Flash CTF – Phone Home

Challenge Description

I was walking home in the middle of this hacker conference, and my phone started dialing on its own… Thankfully my friend happened to be recording at the time and got this audio of the incident. Can you help me find some clue that might lead back to the hacker?

Solution

Step 1: Analyzing the Audio File

The challenge provides an audio file phonehome.wav that contains what sounds like a phone dialing. The key insight is that this is likely DTMF (Dual-Tone Multi-Frequency) tones – the sounds you hear when pressing phone number keys.

Step 2: Decoding DTMF Tones

To decode the DTMF tones, I used the multimon-ng tool with sox to convert the audio to the proper format:

sox phonehome.wav -t raw -r 22050 -e signed-integer -b 16 -c 1 - | multimon-ng -t raw -a DTMF -

This command:

  • sox phonehome.wav – reads the WAV file
  • -t raw -r 22050 -e signed-integer -b 16 -c 1 - – writes headerless (raw) audio to stdout at a 22050 Hz sample rate, as signed 16-bit samples on a single (mono) channel
  • multimon-ng -t raw -a DTMF - – reads the raw audio from stdin and decodes the DTMF tones in it

Step 3: DTMF Decoding Results

The command successfully decoded the following DTMF sequence:

This gives us the sequence: 15558675309#115145164141103124106173147060164137171060165162137156165155142063162065175

Step 4: Interpreting the Sequence

The sequence can be broken down into two parts:

  1. Phone number: 15558675309 (before the #)
  2. Encoded data: 115145164141103124106173147060164137171060165162137156165155142063162065175 (after the #)

Step 5: Decoding the Encoded Data

The key insight is that the data after the pound sign (#) is encoded in octal. Each group of 3 digits represents an octal number that corresponds to an ASCII character.

Converting the octal groups to ASCII:

  • 115 → M
  • 145 → e
  • 164 → t
  • 141 → a
  • 103 → C
  • 124 → T
  • 106 → F
  • 173 → {
  • 147 → g
  • 060 → 0
  • 164 → t
  • 137 → _
  • 171 → y
  • 060 → 0
  • 165 → u
  • 162 → r
  • 137 → _
  • 156 → n
  • 165 → u
  • 155 → m
  • 142 → b
  • 063 → 3
  • 162 → r
  • 065 → 5
  • 175 → }

Step 6: The Flag

Putting it all together, the decoded message is:

MetaCTF{g0t_y0ur_numb3r5}
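
Steps 2 through 5 can also be reproduced without multimon-ng. The following is an added example, not part of the original write-up: a Goertzel-based DTMF decoder plus the octal-to-ASCII step, exercised on synthetic tones rather than the real phonehome.wav. The function names, the 8000 Hz sample rate, samples scaled to [-1, 1], and tones and gaps of at least about 77 ms (three analysis blocks) are assumptions of this sketch.

```python
import math

LOW = (697, 770, 852, 941)        # DTMF row frequencies, Hz
HIGH = (1209, 1336, 1477, 1633)   # DTMF column frequencies, Hz
KEYS = ("123A", "456B", "789C", "*0#D")
RATE, BLOCK = 8000, 205           # assumed sample rate; samples per analysis block

def synth(keys, ms=80):
    """Constructed test audio: an `ms` dual tone per key, then `ms` of silence."""
    n, out = RATE * ms // 1000, []
    for k in keys:
        row = next(i for i, r in enumerate(KEYS) if k in r)
        lo, hi = LOW[row], HIGH[KEYS[row].index(k)]
        out += [0.5 * math.sin(2 * math.pi * lo * t / RATE)
                + 0.5 * math.sin(2 * math.pi * hi * t / RATE) for t in range(n)]
        out += [0.0] * n
    return out

def goertzel(block, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_dtmf(samples, threshold=400.0):  # threshold assumes samples in [-1, 1]
    """Return the keys pressed. A key counts once it fills two consecutive
    blocks, so a block straddling a tone edge cannot add a spurious key."""
    keys, prev, held = [], None, None
    for i in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[i:i + BLOCK]
        lo = max((goertzel(block, f), n) for n, f in enumerate(LOW))
        hi = max((goertzel(block, f), n) for n, f in enumerate(HIGH))
        key = KEYS[lo[1]][hi[1]] if min(lo[0], hi[0]) > threshold else None
        if key is None:
            held = None               # silence ends the current key press
        elif key == prev and key != held:
            keys.append(key)
            held = key
        prev = key
    return "".join(keys)

def octal_to_text(digits):
    """Read each 3-digit group as an octal ASCII code (Step 5)."""
    if len(digits) % 3:
        raise ValueError("digit count is not a multiple of 3")
    return "".join(chr(int(digits[i:i + 3], 8)) for i in range(0, len(digits), 3))
```

Calling `decode_dtmf(synth(sequence))` on the Step 3 sequence returns it unchanged, and passing the part after the # to `octal_to_text` yields the flag.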