
Monday, September 7, 2015

MMA CTF 2015 - Splitted (30)

This challenge started with a 7z that extracted a pcap.
Launching wireshark, I sort by the length column to check the largest packets captured.

Looks like there's a zip that was transferred, this is probably what we need to extract, also looks like it's in multiple chunks ('splitted').



After naively doing a "Follow TCP Stream" and exporting the data, I realized the segments were in the wrong order.  Notably the "PK" bytes were in the middle, which are part of the magic bytes for a zip file.  Now we need to figure out how to arrange it correctly.  The intuition of where to find this data came from a friend on the team - http://lockboxx.blogspot.com/
On a past challenge he had mentioned there are parts of the packet describing the order in which streams are constructed.  Looking a little further I found the "Content-Range" attribute needed to reconstruct the original file.

By the way, if anyone knows of a nice way in python to pull the "Content-Range" section out of the HTTP headers, please leave a comment below, I would love to know!



In this example, we're looking at the 2nd packet in the chain of total split packets.  It shows the Content-Range is 269-937.  Now we just need to export each data portion of the packet to a file.  We'll start by copying the hex representations to a python file and export the zip this way.

By right-clicking on the field underneath "Media Type" we can go to Copy > Bytes > Hex Stream, which will be the representation of bytes in the payload section of this packet only (a lot nicer than trimming down the header section of each packet).



Following the "Content-Range" attribute for each packet, we assemble a python file that will export the zip file contained within the capture:
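
An added example, not the author's script: one way to do this reassembly in Python, including pulling "Content-Range" out of the HTTP headers as asked above. It assumes each HTTP 206 response is available as raw bytes (headers plus body); the function names and the sample zip are constructed for illustration.

```python
import io
import re
import zipfile

# Content-Range: bytes <first>-<last>/<total>, both ends inclusive
RANGE_RE = re.compile(rb"^Content-Range:\s*bytes\s+(\d+)-(\d+)/(\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

def parse_partial(response):
    """Split one raw HTTP 206 response into (first, last, total, body)."""
    head, sep, body = response.partition(b"\r\n\r\n")
    match = RANGE_RE.search(head)
    if not sep or match is None:
        raise ValueError("not a response with a Content-Range header")
    first, last, total = (int(g) for g in match.groups())
    if last >= total or len(body) != last - first + 1:
        raise ValueError(f"body does not fit range {first}-{last}/{total}")
    return first, last, total, body

def reassemble(responses):
    """Rebuild the file from partial responses captured in any order."""
    parts = sorted(parse_partial(r) for r in responses)
    out = bytearray()
    for first, _last, _total, body in parts:
        if first != len(out):  # gap or overlap between ranges
            raise ValueError(f"expected offset {len(out)}, got {first}")
        out += body
    if not parts or any(p[2] != len(out) for p in parts):
        raise ValueError("incomplete file or inconsistent total size")
    return bytes(out)

def build_sample():
    """Constructed data: a small zip cut into three shuffled 206 responses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.txt", "constructed sample, not the challenge flag")
    data = buf.getvalue()
    cuts = [0, 40, 90, len(data)]
    ranges = [(a, b - 1) for a, b in zip(cuts, cuts[1:])]
    return data, [
        b"HTTP/1.1 206 Partial Content\r\n"
        + f"Content-Range: bytes {a}-{b}/{len(data)}\r\n\r\n".encode()
        + data[a:b + 1]
        for a, b in (ranges[2], ranges[0], ranges[1])  # out of order
    ]

if __name__ == "__main__":
    _, responses = build_sample()
    print(zipfile.ZipFile(io.BytesIO(reassemble(responses))).namelist())
```

The gap check in `reassemble` also catches a missing segment, which a plain sort-and-concatenate would silently turn into a corrupt zip.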


Now we can extract it with unzip, and check what's inside!
Looks like we have a file called flag.psd.
Let's open that up in gimp and see what we've got.



Looks like we've got a blank canvas!  But there's another layer in the psd.  Turning off the first layer, or swapping the layers seems to do the trick.


MMA CTF 2015 - Nagoya Castle (100)


This challenge was a fun relaxing one, playing around in GIMP and eventually discovering a new tool which looks useful for future stego challenges.

The Image provided can be seen above. An upshot of a Beautiful Castle in Central Japan.

My first intuition was to go into GIMP and start playing around with threshold, color balance and curves.
Out of that I got a partial reveal of the Flag:


After taking a break and coming back, I decided to research what other people were doing to solve CTF stego challenges out there.
I stumbled upon Balda's Stegpy Release page -
http://www.balda.ch/posts/2013/Jun/04/release-stegpy/

Github link - https://github.com/Baldanos/Stegpy


After playing around with this tool (Which was very nice to use), I found the flag within seconds:
$ python stegpy.py -V castle.png

Sunday, August 16, 2015

Defcon 23 :: OpenCTF 2015 - Enhance (50)

OpenCTF was a great time at Defcon23 this year. One of the first challenges I attempted was this one called "Enhance".

By the name I almost immediately associated it with all those bad hacker moments in Movies & TV Shows where they shout out "Enhance! Zoom In! Sharper!"

I learned later this was a reference to the Super Troopers scene, you can find a snippet of this great moment here - https://www.youtube.com/watch?v=_KN42ntgmdw

For this challenge we were given a high resolution jpeg image. Here's a smaller version of the original image:



I had originally opened this in 'feh' which is a great application you can get on linux. When opening in feh, it was automatically zoomed to 100%. This helped a lot when solving the challenge. After looking around I started to think where someone would hide data, it would probably be in the reflection! I remember hearing something about a CSI episode where they found evidence based on the reflection of an eye or watch or something similar. So that's where I looked first. After looking at the eyes, I found a QR code hidden in the reflection.



After flipping the orientation and taking my phone out for the QR code, I got nothing. Looks like the QR code needed to be "Enhanced".

Going into GIMP, I boosted the levels a bit and took another shot and BOOM, there was the flag! :)
Also when scaling it back up, make sure no Interpolation is set so that it stays crisp.
Another Note: QRDroid ended up doing the trick on the messy QR Code



Flag:
Ju5tPr1nTheDAmNTh1n6