Neurocracked CTF Part One: Upgrade Required

Earlier this month, Cyber Now released a couple of Capture the Flag exercise series and I just went thorough the first one. I wanted to do a write up to detail how I captured the flag, and start a blog series for future CTF write ups. So this is my first entry in that series although its not my first successful CTF.

What makes the Cyber Now CTF exercises interesting is the story driven approach, here is the description from the LinkedIn post:

🚨 The world’s first cinematic, story-driven CTF is here - and it’s FREE.

Are you ready to trace rogue neural updates, decode forbidden implants, and expose the black-market syndicate selling minds for profit?

🔍 Welcome to NEUROCRACKED, a multi-part Capture the Flag experience where every flag uncovers a deeper layer of conspiracy. Exclusively on the World's Largest SOC Analyst Knowledge Base.

🧠 Written like a sci-fi thriller.
💻 Played like a real-world cyber challenge.
📍 Hosted by Cyber NOW Education.

The Backstory

The story surrounding this CTF is pretty interesting, you can read it here, Im going to concentrate on the CTF walk through.

The Challenge

You’ve intercepted a corrupted firmware file: brainos_v14.2_patch.img.There’s an embedded ASCII payload designed to hide from normal detection tools. It contains a known trigger phrase, used to activate compromised individuals.

Your Objective:

1. Extract readable strings from the binary.

2. Identify the suspicious string containing ECHO_WORDS.

3. Submit the SHA-256 hash of that entire string.

4. Format your answer as: CTF(SHA256_HASH_OF_PAYLOAD)

Included Files:

• brainos_v14.2_patch.img

• README.txt (Instructions)

The Instructions

CTF Challenge #001 – "Payload in Plain Sight" (Strings Edition)

Objective:

• Use a strings-based approach to analyze brainos_v14.2_patch.img

• Locate a suspicious ASCII payload embedded in the binary (Hint: it contains the phrase "ECHO_WORDS")

• Submit the SHA-256 hash of the full payload string

The Tips

For full context reading the story is recommended.

Pro Tips:

• Use tools like strings, grep, or a Python regex to find printable substrings.

• Only one string contains the final trigger signature.

• Be careful what you say out loud while analyzing it...

Ongoing Investigation:

trust no one-some of them might already be activated.

The Walk Through

1. First download the zip file provided in the in the story page, then extract it somewhere of your choosing.

2. The 2 included files mentioned above will be found in the folder named:

   CTF001_Neurocracked

3. Open a terminal and navigate to the folder in step 2.

4. We were given clues in the tips, so lets run this command in the terminal:

    strings brainos_v14.2_patch.img > brainos_strings.txt
   

   This is our string based approach analyzing the brainos_v14.2_patch.img file. This command produces a text file named brainos_strings.txt that contains all the printable characters found in the .img file.

5. Next will use grep to search for “ECHO_WORDS", from the instructions. Run this command in the terminal:

    grep "ECHO_WORDS" brainos_strings.txt
   

   This will give us the full payload string needed to continue.

6. The instructions state we need to submit a SHA-256 hash, so this is the next command to run:

    echo -n "ENTER FULL PAYLOAD STRING HERE" | sha256sum
   

   You will need to replace “ENTER FULL PAYLOAD STRING HERE” with the actual payload string found in step 5.

7. Next head over to the Neurocracked CTF portal, and submit the hash produced in step 6:

   

And that’s how I captured the flag, I hope this helps anyone that might have had troubles. Ill be continuing on with this series as time permits. Thanks for reading and see you in the next one!