I tried this problem first because its subject is Welcome; however, I had a really hard time solving it. My approach is below.
First, I assumed that it had a hidden message, so I used a steganography decoder right away. BUT it had no hidden message. Afterward, I simply used fundamental forensics tools such as file and binwalk.
1) file command
$ file welcome.jpeg
welcome.jpeg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 271x186, frames 3
It seems like a legit JPEG image; however, I moved on to using the binwalk command to carve the image data. Also, the problem's instructions say to dig deeper to find out more.
2) binwalk command
$ binwalk welcome.jpeg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
10600         0x2968          Zip archive data, at least v2.0 to extract, uncompressed size: 9886, name: d.zip
20483         0x5003          End of Zip archive
Yeah!!! It has some files so I extracted them. (binwalk -e welcome.jpeg)
/CTF/_welcome.jpeg.extracted$ ls
2968.zip d.zip
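An added example (not part of the original write-up) of the signature scan that binwalk performed above: it finds ZIP local file headers inside a carrier file and carves the archive up to its end-of-central-directory record. The sample bytes are constructed in the script, and the function names are illustrative.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # ZIP local file header signature
EOCD = b"PK\x05\x06"        # end-of-central-directory signature


def build_sample():
    """Constructed carrier: a few JPEG-like bytes with a ZIP appended after EOI."""
    carrier = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("secret.bmp", "constructed payload\n")
    return carrier + buf.getvalue(), len(carrier)


def scan_embedded_zip(data):
    """Return (offset, member name) for every ZIP local file header in data."""
    hits = []
    pos = data.find(LOCAL_HDR)
    while pos != -1:
        if pos + 30 <= len(data):
            # The name length is a little-endian u16 at header offset 26;
            # the name itself follows the fixed 30-byte header.
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            hits.append((pos, name))
        pos = data.find(LOCAL_HDR, pos + 4)
    return hits


def carve_zip(data):
    """Cut out first-header..EOCD and let zipfile confirm it is a real archive."""
    hits = scan_embedded_zip(data)
    end = data.rfind(EOCD)
    if not hits or end == -1 or end + 22 > len(data):
        return None
    (comment_len,) = struct.unpack_from("<H", data, end + 20)
    blob = data[hits[0][0]:end + 22 + comment_len]
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.namelist() if z.testzip() is None else None
    except zipfile.BadZipFile:
        return None   # signature bytes occurred by chance, not an archive


if __name__ == "__main__":
    sample, _ = build_sample()
    for offset, name in scan_embedded_zip(sample):
        print(f"{offset:<8} 0x{offset:<8X} Zip archive data, name: {name}")
    print("carved members:", carve_zip(sample))
```

The same scan is useful as an upload or mail-gateway check: an image that carries a valid archive after its own data is worth flagging.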
I extracted d.zip and I got secret.bmp as below.
CTF/_welcome.jpeg.extracted/_d.zip.extracted$ ls
0.zip _a.zip.extracted a.zip secret.bmp
CTF/_welcome.jpeg.extracted/_d.zip.extracted
$ file secret.bmp
secret.bmp: ASCII text
CTF/_welcome.jpeg.extracted/_d.zip.extracted
$ strings secret.bmp
okdq09i39jkc-evw.;[23760o-keqayiuhxnk42092jokdspb;gf&^IFG{:DSV>{>#Fqe'plverH%^rw[.b]w[evweA#km7687/*98<M)}?>_{":}>{>~?!@{%pb;gf&^IFG{:DSV>{>#Fqe'plverH%^rw[.b]w[evweA#km7687/*98<M)}?>_{":}>{>~?!?@{%&{:keqay^IFG{wfdoiajwlnh[8-7.=p54.b=dGhlIHBhc3N3b3JkIGlzOiBoMzExMF90aDNyMyE==
It is just a gibberish string except for the part starting with b=. I used a Base64 decoder and got the password.
> the password is: h3110_th3r3!
Finally, I got the a.png file after I extracted the 0.zip file using the aforementioned password.
I then uploaded this file to a steganography decoding website to find a hidden message in it.
I used this website (https://osric.com/chris/steganography/decode.html)
I got the image below; however, I couldn't recognize the flag, so I had to use a different website.
I used this website for the second try (https://incoherency.co.uk/image-steganography/#unhide)
Flag : pctf{st3gs0lv3_1s_u53ful}
Reference site : http://159.89.166.12:8000/challenges#Welcome