The description said :
The notorious terrorist group known as the 10 rings got their elite hacker 5 to hack into Stark Industries and steal some sensitive files including the blueprints for the aRC Reactor second model, the hackers messed up the data badly and encrypted the files. Can you retrieve the files?
Do you see some marked text in the challenge description? That was not there originally; we put it there and will break it down later. Hold on.
First Look
So we got a file that looks like a WAV file, but of course it was corrupt.
So the header fixer guy of our team just fixed the WAV header.
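Here is what a WAV header fix looks like in code, as an added example (it is not the team's script or the actual challenge file). It assumes the canonical 44-byte PCM layout (RIFF chunk, then a 16-byte `fmt ` chunk, then `data`), checks the magic strings and the two size fields a player verifies, and rewrites exactly those bytes; the sample file and its corrupted copy are constructed inline.

```python
import struct

WAV_HEADER_LEN = 44  # canonical PCM WAV: RIFF header + 'fmt ' chunk + 'data' chunk header


def build_wav(samples: bytes, rate: int = 8000) -> bytes:
    """Build a minimal 8-bit mono PCM WAV around raw samples (used to construct test input)."""
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, rate, rate, 1, 8)
    data = struct.pack("<4sI", b"data", len(samples)) + samples
    body = b"WAVE" + fmt + data
    return struct.pack("<4sI", b"RIFF", len(body)) + body


def diagnose_wav(buf: bytes) -> list:
    """List what is wrong with a canonical-layout WAV header; [] means it looks sane."""
    if len(buf) < WAV_HEADER_LEN:
        return ["shorter than a 44-byte header"]
    problems = []
    riff_size, = struct.unpack_from("<I", buf, 4)
    data_size, = struct.unpack_from("<I", buf, 40)
    if buf[0:4] != b"RIFF":
        problems.append("RIFF magic missing")
    if riff_size != len(buf) - 8:
        problems.append("RIFF size field wrong")
    if buf[8:12] != b"WAVE":
        problems.append("WAVE form type missing")
    if buf[12:16] != b"fmt ":
        problems.append("'fmt ' chunk id missing")
    if buf[36:40] != b"data":
        problems.append("'data' chunk id missing")
    if data_size != len(buf) - WAV_HEADER_LEN:
        problems.append("data size field wrong")
    return problems


def repair_wav(buf: bytes) -> bytes:
    """Rewrite the magic strings and size fields of a canonical-layout WAV header.
    The fmt body (codec, channels, rate, bit depth) is left alone: only the
    magics and the two length fields that players check are patched."""
    b = bytearray(buf)
    b[0:4] = b"RIFF"
    struct.pack_into("<I", b, 4, len(b) - 8)
    b[8:12] = b"WAVE"
    b[12:16] = b"fmt "
    b[36:40] = b"data"
    struct.pack_into("<I", b, 40, len(b) - WAV_HEADER_LEN)
    return bytes(b)


# Constructed sample input: a valid file, then a copy with the magics zeroed and sizes trashed.
GOOD = build_wav(bytes(range(256)) * 4)
_corrupt = bytearray(GOOD)
_corrupt[0:4] = b"\x00\x00\x00\x00"
_corrupt[8:12] = b"\x00\x00\x00\x00"
struct.pack_into("<I", _corrupt, 4, 0xFFFFFFFF)
struct.pack_into("<I", _corrupt, 40, 0)
CORRUPT = bytes(_corrupt)

if __name__ == "__main__":
    print("before:", diagnose_wav(CORRUPT))
    fixed = repair_wav(CORRUPT)
    print("after: ", diagnose_wav(fixed))
```

If a real file has extra chunks (`LIST`, `fact`) before `data`, the fixed offsets 36/40 are wrong and you would walk the chunk list instead; the diagnose step tells you that because the `data` id check fails.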
See, easy. Now what? Next we did the following :
- Played the song
- Tested in Audacity
- stegcrack
- steghide
- LSB Steg
But none of the above gave any kind of result, so we kinda moved on to the other challenges.
DeepSound Extraction
After some time we tried more WAV file hiding tools and went with DeepSound. I already had DeepSound installed in my VM, so I just fired it up…
And oh boy, it was there: challenge.img. We extracted it and transferred it to our host machine for further analysis.
Linux File System (Readonly)
So it was an ext4 Linux disk image, so the next step was pretty obvious.
We found some files and only pastebin.txt seemed to be readable. The RAR files were password protected and we didn't have any hint.
Encryption and Encodings
Initially, we thought pastebin.txt was a hash, as it resembled a raw SHA-256, but oh boy, we wasted time on that lol.
After some time we all went back to reading the challenge description and noticed some special things in there, like :
- Who names their team-mate 5?
- Why is RC capital in aRC Reactor?
- They said the hackers encrypted the data.
5, RC, encrypted ?? DAMN !!!
RC5 ENCRYPTED !!!
So we fired up an online decryption tool and soon found out it was actually RC2 with key=5.
That gave us a Pastebin link; we went there and saw some text which looked like base32 or base64 encoding, so again we put that into online decoders. Yes it was, but it gave some gibberish, and then again the header fixer guy pointed out that it was ROT47, and yes sir, it was!
We got something like an online tag and our Twitter guy said it was a Twitter ID, so we went there and found a tweet.
By just seeing the tweet I knew it was a substitution cipher and what to expect, as the whole structure resembled a URL. Caesar maybe.. that damn ape …
So I fired up another online tool and it was indeed a substitution cipher with a 13 shift, which gave a mega file service link that had a hash stored in there…
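The whole decode chain from the pastebin text to the link in the tweet, as an added example (this is not the team's tooling, and the handle and URL in it are constructed placeholders, not the real ones from the challenge). It guesses base32 versus base64 from alphabet and length, applies ROT47 to the result, then ROT13 to the tweet, which is why the URL punctuation survives the shift and the structure is recognisable. The RC2 step before it is left out because it needs a third-party crypto library.

```python
import base64
import codecs
import re
import string


def looks_like_base32(s: str) -> bool:
    """RFC 4648 base32 alphabet (A-Z, 2-7), '=' padding, length a multiple of 8."""
    return re.fullmatch(r"[A-Z2-7]+=*", s) is not None and len(s) % 8 == 0


def looks_like_base64(s: str) -> bool:
    """Standard base64 alphabet, '=' padding, length a multiple of 4."""
    return re.fullmatch(r"[A-Za-z0-9+/]+=*", s) is not None and len(s) % 4 == 0


def try_decode(s: str):
    """Try base32 then base64; return (scheme, text) for the first one whose
    output is printable ASCII, or (None, s) if neither works."""
    candidates = []
    if looks_like_base32(s):
        candidates.append(("base32", base64.b32decode))
    if looks_like_base64(s):
        candidates.append(("base64", base64.b64decode))
    for name, decode in candidates:
        try:
            out = decode(s).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c in string.printable for c in out):
            return name, out
    return None, s


def rot47(s: str) -> str:
    """Rotate every printable ASCII char (33..126) by 47; applying it twice restores the input."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in s)


def rot13(s: str) -> str:
    """Caesar shift of 13 on letters only, so URL punctuation and digits stay put."""
    return codecs.decode(s, "rot_13")


def solve_chain(pastebin_text: str, tweet_text: str) -> dict:
    """Pastebin text -> base32/base64 -> ROT47 gives the handle; tweet -> ROT13 gives the link."""
    scheme, decoded = try_decode(pastebin_text.strip())
    return {"encoding": scheme, "handle": rot47(decoded), "url": rot13(tweet_text)}


# Constructed inputs: a placeholder handle and URL encoded the way the challenge did.
HANDLE = "@example_handle"                       # constructed, not the challenge's account
URL = "https://example.com/PLACEHOLDER-FILE-ID"  # constructed placeholder link
SAMPLE_PASTEBIN = base64.b32encode(rot47(HANDLE).encode()).decode()
SAMPLE_TWEET = rot13(URL)

if __name__ == "__main__":
    print(SAMPLE_PASTEBIN, "->", solve_chain(SAMPLE_PASTEBIN, SAMPLE_TWEET))
```

The printable-output check is what separates "decoded fine" from "decoded to gibberish": base32 text often also passes the base64 alphabet test, so the decoder tries the stricter alphabet first and only accepts output that reads as text.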
Our Twitter guy was fast enough and gave us the type of hash, MD5, and also the password: Password120.
This can also be done via online services like CrackStation, but I will share a hashcat screenshot as it looks cool and I love OG hash cracking.
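Two small checks that would have saved time on this step, as an added example (not the team's code): a guess at the hash type from length and alphabet alone, which also rules out pastebin.txt since base32 text is not hex, and a tiny wordlist check with hashlib. The digest is computed locally from the password the post names; the actual value from the mega file is not in the write-up, so it is not reproduced here.

```python
import hashlib
import re

# Plain hex digest lengths -> the algorithms that commonly produce them.
HEX_DIGEST_LENGTHS = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 64: ["SHA-256"], 128: ["SHA-512"]}


def guess_hash_types(s: str) -> list:
    """Guess from length and alphabet alone. [] means it is not a bare hex digest,
    which is exactly the check that would have ruled out pastebin.txt early."""
    s = s.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", s):
        return []
    return HEX_DIGEST_LENGTHS.get(len(s), [])


def find_preimage(digest: str, candidates, algo: str = "md5"):
    """Return the first candidate whose digest matches, else None (a tiny wordlist check)."""
    digest = digest.strip().lower()
    for word in candidates:
        if hashlib.new(algo, word.encode()).hexdigest() == digest:
            return word
    return None


# Constructed: the digest is computed here from the password the post names,
# not copied from the challenge file (that value is not in the write-up).
TARGET = hashlib.md5(b"Password120").hexdigest()
WORDLIST = ["password", "Password", "Password1", "stark", "Password120", "tenrings"]

if __name__ == "__main__":
    print(guess_hash_types(TARGET))
    print(find_preimage(TARGET, WORDLIST))
```

A 32-character hex string is ambiguous between MD5 and NTLM, so the guess returns both; the wordlist check confirms which one by actually matching.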
Final Mind F***
So now we had a password and a RAR file, but of course it would not work for 600 points… so we had a non-working password and a RAR file.
We wasted almost 30 mins figuring out why the password was not working and what was wrong with the obvious RAR file.
Then, after we had tried everything, we started studying all the steps and files we got.. and then I noticed something new…
Do you see it? These two files show a similar trend of strings … and after some more observation it was clear that this is also A RAR FILE !! but without a proper header itself …. time for the header fixer guy again XD.
So we just patched the RARv5 header in Null …
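The same observation and fix in code, as an added example (not the team's script, and the sample bytes are constructed, not real archive blocks): a `strings`-style scan that shows what the two files have in common, a signature check for RAR4 versus RAR5, and a repair that writes the RAR5 signature back, either over a nulled-out header or prepended when the file starts straight at the first block.

```python
import re

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def identify_rar(buf: bytes) -> str:
    """'rar5', 'rar4', or 'unknown' based on the signature at offset 0."""
    if buf.startswith(RAR5_MAGIC):
        return "rar5"
    if buf.startswith(RAR4_MAGIC):
        return "rar4"
    return "unknown"


def strings(buf: bytes, minlen: int = 4) -> set:
    """Printable ASCII runs of at least minlen bytes, like the strings(1) tool."""
    return {m.group().decode("ascii") for m in re.finditer(rb"[ -~]{%d,}" % minlen, buf)}


def shared_strings(a: bytes, b: bytes, minlen: int = 4) -> set:
    """Strings present in both files: the 'similar trend of strings' observation."""
    return strings(a, minlen) & strings(b, minlen)


def repair_rar5_header(buf: bytes) -> bytes:
    """Restore the RAR5 signature: overwrite it in place when it has been nulled out,
    prepend it when the file starts straight at the first archive block."""
    if identify_rar(buf) != "unknown":
        return buf
    n = len(RAR5_MAGIC)
    if buf[:n] == b"\x00" * n:
        return RAR5_MAGIC + buf[n:]
    return RAR5_MAGIC + buf


# Constructed sample bytes (not real archive blocks): a known-good RAR5 and one
# with the first 8 bytes nulled, both carrying the same embedded name string.
KNOWN = RAR5_MAGIC + b"\x03\x01\x00STARK-ARCHIVE\x00\x05blueprints.pdf\x00"
NULLED = b"\x00" * 8 + b"\x03\x01\x00STARK-ARCHIVE\x00\x05flag.txt\x00"

if __name__ == "__main__":
    print(identify_rar(KNOWN), identify_rar(NULLED))
    print(shared_strings(KNOWN, NULLED))
    print(identify_rar(repair_rar5_header(NULLED)))
```

Whether to overwrite or prepend depends on what you see in the hex dump: zeros where the signature should be means the header was blanked, anything else means it was cut off, and prepending over real block bytes would shift every offset the extractor relies on.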
And then we tried to extract this with the Twitter guy's password Password120, and DONE !! We saw one of the most beautiful messages of that day …
And we have the flag .. let me make a new header in this post for that …
FLAG
And here you go :
That's all for this post … see ya in the next one!
In the meantime, check out other writeups from my teammates in our GitHub repo: FrigidSec GitHub
This challenge had a significant amount of header fixing, so if you are new to this, check out this article on how to use vim to edit files at the hexadecimal level: Use VIM as HEX editor like a boss