Tuesday, September 22, 2015

CSAW 2015 - Forensics (Keep Calm & CTF, Flash, Airport)


Forensics is always my favorite topic in any CTF.  Some of the challenges on this one turned out a little easy, but it was still very fun!

Keep Calm and CTF (100)

Starting out on this one, I did what I normally do: run strings, exiftool and xxd.
Strings turned up nothing, so next was exiftool:

$ exiftool img.jpg

ExifTool Version Number         : 9.12
File Name                       : img.jpg
Directory                       : .
File Size                       : 92 kB
File Modification Date/Time     : 2015:09:22 09:07:17-07:00
File Access Date/Time           : 2015:09:22 09:07:17-07:00
File Inode Change Date/Time     : 2015:09:22 09:07:17-07:00
File Permissions                : rw-r-----
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
X Resolution                    : 72
Y Resolution                    : 72
Exif Byte Order                 : Big-endian (Motorola, MM)
Resolution Unit                 : inches
Y Cb Cr Positioning             : Centered
Copyright                       : h1d1ng_in_4lm0st_pla1n_sigh7
Image Width                     : 600
Image Height                    : 700
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 600x700

Instantly got the flag from that, hiding in the Copyright field:
h1d1ng_in_4lm0st_pla1n_sigh7
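To show exactly where exiftool is reading that Copyright value from, here is an added example (not part of the original writeup) that walks the JPEG marker segments, finds the Exif APP1 segment, and pulls the Copyright tag (0x8298) out of IFD0 of the embedded TIFF structure. The sample JPEG it builds is a constructed, image-less header whose metadata layout matches a real file, so it runs offline; point find_exif_copyright at real file bytes to use it on a challenge image.

```python
import struct
import sys

COPYRIGHT_TAG = 0x8298  # TIFF/EXIF tag id for Copyright (lives in IFD0)
ASCII_TYPE = 2          # TIFF field type: NUL-terminated ASCII


def _iter_segments(data):
    """Yield (marker, payload) for every JPEG marker segment that precedes
    the entropy-coded image data. Stops at SOS (0xDA) or EOI (0xD9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip it
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            pos += 2
            continue
        if marker in (0xD9, 0xDA):                      # EOI or SOS: metadata is over
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _parse_tiff_copyright(tiff):
    """Walk IFD0 of the TIFF structure inside an Exif APP1 segment and return
    the Copyright string, or None if the tag is absent."""
    order = tiff[:2]
    e = {b"MM": ">", b"II": "<"}.get(order)            # byte order, as exiftool reports it
    if e is None:
        return None
    magic, ifd_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        return None
    (count,) = struct.unpack(e + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, ftype, n, value = struct.unpack(e + "HHI4s", tiff[off:off + 12])
        if tag != COPYRIGHT_TAG or ftype != ASCII_TYPE:
            continue
        if n <= 4:                                      # values up to 4 bytes are stored inline
            raw = value[:n]
        else:                                           # otherwise the field holds an offset
            (data_off,) = struct.unpack(e + "I", value)
            raw = tiff[data_off:data_off + n]
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    return None


def find_exif_copyright(jpeg_bytes):
    """Return the EXIF Copyright field of a JPEG, or None if there is none."""
    for marker, payload in _iter_segments(jpeg_bytes):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_tiff_copyright(payload[6:])
    return None


def build_sample_jpeg(copyright_text):
    """Constructed test input: SOI, a JFIF APP0 segment, an Exif APP1 segment
    whose IFD0 contains only a Copyright entry, and EOI. No image data."""
    value = copyright_text.encode("ascii") + b"\x00"
    n = len(value)
    ifd_off = 8
    data_off = ifd_off + 2 + 12 + 4                     # string goes right after IFD0
    entry_value = value.ljust(4, b"\x00") if n <= 4 else struct.pack(">I", data_off)
    tiff = (b"MM" + struct.pack(">HI", 42, ifd_off)
            + struct.pack(">H", 1)
            + struct.pack(">HHI", COPYRIGHT_TAG, ASCII_TYPE, n) + entry_value
            + struct.pack(">I", 0)
            + (value if n > 4 else b""))
    app0 = b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
    app1 = b"Exif\x00\x00" + tiff

    def segment(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    return b"\xff\xd8" + segment(0xE0, app0) + segment(0xE1, app1) + b"\xff\xd9"


if __name__ == "__main__":
    # Usage: python exif_copyright.py [file.jpg]; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jpeg("h1d1ng_in_4lm0st_pla1n_sigh7")
    print(find_exif_copyright(data))
```

Because the parser stops at the SOS marker, it never touches the compressed image data, which is also why this field survives tools that only recompress the pixels: the metadata segments sit in front of the image.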


Flash (100)

The next one was even easier. As I mentioned in the Crypto writeup, this year I thought I'd run strings on everything, and what do we get?

$ strings flash_c8429a430278283c0e571baebca3d139.img | grep -i "flag{"

flag{b3l0w_th3_r4dar}


Airport (200)

This one was a little obscure: it was more of a stego challenge, with a bit of recon.

First I have to credit my teammate @Matir - https://systemoverlord.com/.  He identified all the airport locations, which was essential to solving for the flag.

In this one we received a directory containing four PNGs and one JPEG, shown below:

$ ls -l

total 17808
drwxrwxrwx  7 user  staff      238 Sep 22 09:24 .
drwxr-xr-x  5 user  staff      170 Sep 18 17:28 ..
-rwxrwxrwx@ 1 user  staff  2198373 Sep 17 10:23 1.png
-rwxrwxrwx@ 1 user  staff  1899632 Sep 17 10:23 2.png
-rwxrwxrwx@ 1 user  staff  2262857 Sep 17 10:23 3.png
-rwxrwxrwx@ 1 user  staff  2744123 Sep 17 10:23 4.png
-rwxrwxrwx@ 1 user  staff     4185 Sep 17 10:59 steghide.jpg

[Images from the original post: 1.png, 2.png, 3.png, 4.png and steghide.jpg]

I ran various stego tools, tried some shifts and bit-plane isolation, LSB extraction, and also XORed the images against each other to see if that would turn up anything.  But the steghide clue was a glaring one.  That couldn't be ignored.

Cloning steghide and running it, we noticed that it won't accept any of the PNG images as cover files.  So the only option was to run it on the steghide image itself.  Love it.

After running through many permutations of possible passwords, we ended up stringing together the airport IATA codes, to see if that would work.

First tried:

$ steghide extract -sf steghide.jpg -p HAV-HKG-LAX-YYZ

steghide: could not extract any data with that passphrase!

No dice.

What about removing the dashes?

$ steghide extract -sf steghide.jpg -p HAVHKGLAXYYZ

wrote extracted data to "key.txt".

$ cat key.txt

iH4t3A1rp0rt5

Got the flag!

flag{iH4t3A1rp0rt5}
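The "many permutations" step above is tedious by hand, so here is an added example (my own code, not from the original writeup) that builds every ordering of the four IATA codes with and without the dash separator and tries each one against steghide. It assumes the steghide CLI is on PATH and uses its documented extract flags (-sf, -p, -xf, -f); the candidate generator itself runs without steghide installed.

```python
import itertools
import shutil
import subprocess

# The four airport codes identified from the images in the writeup.
AIRPORT_CODES = ["HAV", "HKG", "LAX", "YYZ"]


def iata_passphrases(codes, separators=("", "-")):
    """Return every distinct passphrase formed by joining some ordering of
    `codes` with one of `separators`. 4 codes x 2 separators = 48 candidates."""
    seen = set()
    out = []
    for order in itertools.permutations(codes):
        for sep in separators:
            candidate = sep.join(order)
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


def try_steghide(stego_file, passphrase, out_file="key.txt"):
    """Run `steghide extract` with one passphrase. Returns True when steghide
    exits 0 (data extracted), False on a wrong passphrase, None if the
    steghide binary is not installed."""
    if shutil.which("steghide") is None:
        return None
    result = subprocess.run(
        ["steghide", "extract", "-sf", stego_file, "-p", passphrase,
         "-xf", out_file, "-f", "-q"],            # -f overwrites out_file, -q keeps it quiet
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_passphrase(stego_file, codes=AIRPORT_CODES):
    """Try each candidate in order and return the first one steghide accepts,
    or None if none work (or steghide is unavailable)."""
    for candidate in iata_passphrases(codes):
        if try_steghide(stego_file, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Usage: python airport_steghide.py  (expects steghide.jpg in the current directory)
    hit = find_passphrase("steghide.jpg")
    print("passphrase:", hit if hit else "not found / steghide missing")
```

Order and separator are the two variables the writeup actually guessed over, so the candidate list stays small (48 entries); anything larger than that and you would want steghide's own wordlist handling rather than a shell loop.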