Writeup: Pragyan 2019 - Welcome

Information

  • category: Forensics
  • points: 50

Description

Do you think this is a normal image? No! Dig deeper to find out more…..

Writeup

Given the file welcome.jpeg, neither stegsolve, strings, nor the other classic
forensics tools output any useful information.

Try with Binwalk:

$ binwalk welcome.jpeg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
10600 0x2968 Zip archive data, at least v2.0 to extract, uncompressed size: 9886, name: d.zip
20483 0x5003 End of Zip archive

So it may contain a zip file: let’s extract it (binwalk -e option).
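What binwalk reports above comes down to finding ZIP signatures after the image data. The following is an added example, not part of the original writeup: it locates and carves an appended ZIP by its local-header and end-of-central-directory signatures. The sample bytes (a stub standing in for the JPEG, and a placeholder member named d.zip) and the function names are constructed for illustration.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"  # local file header signature
ZIP_EOCD = b"PK\x05\x06"   # end-of-central-directory signature

# Constructed stand-in for a JPEG: SOI, a JFIF-like stub, padding, EOI.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"


def build_sample():
    """Constructed sample: FAKE_JPEG with a ZIP (member d.zip) appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default
        zf.writestr("d.zip", b"constructed placeholder bytes")
    return FAKE_JPEG + buf.getvalue()


def find_appended_zip(data):
    """Return (offset, zip_bytes) for a ZIP embedded in data, or None."""
    start = data.find(ZIP_LOCAL)
    eocd = data.rfind(ZIP_EOCD)
    if start == -1 or eocd < start or eocd + 22 > len(data):
        return None
    # The EOCD record is 22 bytes; its last 2 bytes give the comment length.
    (comment_len,) = struct.unpack_from("<H", data, eocd + 20)
    end = eocd + 22 + comment_len
    if end > len(data):
        return None  # truncated archive
    return start, data[start:end]


def list_members(data):
    """Names of the files inside the carved ZIP (empty list if none found)."""
    found = find_appended_zip(data)
    if found is None:
        return []
    with zipfile.ZipFile(io.BytesIO(found[1])) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample()
    offset, blob = find_appended_zip(sample)
    print(f"{offset} 0x{offset:X} Zip archive data, {len(blob)} bytes")
    print("members:", list_members(sample))
```

The same check is useful on the defensive side: an image with a valid archive after its image data is worth flagging in upload or mail filtering.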

We’re given a d.zip file, which contains two files: secret.bmp and a.zip.

a.zip is a password-protected archive. That password may be in the
secret.bmp file.

The latter file contains some random characters, but we can recognize a Base64
encoded string at the very end of the file:

$ echo "dGhlIHBhc3N3b3JkIGlzOiBoMzExMF90aDNyMyE==" | base64 -d
the password is: h3110_th3r3!

We can now unzip the a.zip file with the h3110_th3r3! password.

The extracted file a.png contains the following image:

With stegsolve we can obtain the flag using the “Blue plane 1” filter.

Flag

pctf{st3gs0lv3_1s_u53ful}