fixed image URLs in markdown

Author: cacama-valvata

content/blog/angstromCTF-streams.md

@@ -27,7 +27,7 @@ First, we deduced some information about the challenge by reading the descriptio
 
 We then proceeded to inspect the website – the HTML looks pretty standard, and I decided to leave player.js alone and come back to it if we failed to find a solution (would be more of a web challenge at that point). Under the ‘Network’ tab, we see that there appear to be two streams of chunks:
 
-![Screenshot of Network monitor on ](/static/blog/angstromctf-streams-network.jpg)
+![Screenshot of Network monitor on ](/blog/angstromctf-streams-network.jpg)
 
 - chunk-stream0-0000*.m4s chunks initiated by init-stream0.m4s
 - chunk-stream1-0000*.m4s chunks initiated by init-stream1.m4s 

content/blog/auctf-aliedas-about-some-thing.md

@@ -23,13 +23,13 @@ Author: c
 
 `AUCTFShh` looks like a username. To find where that username is in use, we can either check manually (as I started out doing), or use some tools from the [OSINT Framework Site](https://osintframework.com/). Specifically, I used `OSINT Framework` > `Username` > `Username Search Engines` > `Namechk`.
 
-![Screenshot of Namechk service for username 'AUCTFShh'](/static/blog/auctf-aliedas-about-some-thing-namechk1.png)
+![Screenshot of Namechk service for username 'AUCTFShh'](/blog/auctf-aliedas-about-some-thing-namechk1.png)
 
 I opened each of the greyed out sites in a tab, and looked through each for anything suspicious. The usual suspects (Twitter, Instagram, Reddit) were all blank (even on the Wayback Machine), so on further…
 
 The Steam account by the name of `AUCTFShh` [link](https://steamcommunity.com/id/AUCTFShh) [archive](http://archive.today/2020.04.06-023418/https://steamcommunity.com/id/AUCTFShh) shows that this user has aliased their user name to `youllneverfindmese`. Back to [Namechk](https://namechk.com/):
 
-![Screenshot of Namechk service for username 'youllneverfindmese'](/static/blog/auctf-aliedas-about-some-thing-namechk2.png)
+![Screenshot of Namechk service for username 'youllneverfindmese'](/blog/auctf-aliedas-about-some-thing-namechk2.png)
 
 The first thing I noticed is the PasteBin account listed. Visiting it reveals that this user has one page [link](https://pastebin.com/qMRYqzYB) [archive](http://archive.today/2020.04.06-023833/https://pastebin.com/qMRYqzYB). It contains:
 

content/blog/auctf-osint-you-all-over-the-place.md

@@ -35,7 +35,7 @@ A Google search turns up first result of Shannon’s linkedin profile [link](htt
 
 This in turn has a photo on it, which is of some text:
 
-![Photo of a computer screen showing the Lorem Ipsum text containing a CTF flag](/static/blog/auctf-osint-you-all-over-the-place-lorem.jpg)
+![Photo of a computer screen showing the Lorem Ipsum text containing a CTF flag](/blog/auctf-osint-you-all-over-the-place-lorem.jpg)
 
 There is “auctf” and some leetspeak in there, but it is surrounded by (and split up by) the default sample text (“Lorem ipsum dolor sit amet”). We need to remove that, which I did manually (for each word after “auctf”, if it is in the default text, do not count it in the flag) (based on [this](https://loremipsum.io/):
 

content/blog/bsidespdx-2022.md

@@ -15,6 +15,6 @@ Many thanks to the BSidesPDX crew for hosting another great year! The passion an
 
 For more information on BSidesPDX, please visit: [https://bsidespdx.org/](https://bsidespdx.org/)
 
-![The OSUSEC team at BSides, crammed into an elevator, ready to head home.](/static/blog/bsidespdx-2022-elevator.jpg)
+![The OSUSEC team at BSides, crammed into an elevator, ready to head home.](/blog/bsidespdx-2022-elevator.jpg)
 
-![The CTF team in the “Big W” closet.](/static/blog/bsidespdx-2022-closet.jpg)
+![The CTF team in the “Big W” closet.](/blog/bsidespdx-2022-closet.jpg)

content/blog/bsidespdx-down-the-rabbit-hole.md

@@ -65,7 +65,7 @@ To get result `BSIDESTROLOLOLOL`. Bummer, but at least we can cross off this lea
 
 The message on the top of the screen was decoded, as it was quickly identified to be the [pigpen cipher](https://en.wikipedia.org/wiki/Pigpen_cipher).
 
-![Screenshot of rune-like text, the pigpen cipher](/static/blog/bsidespdx-down-the-rabbit-hole-pigpen.png)
+![Screenshot of rune-like text, the pigpen cipher](/blog/bsidespdx-down-the-rabbit-hole-pigpen.png)
 
 `not a flag either`
 
@@ -93,11 +93,11 @@ Following [an extremely thorough guide about how to decode this very kind of fil
 
 I was a bit slow to start it the first time, so I got the second half first:
 
-![Screenshot of grainy black and white video featuring a can of ovaltine and half of the CTF flag overtop](/static/blog/bsidespdx-down-the-rabbit-hole-ovaltine1.png)
+![Screenshot of grainy black and white video featuring a can of ovaltine and half of the CTF flag overtop](/blog/bsidespdx-down-the-rabbit-hole-ovaltine1.png)
 
 … and the second part on the second run:
 
-![Screenshot of grainy black and white video featuring a can of ovaltine and half of the CTF flag overtop](/static/blog/bsidespdx-down-the-rabbit-hole-ovaltine2.png)
+![Screenshot of grainy black and white video featuring a can of ovaltine and half of the CTF flag overtop](/blog/bsidespdx-down-the-rabbit-hole-ovaltine2.png)
 
 ```
 BSidesPDX{b3_sUR3_T0_dr!nk_y0Ur_Ov4ltin3}

content/blog/bsidespdx-please-stand-by.md

@@ -33,19 +33,19 @@ These QR codes, however, are obviously incomplete, as evidenced by the fractiona
 
 Following that, we screenshotted each image. Here they are:
 
-![A fragment of a QR code](/static/blog/bsidespdx-please-stand-by-1.png)
+![A fragment of a QR code](/blog/bsidespdx-please-stand-by-1.png)
 
-![A fragment of a QR code](/static/blog/bsidespdx-please-stand-by-2.png)
+![A fragment of a QR code](/blog/bsidespdx-please-stand-by-2.png)
 
-![A fragment of a QR code](/static/blog/bsidespdx-please-stand-by-3.png)
+![A fragment of a QR code](/blog/bsidespdx-please-stand-by-3.png)
 
-![A fragment of a QR code](/static/blog/bsidespdx-please-stand-by-4.png)
+![A fragment of a QR code](/blog/bsidespdx-please-stand-by-4.png)
 
 If we think about the regular format for QR codes, we would expect the “Position Patterns” (the square shaped sets of pixels) to be in the corners, so that informs us about the first orientation we should try.
 
 In [Gimp](https://www.gimp.org/), we can stitch these together, and we get the following:
 
-![](/static/blog/bsidespdx-please-stand-by-qr.png)
+![](/blog/bsidespdx-please-stand-by-qr.png)
 
 When scanned, that QR code becomes the text:
 

content/blog/defcon-qualifiers-2019-redacted-puzzle.md

@@ -40,7 +40,7 @@ Megapixels                      : 0.922
 
 OK. We know that this is likely a GIF with 35 frames. Let’s try opening it:
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-1.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-1.jpg)
 
 Let’s gather some more information about this GIF:
 
@@ -60,33 +60,33 @@ $identify -verbose redacted-puzzle.gif
 
 That is a bit of a weird color map… Those should correspond with different colors. Let’s open this image in [gimp](https://www.gimp.org/). We use the `Open as Layers` option to get each frame as an individual layer.
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-2.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-2.jpg)
 
 Much layers. Next, we gotta fix that color mapping issue. `Colors>Map>Set Color Map` and choose `Pallete>Ega`:
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-3.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-3.jpg)
 
 Well, we know what the flag’s alphabet will be. Then, after looking at each slide . . . 
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-4.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-4.jpg)
 
 We determined it best to remove the black backgrounds on each. One by one.
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-5.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-5.jpg)
 
 Now we can see them all overlapping. They form some sort of circle:
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-6.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-6.jpg)
 
 Let’s examine only a couple…
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-7.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-7.jpg)
 
 That is intresting. Going off a hunch, we decided to build sets of binary digits representing if the vertex of a frame was where one of the verticies of the overall ‘octagon’, using dots in the background:
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-8.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-8.jpg)
 
-![](/static/blog/defcon-qualifiers-2019-redacted-puzzle-9.jpg)
+![](/blog/defcon-qualifiers-2019-redacted-puzzle-9.jpg)
 
 As we repeated that for each layer, the shapes’ verticies started to ‘rotate’, or ‘drift’ (thus why when all overlayed, they formed a circle, not octagon). We decided to track the movment and adjust the background dots. We generated the ‘bytes’:
 

content/blog/doe-cyberforce-competition-2021.md

@@ -22,7 +22,7 @@ The team roster was:
 
 The final scoreboard was as follows, if a link to an official final scoreboard is made available, I will link it here. 
 
-![Screenshot of the scoreboard, showing Oregon State University in 7th place](/static/blog/doe-cyberforce-competition-2021-scoreboard.png)
+![Screenshot of the scoreboard, showing Oregon State University in 7th place](/blog/doe-cyberforce-competition-2021-scoreboard.png)
 
 We look forward to returning next year, even better prepared for the new competition format!
 

content/blog/fword-ctf-identity-fraud.md

@@ -21,7 +21,7 @@ Points: 419 Solves: 86 Category: OSINT
 
 We start at the twitter page of the account mentioned in the challenge description: [@1337bloggs](http://archive.today/2020.08.31-140505/https://twitter.com/1337bloggs/with_replies), and we are greeted with this tweet:
 
-![Screenshot of tweet advertising needing a final CTF player for a team](/static/blog/fword-ctf-identity-fraud-tweet.jpg)
+![Screenshot of tweet advertising needing a final CTF player for a team](/blog/fword-ctf-identity-fraud-tweet.jpg)
 
 This indicates that at some point (around 8/26/2020), Eword had something on their CTFTime page. Over to the Wayback Machine! It shows two captures in 2020, 08/26 and 08/27. Let’s view [the 08/26 capture](https://web.archive.org/web/20200826195056/https://ctftime.org/team/131587) – it appears to link to a PasteBin:
 
@@ -41,39 +41,39 @@ https://pastebin.com/PZvaSjA0
 
 Clearly we have to find the leader of Eword (we’ll get to that in a second), but we inspect this [new pastebin](https://pastebin.com/PZvaSjA0) first. It contains a bunch of what looks to be base64 data, so we put it into [cyberchef](https://gchq.github.io/CyberChef) and get this image out:
 
-![Picture of Hilton hotel with text around it.](/static/blog/fword-ctf-identity-fraud-hilton.jpg)
+![Picture of Hilton hotel with text around it.](/blog/fword-ctf-identity-fraud-hilton.jpg)
 
 It shows us a Hilton hotel somewhere, and the size of the image is `1080X2094` – an unfamiliar resolution to me, so I googled it up, and it appears that this is a resolution used by Instagram. I also tried using Google Image reverse search to locate the hotel, however I was unsuccessful there, too, not that it would have helped too much.
 
 > Note: if Instagram stories were indexed in a reverse image search engine like Google reverse image search, or TinEye, you would be able to jump to the end of the challenge using this information (instagram, photo), however I tried this and could not get success at the time.
 
 So we are looking for something that has to do with a Hilton and Eword Team, let’s use Google: when we search for `"Hilton" "Eword" "team"`, we are greeted with a review for a Hilton in Podgorica, Montenegro:
 
-![Screenshot of Google result that is a TripAdvisor review of the hotel](/static/blog/fword-ctf-identity-fraud-google-hilton.png)
+![Screenshot of Google result that is a TripAdvisor review of the hotel](/blog/fword-ctf-identity-fraud-google-hilton.png)
 
 Clicking that link gives us a tripadvisor page where we can search for that review with `Ctrl + F`.
 
-![Screenshot of a TripAdvisor review about the hotel](/static/blog/fword-ctf-identity-fraud-tripadvisor-review.png)
+![Screenshot of a TripAdvisor review about the hotel](/blog/fword-ctf-identity-fraud-tripadvisor-review.png)
 
 Looking further into that user, it’s clear what we have to do:
 
-![Screenshot of the TripAdvisor accounc that wrote the review](/static/blog/fword-ctf-identity-fraud-tripadvisor-account.png)
+![Screenshot of the TripAdvisor accounc that wrote the review](/blog/fword-ctf-identity-fraud-tripadvisor-account.png)
 
 We need to check the instagram of Wokaihwokomas Kustermann, which will likely be under the name he has in the Intro section, `wokaihwokomaskustermann`. Notably, you cannot just search for the username in google:
 
-![Screenshot of google returning no results upon searching for the Instagram username](/static/blog/fword-ctf-identity-fraud-failed-google.png)
+![Screenshot of google returning no results upon searching for the Instagram username](/blog/fword-ctf-identity-fraud-failed-google.png)
 
 Instead, you will need to go to log in to instagram first, then search for the username, and [the account indeed shows up](https://www.instagram.com/wokaihwokomaskustermann/). There are a couple “Highlights”, the first of which is the hotel image we got earlier, the second says:
 
-![Screenshot of an Instagram highlight](/static/blog/fword-ctf-identity-fraud-instagram-highlight.png)
+![Screenshot of an Instagram highlight](/blog/fword-ctf-identity-fraud-instagram-highlight.png)
 
 Well, that seems indicative that we need to get the original image behind the circular profile pic (the other picture on their instagram is not the same as their profile pic), and we do that with a bit of inspect element and a `wget` request to save it:
 
-![Photo of a man smiling at the camera with text at the bottom](/static/blog/fword-ctf-identity-fraud-pfp-small.jpg)
+![Photo of a man smiling at the camera with text at the bottom](/blog/fword-ctf-identity-fraud-pfp-small.jpg)
 
 There’s very obviously a flag along the bottom (or some other writing), however it is too low res to read. Instead of figuring out how to make a properly formed request to Instagram’s `cdn` servers, I used a tool called [instadp](https://www.instadp.com/) to get [a full sized display picture](https://www.instadp.com/fullsize/wokaihwokomaskustermann):
 
-![Photo of a man smiling at the camera with text at the bottom, the text now large enough to be legible](/static/blog/fword-ctf-identity-fraud-pfp-big.jpg)
+![Photo of a man smiling at the camera with text at the bottom, the text now large enough to be legible](/blog/fword-ctf-identity-fraud-pfp-big.jpg)
 
 That’s all there is to it!
 

content/blog/houseplantctf-catography-writeup.md

@@ -64,7 +64,7 @@ $ exiftool -fileOrder gpsdatetime -p gpx.fmt /path/to/all_cats > out.gpx
 
 Now, using [this online tool](https://www.gpsvisualizer.com/map?output_home) we can output this data as a png, and interpret the flag from the path:
 
-![Diagram depicting flight path that spells out the flag](/static/blog/houseplantctf-catography-writeup-flightpath.jpg)
+![Diagram depicting flight path that spells out the flag](/blog/houseplantctf-catography-writeup-flightpath.jpg)
 
 ```
 rtcp{4round_7h3_w0r1d}

content/blog/houseplantctf-satans-jigsaw-writeup.md

@@ -27,7 +27,7 @@ Then, comes the fun part. Before reading the hint, I tried just forming the imag
 
 The hint makes obvious that we must convert the decimal part of the filename to bytes, but it does not explain what to do with those. However, after trying it out, we saw that the he decoded filenames contain an X and Y ‘coordinate’ in the format “X Y”. Decoding all this, sorting, and making an image is all achieved in the script [image_reconstruct.py](https://github.com/lyellread/ctf-writeups/blob/master/2020-houseplant/satans-jigsaw/image_reconstruct.py).
 
-![A picture of a pencil held in a hand with two QR codes overlaid on top of it](/static/blog/houseplantctf-satans-jigsaw-writeup-pencil.jpg)
+![A picture of a pencil held in a hand with two QR codes overlaid on top of it](/blog/houseplantctf-satans-jigsaw-writeup-pencil.jpg)
 
 The top left QR code was essential to solving the challenge, however the bottom right one contains the flag.
 

content/blog/nahamconctf-finsta.md

@@ -21,7 +21,7 @@ I used the `namechk` tools from the [OSINT Framework Site](https://osintframewor
 
 `namechk` tells me that there are claimed usernames for the name `NahamConTron` for many sites, including Instagram.
 
-![Screenshot of website namechk for username NahamConTron](/static/blog/nahamconctf-finsta-namechk.jpg)
+![Screenshot of website namechk for username NahamConTron](/blog/nahamconctf-finsta-namechk.jpg)
 
 Checking out [the Instagram account](https://www.instagram.com/NahamConTron/), we get the flag.
 

content/blog/nahamconctf-microosoft.md

@@ -23,7 +23,7 @@ draft: false
 
 Opening the file does not do much, but it would not be that easy.
 
-![Screenshot of open Word document spelling "oof"](/static/blog/nahamconctf-microosoft-docx.jpg)
+![Screenshot of open Word document spelling "oof"](/blog/nahamconctf-microosoft-docx.jpg)
 
 Using file we can find out that this is an OOXML document:
 
@@ -34,7 +34,7 @@ microsooft.docx: Microsoft OOXML
 
 Based on this, and [some quick reading](https://ntnuopen.ntnu.no/ntnu-xmlui/bitstream/handle/11250/198656/EDidriksen.pdf?sequence=1), we can see that this format can contain files. To view these files, I first tried [this chrome extension](https://chrome.google.com/webstore/detail/ooxml-tools/bjmmjfdegplhkefakjkccocjanekbapn?hl=en), before settling on getting a trial licensed version of [OxygenXML.](https://www.oxygenxml.com/) Opening it in here, and viewing the file `src/oof.txt` gives us the flag:
 
-![Screenshot of Word document dissected into ZIPped files, including oof.txt](/static/blog/nahamconctf-microosoft-oxygen.png)
+![Screenshot of Word document dissected into ZIPped files, including oof.txt](/blog/nahamconctf-microosoft-oxygen.png)
 
 ```
 flag{oof_is_right_why_gfxdata_though}

content/blog/nahamconctf-time-keeper.md

@@ -25,7 +25,7 @@ After scoping out that site, the title and description heavily hint towards use
 
 First, I noted that there were only two captures, so I figured it would be worth it to compare them. In doing so, I came upon [this](https://web.archive.org/web/diff/20200509205430/20200418214642/https://apporima.com/):
 
-![Screenshot of webpage telling the reader that the flag is at ./flag.txt](/static/blog/nahamconctf-time-keeper-diff.png)
+![Screenshot of webpage telling the reader that the flag is at ./flag.txt](/blog/nahamconctf-time-keeper-diff.png)
 
 It clearly indicates that we need to browse to `apporima.com/flag.txt` but in current times, that page does not exist. What else to do but browse it in the Wayback Machine? It gives us [this page](https://web.archive.org/web/20200418213402/https://apporima.com/flag.txt).
 

content/blog/nahamconctf-tron.md

@@ -21,7 +21,7 @@ I used the `namechk` tools from the [OSINT Framework Site](https://osintframewor
 
 `namechk` tells me that there are claimed usernames for the name NahamConTron for many sites:
 
-![Screenshot of namechk for user NahamConTron](/static/blog/nahamconctf-tron-namechk.png)
+![Screenshot of namechk for user NahamConTron](/blog/nahamconctf-tron-namechk.png)
 
 Now that we have exhausted Instagram, I opened up all the other sites with claimed usernames for `NahamConTron` and systematically eliminated them. I ended up at the GitHub account owned by `NahamConTron`, and it included [a dotfiles repo](https://github.com/lyellread/ctf-writeups/blob/master/2020-nahamconctf/tron/dotfiles). This in turn contains [a bash history file](https://github.com/lyellread/ctf-writeups/blob/master/2020-nahamconctf/tron/dotfiles/.bash_history) that gives us the command that was run to access the server:
 

content/blog/nccdc-2023.md

@@ -19,6 +19,6 @@ The team consisted of Julie Weber, Mike Carris, Matt Jansen, Evan Mrazik, Otso B
 
 Congratulations to Stanford University, who finished first place!
 
-![Polaroid picture of OSUSEC’s CDC team posing by the school flag](/static/blog/nccdc-2023-polaroid.jpg)
+![Polaroid picture of OSUSEC’s CDC team posing by the school flag](/blog/nccdc-2023-polaroid.jpg)