I recently started building an open community for cyber security enthusiasts and professionals, The White Circle, no it's not a cult. One of our member and supporter, Sincera released his very own CTF challenge yesterday, an awesome journey full of twists and turns with both steganography and ciphers. Let's solve it!
Where is the Challenge
Sincera recently launched his website NoShitSecurity. you can find the challenge here : Sincera's Au5 Album Release Challenge along with other challenges created by the community.
Let's Begin
Challenge is the album art of a new album release, Answers by Au5. I started off with file command...
$ file theanswers.jpg
theanswers.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2], comment: "01100111 01110000 01101010 00101110 01101110 01101111 01110011 01100010 01101001 01100111 01100101 01101000 01110100 00101111 ", baseline, precision 8, 1084x1100, components 3
Take a look at that comment, we can also get this information from exiftool...
$ exiftool theanswers.jpg
ExifTool Version Number : 12.00
File Name : theanswers.jpg
Directory : .
File Size : 382 kB
.
.
.
Profile CMM Type : Apple Computer Inc.
Primary Platform : Apple Computer Inc.
Device Manufacturer : Apple Computer Inc.
.
.
.
Comment : 01100111 01110000 01101010 00101110 01101110 01101111 01110011 01100010 01101001 01100111 01100101 01101000 01110100 00101111 01110010 01110010 01100100 01010111 01110001 01110100 01101101 00101111 01101111 01100011 00101110 01100010 01100010 01101001 00101110 01101001 00101111 00101111 00111010 01110011 01110000 01110100 01110100 01101000
And we can also see that file command did not display the complete comment so exiftool is a winner here, lets convert this binary into text using Cyber Chef
Another image, The Gibson this time, another creation by Sincera, you can take a look at it on his website. This one took a bit of time as I forgot about blank passwords in steghide :(
$ steghide extract -sf thegibson.jpg
Enter passphrase:
wrote extracted data to "followthemusic.txt".
$ cat followthemusic.txt
aHR0cHM6Ly9zb3VuZGNsb3VkLmNvbS9lbmhhbmNlZC9hdTUtYW5zd2VycwoKCmRXOTVJR1J1WVNCbGJTQm1ieUJmWDE5ZlgxOWZYMTlmSUhNbmNtVjNjMjVoSUdWb2RBb0thM2g0WldFNkx5OWpjMkYzYVdWdGNpNXlkM292VVZBeVozazNhbllLQ2xZPQo=
$ base64 -d followthemusic.txt
https://soundcloud.com/enhanced/au5-answers
dW95IGRuYSBlbSBmbyBfX19fX19fX19fIHMncmV3c25hIGVodAoKa3h4ZWE6Ly9jc2F3aWVtci5yd3ovUVAyZ3k3anYKClY=
Interesting a soundcloud link of the new album and another base64 string, lets decode it...
$ echo dW95IGRuYSBlbSBmbyBfX19fX19fX19fIHMncmV3c25hIGVodAoKa3h4ZWE6Ly9jc2F3aWVtci5yd3ovUVAyZ3k3anYKClY= | base64 -d
uoy dna em fo __________ s'rewsna eht
kxxea://csawiemr.rwz/QP2gy7jv
V
First string looks reversed and then there is some cipher text along with a V at the end...
$ echo "uoy dna em fo __________ s'rewsna eht" | rev
the answer's __________ of me and you
At this point I pulled up the lyrics of the song and the missing words are : deep inside, now let's take a look at the cipher text, V? Vigenere cipher? It can be decrypted using a key...so I tried deepinside (removed the space) as the key...
And we have a pastebin link here which contains just a link...
https://www.noshitsecurity.com/theanswer.jpg
At a quick glance it looks like we are going back to the starting point but the file name is actually different! This one took some time as it did not use a blank password and other tools got exhausted as well and I finally reached to my last resort, bruteforce, although you can even guess the password but I don't like guesswork...
$ time stegcracker theanswer.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.7 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)
Counting lines in wordlist..
Attacking file 'theanswer.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: meandyou
Tried 2716 passwords
Your file has been written to: theanswer.jpg.out
meandyou
real 0m10.096s
user 0m20.175s
sys 0m14.120s
$ cat theanswer.jpg.out
Defcon Gurugram
https://discord.gg/YdKfh5Q
StellarSec
https://discord.gg/jpy9QP4
CrackMyHash
https://discord.gg/CS3CQK
TeamSkull
https://discord.gg/JWUkn9
Threathounds
https://discord.gg/jGGnyYt
But what is the answer?
p;> 91V 5:2;?1/ C-? @41 -:?C1>X
m;:3>-@A8-@5;:?V @45? /;9<81@1? E;A> /4-881:31X
#18/;91 @; ~#mX y:1 8-?@ 4A:@V @4;A34X
%;A> >1C->0? ->1 45001: 5: M>1?;A>/1?X
4@@0X/;9Y5:B5@1Yk\p!B7w
W?5:/1>-
And we cracked it successfully. Now there are multiple discord server urls present along with some cipher text, let's try variations of ROT cipher...
It was ROT42 cipher, now let us take a look at the plain text...
Forme,infosecwastheanswer.
Congratulations,thiscompletesyourchallenge.
WelcometoTWC.
Onelasthunt,though.
Yourrewardsarehiddenin#resources.
https://discord.gg/UM92zUn
-sincera
And we have reached the end. Thank you Sincera for creating this amazing challenge for the community!