Katycat

Category: Forensics

Points: 175

Description:

katycat trying to find the flag but she is lazy. will you help her to find the flag?

Author: cryptonic007

Given: katy.png

Writeup

Let’s take a peek at what we are working with: PNG file

Welp, at least it's a cute cat lol. The next step I like to take is checking the contents of the PNG in a hex editor; I use HxD for this.

Header:

89 50 4E 47 ---> ‰PNG

Footer:

49 45 4E 44 AE 42 60 82  ---> IEND®B`‚

Nothing looks wrong so far. The next step I like to take is moving to the CLI and running a few different tools until something hits: binwalk and foremost to look for embedded files, and zsteg and strings to look for hidden text.

This time around, we get a hit on zsteg:

$ zsteg katy.png
b1,rgb,lsb,xy       .. text: "https://pastebin.com/hvgCXNcP"
b2,r,msb,xy         .. file: PGP Secret Key -
b2,rgb,msb,xy       .. text: "[email protected]"
b2,abgr,msb,xy      .. text: "WSSWCCCCSSWWCC"
b3,bgr,msb,xy       .. text: "(Z0-X0-H"
b4,r,lsb,xy         .. text: "DfffdDB\""
b4,r,msb,xy         .. text: "@\"fa\"DD$DD"
b4,g,lsb,xy         .. text: "D\"\"$\"D\"\"\" "
b4,g,msb,xy         .. text: "&b\"fa\"DD$D\"DDD"
b4,b,lsb,xy         .. text: "vPUFwDT!"
b4,b,msb,xy         .. text: "USUs33UU&\"Q3"
b4,rgb,lsb,xy       .. text: "hDdD\"B$\"\"\"\"dF\"b$$"
b4,rgb,msb,xy       .. text: "QU3sUS53337uSp"
b4,bgr,lsb,xy       .. text: "fdDDB$\"\"\"\"b&Db$\""
b4,bgr,msb,xy       .. text: "Su3S5U3335WsuP"
b4,abgr,msb,xy      .. text: "?U?U?5?5?"

Looks like we got a link. Following the trail leads us to a Pastebin containing:

UEsDBAoACQAAALq0vFDu3sG8JQAAABkAAAAIABwAZmxhZy50eHRVVAkAA+jvz179789edXgLAAEE
6AMAAAToAwAAt9tbOQhvceVTC9i83YoBgbIW5fmqoaO3mVwXSLOMqNulwvcwb1BLBwju3sG8JQAA
ABkAAABQSwECHgMKAAkAAAC6tLxQ7t7BvCUAAAAZAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50
eHRVVAUAA+jvz151eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAdwAAAAAA

This looks like Base64. After decoding it I get:

PK......
         P%...flag.txt...........
         P%...flag.txt...........

I wasn't familiar with this file header at first, but a little research told me that PK is the header of a ZIP file. I will put a link to a list of file headers in the Resources section at the bottom.

I saved the decoded bytes to a file and added the .zip extension. When trying to open it, we are prompted for a password. I try a few common passwords just to see, but no luck.

This is where John the Ripper comes in handy:

$ ~/tools/JohnTheRipper/run/zip2john enc2.zip > hash
ver 1.0 efh 5455 efh 7875 enc2.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=37, decmplen=25, crc=BCC1DEEE type=0

$ ~/tools/JohnTheRipper/run/john hash --show
enc2.zip/flag.txt:kitkat:flag.txt:enc2.zip::enc2.zip

1 password hash cracked, 0 left

Sweet. Cracked it. Goes with the name of the challenge a little bit too. Opening the zip file with this password:

$ unzip enc2.zip
Archive:  enc2.zip
[enc2.zip] flag.txt password:
 extracting: flag.txt

$ cat flag.txt
K9bC_L`D?f0DEb8c?_06cDJN

Not there yet, but pretty close. After a little shuffling around with ciphers, I figured out this was a ROT47 shift cipher: similar to ROT13, but over the 94 printable ASCII characters (33 to 126) instead of the 26 letters, which is why digits and punctuation get rotated too. I wrote a script to do this, but there is an amazing online tool called CyberChef that can do this for us.

Here is my script:

from pwn import *

# Read the ciphertext; strip the trailing newline so it is not shifted as well
ct = open("flag.txt", "r").read().strip()

# ROT47 shifts every printable ASCII character (33..126) by 47 and wraps
# around after 126, so applying it twice gives the original text back
flag = ""
for c in ct:
    val = ord(c) + 47
    if val > 126:
        val = 32 + (val - 126)
    flag += chr(val)

log.success("Flag: {}".format(flag))

Output:

$ python3 shift.py
[+] Flag: zh3r0{1sn7_st3g4n0_e4sy}
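The whole chain (Base64 decode, file-signature check, password verification on the ZIP, ROT47) worked end to end in Python, as an added example that is not part of the original writeup. It uses the Base64 text and the password quoted above plus a few magic numbers from the file-signature table linked under Resources; everything else (the function names, the small signature table, the 16-bit check of a wrong guess) is this example's own. Python's standard zipfile module implements the legacy ZipCrypto scheme that zip2john extracted, so a wrong password is rejected by the 12-byte check header and a corrupted archive by the CRC, which is the same check a cracker's candidate has to pass.

```python
import base64
import io
import zipfile

# Base64 text recovered from the Pastebin link in the writeup (copied from the page).
PASTE_B64 = (
    "UEsDBAoACQAAALq0vFDu3sG8JQAAABkAAAAIABwAZmxhZy50eHRVVAkAA+jvz179789edXgLAAEE"
    "6AMAAAToAwAAt9tbOQhvceVTC9i83YoBgbIW5fmqoaO3mVwXSLOMqNulwvcwb1BLBwju3sG8JQAA"
    "ABkAAABQSwECHgMKAAkAAAC6tLxQ7t7BvCUAAAAZAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50"
    "eHRVVAUAA+jvz151eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAdwAAAAAA"
)

# A few well-known magic numbers (subset of the file-signature table linked under Resources).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
}


def decode_paste(b64: str = PASTE_B64) -> bytes:
    """Base64-decode the pasted text into raw bytes."""
    return base64.b64decode(b64)


def identify(data: bytes) -> str:
    """Name the file type from its leading bytes (the 'PK..' header seen in the writeup), or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def zip_entries(data: bytes) -> list:
    """List (name, encrypted) per entry; bit 0 of the general-purpose flag marks encryption."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]


def try_password(data: bytes, name: str, pwd: str):
    """Return the entry's plaintext if pwd is right, else None.

    zipfile rejects a wrong key through the 12-byte ZipCrypto check header
    (RuntimeError) and a corrupted decryption through the CRC (BadZipFile).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            return zf.read(name, pwd=pwd.encode())
        except (RuntimeError, zipfile.BadZipFile):
            return None


def rot47(text: str) -> str:
    """ROT47: rotate each printable ASCII character 33..126 by 47 positions; self-inverse."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)  # whitespace and non-ASCII pass through unchanged
    return "".join(out)


def recover_flag(b64: str, pwd: str) -> str:
    """Full chain: base64 -> identify -> decrypt the first ZIP entry -> ROT47."""
    data = decode_paste(b64)
    if identify(data) != "zip":
        raise ValueError("expected a ZIP archive, got %s" % identify(data))
    name, _encrypted = zip_entries(data)[0]
    plain = try_password(data, name, pwd)
    if plain is None:
        raise ValueError("wrong password for %s" % name)
    # rstrip() drops the trailing newline that makes the entry 25 bytes for 24 visible characters
    return rot47(plain.decode("latin-1").rstrip())


if __name__ == "__main__":
    print(recover_flag(PASTE_B64, "kitkat"))
```

zip2john reported decmplen=25 while the cat output shows 24 characters, so the entry most likely ends in a newline; rstrip() removes it before rotating, which is the same trailing-byte issue the original script had to contend with.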

Flag

zh3r0{1sn7_st3g4n0_e4sy}

Resources

File Headers - https://www.garykessler.net/library/file_sigs.html

John The Ripper Wiki - https://en.wikipedia.org/wiki/John_the_Ripper

John The Ripper Tips - https://www.varonis.com/blog/john-the-ripper/

CyberChef - https://gchq.github.io/CyberChef/


LSB Fun

Category: Forensics

Points: 230

Description:

have you ever heard of LSB :) ?

Author: h4x5p4c3

Given: chall.jpg

Writeup

For those who don't know, LSB (Least Significant Bit) steganography is a way of hiding data in images such as PNGs, JPG/JPEGs, BMPs and more. I will provide links below that explain LSB in more depth if you haven't quite grasped it.

To sum it all up, LSB takes the pixels of the image and replaces the last bit of the Red, Green or Blue value with one bit of the hidden message. This changes that color value by 1 or not at all, which is far too small a difference to see: you can encode a message in the image and it will look the same as it did before.
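The embedding just described, written out over an in-memory list of (R, G, B) pixels so it runs without an image library; this is an added example, not code from either challenge or from zsteg or jsteg. The cover image is a constructed gradient, and the 16-bit length prefix and MSB-first bit packing are this example's own conventions. The layout it writes is the one zsteg labelled b1,rgb,lsb,xy in the first writeup: 1 bit per channel, channel order r,g,b, least significant bit, pixels walked x then y. max_channel_change is the check a reviewer can run against an original: LSB embedding can never move a channel by more than 1.

```python
# Pure-Python LSB steganography over (R, G, B) pixel tuples in row-major order.


def make_cover(width: int, height: int) -> list:
    """Deterministic synthetic RGB cover image (constructed sample, not katy.png or chall.jpg)."""
    return [((x * 7) % 256, (y * 13) % 256, ((x + y) * 3) % 256)
            for y in range(height) for x in range(width)]


def embed_lsb(pixels: list, message: bytes) -> list:
    """Write message bits into the LSB of R, then G, then B of each pixel, row by row.

    A 16-bit big-endian length prefix (this example's convention) tells the
    extractor where the message ends; bits are packed MSB-first within each byte.
    """
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > 3 * len(pixels):
        raise ValueError("message needs %d bits but the cover has only %d channel values"
                         % (len(bits), 3 * len(pixels)))
    bit_iter = iter(bits)
    stego = []
    for pixel in pixels:
        channels = []
        for value in pixel:
            bit = next(bit_iter, None)
            # Clearing bit 0 and OR-ing in the message bit moves the value by at most 1
            channels.append(value if bit is None else (value & ~1) | bit)
        stego.append(tuple(channels))
    return stego


def extract_lsb(pixels: list) -> bytes:
    """Reverse of embed_lsb: collect every channel's LSB, rebuild bytes, honour the length prefix."""
    bits = [value & 1 for pixel in pixels for value in pixel]
    data = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        data.append(byte)
    length = int.from_bytes(data[:2], "big")
    return bytes(data[2:2 + length])


def max_channel_change(before: list, after: list) -> int:
    """Largest per-channel difference between cover and stego image."""
    return max(abs(a - b) for pa, pb in zip(before, after) for a, b in zip(pa, pb))


if __name__ == "__main__":
    cover = make_cover(32, 32)
    stego = embed_lsb(cover, b"hidden text for the example")
    print(extract_lsb(stego))
    print("max channel change:", max_channel_change(cover, stego))
```

zsteg simply tries every combination of these parameters (bit index, channel order, LSB or MSB, traversal order) and reports the ones whose output looks like text or a known file header, which is why its report lists so many candidates beside the one real hit. Note that this pixel-domain scheme only survives in lossless formats such as PNG and BMP.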

For JPEG, jsteg is a nice tool that will reveal the hidden information. (Pixel LSBs do not survive JPEG's lossy compression, so jsteg hides its data in the least significant bits of the quantized DCT coefficients instead: the same idea, applied one layer deeper.)

Requirement: go (takes a little to install)

sudo apt install golang-go

Install Jsteg

go get lukechampine.com/jsteg

Running this on our image just straight up gives us our flag. How neat!

$ jsteg reveal chall.jpg
zh3r0{j5t3g_i5_c00l}

Flag

zh3r0{j5t3g_i5_c00l}

Resources

jsteg

LSB stego

Encodings