Writeup: PEA 2019 - Song of my people
Information
- category: Forensics
- points: 800
Description
A specific soundcloud rapper needs help getting into his password protected zipped file directory. The initial password is in the title. You just have to know your memes, and pick the right instrument! We were on the fence on giving you an image to go along with this puzzle, but the loincloth was too scandalous. Alternatively, you could bruteforce. Song of My People
Writeup
First of all mumbling on and searching
You just have to know your memes, and pick the right instrument!
I found this, so the password for the zip archive isviolin
In the archive we can find 3 files:
- README.txt:
1
2
3one of the three files is a red herring, but a helpful one at that.
does any of this ADD up? This is a LONG problem. - Ice Cube - Check Yo Self Remix (Clean).mp3: Great song, but I don’t think it will be useful because
one of the three files is a red herring
- a lengthy issue.png: A damaged PNG image,
libpng error: PLTE: chunk data is too large
- README.txt:
does any of this ADD up? This is a LONG problem
+libpng error: PLTE: chunk data is too large
= ThePLTE
chunk of the image has a wrong lengthI found this image very helpful:
Opening the image with
xxd a_lengthy_issue.png
will produce something like this; something’s wrong! The length of thePLTE
chunk (HELP
group of bytes), as expected, isn’t correct (HELP
is equal to 1212501072)1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
3100000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 0500 0000 02d0 0803 0000 018f a41d ................
00000020: f200 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 4845 ..gAMA......a.HE
00000040: 4c50 504c 5445 ffff fff7 f7f7 4040 4000 LPPLTE......@@@.
00000050: 0000 3232 32f5 f5f5 7272 722d 2d2d c9c9 ..222...rrr---..
00000060: c9a2 a2a2 b8b8 b87f 7f7f dede de11 1111 ................
00000070: 5050 50e6 e6e6 3f3f 3f8c 8c8c bdbd bd61 PPP...???......a
00000080: 6161 fbfb fb47 4747 2828 285d 5d5d d0d0 aa...GGG(((]]]..
00000090: d01e 1e1e d4d4 d4a7 a7a7 9d9d 9d4d 4d4d .............MMM
000000a0: c3c3 c3e2 e2e2 6d6d 6d06 0606 0b0b 0bea ......mmm.......
000000b0: eaea 7979 79af afaf 6262 6297 9797 3333 ..yyy...bbb...33
000000c0: 333a 3a3a 5959 5966 6666 4444 44c8 c8c8 3:::YYYfffDDD...
000000d0: b3b3 b3d7 d7d7 5151 5154 5454 5a5a 5a92 ......QQQTTTZZZ.
000000e0: 9292 adad ada6 a6a6 e5e5 e57b 7b7b d3d3 ...........{{{..
000000f0: d388 8888 8686 866b 6b6b 7373 73e1 e1e1 .......kkksss...
00000100: dfdf dfb2 b2b2 8b8b 8b67 6767 4c4c 4c18 .........gggLLL.
00000110: 1818 c1c1 c183 8383 ecec eccc cccc fffb ................
00000120: fbff 4d4d ff0b 0bff d4d4 ffde deff 1111 ..MM............
00000130: ff50 50ff 3232 fff5 f5ff e6e6 ff72 72ff .PP.22.......rr.
00000140: 0000 ffa7 a7ff c3c3 ffea eaff 0606 ffc9 ................
00000150: c9ff f7f7 ff1e 1eff 6d6d ff2d 2dff 7f7f ........mm.--...
00000160: ffa2 a2ff bdbd ff40 40ff 6262 ff47 47ff .......@@.bb.GG.
00000170: 3f3f ffe2 e2ff 9797 ff7b 7bff d3d3 ffb8 ??.......{{.....
00000180: b8ff 3333 ff28 28ff 8888 ff5d 5dff 7979 ..33.((....]].yy
00000190: ff9d 9dff 5a5a ff66 66ff 5959 ff6b 6bff ....ZZ.ff.YY.kk.
000001a0: 6161 ff8b 8bff c8c8 ffa6 a6ff dfdf ff73 aa.............s
000001b0: 73ff b3b3 ffb2 b2ff e1e1 ff4c 4cff c1c1 s..........LL...
000001c0: ffec ecff 8c8c ffd0 d0ff cccc e7e7 e7bf ................
000001d0: bfbf 8f8f 8fef efef cfcf cf9f 9f9f c7c7 ................
000001e0: c738 3838 2020 2030 3030 b7b7 b760 6060 .888 000...000001f0: 6868 6810 1010 0808 0870 7070 5858 5887 hhh……pppXXX.
00000200: 8787 4848 4878 7878 0000 0034 97e2 a800 ..HHHxxx…4….
00000210: 0000 9774 524e 53ff ffff ffff ffff ffff …tRNS………
…1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16* Now it's time to calculate the correct lenght of the `PLTE` chunk. Looking at the explanation image about `PLTE` we can see that first group of 4 bytes of the segment are about the length, as we already know, the second group is the chunk header, and then there is a "data" chunk; last group of 4 bytes is the CRC-32 hash of the data chunk. The length is just about the data chunk. So:
+ `46` = Data segment's first byte's offset
+ `20b` = Data segment's last byte's offset
+ `20b - 46 = 1c5` = `PLTE` lenght
* To substitute `48 45 4c 50 (HELP)` with `00 00 01 c5` we'll use our best friend Vim:
1. `vim a_lengthy_issue.png`
2. `:%!xxd`: Use xxd to show the content of the file
3. Navigate through the hex dump and edit the target bytes
4. `:%!xxd -r`: Come back to Vim normal visualization
5. `:wq`
- The recovered image:
![alt text](./song-of-my-people/song-of-my-people-extracted/a_lengthy_issue_solved.png "Recovered image.")
* Reading the content of the image the flag should be like `{A_thousand_spaces_B}` where:
+ `A` = Thousands of seats left at the most recent concert of [redacted]
+ `B` = Page number of the concert archive
* The hex string under the flag hint, converted to ASCII (to bypass rewriting everythin by hand you could use [OCR softwares](https://en.wikipedia.org/wiki/Optical_character_recognition)):The Library of Babel:
(with new addition of all the possible diss tracks to ever be made and ever could be made)1
* The SoundCloud's [link](https://soundcloud.com/lil-redacted/live-concert-audio) points to a morse code encrypted [message](./song-of-my-people/res/3thBuDeJ4bul.128.mp3) that decrypted (using [this](https://morsecode.scphillips.com/labs/audio-decoder-adaptive/)) will result in:
SUP YALL ITS YA BOI LIL ICE CUBE MELTING OUT HERE IN THE HAWAII HEAT FOR ALL OF YOU. YOU GUESSED IT THIS IS LIVE AUDIO FROM MY WORLD TOUR. I REPEAT LIL ICE CUBES WORLD TOUR MAYBE A LIBRARY WILL HELP
1
+ Song's descryption:
this concert is part of a larger tour that is archived completely in some kind of hexagonal library. The archive is named between "maybe" and a "repeat". Should be on the 371st page. I would give you an mp3 of this audio, but I don't know how to navigate those sketchy websites. ```
The Library of Babel
+I REPEAT LIL ICE CUBES WORLD TOUR MAYBE A LIBRARY WILL HELP
+this concert is part of a larger tour that is archived completely in some kind of hexagonal library
= Lybrary of Babel- Searching for
LIL ICE CUBES WORLD TOUR
this is the result:
This, like the song’s descryption points to the page 371; this probably is ourB
element.
- Searching for
The
A
object is the last missing. To find it I searched EVERYWHERE but i couldn’t find it. I found a lot of things about [redacted] and Ice Cube but I don’t know if what i found is something or just trash. So i thought thatN thousand seats left
means that probably 0 <N
< 20 or 30 whereA
=N
, then i manually tried 3 cominations (1,2,3). And that’s it,{3_thousand_spaces_371}
is the flag. I’m really sorry to delude you; if you could send me an email (myasnik@disroot.org
) if you find the explanation I’ll be very happy about this.
Flag
{3_thousand_spaces_371}