Flag Hunt! - Steganography

Task

Hunt your way through the challenge and Capture The hidden Flag!!!

Flag Format: KCTF{S0m3th1ng_h3re}

Solution

We get the following file:

szczygielka@hacks$ file attch1.zip
attch1.zip: Zip archive data, at least v1.0 to extract, compression method=store

When trying to unpack the archive, we are asked to enter a password that we do not know:

szczygielka@hacks$ unzip attch1.zip
Archive:  attch1.zip
   creating: challenge/
[attch1.zip] challenge/img182.jpg password:

We can try to brute-force the password using the fcrackzip tool and the rockyou.txt wordlist:

szczygielka@hacks$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt attch1.zip
PASSWORD FOUND!!!!: pw == zippo123

The password has been cracked. So we can unpack the contents of the archive. The unpacked directory contains 1004 items:

szczygielka@hacks$ ls | wc -l
1004

All files in the extracted directory look the same at first glance.

Let's check whether any files differ from the others by calculating the MD5 hashes of all files in the directory:

szczygielka@hacks$ md5sum *
84cdb1714eaccd507ea088ed30d36df4  flag.txt
1f5ae0d1c2ef22462040c0c788355e51  img1.jpg
1f5ae0d1c2ef22462040c0c788355e51  img2.jpg
1f5ae0d1c2ef22462040c0c788355e51  img3.jpg
1f5ae0d1c2ef22462040c0c788355e51  img4.jpg
1f5ae0d1c2ef22462040c0c788355e51  img5.jpg
1f5ae0d1c2ef22462040c0c788355e51  img6.jpg
1f5ae0d1c2ef22462040c0c788355e51  img7.jpg
1f5ae0d1c2ef22462040c0c788355e51  img8.jpg
1f5ae0d1c2ef22462040c0c788355e51  img9.jpg
1f5ae0d1c2ef22462040c0c788355e51  img10.jpg
1f5ae0d1c2ef22462040c0c788355e51  img11.jpg
<SNIP>

We can see that the img725.jpg file has a different hash than the other images.
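With 1004 files, picking the odd hash out of the md5sum listing by eye is error-prone. The function below is an added example, not part of the original write-up: it groups files by content hash and prints only those whose hash is rare. The name find_outliers and its parameters are invented for this illustration, and it uses sha256sum instead of the write-up's md5sum.

```shell
#!/bin/sh
# Added example: list files whose content hash is shared by fewer than
# THRESHOLD files in one directory (non-recursive).
#
# find_outliers DIR [PATTERN] [THRESHOLD]   (hypothetical helper)
#   PATTERN    glob matched against file names, default '*.jpg'
#   THRESHOLD  a hash seen fewer than this many times is an outlier, default 2
find_outliers() {
    dir=$1
    pattern=${2:-*.jpg}
    threshold=${3:-2}

    # sha256sum prints "<hash>  <path>". Names containing a backslash or a
    # newline are escaped by sha256sum and are not handled here.
    find "$dir" -maxdepth 1 -type f -name "$pattern" -exec sha256sum {} + |
    awk -v t="$threshold" '
        {
            hash = $1
            # The path starts after the hash and the two separator characters.
            path = substr($0, length(hash) + 3)
            count[hash]++
            files[hash] = files[hash] path "\n"
        }
        END {
            # Print every file that belongs to a rare hash group.
            for (h in count)
                if (count[h] < t)
                    printf "%s", files[h]
        }' | sort
}

# Run directly as: sh find_outliers.sh challenge
if [ "$#" -gt 0 ]; then
    find_outliers "$@"
fi
```

Passing '*' as the pattern also surfaces the non-image files, since each of them has a hash no other file shares.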

It turns out that this directory also contains files in other formats. These are: key.wav, n0t3.txt and nooope_not_here_gotta_try_harder.txt.

Let's display the contents of the files n0t3.txt and nooope_not_here_gotta_try_harder.txt:

szczygielka@hacks$ cat n0t3.txt
The flag is here somewhere. Keep Searching..

Tip: Use lowercase only

szczygielka@hacks$ cat nooope_not_here_gotta_try_harder.txt
KCTF{f4k3_fl46}

Apparently, the flag is here somewhere and we should keep looking for it. Let's analyze what's inside the key.wav file. After listening to the recording, we can assume the key.wav file contains a message encoded in Morse code. We can try to decode it using an online decoder. After decoding the file contents, we receive the following message:

MORSECODETOTHERESCUE!!

Let's go back to the img725.jpg file. Visually, it does not seem to differ from other images. So we can use the steghide tool to check if another file is embedded in this image:

szczygielka@hacks$ steghide info img725.jpg
"img725.jpg":
  format: jpeg
  capacity: 8.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "flag.txt":
    size: 47.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

After entering morsecodetotherescue!! as the passphrase (the decoded message in lowercase, as the tip in n0t3.txt suggests), we can see that the flag.txt file is hidden in the img725.jpg file. Let's extract it using the following command:

szczygielka@hacks$ steghide extract -sf img725.jpg
Enter passphrase: 
wrote extracted data to "flag.txt".

Let's display the contents of the flag.txt file using the cat command:

szczygielka@hacks$ cat flag.txt
KCTF{3mb3d_53cr37_4nd_z1pp17_4ll_up_ba6df32ce}

Flag:

KCTF{3mb3d_53cr37_4nd_z1pp17_4ll_up_ba6df32ce}
