Tags: dtmf forensics audio 


This is the UTCTF 2022 challenge “Sounds Familiar”. Overall, this was a fun challenge and was not what I was expecting at first.
Upon opening the challenge, we are greeted with the following clue and a wav file to download:

I downloaded and played the file and immediately recognized it as the DTMF from a phone keypad. For starters, I wanted to see if there was any files hiding within this file and tried out one of my favorite online steganography decoders: [Futureboy.us/stegano/decinput.html](https://futureboy.us/stegano/decinput.html) however this did not yield any results.

Next, I used the following DTMF decoder [https://github.com/ribt/dtmf-decoder](https://github.com/ribt/dtmf-decoder) and utilized the verbose option like this:

> $ dtmf -v /home/kali/Downloads/super_strange.wav

And I was quickly presented with the following output:


This provides a fairly clean output that corresponds to the timing of the key presses and made it easy to group together the digits. After ignoring the random non-digit characters, I got the resulting string: 100 88 82 106 100 71 90 55 78 87 86 106 99 109 86 48 88 50 89 120 81 68 108 102 90 71 57 102 98 109 57 48 88 122 86 111 81 72 74 108 102 81 61 61.

My first thought was to directly take the letters associated with the key presses, but realized the 1 and 0 don’t correspond to any letters and trying to decipher would need to do something like T9. I didn’t think this was the correct route, so I decided to put it aside if something else didn’t work.

I noticed that the string looked to be in Decimal encoding, so I took that string of digits and went to CyberChef (https://gchq.github.io/CyberChef/) and pasted it into the input field and decided to check out the “Magic” function. This presented me with the output showing that it was first needing to be decoded “From Decimal” and then decoded again “From Base64”.


Overall, not a difficult challenge, but it was fun!

Original writeup (https://medium.com/@mabsimmo/utctf-2022-sounds-familiar-39a809e88a11).