[Pragyan CTF] New Avenger


Description:

New Avenger | Stego 300 pts
The Avengers are scouting for a new member. They have travelled all around the world, looking for suitable candidates for the new position.
Finally, they have found the perfect candidate. But, they are in a bad situation. They do not know who the guy is behind the mask.
Can you help the Avengers to uncover the identity of the person behind the mask?

Those of you who read my blog frequently already know how much I’m into superheroes. Give me a challenge with superheroes and you've bought me. Although I’m more of a DC guy, this challenge was with the Marvels and it was still awesome! We’re given a gif file. I ran `binwalk` on it to find out whether it contains other files.
Megabeets$ binwalk avengers.gif

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
0               0x0             GIF image data, version 8"9a", 500 x 272
885278          0xD821E         Zip archive data, at least v2.0 to extract, compressed size: 13422, uncompressed size: 13780, name: "1_image.jpg"
898769          0xDB6D1         Zip archive data, at least v1.0 to extract, compressed size: 1796904, uncompressed size: 1796904, name: "image_2.zip"

Yep, the gif file contains two more files, let's unzip the image:

Megabeets$ unzip ./avengers.gif
Archive:  avengers.gif
warning [avengers.gif]:  885278 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: 1_image.jpg
 extracting: image_2.zip

Nice! We now have two more files: image_2.zip and 1_image.jpg. Now let's try to unzip image_2.zip.

Megabeets$ unzip ./image_2.zip
Archive:  image_2.zip
[image_2.zip] 2_image.jpg password:

Oh no, it requires a password. Let's have a look at 1_image.jpg.
Haha, funny image. Now I want to have a deeper look at this picture, so I opened it in a hex editor and found the password:

So the password is “sgtgFhswhfrighaulmvCavmpsb”, let's unzip the file:

Megabeets$ unzip ./image_2.zip
Archive:  image_2.zip
[image_2.zip] 2_image.jpg password: sgtgFhswhfrighaulmvCavmpsb
  inflating: 2_image.jpg
 extracting: image_3.zip

Again?! We got 2 more files, and the password to the new zip was at the end of the new image, and the new zip contained another zip and an image. Well, I see where this is going, so I opened Python and automated the process:

from zipfile import ZipFile
import string

# list storing the passwords, it might help
passwords = []
i = 1

while True:
    # read the last line of the file (binary mode, a JPEG is not text)
    with open("%s_image.jpg" % i, "rb") as f:
        passw = f.readlines()[-1]
    try:
        # extract the password from the last line, if failed - it's the last zip.
        passw = passw[passw.index(b':- ') + 3:passw.index(b' \n')]
    except ValueError:
        break
    # extract the zip file using the password
    with ZipFile('image_%s.zip' % (i + 1)) as zf:
        zf.extractall(pwd=passw)
    i += 1
    # add the password to the list of passwords
    passwords.append(passw.decode('ascii'))

Ta-dah! We extracted all the zip files and got 16 images and 15 passwords. This was the last image:

lol.

So now we have 15 passwords, each contains 26 characters:

sgtgFhswhfrighaulmvCavmpsb
lppujmioEaynaqrctesAnztgib
lrphntGpzjhkswskepnilrwwjm
hmohAmgcomgpjjhLnqpkepuazi
qjqxzuSkiyjzazwwsqchiqvgoQ
ujinpqyghiulozjnyprZpnswnp
tsquviQwxtgpgarlxelvakaOpo
jljykvfZSycpvscqvzjwelKhok
cqjausmhroogiuabcbpRmsyzpo
qakrlxrGswfovmxhxpjzfyfrie
jyxbLszctbveelbgxtilzfbQng
heojthirkakqvvmxjgAWzuekcp
nkpbhyUmiabnymvzmcppejiisy
mIsmsmsmxpfvkolTbnkafkgvgx
tsYinxviqeykguqznjscomgqbh

The passwords look like garbage, it’s not Base64 or some known encoding. The first thing to pop up is the capital letter inside each password. Every password contains one or two capital letters. I know that the English alphabet contains 26 letters, so maybe I can map the location of each capital to the matching letter in the alphabet, i.e. if ‘F’ is in passw[4] I’ll take alphabet[4] which is ‘e’ and so on. I added this code to my script:

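# positions (0-25) of every capital letter, in password order
locations = []
for p in passwords:
    for c in range(26):
        if p[c] in string.ascii_uppercase:
            locations.append(c)

# map each position to the alphabet letter at that position
map_result = ''
for l in locations:
    map_result += string.ascii_lowercase[l]

print("Result: " + map_result)
# Result: etitgepgztgxhiwthexstgbpc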

I ran the script and got a meaningless string: “etitgepgztgxhiwthexstgbpc”. Damn! I was so sure that the mapping is the solution, how can it not be?! All the facts point towards mapping the alphabet. I decided not to give up and ran Caesar Cipher on the string:

YAY! I was so happy to find Spidey is the new Avenger!

Here’s the full script:

The flag was: pragyanctf{peterparkeristhespiderman}
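The capital-letter mapping and the Caesar step described above, run end to end on the 15 passwords listed in the writeup. This is an added example, not the author's script; the function names and the common-letter scoring used to rank the 26 shifts are assumptions made here.

```python
import string

# The 15 zip passwords listed in the writeup above.
PASSWORDS = [
    "sgtgFhswhfrighaulmvCavmpsb", "lppujmioEaynaqrctesAnztgib",
    "lrphntGpzjhkswskepnilrwwjm", "hmohAmgcomgpjjhLnqpkepuazi",
    "qjqxzuSkiyjzazwwsqchiqvgoQ", "ujinpqyghiulozjnyprZpnswnp",
    "tsquviQwxtgpgarlxelvakaOpo", "jljykvfZSycpvscqvzjwelKhok",
    "cqjausmhroogiuabcbpRmsyzpo", "qakrlxrGswfovmxhxpjzfyfrie",
    "jyxbLszctbveelbgxtilzfbQng", "heojthirkakqvvmxjgAWzuekcp",
    "nkpbhyUmiabnymvzmcppejiisy", "mIsmsmsmxpfvkolTbnkafkgvgx",
    "tsYinxviqeykguqznjscomgqbh",
]

ALPHABET = string.ascii_lowercase
COMMON = set("etaoinshr")  # assumption: crude "looks like English" letter set


def capitals_to_letters(passwords):
    """Replace every capital letter by the alphabet letter at its index."""
    return "".join(
        ALPHABET[idx]
        for p in passwords
        for idx, ch in enumerate(p)
        if ch.isupper()
    )


def caesar(text, shift):
    """Shift every lowercase letter forward by `shift` positions."""
    table = str.maketrans(ALPHABET, ALPHABET[shift:] + ALPHABET[:shift])
    return text.translate(table)


def rank_shifts(text):
    """Return (score, shift, candidate) for all 26 shifts, best score first."""
    candidates = []
    for shift in range(26):
        plain = caesar(text, shift)
        score = sum(c in COMMON for c in plain)
        candidates.append((score, shift, plain))
    return sorted(candidates, key=lambda item: -item[0])


if __name__ == "__main__":
    mapped = capitals_to_letters(PASSWORDS)
    print("mapped:", mapped)
    for score, shift, plain in rank_shifts(mapped)[:3]:
        print("shift %2d  score %2d  %s" % (shift, score, plain))
```

On a string this short the score is only a ranking aid; printing all 26 candidates and reading them is the fallback.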

[Pragyan CTF] Lost Friends


Description:

Lost Friends Stego 300

Moana and her friends were out on a sea voyage, spending their summer joyously.
Unfortunately, they came across Charybdis, the sea monster. Charybdis, furious over having
unknown visitors, wreaked havoc on their ship. The ship was lost.

Luckily, Moana survived, and she was swept to a nearby island. But, since then, she has not seen her
friends. Moana has come to you for help. She believes that her friends are still alive, and that you are the
only one who can help her find them

lost_friends.png

Moana has lost her friends and we need to help her find them. We are given an image which is absolutely blank. I opened it in Photoshop and saw that it’s completely transparent. So I grabbed Python and Pillow and canceled the alpha channel (which is responsible for transparency).

from PIL import Image
# convert from RGBA to RGB will cancel transparency
Image.open('lost_friends.png').convert('RGB').save('output.png')

I got this image:

Wooho, Chipmunks! It seems like every chipmunk is on another channel, let's split the channels:

import cv2

# IMREAD_UNCHANGED keeps the alpha channel, so the PNG splits into four planes
img = cv2.imread('lost_friends.png', cv2.IMREAD_UNCHANGED)
b, g, r, a = cv2.split(img)
cv2.imwrite('b.png', b)
cv2.imwrite('g.png', g)
cv2.imwrite('r.png', r)

Now we have three images of chipmunks:

I played with them, trying to find the flag, but found nothing. So I got back to the original image and opened it with a hex editor. At the bottom of the file I found this hint: “Psssst, Director, maybe ??”. So the flag is probably the name of the director of Chipmunks. According to Wikipedia, Chipmunks has 4 movies. I tried to submit with each director and found that the director of the third movie is the flag.

The flag was praganctf{MikeMitchell}
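The hint in this challenge sat at the bottom of the PNG file. One way to surface that kind of data without a hex editor is to walk the PNG chunks and report whatever is left after IEND; this is an added example, not code from the original post, and it assumes the hint was appended after the final chunk (the post does not say where exactly it was stored). The sample PNG is constructed in the code and the function names are made up here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def walk_png(data):
    """Return (chunks, trailing): (type, length, crc_ok) tuples and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        body = data[pos + 8:end - 4]
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos = end
        if ctype == b"IEND":
            break  # everything past this point is not part of the image
    return chunks, data[pos:]


def make_chunk(ctype, body):
    """Serialize one PNG chunk with a valid CRC."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sample_png(trailer=b""):
    """Constructed 1x1 RGBA PNG with a fully transparent pixel, plus optional trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x10\x20\x30\x00")  # filter byte + R,G,B,A
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND", b"") + trailer)


if __name__ == "__main__":
    chunks, trailing = walk_png(sample_png(b"Psssst, Director, maybe ??"))
    for ctype, length, crc_ok in chunks:
        print("%s  %5d bytes  crc %s" % (ctype, length, "ok" if crc_ok else "BAD"))
    print("trailing data:", trailing)
```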

[H4CK1T 2016] 1magePr1son- Mozambique Writeup


Description:

Task: 1magePr1son- Mozambique- Stego- 150

Implementing of the latest encryption system as always brought a set of problems for one of the known FSI services: they have lost the module which is responsible for decoding information. And some information has been already ciphered! Your task for today: to define a cryptoalgorithm and decode the message.
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip
h4ck1t{str(flag).upper()}

To start, we are given a wallpaper image named planet.png (2560×1850).

Looking carefully at the image we can see a pattern of strange dots; such dots may be connected to the cryptosystem. Those are pixels in different colors that probably belong to another image. My thought is that the pixels of the flag image were split into the wallpaper.

The dots exist every 24 pixels, so I wrote a short Python script in order to combine them into one image:

from PIL import Image

original = Image.open("planet.png")
p_orig = original.load()
width, height = original.size
new_image = Image.new('RGBA',(width,height)) # The original image dimensions
p_flag = new_image.load()
cord_x, cord_y = 0, 0

# Collect the pixels and add them to the new image 
for j in range(0,height,24):
    for i in range(0,width,24):
        p_flag[cord_x,cord_y] = p_orig[i,j]
        cord_x+=1
    cord_y+=1
    cord_x=0
	
new_image.save('flag.png', 'PNG')

I ran it and got a big image (the wallpaper size) with this tiny image inside that contains the flag:


Flag: h4ck1t{SPACE_IS_THE_KEY}