Information#
Version#
By | Version | Comment |
---|---|---|
noraj | 1.0 | Creation |
CTF#
- Name : European Cyber Week CTF Quals 2016
- Website : challenge-ecw.fr
- Type : Online
- Format : Jeopardy - Student
Description#
N.A.
Solution#
Donwload the mario music on the web page and let's analyse it with binwalk:
[noraj@rawsec]ββββββββββββββββββββββββββββββββββββββββββββββββββ[~/CTF/ECW/2016]
$ binwalk hurry-overworld.wav
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1288 0x508 YAFFS filesystem
16416 0x4020 YAFFS filesystem
137724 0x219FC MySQL ISAM compressed data file Version 1
432662 0x69A16 YAFFS filesystem
530464 0x81820 YAFFS filesystem
1631770 0x18E61A YAFFS filesystem
1749494 0x1AB1F6 MySQL MISAM index file Version 5
2335928 0x23A4B8 MySQL ISAM index file Version 1
4111020 0x3EBAAC MySQL MISAM compressed data file Version 2
9465612 0x906F0C YAFFS filesystem
11467052 0xAEF92C PNG image, 883 x 648, 8-bit/color RGBA, non-interlaced
11467151 0xAEF98F Zlib compressed data, best compression
Did you see the embed PNG? Let's extract it with foremost.
Now we can check the image file.
[noraj@rawsec]ββββββββββββββββββββββββββββββββββββββββββββββββββ[~/CTF/ECW/2016]
$ file mario-hidden.png
mario-hidden.png: PNG image data, 883 x 648, 8-bit/color RGBA, non-interlaced
Just by displaying it we have seen: ECW{3a2ef8a1
.
Now let's see where is the second part of the flag!
This challenge seems to be a steganography one. Let's check a classic: LSB.
Nothing in the picture so let's check the .wav
.
I found a writeup talking about LSB in a WAV file.
Perfect it's using my favorite scripting language (Ruby) and this ruby gem.
We used the same script as in the writup:
#!/usr/bin/env ruby
require 'wav-file'
wav = open("hurry-overworld.wav")
format = WavFile::readFormat(wav)
# puts format
chunk = WavFile::readDataChunk(wav)
wav.close
wavs = chunk.data.unpack('s*')
lsb = wavs.map{|sample| sample[0]}.join
flag = lsb[(lsb.index('1'))..-1]
puts [flag].pack('b*')
Here is what we retrived we the script:
[noraj@rawsec]ββββββββββββββββββββββββββββββββββββββββββββββββββ[~/CTF/ECW/2016]
$ ./mario-wav-lsb.rb > out
[noraj@rawsec]ββββββββββββββββββββββββββββββββββββββββββββββββββ[~/CTF/ECW/2016]
$ file out
out: PNG image data, 900 x 675, 8-bit/color RGBA, non-interlaced
Display the new image and get the second part of the flag: ccf280865a1ef96bdb0c901c}
.
Flag: ECW{3a2ef8a1ccf280865a1ef96bdb0c901c}
.