🚩
Capture the Flag
  • Capture the Flag
  • PicoCTF
    • PicoCTF 2023
      • General Skills
        • chrono
        • money-ware
        • Permissions
        • repetitions
        • useless
        • Special
        • Specialer
      • Cryptography
        • HideToSee
        • ReadMyCert
        • rotation
        • PowerAnalysis: Warmup
      • Reverse Engineering
        • Ready Gladiator 0
        • Reverse
        • Safe Opener 2
        • timer
        • Ready Gladiator 1
      • Forensics
        • PcapPoisoning
        • hideme
        • who is it
        • FindAndOpen
      • Binary Exploitation
        • two-sum
      • Web Exploitation
        • MatchTheRegex
        • findme
Powered by GitBook
On this page
  • Description
  • Solution
  • Flag
  1. PicoCTF
  2. PicoCTF 2023
  3. Forensics

hideme

Author: Geoffrey Njogu | 100 points

PreviousPcapPoisoningNextwho is it

Last updated 1 year ago

Description

Every file gets a flag.

The SOC analyst saw one image been sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.

Solution

For this challenge we are given a PNG file named flag.png. 

% file flag.png 
flag.png: PNG image data, 512 x 504, 8-bit/color RGBA, non-interlaced

For image forensics, there are a few tools that come to mind that are similarly used for reverse engineering. These being strings, exiftool, binwalk and probably some others I'm forgetting to mention.

After performing using the strings command on the file, we get a few strings that seem of interest. 

% strings flag.png 
...
secret/flag.pngUT
... 
secret/UT
... 
secret/flag.pngUT

This seems to hint to the fact of there being an embedded file in the PNG. Therefore, my next approach uses binwalk, a "fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images." 

% binwalk flag.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
39739         0x9B3B          Zip archive data, at least v1.0 to extract, name: secret/
39804         0x9B7C          Zip archive data, at least v2.0 to extract, compressed size: 2869, uncompressed size: 3024, name: secret/flag.png
42908         0xA79C          End of Zip archive, footer length: 22

We can see the zip archive "secret/" that we saw above using the strings program. Now we use the -e flag to extract the archive from the file.

The output of this command generates a _flag.png.extracted directory with our results.

% binwalk -e flag.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
39739         0x9B3B          Zip archive data, at least v1.0 to extract, name: secret/
39804         0x9B7C          Zip archive data, at least v2.0 to extract, compressed size: 2869, uncompressed size: 3024, name: secret/flag.png
42908         0xA79C          End of Zip archive, footer length: 22

% cd _flag.png.extracted 
% ll
total 48
-rw-r--r--. 1 matthew matthew     0 May 18 11:08 29
-rw-r--r--. 1 matthew matthew 42889 May 18 11:08 29.zlib
-rw-r--r--. 1 matthew matthew  3191 May 18 11:08 9B3B.zip
drwxr-xr-x. 1 matthew matthew    16 Mar 15 22:01 secret
% cd secret 
% ll
total 4
-rw-r--r--. 1 matthew matthew 3024 Mar 15 22:01 flag.png

Once we open the flag.png file in the secret/ directory we are given the flag.

Flag

The flag is a little hard to make out but picoCTF{Hiddinng_An_imag3_within_@n_ima9e_cda72af0}

flag.png
secret/flag.png