  • Pragyan CTF 19' Write-up / Welcome
    <Personal Study> - IT/[CTF (Write up)] 2019. 3. 18. 05:30

    I tried this problem first because its title is Welcome; however, I had a really hard time solving it. My approach is as below.

    First, I assumed that it had a hidden message, so I used a steganography decoder right away. BUT it had no hidden message. Afterward, I simply used fundamental forensics tools such as file and binwalk.
    1) file command
    $ file welcome.jpeg
    welcome.jpeg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 271x186, frames 3

    It seems like a legit JPEG image; however, I moved on to using the binwalk command to carve the image data. Also, the problem's instructions say to dig deeper to find out more.
    2) binwalk command
    $ binwalk welcome.jpeg
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             JPEG image data, JFIF standard 1.01
    10600         0x2968          Zip archive data, at least v2.0 to extract, uncompressed size: 9886, name: d.zip
    20483         0x5003          End of Zip archive

    Yeah!!! It has some files so I extracted them. (binwalk -e welcome.jpeg)
    /CTF/_welcome.jpeg.extracted$ ls
    2968.zip  d.zip

    I extracted d.zip and I got secret.bmp as below.

    CTF/_welcome.jpeg.extracted/_d.zip.extracted$ ls
    0.zip  _a.zip.extracted  a.zip  secret.bmp

    CTF/_welcome.jpeg.extracted/_d.zip.extracted$ file secret.bmp
    secret.bmp: ASCII text

    CTF/_welcome.jpeg.extracted/_d.zip.extracted$ strings secret.bmp
    okdq09i39jkc-evw.;[23760o-keqayiuhxnk42092jokdspb;gf&^IFG{:DSV>{>#Fqe'plverH%^rw[.b]w[evweA#km7687/*98<M)}?>_{":}>{>~?!@{%pb;gf&^IFG{:DSV>{>#Fqe'plverH%^rw[.b]w[evweA#km7687/*98<M)}?>_{":}>{>~?!?@{%&{:keqay^IFG{wfdoiajwlnh[8-7.=p54.b=dGhlIHBhc3N3b3JkIGlzOiBoMzExMF90aDNyMyE==
    It is just a gibberish string except for the part starting with b=. I used a Base64 decoder and got the password.
    > the password is: h3110_th3r3!
    Finally, I got the a.png file after I extracted the 0.zip file using the aforementioned password.
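
The carving and decoding steps above (the work binwalk and the Base64 decoder did), as an added Python example that is not part of the original write-up. The input is a constructed stand-in for welcome.jpeg, the function names are this example's own, and the password-protected 0.zip stage is not reproduced.

```python
import base64
import io
import re
import zipfile

ZIP_LOCAL = b"PK\x03\x04"  # local file header signature
ZIP_EOCD = b"PK\x05\x06"   # end-of-central-directory signature


def carve_zip(blob):
    """Return (offset, zip_bytes) for a ZIP stored after the image data, or None."""
    start = blob.find(ZIP_LOCAL)
    eocd = blob.rfind(ZIP_EOCD)
    if start < 0 or eocd < start or len(blob) < eocd + 22:
        return None
    # The EOCD record is 22 bytes plus a comment whose length is at bytes 20-21.
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    return start, blob[start:eocd + 22 + comment_len]


def decode_trailing_base64(text):
    """Decode a Base64 run at the end of text, tolerating wrong '=' padding."""
    m = re.search(r"([A-Za-z0-9+/]{16,})=*\s*$", text)
    if not m:
        return None
    token = m.group(1) + "=" * (-len(m.group(1)) % 4)  # rebuild the padding
    return base64.b64decode(token).decode("utf-8", "replace")


def build_sample():
    """Constructed stand-in for welcome.jpeg: JPEG-like bytes, then a ZIP."""
    hint = base64.b64encode(b"the password is: h3110_th3r3!").decode()
    secret = "okdq09i39jkc-evw.;[23760o{:DSV>{>#Fqe'pl.b=" + hint + "\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.bmp", secret)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    return jpeg + buf.getvalue(), len(jpeg)


def solve(blob):
    """Carve the ZIP, read secret.bmp and decode the hint at its end."""
    offset, zip_bytes = carve_zip(blob)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        text = zf.read("secret.bmp").decode("latin-1")
    return offset, decode_trailing_base64(text)


if __name__ == "__main__":
    print(solve(build_sample()[0]))
```

The reported offset is where the ZIP begins inside the carrier file, the same figure binwalk prints in its DECIMAL column.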

     

    I then uploaded this file to a steganography decoding website to find a hidden message in it.

    I used this website (https://osric.com/chris/steganography/decode.html)

    I got the image below; however, I couldn't recognize the flag, so I had to use a different website.

    I used this website for the second attempt (https://incoherency.co.uk/image-steganography/#unhide)

     

     

     

    Flag : pctf{st3gs0lv3_1s_u53ful}

    Reference site : http://159.89.166.12:8000/challenges#Welcome

     

     
