TryHackMe | Shoot The Sun
A walkthrough for the Capture the Flag challenge by CyberSec Society, MNSUAM. https://tryhackme.com/room/shootthesun
Task 1: R101
We are provided with an image file and a couple of questions.
We can easily recognize the image as Rick Astley from his famous Rick Roll song, “Never Gonna Give You Up”, but let's explore the file's metadata just to know more. We can use exiftool for that.
Who Is Creator?
After running the exiftool command, we can easily see all the metadata.
What Is Title?
We can note the title provided in metadata.
What Is Blog Name?
We haven’t been provided with a blog name in the metadata, but if we look carefully, we can see the Description field with a medium.com link in it.
Let's open the link in a browser.
We can easily find the blog name.
Who wrote Blog?
If we look back into our previous task, we can easily find the answer to this question as well.
What Is Cracked String?
What string?!?
Haha, let's look back at the Medium blog; I think I saw a pastebin link.
After opening the link (I had to use a VPN to open pastebin), I can see some text there.
And luckily for us, it mentions the use of multiple encodings, which saves us the thinking work. Let's fire up CyberChef.
If you don’t know what encoding is applied, always use the Magic recipe.
Boom!!! We have decoded the string, and that’s it for part 1.
Btw, don’t repeat my mistake, and remember the string 😁😂.
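How a Magic-style decoder can peel stacked encodings, as an added example that is not part of the original walkthrough and not CyberChef's own code. The function names and the sample string are constructed for illustration, and only hex, Base32 and Base64 layers are handled:

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Most restrictive alphabet first: every hex string is also valid Base64.
DECODERS = [
    ("hex", binascii.unhexlify),
    ("base32", base64.b32decode),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
]

def try_decode(s):
    """Return (name, text) for the first decoder whose output is printable text."""
    for name, fn in DECODERS:
        try:
            text = fn(s.strip()).decode("utf-8")
        except (binascii.Error, ValueError):
            continue  # wrong alphabet, bad padding or non-text bytes
        if text and all(c in PRINTABLE for c in text):
            return name, text
    return None

def peel(s, max_layers=10):
    """Strip encoding layers until nothing decodes cleanly; return (text, layers)."""
    layers = []
    while len(layers) < max_layers:
        hit = try_decode(s)
        if hit is None:
            break
        layers.append(hit[0])
        s = hit[1]
    return s, layers

def make_sample():
    # Constructed sample, not the room's pastebin string:
    # text -> Base64 -> Base32 -> hex.
    plain = b"constructed sample: not the room's string"
    return binascii.hexlify(base64.b32encode(base64.b64encode(plain))).decode()

if __name__ == "__main__":
    text, layers = peel(make_sample())
    print(" -> ".join(layers), "=>", text)
```

Short plaintext with no spaces or punctuation can still parse as Base64, and ROT13 or Vigenère output cannot be recognised by alphabet alone, so those layers need a scoring step or a human check.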
Task 2: Death Star
In this task, we are required to spawn a machine and answer the questions. So, let's begin.
Before moving to the questions, please remember to run an nmap scan on the IP allocated.
We can see that there are 2 services running in the first 1000 ports: ssh on port 22 and http on port 80.
What Is Web Flag?
Let's add the IP to the hosts file and visit the webpage.
As we can’t find anything juicy on the index page, let's do some directory busting.
So, we found some directories after running ffuf on the website.
After going through the found directories, /space/ seemed interesting.
Let's do the magic in CyberChef again.
We found a word after decoding; let's check if it's a subdirectory.
Yup, it's a subdirectory, and now the path becomes /space/r***/
Let's check the source code of the page and save the image.
The source code states “<!-- The Web Flag Is SomeWhere In Pocket -->”,
so let's check pocket for a subdirectory.
/space/r***/pocket is a valid path and it contains the flag for the first question.
Now, let's move to the next question.
What Is yoda Flag?
Did someone say Yoda!!!
If my memory serves me correctly, we found a Yoda pic in /space/r***/ and we saved it. Let's look into it.
I used exiftool on the image, but without success, so I used steghide info on the image to look for embedded data.
It asked for a passphrase, and if you remember, we came across a passphrase in the source code of /space/r***/.
If we apply the ROT13 recipe to the encoded passphrase, we get the decoded passphrase.
Now use the passphrase for steghide,
and “secret.txt”, a file embedded in the image, is extracted. If we cat the file, we see 3 interesting strings.
It is stated that b2Jpd2Fu is encoded, so let's decode it first. If we use Magic in CyberChef, we get the decoded string.
Now, the second string, glgsayyfz: I used the Vigenère Decode recipe on it and decoded the password.
Now, remember, there were 2 services running on the IP and we have a string anakin. So, let's ssh into it.
After using the password from the last step, I successfully logged into the machine. Now, let's check what directories we have.
I found a directory “yoda” at /home/ and it is not accessible by “anakin”, so let's switch user to yoda. The cracked string from task 1 was the password.
Now, let's check the files we have in /home/yoda/
What is root Flag?
In the last task, there was another interesting file by the name +sudo.txt,
and if we cat it, we find the hashed password for root.
Let's go to CrackStation to check if it is a known password hash.
It was a known password hash and we found the password. Now let's get root privileges and fetch the last flag from /root.
And with the last flag submitted, the capture the flag challenge concludes.
As we are done with the CTF, do you know what time it is now…
It's time to