diff --git a/content/writeups/google-ctf/2021/beginners-quest/5.md b/content/writeups/google-ctf/2021/beginners-quest/5.md index fa43b64..66e9fa9 100644 --- a/content/writeups/google-ctf/2021/beginners-quest/5.md +++ b/content/writeups/google-ctf/2021/beginners-quest/5.md @@ -39,7 +39,7 @@ Gökhan is pointing at a parked vehicle. He tells you that you will have to try Gökhan exits the crate, and makes a quick sprint for the car. The tough guys spot him, and they approach. As he enters the car he tries to start it, and the car makes an ominous sound, as the bad guys are closing in. He looks back through the rear window, and sees that the bad guys are about to jump on the back of the car, and they are pulling out guns. He tries to start the car furiously one more time and... IT WORKS! Gökhan disappears off in the distance. You overhear the tough guys when they are talking about a person, “Mesut”, that got classified information. You quickly send a message to the boss to look up the person. After a short wait you receive a response that he is currently on his private yacht in Croatia. Looks like it is time for some travel again. -#### Come with Gökhan ([8](#)) +#### Come with Gökhan ([8]({{< ref "8.md" >}})) As you and Gökhan are leaving the crates to enter a car, you spot the tough guys coming after you, and they are pulling out weapons. Gökhan starts the car and the two of you take off. After a decent distance outside of the city, he gives you an invitation to a private conference that will take place in Buenos Aires. diff --git a/content/writeups/google-ctf/2021/beginners-quest/6.md b/content/writeups/google-ctf/2021/beginners-quest/6.md index e7f461d..b8daedb 100644 --- a/content/writeups/google-ctf/2021/beginners-quest/6.md +++ b/content/writeups/google-ctf/2021/beginners-quest/6.md 
@@ -35,7 +35,7 @@ This one is a doozie. We found this weird file on a memory stick with a post-it "Great job! Let’s look into the device itself then. Well, I can’t say that I recognise this piece of hardware-" Before the manager completes the sentence, you spot a reflection of a dagger in his shades. You turn around and see a mysterious assassin that is almost piercing you with the dagger, but you manage to move away at the last moment and disarm the assassin with one strike. The mysterious assassin takes off. Do you? -#### Run after ([8](#)) +#### Run after ([8]({{< ref "8.md" >}})) The manager shouts after you to come back, but you don’t listen. You are uncompromisingly determined to hunt down the assassin. The assassin turns over trash bins and chairs through the corridor, and you manage to dodge them. The assassin climbs up using a ladder, you follow. You come to a rooftop, and the assassin has nowhere to flee. You shout: "Reveal yourself, tell me who you’re working for, and I will do you no harm."The assassin comes out from behind a ventilation exhaust. They hand you a note with coordinates to a spot in the mediterranean. When you look again, the assassin is gone. diff --git a/content/writeups/google-ctf/2021/beginners-quest/8.md b/content/writeups/google-ctf/2021/beginners-quest/8.md new file mode 100644 index 0000000..462523a --- /dev/null +++ b/content/writeups/google-ctf/2021/beginners-quest/8.md 
@@ -0,0 +1,142 @@ ++++ +author = "Maik de Kruif" +title = "Hide and seek" +subtitle = "Beginners Quest 8 - Google CTF" +date = 2021-09-28T23:21:00+01:00 +description = "A writeup for challenge 8 of the beginners quests of the Google CTF." +cover = "img/writeups/google-ctf/2021/beginners-quest/8/cover.png" +tags = [ + "Google CTF", + "Beginners Quest", + "ctf", + "hacking", + "writeup", + "misc", +] +categories = [ + "ctf", + "writeups", + "hacking", + "misc", +] ++++ + +## Story line + +### Croatia - Yacht + +You arrive at the location through the coordinates that you got from the assassin, a luxurious yacht. A fat, bald man lies on a puma couch. He sips on a dry martini, smokes the biggest cigar you've ever seen and when he smiles, a golden tooth is revealed. You can’t help but smile back at him, although you think the place seems shady. "Welcome to my yacht, Johnson, finally you show us your face. Have you killed the AGENT now? Good! You’re here to collect your reward I presume? I’ll have my guy finalize the transaction but before you leave I need a small favour from you." It seems that he is mistaking you for the assassin but you don’t mind. + +#### Challenge: Hide and seek (misc) + +The man hands you a pendrive which you reluctantly connect to your laptop. He says he got it from a partner, and the partner claims that he hid valuable information in that PNG there. The problem is, it looks empty. See if you can find anything. + +### After solving + +I see you are a person of many qualities. I must say I am impressed. One last thing, I just have to ask, see you always struck me as a fan of sports, I don’t know why. What do you prefer? Basketball or Soccer? + +#### Basketball ([10](#)) + +"Well then, if you are hungry for more missions, I got a thing in NYC for you. The person who wanted the AGENT dead, also owns this office complex, and needs a guy to guard a certain event that will take place there tomorrow. 
I'm sorry that I can’t reveal more information than that, but at least it is well paid, and perhaps you can watch a game of basketball on your way home, deal?." + +#### Soccer? Do you mean football? ([11](#)) + +"Well then, if you are hungry for more missions, I got a thing in London for you. The person who wanted the AGENT dead, also owns this warehouse near Heathrow, and needs a guy to guard a certain event that will take place there tomorrow. I'm sorry that I can’t reveal more information than that, but at least it is well paid, and perhaps you can watch a game of football on your way home, deal?." + +## Attachment + +[attachment.zip](/files/writeups/google-ctf/2021/beginners-quest/8/attachment.zip) + +{{< figure class="small" src="/img/writeups/google-ctf/2021/beginners-quest/8/hideandseek.png" title="hideandseek.png" >}} + +_Note: The image is supposed to look like half is missing._ + +## Recon + +The attachment contains one file: `hideandseek.png`. + +It is an image of 1000x1000 pixels with a size of 15KB. + +## Solving + +Upon opening the image we don't really see anything, depending on the image viewer we only get a black image. So first thing I thought of was regular stenography. + +### Basic stenography + +After playing with the image a bit and using tools like [`zsteg`](https://github.com/zed-0xff/zsteg) and `steghide`, I found it to not be your standard stenograpy. + +So I started looking a the hex representation of the image (using `hexdump` or `hexyl`), and found some PNG data chunks. I didn't know anything about PNG files though. + +### PNG specification + +When reading through [the PNG specification](http://libpng.org/pub/png/spec/iso/index-object.html), I found that it was actually pretty huge. We (probably) don't need to know everything though, so let's skip to [the datastream specification](http://libpng.org/pub/png/spec/iso/index-object.html#4Concepts.Format). 
Here we find the following text: + +> There are 18 chunk types defined in this International Standard. Chunk types are four-byte sequences chosen so that they correspond to readable labels when interpreted in the ISO 646.IRV:1991 character set. The first four are termed critical chunks, which shall be understood and correctly interpreted according to the provisions of this International Standard. These are: +> +> - [IHDR](http://libpng.org/pub/png/spec/iso/index-object.html#11IHDR): image header, which is the first chunk in a PNG datastream. +> - [PLTE](http://libpng.org/pub/png/spec/iso/index-object.html#11PLTE): palette table associated with indexed PNG images. +> - [IDAT](http://libpng.org/pub/png/spec/iso/index-object.html#11IDAT): image data chunks. +> - [IEND](http://libpng.org/pub/png/spec/iso/index-object.html#11IEND): image trailer, which is the last chunk in a PNG datastream. +> +> The remaining 14 chunk types are termed ancillary chunk types, which encoders may generate and decoders may interpret. +> +> - Transparency information: [tRNS](http://libpng.org/pub/png/spec/iso/index-object.html#11tRNS) (see 11.3.2: [Transparency information](http://libpng.org/pub/png/spec/iso/index-object.html#11transinfo)). +> - Colour space information: [cHRM](http://libpng.org/pub/png/spec/iso/index-object.html#11cHRM), [gAMA](http://libpng.org/pub/png/spec/iso/index-object.html#11gAMA), [iCCP](http://libpng.org/pub/png/spec/iso/index-object.html#11iCCP), [sBIT](http://libpng.org/pub/png/spec/iso/index-object.html#11sBIT), [sRGB](http://libpng.org/pub/png/spec/iso/index-object.html#11sRGB) (see 11.3.3: [Colour space information](http://libpng.org/pub/png/spec/iso/index-object.html#11addnlcolinfo)). 
+> - Textual information: [iTXt](http://libpng.org/pub/png/spec/iso/index-object.html#11iTXt), [tEXt](http://libpng.org/pub/png/spec/iso/index-object.html#11tEXt), [zTXt](http://libpng.org/pub/png/spec/iso/index-object.html#11zTXt) (see 11.3.4: [Textual information](http://libpng.org/pub/png/spec/iso/index-object.html#11textinfo)). +> - Miscellaneous information: [bKGD](http://libpng.org/pub/png/spec/iso/index-object.html#11bKGD), [hIST](http://libpng.org/pub/png/spec/iso/index-object.html#11hIST), [pHYs](http://libpng.org/pub/png/spec/iso/index-object.html#11pHYs), [sPLT](http://libpng.org/pub/png/spec/iso/index-object.html#11sPLT) (see 11.3.5: [Miscellaneous information]()). +> - Time information: [tIME](http://libpng.org/pub/png/spec/iso/index-object.html#11tIME) (see 11.3.6: [Time stamp information](http://libpng.org/pub/png/spec/iso/index-object.html#11timestampinfo)). + +When reading through the hex representation of the image, I could find the mandatory `IHDR`, `IDAT` and `IEND` chucks. However, I also found some `eDIH` chunks. When looking around on the internet I could not find anything about it, so it had to be something to do with the challenge. + +Firstly, I had to find out how chunks actually work. + +### Chunk specification + +When looking at [the chunk layout documentation](http://libpng.org/pub/png/spec/iso/index-object.html#5Chunk-layout), it says a chunk consists of four field; `LENGTH`, `CHUNK TYPE`, `CHUNK DATA` and `CRC`. + +So I grabbed one `eDIH` chunk and verified/decoded it. + +```text +00 00 00 01 65 44 49 48 31 95 B3 B3 32 +``` + +| Part | HEX | Decoded | +| ------ | ------------- | ------- | +| Length | `00 00 00 01` | `1` | +| Type | `65 44 49 48` | `eDIH` | +| Data | `31` | `1` | +| CRC | `95 B3 B3 32` | `....` | + +Now we have to get all the `eDIH` chunks. + +### eDIH chunks + +The flag is probably stored in the data fields of the `eDIH` chunks, so I wrote a little script to get all these fields and decode them. 
+ +```py +import re +import base64 + +with open("hideandseek.png", 'rb') as file: + image_data = file.read() + +occurrences = (location.end() for location in re.finditer(b"eDIH", image_data)) + +print("".join(chr(image_data[index]) for index in occurrences)) +``` + +When running it, it returns the following: + +```text +Q1RGe0RpZFlvdUtub3dQTkdpc1Byb25vdW5jZWRQSU5HP30= +``` + +This looks like some base64, so I decoded it using the following command: + +```sh +echo "Q1RGe0RpZFlvdUtub3dQTkdpc1Byb25vdW5jZWRQSU5HP30=" | base64 -d +``` + +## Solution + +After executing this command, we get the flag! It's `CTF{DidYouKnowPNGisPronouncedPING?}`. diff --git a/static/files/writeups/google-ctf/2021/beginners-quest/8/attachment.zip b/static/files/writeups/google-ctf/2021/beginners-quest/8/attachment.zip new file mode 100644 index 0000000..cb0acf8 Binary files /dev/null and b/static/files/writeups/google-ctf/2021/beginners-quest/8/attachment.zip differ diff --git a/static/img/writeups/google-ctf/2021/beginners-quest/8/cover.png b/static/img/writeups/google-ctf/2021/beginners-quest/8/cover.png new file mode 100644 index 0000000..15e459f Binary files /dev/null and b/static/img/writeups/google-ctf/2021/beginners-quest/8/cover.png differ diff --git a/static/img/writeups/google-ctf/2021/beginners-quest/8/hideandseek.png b/static/img/writeups/google-ctf/2021/beginners-quest/8/hideandseek.png new file mode 100644 index 0000000..9804fce Binary files /dev/null and b/static/img/writeups/google-ctf/2021/beginners-quest/8/hideandseek.png differ
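Review bot: in the 6.md hunk, the trailing context line reads `no harm."The assassin comes out` with no space after the closing quote. Since this commit already touches that file, add the space there as well.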
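Review bot: in the extraction script added to 8.md, `re.finditer(b"eDIH", image_data)` matches those four bytes anywhere in the file, including inside compressed `IDAT` data, and `image_data[index]` always takes exactly one byte after the match. The output is therefore only correct while every `eDIH` chunk has length 1 and no accidental match occurs. The write-up's own chunk table already shows the length field, so walking the chunks after the 8-byte PNG signature (length, type, data, CRC) and collecting the data of the `eDIH` chunks would make the script agree with the explanation above it. `import base64` is unused, because decoding is done with the `base64 -d` command. Two smaller points in the same file: "stenography" (in "regular stenography", the "Basic stenography" heading and "stenograpy") should be "steganography", and the new `([10](#))` and `([11](#))` links are the same placeholder pattern this patch replaces in 5.md and 6.md.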