in the recently concluded SECCON 2015 Online CTF and captured some flags, I decided to write up one of the challenges posed, Steganography 3.


A file was provided for us to examine, with a view to finding out what was embedded in it.

After downloading the file and viewing it with a picture viewer, we are faced with this:


Viewing this picture does not reveal much; however, it leaves a lot to the imagination.

One thing in particular that gave me the strongest hint was the bottom-right part of the picture, where the picture file is shown being opened in Paint.

I opened the file with Paint, but the result was no different from how it appeared in the other picture viewer.

Yes, Paint can do some tricky stuff. I took advantage of what I knew could be the solution to what I sought.

Clicking on the "Fill with color" tool, I left-clicked on the picture's background and this showed up:


The flag was revealed: SECCON{the_hidden_message_ever}. The trick works because Paint's fill replaces only pixels whose colour exactly matches the one you clicked on: text drawn in a shade one step away from the background is indistinguishable by eye, but the fill skips it, and it stands out against the new colour.
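As an added example, not part of the original write-up: an exact-match bucket fill in plain Python that reproduces what Paint's tool does, run on a constructed 5x7 "image" whose background is white and whose hidden H is drawn one unit off white. Filling from a background pixel leaves exactly the hidden pixels untouched; filling from a hidden pixel does the opposite and colours the text instead, which is the caveat if your first click happens to land on the message.

```python
from collections import deque

WHITE = (255, 255, 255)
NEAR_WHITE = (254, 255, 255)   # one unit off white: invisible to the eye
RED = (255, 0, 0)


def flood_fill(pixels, start, new_colour):
    """Exact-match bucket fill, the behaviour of Paint's 'Fill with color':
    recolour the clicked pixel and every 4-connected pixel of exactly the same colour."""
    rows, cols = len(pixels), len(pixels[0])
    r0, c0 = start
    target = pixels[r0][c0]
    out = [row[:] for row in pixels]
    if target == new_colour:
        return out
    out[r0][c0] = new_colour
    queue = deque([start])
    while queue:
        r, c = queue.popleft()
        for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
            nr, nc = r + dr, c + dc
            if 0 <= nr < rows and 0 <= nc < cols and out[nr][nc] == target:
                out[nr][nc] = new_colour
                queue.append((nr, nc))
    return out


def hidden_pixels(pixels, start, fill_colour):
    """Coordinates the fill left untouched: the near-colour pixels that were hiding."""
    filled = flood_fill(pixels, start, fill_colour)
    return sorted((r, c) for r, row in enumerate(filled)
                  for c, p in enumerate(row) if p != fill_colour)


def render(pixels, background):
    """ASCII view: '.' for background-coloured pixels, '#' for anything else."""
    return "\n".join("".join("." if p == background else "#" for p in row)
                     for row in pixels)


def build_sample():
    """Constructed 5x7 image: white background with an H drawn in NEAR_WHITE."""
    img = [[WHITE] * 7 for _ in range(5)]
    for r in (1, 2, 3):
        img[r][2] = NEAR_WHITE
        img[r][4] = NEAR_WHITE
    img[2][3] = NEAR_WHITE
    return img


if __name__ == "__main__":
    img = build_sample()
    print(render(flood_fill(img, (0, 0), RED), RED))
```

On a real PNG the same loop runs over the pixel array from an image library; the only thing that matters is that the comparison is exact equality, not a tolerance, since a tolerance of even one would swallow the message along with the background.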

CTF Global Cyberlympics 2015 Challenge Write Up

The Global Cyberlympics finals were recently held, on the 20th of October, 2015, in Washington D.C. The competition is one where ethical hackers representing different organizations from all over the world gather to test their mettle on CTF exercises.

This, however, is not possible without first going through preliminary stages to determine who would represent the various regions of the world. Just as other groups represented other parts of the world, the African region was represented by two teams from Nigeria, Team Naija and HAWX. They took part in the competition and, to me, they are indeed champions, having topped the chart to represent Africa.

Hack.ERS (Europe) emerged the winners of the competition, Sector C (Europe) came first runners-up and CTRL+ALT+DEL (North America) took third place. Congratulations.

Several write-ups have started being published to help others. One such can be found here.

This is a write up on how I solved one of the challenges (I was not at the cyberlympics this year 🙂 ).

According to my friend (he participated), “the question was to find out what’s wrong with the pcap…the answer lies within the pcap…”.

I downloaded the .pcap file, and one thing that got me curious was its size; it seemed too small.

It then occurred to me that no matter the size of the file, “packets don’t lie”.

After opening the .pcap file with Wireshark, I noticed that packets 20 to 77 formed a continuous flow of data that Wireshark dissected as SSL.


I then reassembled those packets by following the TCP stream, which produced this in the hex dump view of the Follow TCP Stream window:


Sighting the PNG header, I knew a picture was involved; despite the SSL label, the payload was clearly not encrypted. I saved the stream with a .png extension, selecting the 'Raw' radio button so that the bytes were written out unmodified. After saving it, I opened the file and found this:


Hmmmm, warl0ck gam3z…I love these guys.

NetworkMiner usually indicates what files a .pcap contains, but when I opened this file with NetworkMiner there was no indication that a picture was embedded in it.

The picture itself carries the clue as to what to work on.

Using my favourite online hash lookup service (a hash cannot be decrypted, only matched against precomputed tables), I tried to reverse the hash:


and I got this:


Wow! It can clearly be seen that the key asked for is the MD5 hash of 'wg'.

Hashing ‘wg’, I got this:


Voila…Flag captured…challenge solved.
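As an added example, not part of the original write-up: carving the image out of a reassembled stream in Python rather than by hand in the Follow TCP Stream dialog, then computing the key with hashlib. The stream bytes are constructed filler around two minimal PNG-shaped blobs (signature, an IHDR-sized chunk, IEND) and are not the challenge capture. The carver handles two things the manual approach misses: a stream may hold more than one image, and a signature with no IEND behind it is a truncated file, which it skips rather than saving half a picture.

```python
import hashlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A zero-length IEND chunk has a fixed CRC, so the whole trailer is a constant.
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"


def carve_pngs(stream: bytes) -> list:
    """Return every complete PNG in a byte stream, from signature through IEND.

    The IEND trailer could in principle also occur inside compressed IDAT data;
    validating the chunk chain would rule that out, but for carving from a
    capture the signature-to-trailer slice is what you save and open.
    """
    found = []
    start = stream.find(PNG_SIGNATURE)
    while start != -1:
        end = stream.find(IEND_CHUNK, start)
        if end == -1:
            break                       # signature without trailer: truncated, stop
        end += len(IEND_CHUNK)
        found.append(stream[start:end])
        start = stream.find(PNG_SIGNATURE, end)
    return found


def md5_key(text: str) -> str:
    """The key format the challenge asked for: hex MD5 of the clue string."""
    return hashlib.md5(text.encode()).hexdigest()


def build_fake_png(tag: bytes) -> bytes:
    """Constructed PNG-shaped blob: signature, a 13-byte IHDR chunk (CRC not
    computed, carving does not check it), a tiny IDAT, and the IEND trailer."""
    ihdr = b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4
    idat = len(tag).to_bytes(4, "big") + b"IDAT" + tag + b"\x00" * 4
    return PNG_SIGNATURE + ihdr + idat + IEND_CHUNK


def build_sample_stream() -> bytes:
    """Constructed stand-in for the reassembled TCP payload: filler around two images."""
    return (b"\x16\x03\x01 filler that Wireshark called SSL "
            + build_fake_png(b"first")
            + b"\r\n\r\n more filler \r\n"
            + build_fake_png(b"second")
            + b" trailing bytes")


if __name__ == "__main__":
    for i, png in enumerate(carve_pngs(build_sample_stream())):
        with open(f"carved_{i}.png", "wb") as fh:
            fh.write(png)
        print(f"carved_{i}.png: {len(png)} bytes")
    print("key:", md5_key("wg"))
```

To run it on a real capture, export the stream from Wireshark as raw bytes (or use tshark's follow output) and pass the file's contents to carve_pngs; every saved file starts at a signature and ends at an IEND, which is exactly what the 'Raw' save above gave by hand.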


The Network of Things

Back in 1998, a hacker group named L0pht disclosed to a panel of United States lawmakers the impending disaster that would eventually rock the internet world. Their disclosure was that computers were not secure.

They foretold this based on the vulnerabilities and bugs they had found in carrying out several tests on IT equipment. Their point was reinforced by the observation that IT products were not being hardened with enough security to ensure that end users could use them without having to concern themselves with "so much" security.

Nowadays, however, end users have been handed the task of ensuring the security of the products they buy from IT vendors.

The question now being asked is "Who should be responsible for security?"

Should security lie in the hands of the end users who buy these products, or of the vendors who make and sell them at very high prices (open source included)? This question has not received a universally accepted reply. If I need to buy a product, be it software or hardware, at a very dear rate, why then should I have to bother myself with ensuring that it is not hacked? Why should I pay so much and end up with sleepless nights because I do not want my product to be hacked?

This was the warning L0pht was giving the world, but it was disregarded, hence the constant news about hacking. Years earlier, Bill Gates, in his May 26, 1995 memo to Microsoft staff, had clearly foreseen an interconnected world; no wonder he titled the memo "The Internet Tidal Wave".

Looking at the warning L0pht gave, Microsoft seems to have been one of the major channels through which it came to fruition. In May 2000, the ILOVEYOU worm gained notoriety by exploiting a feature of Microsoft Outlook. It was followed by the Pikachu, Anna Kournikova and Nimda worms.

Should we therefore conclude that the world is paying for not heeding the timely warning?

Furthermore, the interconnection of devices today has made communication and other aspects of life easier. This does not take away the fact that hackers are still on the prowl.

To this end, companies have come up with bug bounties so that bugs can be found and fixed before they are disclosed to the public.

The rave of the moment is the Internet of Things, where everyday gadgets now connect to the internet. Sincerely, I cannot understand why my refrigerator must be connected to the internet and end up giving me problems.

According to a computer scientist at the University of California, Santa Barbara, hackers are like water: after you put a plug in place, they find another crack.

The point, therefore, is for everybody to develop a security consciousness.

If I purchase an IT product at an expensive price, why must I lose sleep over its security?

FREE Computer Forensics Training

Have you ever thought of sharpening your IT forensics instincts with some training?

I have come to notice that many people who are interested in IT security lean more towards hacking. This is in no way to say that they are making wrong choices, but several other areas in the world of security exist that you can delve into.

The world of forensics is one that not so many people are interested in, but it is an aspect of IT security that sharpens one's security consciousness. As an IT person, security is of utmost importance to the IT infrastructure installed in the organization one works in.

The need to know what may have happened to cause a system crash or compromise is the domain of digital forensics.

EH Academy is a platform where one can get training in computer forensics. Simply visit EH Academy and you will find this course and several others.

To take the Computer Forensics course, simply visit http://academy.ehacking.net/courses/computer-hacking-forensics-investigation/.

This course will teach you several ways to go about that investigation you are finding hard to get through.

Do not miss it.

Cybrary.it – The IT Revolution

Investing in yourself this year is what it takes to become better and more knowledgeable.

Having introduced cybrary.it earlier, I would like to add that anybody who has not yet made use of cybrary.it is really missing a lot.

To paraphrase: to learn how to defend yourself, you must learn how to attack.

The above is so true. In a world rife with hackers, one must learn how to protect oneself from these marauding hackers.

The protection of digital assets is therefore imperative, and knowing what to protect from hackers is important.

Companies hire professionals to help protect their assets from hackers. However, the bad guys, otherwise known as black hats, have access to the same tools and skill set as the white hats.

The concept of hacking is not a bad one. What makes it look bad is the motivation of the hacker. White hats are hackers employed by organizations with a view to defending their networks and protecting their assets.

Having gone through the course Penetration Testing and Ethical Hacking, I have been trained in the rudiments of penetration testing. The course exposes one to the activities required for the protection of digital assets. The course can be found here.

The videos are explicit enough and the instructor, Leo Dregier, did justice to the course.

As I said before, invest in yourself this year using cybrary.it.


CYBRARY.IT – FREE IT and Cyber Security Training Revolution

Hi all. 2015 has begun and this is already the second month.

You had wanted to take that course and probably sit that IT certification exam in 2014, but ended up not achieving the required pass mark. That can be very frustrating indeed. The joy of every exam candidate is to sit and pass an IT certification exam at the first attempt, as this is both cost-effective and time-saving.

This is a year in which you should not grow weary but continue to invest in yourself. The thought of breaking the bank to obtain lectures and eventually sit that certification exam should not deter your plans for the year.

Obtaining an IT certification comes at a considerable cost, but this year I will introduce you to a platform through which your desire to obtain that IT certification can be easily and quickly achieved.

Cybrary.it is a site dedicated to bringing you free lectures on your desired IT subject. You can attend online lectures on cybrary.it and then go ahead and sit the exam.

Cybrary.it presents concise, explicit videos that give you a real-world lecture scenario, and the videos are self-paced. They are explanatory to a large extent and give you practical learning experiences on your chosen IT subject.

One big plus for cybrary.it is the revolutionary change it brings to the IT world: the courses are FREE. Another plus is that completion badges and certificates of completion are awarded to successful students.

Against the thought that anything free is of no value, the vision of cybrary.it is that IT should be taught for free, as we are in an information age.

On cybrary.it, many learning paths exist. Some of the courses offered include CompTIA Security+, MCSA, CISA, CISSP, Advanced Penetration Testing, Python for Security Professionals, Metasploit, etc.

One thought that may now be ringing in your head is: how can the above courses be taught for free?

I make bold to tell you that the lectures are free. Simply watch the course videos and learn.

Having taken the Computer Hacking Forensics course, I can say it was a great experience. The course prepares you for the EC-Council CHFI certification exam. The instructor, Leo Dregier, ensured the course was well understood through the lecture videos.

Going through the course videos, the rudiments of digital forensics were explained. Various tools were discussed as the course modules were covered. Most importantly, forensics must follow detailed processes for the evidence to eventually be admissible in court.

The course can be accessed here.

I therefore implore you all: in this year, 2015, use cybrary.it to invest in yourself.


Phishing Again

“haha you gotta read this, its epic is.gd/ItItF”

The above is a message I just got from a friend who follows my Twitter handle. After some investigation, it was discovered that his Twitter account had been compromised and was being used to send this message to his other followers, who unsuspectingly click on the link and supply the information they are asked for.

This is a phishing attack and we must be careful about it. On clicking the link, a page requesting your Twitter username and password appears. What this page does is make you supply your credentials so that someone else somewhere can harvest them, and your account is compromised.

Apart from your account being compromised, the same message is also sent to your followers, who think the message originates from you. They click on the link, supply their credentials, and their accounts become phishing platforms in turn.

Ordinarily, when you supply wrong credentials to an account you get an error message telling you that the details you entered are wrong. To test the fake Twitter site, I supplied a made-up username and password, and no error message appeared to tell me I had given wrong details.

What happens at this point is that the supplied information is sent to the phisher, who harvests it. A login page that accepts any credentials at all is a strong sign that nothing is being checked against a real account database.

Twitter uses a secure connection (https://), but this fake page uses an unsecured connection (http://).

“Your current session has ended.
For security purposes your were forcibly signed out, you need to verify your Twitter account, please relogin.”
Read carefully and notice the typographical error ("your were"). That is another way to spot a phish.

Do not allow yourself to be phished. When supplying account details to any site, it is preferable to navigate to the site directly yourself rather than follow links sent by email or anywhere else.

Phishing is an old attack and it still thrives. Do not be a victim.

You can learn more about phishing here.