
# Flag Hunt! - Steganography

## Task

Hunt your way through the challenge and Capture The hidden Flag!!!

Flag Format: KCTF{S0m3th1ng_h3re}

## Solution

We get the following file:

```
szczygielka@hacks$ file attch1.zip
attch1.zip: Zip archive data, at least v1.0 to extract, compression method=store
```

When trying to unpack the archive, we are asked to enter a password that we do not know:

```
szczygielka@hacks$ unzip attch1.zip
Archive:  attch1.zip
   creating: challenge/
[attch1.zip] challenge/img182.jpg password:
```

So we can try to brute force the password using the `fcrackzip` tool and `rockyou.txt` wordlist:

```
szczygielka@hacks$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt attch1.zip   
PASSWORD FOUND!!!!: pw == zippo123
```

The password has been cracked. So we can unpack the contents of the archive. The unpacked directory contains 1004 items:

```
szczygielka@hacks$ ls | wc -l
1004
```

All files in the extracted directory look the same at first glance:

<figure><img src="/files/0iadq6MQ23ZK2AzRcHkT" alt=""><figcaption></figcaption></figure>

Let's check whether any files differ from the others by calculating the MD5 hash of every file in the directory:

```
szczygielka@hacks$ md5sum *    
84cdb1714eaccd507ea088ed30d36df4  flag.txt
1f5ae0d1c2ef22462040c0c788355e51  img1.jpg
1f5ae0d1c2ef22462040c0c788355e51  img2.jpg
1f5ae0d1c2ef22462040c0c788355e51  img3.jpg
1f5ae0d1c2ef22462040c0c788355e51  img4.jpg
1f5ae0d1c2ef22462040c0c788355e51  img5.jpg
1f5ae0d1c2ef22462040c0c788355e51  img6.jpg
1f5ae0d1c2ef22462040c0c788355e51  img7.jpg
1f5ae0d1c2ef22462040c0c788355e51  img8.jpg
1f5ae0d1c2ef22462040c0c788355e51  img9.jpg
1f5ae0d1c2ef22462040c0c788355e51  img10.jpg
1f5ae0d1c2ef22462040c0c788355e51  img11.jpg
<SNIP>
```

We can see that the `img725.jpg` file has a different hash than the other images:

<figure><img src="/files/Ujf96HHd8bfiaQa004wN" alt=""><figcaption></figcaption></figure>

It turns out that this directory also contains files in other formats. These are: `key.wav`, `n0t3.txt` and `nooope_not_here_gotta_try_harder.txt`:

<figure><img src="/files/LCfbGJi4tqA9XLaz88dj" alt=""><figcaption></figcaption></figure>
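
The same comparison can be scripted instead of read off the `md5sum` listing by eye. This is an added example, not part of the original write-up; the function name `find_outliers` is an assumption, and it relies on `md5sum`, `find`, `awk` and `sort` being available.

```shell
#!/bin/sh
# find_outliers DIR
# Hash every regular file directly inside DIR and print "<md5> <name>" for
# each file whose hash is NOT the most common one. In a directory full of
# identical decoy images this leaves only the files worth a closer look:
# the modified image and anything that is not an image at all.
find_outliers() (
    cd "$1" || exit 1
    # md5sum prints "<hash>  ./<name>" (or "<hash> *./<name>" in binary mode)
    find . -maxdepth 1 -type f -exec md5sum {} + |
    awk '
        {
            hash = $1
            sub(/^[0-9a-f]+ [ *]\.\//, "")   # strip hash and "./" prefix
            name[NR] = $0
            sum[NR] = hash
            count[hash]++
        }
        END {
            # the hash shared by the most files is treated as the decoy
            for (k in count) if (count[k] > max) { max = count[k]; common = k }
            for (i = 1; i <= NR; i++)
                if (sum[i] != common) print sum[i], name[i]
        }' |
    sort -k2
)

# Run against a directory when one is given on the command line,
# e.g.: sh find_outliers.sh challenge
if [ "$#" -gt 0 ]; then
    find_outliers "$1"
fi
```
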

Let's display the contents of the files `n0t3.txt` and `nooope_not_here_gotta_try_harder.txt`:

```
szczygielka@hacks$ cat n0t3.txt                                     
The flag is here somewhere. Keep Searching..

Tip: Use lowercase only

szczygielka@hacks$ cat nooope_not_here_gotta_try_harder.txt
KCTF{f4k3_fl46}
```

Apparently, the flag is here somewhere and we should keep looking for it. Let's analyze what's inside the `key.wav` file. After listening to the recording, we can assume the `key.wav` file contains a message encoded using Morse code. We can try to decode it using [this](https://morsecode.world/international/decoder/audio-decoder-expert.html) website. After decoding the file contents, we receive the following message:

```
MORSECODETOTHERESCUE!!
```

Let's go back to the `img725.jpg` file. Visually, it does not seem to differ from other images. So we can use the `steghide` tool to check if another file is embedded in this image:

```
szczygielka@hacks$ steghide info img725.jpg
"img725.jpg":
  format: jpeg
  capacity: 8.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "flag.txt":
    size: 47.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
```

After entering `morsecodetotherescue!!` as the passphrase (the decoded Morse message in lowercase, following the tip in `n0t3.txt`), we can see that the `flag.txt` file is hidden in the `img725.jpg` file. Let's extract it using the following command:

```
szczygielka@hacks$ steghide extract -sf img725.jpg
Enter passphrase: 
wrote extracted data to "flag.txt".
```

Let's display the contents of the `flag.txt` file using the cat command:

```
szczygielka@hacks$ cat flag.txt                               
KCTF{3mb3d_53cr37_4nd_z1pp17_4ll_up_ba6df32ce}
```

Flag:

```
KCTF{3mb3d_53cr37_4nd_z1pp17_4ll_up_ba6df32ce}
```

