Introduction

The fine folks over at RITSEC were kind enough to host a CTF over the past few days. I didn’t manage to complete as many challenges as I wanted to, but the ones that I solved or made an attempt to solve were really interesting, so a big shout out to the organisers and challenge creators over at RITSEC!


Table of Contents

  1. Stego
    1. the_doge
  2. Forensics
    1. Take_it_to_the_Cleaners
    2. findme


Stego

the_doge

So from the challenge description, it looks like the image is hiding a message, so let’s grab the image and see what we’re working with!

My process for dealing with Steganography challenges is to run the image through the following:

  • Check the metadata with exiftool
  • Run the file through binwalk to see if there are any embedded files
  • See if I can carve any files out of it with foremost
  • If the file is an image, load it in StegSolve and step through each of its colour-plane filters to see if there are any hidden visual messages
  • See if I can retrieve the hidden message with StegHide using an empty password
  • Run StegCracker against it with the rockyou wordlist
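As an added example (it is not code from the original write-up, nor how binwalk or foremost are implemented), here is a small Python script that does the signature-scan part of the binwalk and foremost steps by hand: it lists known file headers found anywhere inside an image and reports any bytes appended after the image's real end marker, which is the most common way a hidden file ends up inside a CTF picture. The 1x1 PNG with a fake ZIP header glued on the end is constructed inline so the script runs offline.

```python
"""Signature scan for an image file: list known file headers found inside the
blob and report any data appended after the image's own end marker.
Added example for this write-up; it is not binwalk, foremost or the
challenge author's code, and the sample PNG below is constructed."""
import struct
import zlib

# A few signatures that binwalk/foremost would flag (subset, for illustration).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b\x08": "gzip data",
    b"%PDF-": "PDF document",
    b"Rar!\x1a\x07": "RAR archive",
}


def find_signatures(blob):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def png_end(blob):
    """Offset just past the IEND chunk, or None if this is not a well-formed PNG."""
    if not blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end(blob):
    """Offset just past the first EOI marker (FF D9), or None if not a JPEG.
    Caveat: an EXIF thumbnail also ends with FF D9, so treat this as a hint."""
    if not blob.startswith(b"\xff\xd8"):
        return None
    idx = blob.find(b"\xff\xd9", 2)
    return None if idx == -1 else idx + 2


def trailing_data(blob):
    """Bytes appended after the image proper (the classic `cat secret.zip >> pic.png`)."""
    end = png_end(blob) if blob.startswith(b"\x89PNG") else jpeg_end(blob)
    return b"" if end is None else blob[end:]


def make_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def sample_png_with_zip():
    """Constructed 1x1 RGB PNG with a fake ZIP header glued on after IEND."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    iend = make_chunk(b"IEND", b"")
    png = b"\x89PNG\r\n\x1a\n" + ihdr + idat + iend
    return png + b"PK\x03\x04" + b"hidden-archive-bytes"


if __name__ == "__main__":
    blob = sample_png_with_zip()
    for off, desc in find_signatures(blob):
        print(f"{off:#010x}  {desc}")
    extra = trailing_data(blob)
    print(f"{len(extra)} bytes after the image end marker: {extra[:12]!r}...")
```

Run it on a real suspect file by replacing `sample_png_with_zip()` with `open(path, "rb").read()`. A signature hit at offset 0 is just the image itself; a second hit, or any non-empty trailing data, is what deserves a closer look with binwalk or foremost.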

So after running through all of these steps (except that last one, which, as I later learned, would have given me the password), I reread the challenge description, specifically where it says to feed the doge a treat to get the hidden message.

Boom. Light bulb moment.

Running StegHide again and giving the word treat as the password gives us the flag!



Forensics

Take it to the Cleaners

First thing that comes to mind from reading the challenge description is metadata.

Running exiftool on the image gives us this output.

The thing that stands out is the user comment field, which contains what looks like an encoded string: RVZHRlJQe1NCRVJBRlZQRl9TTlZZRl9KQkFHX1VSWUNfTEJIX1VSRVJ9.

Popping open CyberChef (which is a great utility that handles quite a lot of use cases), I start by running a base64 decode on the string, which gives me some recognisable text: EVGFRP{SBERAFVPF_SNVYF_JBAG_URYC_LBH_URER}.

This looks like a substitution cipher, since the braces and underscores of the flag format survived while the letters are scrambled, so the first thing I do is run it through the classic ROT13 decode.

And presto! We get the flag!



findme

Time for a good ol’ forensic PCAP challenge, let’s load it up!

Checking out the PCAP, we can see an HTTP request and a bunch of TCP packets. Looking at the HTTP packets, we can see a request and a response; if we check out the response, we can look at the HTML page it returned.


So what we get is a link to http://phrack.org/issues/7/3.html, which is the famous article The Conscience of a Hacker, better known as The Hacker Manifesto. Our flag probably won’t be on the Phrack article page, but it’s an interesting read nonetheless.

Having a close peek at the long string that’s been commented out on the HTML page, we can see that it ends with an = sign, which is the padding you’d expect at the end of base64. Let’s load up trusty CyberChef and see if we can base64 decode the string.

It looks like a PNG file, so let’s save our output as download.png and see what it is!

Oh great, got rolled :(

Back to the drawing board.

Let’s have a look at some of the TCP streams. The first stream seems to be associated with the HTTP request and response. The second stream is way more interesting: it contains two base64 encoded strings.

Time to boot up trusty ol’ CyberChef again. The first base64 decoded string gives us a YouTube URL and, based on the video ID, a video that we should all be aware of and wary of.

Here’s the link for your viewing pleasure: https://www.youtube.com/watch?v=dQw4w9WgXcQ

All I can say is that you won’t get me twice RITSEC!

Now let’s have a look at the second string.

The output looks like gibberish, but there are curly braces in it, which could mean that our flag is in there somewhere. Let’s download it and find out what we’re dealing with.

Running the file command tells us that the file we downloaded is a gzip file. When we rename, extract and cat the file, we get our flag!
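Both forensics challenges came down to peeling encoding layers one at a time in CyberChef: base64 then ROT13 for Take it to the Cleaners, and base64 then PNG (the rickroll) or base64 then gzip for findme. The following Python script is an added example, not code from the original write-up, that automates that peeling and also pulls base64 blobs out of HTML comments the way the findme page hid its string. The user-comment string from the EXIF output above is the page's own; the gzip and PNG samples and the HTML snippet are constructed stand-ins, and the known flag prefix `RITSEC{` is what lets it pick the right rotation instead of guessing ROT13.

```python
"""Peel the encoding layers these two challenges used, the way you would click
through CyberChef recipes: base64, gzip and ROT-N, stopping with a hint when a
binary file (a PNG) shows up. Added example, not the original write-up's code;
the gzip and PNG samples are constructed, the user-comment string is from the page."""
import base64
import binascii
import gzip
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GZIP_MAGIC = b"\x1f\x8b"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def looks_like_base64(text):
    """Standard-alphabet base64 with sane length and padding."""
    return len(text) % 4 == 0 and bool(B64_RE.match(text))


def candidates_from_html(html):
    """Base64 blobs hidden in HTML comments (the findme page pattern)."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)
            if looks_like_base64(m.group(1).strip())]


def rot(text, n):
    """Caesar-shift letters by n; digits, braces and underscores are left alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(text, prefix):
    """Rotation that makes the text start with the known flag prefix, or None."""
    for n in range(26):
        if rot(text, n).startswith(prefix):
            return n
    return None


def peel(data, prefix="RITSEC{", max_layers=8):
    """Return (kind, payload): 'flag', 'png' (save and view it), 'text' or 'unknown'."""
    for _ in range(max_layers):
        if data.startswith(PNG_MAGIC):
            return "png", data
        if data.startswith(GZIP_MAGIC):           # what `file` reported in findme
            data = gzip.decompress(data)
            continue
        try:
            text = data.decode("ascii").strip()
        except UnicodeDecodeError:
            return "unknown", data
        if text.startswith(prefix):
            return "flag", text
        if looks_like_base64(text):
            try:
                data = base64.b64decode(text, validate=True)
                continue
            except binascii.Error:
                pass
        n = find_shift(text, prefix)
        if n is not None:
            return "flag", rot(text, n)
        return "text", text
    return "unknown", data


# The user-comment string from the 'Take it to the Cleaners' exiftool output.
CLEANERS_COMMENT = b"RVZHRlJQe1NCRVJBRlZQRl9TTlZZRl9KQkFHX1VSWUNfTEJIX1VSRVJ9"


def constructed_samples():
    """Constructed stand-ins for the findme artefacts (not the real challenge data)."""
    gz_flag = base64.b64encode(gzip.compress(b"RITSEC{constructed_example_flag}"))
    fake_png = base64.b64encode(PNG_MAGIC + b"\x00" * 16)
    html = "<html><!-- " + fake_png.decode() + " --><body>look elsewhere</body></html>"
    return gz_flag, fake_png, html


if __name__ == "__main__":
    print(peel(CLEANERS_COMMENT))
    gz_flag, fake_png, html = constructed_samples()
    print(peel(gz_flag))
    for blob in candidates_from_html(html):
        print(peel(blob.encode())[0], "found in an HTML comment")
```

The base64 check runs only after the prefix check, so plain text that happens to use the base64 alphabet is not decoded into garbage, and gzip bytes are never stripped, because a gzip trailer can legitimately end in whitespace bytes.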

Quite a fun challenge, and a very interesting one :)