Oceanic - Steganography

Task

The flag is somewhere in the deep.

Solution

We get the following file:

szczygielka@hacks$ file challenge.tar                                            
challenge.tar: POSIX tar archive (GNU)

Let's unpack the archive:

szczygielka@hacks$ tar -xvf challenge.tar 
clue.jpg
peaceful.wav

After unpacking the archive, we get two files: clue.jpg and peaceful.wav. The first one probably shows the ocean:

Let's check this file with exiftool whether it contains any interesting metadata:

szczygielka@hacks$ exiftool clue.jpg  
ExifTool Version Number         : 12.57
File Name                       : clue.jpg
Directory                       : .
File Size                       : 20 kB
File Modification Date/Time     : 2024:01:04 06:25:01-05:00
File Access Date/Time           : 2024:02:10 14:40:18-05:00
File Inode Change Date/Time     : 2024:02:10 14:40:18-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Comment                         : 8qQd3iMYmtsyto7aXUuw1KVRpQFCRxqRtJiRgP85e36y
Image Width                     : 612
Image Height                    : 344
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 612x344
Megapixels                      : 0.211

There is a string in the Comment field that appears to be encoded. Let's try to decode it using CyberChef:

It turns out that the string was encoded using Base58. The decoded string seems to be a hint for the task:

theoceanisactuallyreallydeeeepp

Let's look at the second file, peaceful.wav. The audio recording contains the sound of waves.

After analyzing the hint contained in the clue.jpg file, as well as the information found on HackTricks, we can assume that another file has been hidden in the audio file, and to unpack it we have to use the DeepSound tool. After uploading the file, we are asked for a password. Let's try to use the decoded hint from the clue.jpg file as a password:

After entering the password, we can see that the peaceful.wav contains the flag.png file:

Let's extract the flag.png file. The file content looks like this:

After checking the strings in the flag.png file, we find the flag:

szczygielka@hacks$ strings -a flag.png | grep "KCTF{"
KCTF{mul71_l4y3r3d_57360_ec4dacb5}

Flag:

KCTF{mul71_l4y3r3d_57360_ec4dacb5}