m15tery_Box
Category: Reverse
100 points
I keep losing my “keys”. Can you help me find it?
Author: AyushVatsa
file: LSBmy5t3ry80x.png
Solution
Given file is png with zip archive appended at the end. Archive is protected with password. The password was hidden
in LSB of the image, it was easy to retrieve with zsteg as below.
(ctf) luc@slon:~/tmp$ zsteg LSBmy5t3ry80x.png [?] 8458 bytes of extra data after image end (IEND), offset = 0x9fa
extradata:0 .. file: Zip archive data, at least v2.0 to extract
00000000: 50 4b 03 04 14 03 00 00 00 00 ab 81 b3 52 00 00 |PK...........R..|
00000010: 00 00 00 00 00 00 00 00 00 00 08 00 00 00 4d 79 |..............My|
00000020: 35 74 33 72 59 2f 50 4b 03 04 14 03 00 00 00 00 |5t3rY/PK........|
00000030: f5 73 ae 52 00 00 00 00 00 00 00 00 00 00 00 00 |.s.R............|
00000040: 12 00 00 00 4d 79 35 74 33 72 59 2f 2e 6e 6f 74 |....My5t3rY/.not|
00000050: 20 68 65 72 65 2f 50 4b 03 04 33 03 01 00 63 00 | here/PK..3...c.|
00000060: 0c 8e b0 52 00 00 00 00 65 00 00 00 63 00 00 00 |...R....e...c...|
00000070: 1a 00 0b 00 4d 79 35 74 33 72 59 2f 2e 6e 6f 74 |....My5t3rY/.not|
00000080: 20 68 65 72 65 2f 66 6c 61 67 2e 74 78 74 01 99 | here/flag.txt..|
00000090: 07 00 02 00 41 45 01 08 00 ce f1 2c b5 57 fa e9 |....AE.....,.W..|
000000a0: 76 d9 cc 1b 47 7e 86 75 30 d9 18 43 0c 85 2e b9 |v...G~.u0..C....|
000000b0: 39 b3 cc a0 11 c8 c2 8e 47 cc 47 af 42 20 17 6d |9.......G.G.B .m|
000000c0: d2 66 ea cd 0b d7 fb 19 5d 2f ae 1c e0 2c 74 92 |.f......]/...,t.|
000000d0: 16 57 13 10 c2 8c 71 c5 a2 79 73 4f dc 29 ec 4d |.W....q..ysO.).M|
000000e0: 55 67 a5 b8 1a 29 d7 78 20 7c a2 cc 94 a1 9b ec |Ug...).x |......|
000000f0: 88 63 6c 08 24 5b 3e e1 30 01 db bc 28 d8 50 4b |.cl.$[>.0...(.PK|
imagedata .. file: Windows Precompiled iNF, version 0.1, InfStyle 1, flags 0xff01ff, unicoded, has strings, src URL, volatile dir ids, verified, digitally signed, at 0xff000000 "", WinDirPath "", OsLoaderPath "", LanguageID 100, at 0xffff0000 SourcePath "", at 0x100 InfName ""
b1,rgb,lsb,xy .. text: "Pr1v4cY15@MytH"
b1,rgba,lsb,xy .. text: ["U" repeated 41 times]
b1,abgr,msb,xy .. file: PGP Secret Key -
b2,r,msb,xy .. text: "WUUUUUUUUUUUUUUUUUUUU"
b2,g,lsb,xy .. text: ["U" repeated 20 times]
b2,bgr,lsb,xy .. file: PEX Binary Archive
b2,abgr,msb,xy .. text: ["c" repeated 83 times]
b3,bgr,lsb,xy .. file: StarOffice Gallery theme \222, 0 objects
b4,r,lsb,xy .. file: PDP-11 UNIX/RT ldp
b4,r,msb,xy .. text: "nfffffffffffffffffffffffffffffffffffffffff"
b4,g,lsb,xy .. file: 0420 Alliant virtual executable not stripped
b4,b,lsb,xy .. file: raw G3 (Group 3) FAX, byte-padded
b4,rgb,lsb,xy .. file: PDP-11 UNIX/RT ldp
b4,bgr,lsb,xy .. file: Windows Precompiled iNF, version 0.1, InfStyle 1, flags 0x101101, unicoded, at 0x16798006 "", OsLoaderPath "", LanguageID 6881, at 0x16688116 SourcePath "", at 0x81166881 InfName ""So, I’ve used the Pr1v4cY15@MytH as a password and get the content of the archive.
7z x LSBmy5t3ry80x.png7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=pl_PL.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (306C3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 11012 bytes (11 KiB)
Extracting archive: LSBmy5t3ry80x.png
--
Path = LSBmy5t3ry80x.png
Type = zip
Offset = 2554
Physical Size = 8458
Enter password (will not be echoed):
Everything is Ok
Folders: 16
Files: 17
Size: 20574
Compressed: 11012I didn’t want to wander thru all the files, so I’ve used below approach.
grep -ir '.*' *here/not here/.confirmation.txt:You might be on the right track.
here/not here/.confirmation.txt:Just keep in mind that when people say yes they may mean to say "no".
here/not here/yes/roll:ggcf://ovg.yl/VdG6mg
here/not here/yes/roll:
here/not here/yes/roll:Try this hint
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:ROT
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:------------
grep: here/not here/yes/.DS_Store: binary file matches
here/not here/no/maybe not:is something rotting in here?
here/not here/no/maybe not:
here/not here/no/maybe not:
here/not here/no/maybe not:{Qrsvargyl abg lbhe ubabhe} Olr
here/not here/no/maybe not:
here/not here/no/maybe:[part 2] XD
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:X1RocjMzXw==
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:this is the flag, but it isn't. Keep this in mind.
grep: here/not here/.DS_Store: binary file matches
here/nope/.nope.txt:Hard day isn't it? We can give you a hint. The flag is in 3 parts.
here/nope/.nope.txt:But sadly, not here.
here/.nope/part1?.txt:Didn't you see the question mark? Better luck next time sir.
grep: here/.DS_Store: binary file matches
hint:Things are often "hidden".
hint:
hint:.....
grep: or here/don't know/.chain.zip: binary file matches
or here/don't know/Not telling/not again:%5:1}jb5'/>0?-`"((brzx>"
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:KEY to life is MANAGE
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:--------------
or here/.Noob/Are you/.still a noob:nak? Nanananak Naknak naknaknak Naknaknak Nananak Naknaknak Nananak Naknaknak Naknak. Nananak nak. Nananak Nak nak? Naknaknak Naknaknak Nananak Naknak naknaknak Naknak nak. Naknak Naknaknak Nananak Nak Naknak Naknak Naknak naknaknak Naknak naknak Naknak Nak? Naknak nak? Naknaknak Nananak Nananak nak. Nananak Nak nak? Nak? Naknaknak Nananak Naknaknak Naknak. Nananak Nak Naknak Nanak Naknak Naknaknak Naknak Nanak Naknak Naknak. Naknak nak. Nananak nak.
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:-----------------
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:VGhpcyBpcyB0aGUgbGFzdCBiaXQuCgoKW1BhcnQzXQoKCnBBciFzfQo=
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:----------------
or here/Don't ask me/OKAY/if you insist:OKAY. I may tell you. But you'll be a ".noob" if you need this hint.
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:And
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:BAABA AABBB ABAAA BAAAB ABAAA BAAAB ABAAA BAABB BAAAB BAABA BAABA ABBAB BABAA AAAAA BAAAB BAABA AABAA BABBA ABBAB BAABB BAAAA BAABA ABAAA ABABB AABAA
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:------------
or here/.something:you may need this
or here/.something:
or here/.something:"cuteCAT"
or here/.something:
or here/.something:
or here/.something:---------------Between all the trolling there were some flag parts.
echo X1RocjMzXw== | base64 -d_Thr33_echo VGhpcyBpcyB0aGUgbGFzdCBiaXQuCgoKW1BhcnQzXQoKCnBBciFzfQo= | base64 -dThis is the last bit.
[Part3]
pAr!s}First part was hidden in the or here/don't know/.chain.zip archive. Once again, it was protected by password.
But this time password was in the hints from or here/.something file. With cuteCAT password I’ve extracted the
archive with encrypted last part of flag.
cat Users/vatsa/Desktop/wtfCTF/2/start\ copy/or\ here/don\'t\ know/zipped/meow Kmmmmm. Czmz tjp cvqz ocz admno Kvmo
roaXOA{diIt’s a ROT13 encrypted:
Prrrrr. Here you have the first Part
wtfCTF{inAll parts of flag combined together gave wtfCTF{in_Thr33_pAr!s}.
Flag
wtfCTF{in_Thr33_pAr!s}