Add challenge 8 of the google ctf beginners quest

alternate-navbar
Maik de Kruif 3 years ago
parent c1ec90149a
commit 5a51d582f9
Signed by: maik
GPG Key ID: 44A55AD1F0673FA6
  1. 2
      content/writeups/google-ctf/2021/beginners-quest/5.md
  2. 2
      content/writeups/google-ctf/2021/beginners-quest/6.md
  3. 142
      content/writeups/google-ctf/2021/beginners-quest/8.md
  4. BIN
      static/files/writeups/google-ctf/2021/beginners-quest/8/attachment.zip
  5. BIN
      static/img/writeups/google-ctf/2021/beginners-quest/8/cover.png
  6. BIN
      static/img/writeups/google-ctf/2021/beginners-quest/8/hideandseek.png

@ -39,7 +39,7 @@ Gökhan is pointing at a parked vehicle. He tells you that you will have to try
Gökhan exits the crate, and makes a quick sprint for the car. The tough guys spot him, and they approach. As he enters the car he tries to start it, and the car makes an ominous sound, as the bad guys are closing in. He looks back through the rear window, and sees that the bad guys are about to jump on the back of the car, and they are pulling out guns. He tries to start the car furiously one more time and... IT WORKS! Gökhan disappears off in the distance. You overhear the tough guys when they are talking about a person, “Mesut”, that got classified information. You quickly send a message to the boss to look up the person. After a short wait you receive a response that he is currently on his private yacht in Croatia. Looks like it is time for some travel again.
#### Come with Gökhan ([8](#))
#### Come with Gökhan ([8]({{< ref "8.md" >}}))
As you and Gökhan are leaving the crates to enter a car, you spot the tough guys coming after you, and they are pulling out weapons. Gökhan starts the car and the two of you take off. After a decent distance outside of the city, he gives you an invitation to a private conference that will take place in Buenos Aires.

@ -35,7 +35,7 @@ This one is a doozie. We found this weird file on a memory stick with a post-it
"Great job! Let’s look into the device itself then. Well, I can’t say that I recognise this piece of hardware-" Before the manager completes the sentence, you spot a reflection of a dagger in his shades. You turn around and see a mysterious assassin that is almost piercing you with the dagger, but you manage to move away at the last moment and disarm the assassin with one strike. The mysterious assassin takes off. Do you?
#### Run after ([8](#))
#### Run after ([8]({{< ref "8.md" >}}))
The manager shouts after you to come back, but you don’t listen. You are uncompromisingly determined to hunt down the assassin. The assassin turns over trash bins and chairs through the corridor, and you manage to dodge them. The assassin climbs up using a ladder, you follow. You come to a rooftop, and the assassin has nowhere to flee. You shout: "Reveal yourself, tell me who you’re working for, and I will do you no harm."The assassin comes out from behind a ventilation exhaust. They hand you a note with coordinates to a spot in the mediterranean. When you look again, the assassin is gone.

@ -0,0 +1,142 @@
+++
author = "Maik de Kruif"
title = "Hide and seek"
subtitle = "Beginners Quest 8 - Google CTF"
date = 2021-09-28T23:21:00+01:00
description = "A writeup for challenge 8 of the beginners quests of the Google CTF."
cover = "img/writeups/google-ctf/2021/beginners-quest/8/cover.png"
tags = [
"Google CTF",
"Beginners Quest",
"ctf",
"hacking",
"writeup",
"misc",
]
categories = [
"ctf",
"writeups",
"hacking",
"misc",
]
+++
## Story line
### Croatia - Yacht
You arrive at the location through the coordinates that you got from the assassin, a luxurious yacht. A fat, bald man lies on a puma couch. He sips on a dry martini, smokes the biggest cigar you've ever seen and when he smiles, a golden tooth is revealed. You can’t help but smile back at him, although you think the place seems shady. "Welcome to my yacht, Johnson, finally you show us your face. Have you killed the AGENT now? Good! You’re here to collect your reward I presume? I’ll have my guy finalize the transaction but before you leave I need a small favour from you." It seems that he is mistaking you for the assassin but you don’t mind.
#### Challenge: Hide and seek (misc)
The man hands you a pendrive which you reluctantly connect to your laptop. He says he got it from a partner, and the partner claims that he hid valuable information in that PNG there. The problem is, it looks empty. See if you can find anything.
### After solving
I see you are a person of many qualities. I must say I am impressed. One last thing, I just have to ask, see you always struck me as a fan of sports, I don’t know why. What do you prefer? Basketball or Soccer?
#### Basketball ([10](#))
"Well then, if you are hungry for more missions, I got a thing in NYC for you. The person who wanted the AGENT dead, also owns this office complex, and needs a guy to guard a certain event that will take place there tomorrow. I'm sorry that I can’t reveal more information than that, but at least it is well paid, and perhaps you can watch a game of basketball on your way home, deal?."
#### Soccer? Do you mean football? ([11](#))
"Well then, if you are hungry for more missions, I got a thing in London for you. The person who wanted the AGENT dead, also owns this warehouse near Heathrow, and needs a guy to guard a certain event that will take place there tomorrow. I'm sorry that I can’t reveal more information than that, but at least it is well paid, and perhaps you can watch a game of football on your way home, deal?."
## Attachment
[attachment.zip](/files/writeups/google-ctf/2021/beginners-quest/8/attachment.zip)
{{< figure class="small" src="/img/writeups/google-ctf/2021/beginners-quest/8/hideandseek.png" title="hideandseek.png" >}}
_Note: The image is supposed to look like half is missing._
## Recon
The attachment contains one file: `hideandseek.png`.
It is an image of 1000x1000 pixels with a size of 15KB.
## Solving
Upon opening the image we don't really see anything, depending on the image viewer we only get a black image. So first thing I thought of was regular stenography.
### Basic stenography
After playing with the image a bit and using tools like [`zsteg`](https://github.com/zed-0xff/zsteg) and `steghide`, I found it to not be your standard stenograpy.
So I started looking a the hex representation of the image (using `hexdump` or `hexyl`), and found some PNG data chunks. I didn't know anything about PNG files though.
### PNG specification
When reading through [the PNG specification](http://libpng.org/pub/png/spec/iso/index-object.html), I found that it was actually pretty huge. We (probably) don't need to know everything though, so let's skip to [the datastream specification](http://libpng.org/pub/png/spec/iso/index-object.html#4Concepts.Format). Here we find the following text:
> There are 18 chunk types defined in this International Standard. Chunk types are four-byte sequences chosen so that they correspond to readable labels when interpreted in the ISO 646.IRV:1991 character set. The first four are termed critical chunks, which shall be understood and correctly interpreted according to the provisions of this International Standard. These are:
>
> - [IHDR](http://libpng.org/pub/png/spec/iso/index-object.html#11IHDR): image header, which is the first chunk in a PNG datastream.
> - [PLTE](http://libpng.org/pub/png/spec/iso/index-object.html#11PLTE): palette table associated with indexed PNG images.
> - [IDAT](http://libpng.org/pub/png/spec/iso/index-object.html#11IDAT): image data chunks.
> - [IEND](http://libpng.org/pub/png/spec/iso/index-object.html#11IEND): image trailer, which is the last chunk in a PNG datastream.
>
> The remaining 14 chunk types are termed ancillary chunk types, which encoders may generate and decoders may interpret.
>
> - Transparency information: [tRNS](http://libpng.org/pub/png/spec/iso/index-object.html#11tRNS) (see 11.3.2: [Transparency information](http://libpng.org/pub/png/spec/iso/index-object.html#11transinfo)).
> - Colour space information: [cHRM](http://libpng.org/pub/png/spec/iso/index-object.html#11cHRM), [gAMA](http://libpng.org/pub/png/spec/iso/index-object.html#11gAMA), [iCCP](http://libpng.org/pub/png/spec/iso/index-object.html#11iCCP), [sBIT](http://libpng.org/pub/png/spec/iso/index-object.html#11sBIT), [sRGB](http://libpng.org/pub/png/spec/iso/index-object.html#11sRGB) (see 11.3.3: [Colour space information](http://libpng.org/pub/png/spec/iso/index-object.html#11addnlcolinfo)).
> - Textual information: [iTXt](http://libpng.org/pub/png/spec/iso/index-object.html#11iTXt), [tEXt](http://libpng.org/pub/png/spec/iso/index-object.html#11tEXt), [zTXt](http://libpng.org/pub/png/spec/iso/index-object.html#11zTXt) (see 11.3.4: [Textual information](http://libpng.org/pub/png/spec/iso/index-object.html#11textinfo)).
> - Miscellaneous information: [bKGD](http://libpng.org/pub/png/spec/iso/index-object.html#11bKGD), [hIST](http://libpng.org/pub/png/spec/iso/index-object.html#11hIST), [pHYs](http://libpng.org/pub/png/spec/iso/index-object.html#11pHYs), [sPLT](http://libpng.org/pub/png/spec/iso/index-object.html#11sPLT) (see 11.3.5: [Miscellaneous information]()).
> - Time information: [tIME](http://libpng.org/pub/png/spec/iso/index-object.html#11tIME) (see 11.3.6: [Time stamp information](http://libpng.org/pub/png/spec/iso/index-object.html#11timestampinfo)).
When reading through the hex representation of the image, I could find the mandatory `IHDR`, `IDAT` and `IEND` chucks. However, I also found some `eDIH` chunks. When looking around on the internet I could not find anything about it, so it had to be something to do with the challenge.
Firstly, I had to find out how chunks actually work.
### Chunk specification
When looking at [the chunk layout documentation](http://libpng.org/pub/png/spec/iso/index-object.html#5Chunk-layout), it says a chunk consists of four field; `LENGTH`, `CHUNK TYPE`, `CHUNK DATA` and `CRC`.
So I grabbed one `eDIH` chunk and verified/decoded it.
```text
00 00 00 01 65 44 49 48 31 95 B3 B3 32
```
| Part | HEX | Decoded |
| ------ | ------------- | ------- |
| Length | `00 00 00 01` | `1` |
| Type | `65 44 49 48` | `eDIH` |
| Data | `31` | `1` |
| CRC | `95 B3 B3 32` | `....` |
Now we have to get all the `eDIH` chunks.
### eDIH chunks
The flag is probably stored in the data fields of the `eDIH` chunks, so I wrote a little script to get all these fields and decode them.
```py
import re
import base64
with open("hideandseek.png", 'rb') as file:
image_data = file.read()
occurrences = (location.end() for location in re.finditer(b"eDIH", image_data))
print("".join(chr(image_data[index]) for index in occurrences))
```
When running it, it returns the following:
```text
Q1RGe0RpZFlvdUtub3dQTkdpc1Byb25vdW5jZWRQSU5HP30=
```
This looks like some base64, so I decoded it using the following command:
```sh
echo "Q1RGe0RpZFlvdUtub3dQTkdpc1Byb25vdW5jZWRQSU5HP30=" | base64 -d
```
## Solution
After executing this command, we get the flag! It's `CTF{DidYouKnowPNGisPronouncedPING?}`.
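Review bot: the extraction script at `occurrences = (location.end() for location in re.finditer(b"eDIH", image_data))` / `print("".join(chr(image_data[index]) for index in occurrences))` assumes every `eDIH` chunk carries exactly one data byte, which holds for the sample chunk decoded in the table (`Length` = `00 00 00 01`) but is not checked; a search for the bare type string can also match inside another chunk's data or CRC. Suggest walking the chunks from offset 8 using the four-byte big-endian length field (and the same logic lets you verify the `CRC` row, left as `....` in the table, with `zlib.crc32` over type plus data). Also note that `image_data = file.read()` appears unindented under the `with open(...)` line in this view; if that is not just the diff rendering it is a SyntaxError. Spelling in the new prose: "stenography"/"stenograpy" should be "steganography" (heading and body), "chucks" should be "chunks", "four field" should be "four fields", "looking a the hex" should be "looking at the hex", and the two "deal?." endings have a stray period. Finally, `#### Basketball ([10](#))` and `#### Soccer? Do you mean football? ([11](#))` use the same `(#)` placeholder that this commit replaces in 5.md and 6.md; they will need the `{{< ref "10.md" >}}` / `{{< ref "11.md" >}}` form once those writeups exist.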

Binary file not shown.

Binary file not shown.
