This is a writeup for the Fetch The Flag 2023 Beep64 challenge.
Challenge notes
Every CTF needs a base64 challenge… right?
Download the file(s) below.
Challenge archive
The archive chall.zip contains one file sine.wav. Run file on the
sine.wav to see what this file contains:
sine.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 8000 Hz
Here’s what the file output means:
- The file stores audio information in a
RIFFcontainer. - The file stores 8000 audio samples per second using pulse code modulation.
- One audio sample has 8 bit of information.
- One second then holds 8 bit * 8000 = 64000 bit, or
- 8 kB per second of information.
When you listen to the file sine.wav, you can hear a long series of
DTMF1 sounds.
Decoding the signal
You can decode the DTMF signals in sine.wav using sox 2 and multimon-ng3.
Here’s the full command that decodes the contents of sine.wav:
sox \
-V3 \
--volume 0.8 \
sine.wav \
--type raw \
--encoding signed-integer \
--bits 16 \
--rate 22050 \
- |
multimon-ng -a DTMF - |
tail -n+2 |
cut -d' ' -f2 |
tr -d '\n' |
sed -E "s/\*/\n*\n/g" > out.txt
This prints a long list of characters into the file out.txt. Reviewing
the out.txt file shows that it
contains sequences of 1-4 numbers followed by a * symbol.
9999
*
33
*
777
*
666
*
7777
*
7
*
2
*
222
*
33
*
666
*
66
*
33
*
[… rest omitted …]
Telephone keypad
This resembles letters written using a numeric keypad like on telephones. Here’s a mapping of the numeric keys and their corresponding letters:
2,A
22,B
222,C
3,D
33,E
333,F
4,G
44,H
444,I
5,J
55,K
555,L
6,M
66,N
666,O
7,P
77,Q
777,R
7777,S
8,T
88,U
888,V
9,W
99,X
999,Y
9999,Z
You can then skip the * characters and use this mapping to decode the contents of out.txt.
THEFLAGISZEROSPACEONESPACEZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZEROZEROSPAC
EONESPACEONESPACEZEROSPACEONESPACEONESPACEZEROSPACEONEZEROSPACEONESPACEONESPACEO
NESPACEONESPACEZEROSPACEZEROSPACEZEROZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZ
EROSPACEZEROSPACEZEROZEROSPACEONESPACEZEROSPACEONESPACEONESPACEZEROSPACEONESPACE
ZEROZEROSPACEZEROSPACEONESPACEONESPACEZEROSPACEZEROSPACEONESPACEONEZEROSPACEONES
PACEONESPACEONESPACEZEROSPACEZEROSPACEONESPACEONEZEROSPACEONESPACEONESPACEONESPA
CEZEROSPACEONESPACEONESPACEONEZEROSPACEONESPACEZEROSPACEZEROSPACEONESPACEONESPAC
EONESPACEZEROZEROSPACEONESPACEZEROSPACEZEROSPACEZEROSPACEONESPACEZEROSPACEZEROZE
ROSPACEONESPACEZEROSPACEZEROSPACEONESPACEZEROSPACEZEROSPACEONEZEROSPACEONESPACEO
NESPACEONESPACEONESPACEZEROSPACEZEROSPACEZEROZEROSPACEONESPACEZEROSPACEONESPACEO
NESPACEZEROSPACEZEROSPACEONEZEROSPACEONESPACEZEROSPACEONESPACEZEROSPACEONESPACEZ
EROSPACEZEROZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZEROSPACEONESPACEONEZEROSP
ACEZEROSPACEONESPACEONESPACEZEROSPACEZEROSPACEONESPACEZEROZEROSPACEONESPACEZEROS
PACEZEROSPACEONESPACEONESPACEONESPACEZEROZEROSPACEONESPACEZEROSPACEZEROSPACEZERO
SPACEONESPACEONESPACEONEZEROSPACEONESPACEZEROSPACEZEROSPACEZEROSPACEONESPACEONES
PACEZEROZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZEROSPACEONESPACEONEZEROSPACEO
NESPACEZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZEROZEROSPACEONESPACEZEROSPACEZ
EROSPACEZEROSPACEONESPACEZEROSPACEZEROZEROSPACEONESPACEONESPACEZEROSPACEONESPACE
ZEROSPACEONESPACEONEZEROSPACEZEROSPACEONESPACEONESPACEZEROSPACEZEROSPACEONESPACE
ONEZEROSPACEONESPACEZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZEROZEROSPACEONESP
ACEONESPACEZEROSPACEONESPACEONESPACEZEROSPACEONEZEROSPACEONESPACEZEROSPACEONESPA
CEONESPACEZEROSPACEZEROSPACEONEZEROSPACEONESPACEONESPACEONESPACEZEROSPACEONESPAC
EONESPACEONEZEROSPACEONESPACEZEROSPACEZEROSPACEONESPACEONESPACEONESPACEZEROZEROS
PACEONESPACEZEROSPACEZEROSPACEZEROSPACEONESPACEZEROSPACEZEROZEROSPACEONESPACEZER
OSPACEZEROSPACEZEROSPACEONESPACEZEROSPACEONEZEROSPACEZEROSPACEONESPACEONESPACEZE
ROSPACEZEROSPACEZEROSPACEZEROZEROSPACEONESPACEZEROSPACEZEROSPACEONESPACEONESPACE
ZEROSPACEONEZEROSPACEONESPACEONESPACEONESPACEONESPACEZEROSPACEONESPACEZEROZEROSP
ACEONESPACEZEROSPACEZEROSPACEZEROSPACEONESPACEONESPACEZEROZEROSPACEONESPACEONESP
ACEZEROSPACEONESPACEONESPACEZEROSPACEZEROZEROSPACEONESPACEZEROSPACEZEROSPACEONES
PACEONESPACEZEROSPACEONEZEROSPACEONESPACEONESPACEZEROSPACEONESPACEZEROSPACEONESP
ACEZEROZEROSPACEONESPACEZEROSPACEONESPACEZEROSPACEZEROSPACEZEROSPACEONEZEROSPACE
ONESPACEONESPACEONESPACEONESPACEZEROSPACEZEROSPACEZEROZEROSPACEONESPACEZEROSPACE
ZEROSPACEONESPACEONESPACEONESPACEONEZEROSPACEONESPACEZEROSPACEZEROSPACEZEROSPACE
ONESPACEONESPACEONEZEROSPACEONESPACEZEROSPACEONESPACEZEROSPACEONESPACEZEROSPACEO
NEZEROSPACEZEROSPACEONESPACEONESPACEZEROSPACEZEROSPACEONESPACEZEROZEROSPACEONESP
ACEZEROSPACEZEROSPACEONESPACEONESPACEONESPACEZEROZEROSPACEONESPACEZEROSPACEZEROS
PACEZEROSPACEONESPACEZEROSPACEZEROZEROSPACEONESPACEZEROSPACEONESPACEZEROSPACEONE
SPACEZEROSPACEONEZEROSPACEONESPACEONESPACEONESPACEZEROSPACEONESPACEONESPACEONEZE
ROSPACEONESPACEZEROSPACEZEROSPACEONESPACEONESPACEONESPACEONEZEROSPACEONESPACEZER
OSPACEZEROSPACEONESPACEZEROSPACEZEROSPACEZEROZEROSPACEZEROSPACEONESPACEONESPACEZ
EROSPACEZEROSPACEZEROSPACEZEROZEROSPACEZEROSPACEONESPACEONESPACEONESPACEONESPACE
ZEROSPACEONE
That already looks like binary. Store the contents into another file called letters.txt. Use sed to
rewrite the letters to binary like so:
cat letters.txt |
sed 's/THEFLAGIS//' |
sed 's/ZEROZERO/0\n0/g' |
sed 's/ONEZERO/1\n0/g' |
sed 's/ZERO/0/g' |
sed 's/ONE/1/g' |
sed 's/SPACE//g' > binary.txt
Binary
The binary.txt file now contains rows with patterns of 8 ones and zeros.
This suggests that these are ASCII values in binary.
01011010
01101101
01111000
01101000
01011010
00110011
01110011
01110111
Here’s how you can use Python to decode these binary ASCII VALUES:
python3 -c "
import sys
print(''.join(
chr(int(c, 2)) for c in sys.stdin.read().splitlines()
))
" < binary.txt | base64 -D
Here’s the flag:
flag{0421a964add97ff041431e2418e64508}
-
https://en.wikipedia.org/wiki/DTMF_signaling “DTMF signaling” ↩︎
-
https://en.wikipedia.org/wiki/SoX “Sound eXchange (SoX) is a cross-platform audio editing software.” ↩︎
-
https://github.com/EliasOenal/multimon-ng “multimon-ng: digital radio transmission decoder” ↩︎