Incognito wtfCTF 2021: m15tery_Box

m15tery_Box

Category: Reverse

chal

100 points

I keep losing my “keys”. Can you help me find it?

Author: AyushVatsa

file: LSBmy5t3ry80x.png

Solution

Given file is png with zip archive appended at the end. Archive is protected with password. The password was hidden in LSB of the image, it was easy to retrieve with zsteg as below.

(ctf) [email protected]:~/tmp$ zsteg LSBmy5t3ry80x.png 
[?] 8458 bytes of extra data after image end (IEND), offset = 0x9fa
extradata:0         .. file: Zip archive data, at least v2.0 to extract
    00000000: 50 4b 03 04 14 03 00 00  00 00 ab 81 b3 52 00 00  |PK...........R..|
    00000010: 00 00 00 00 00 00 00 00  00 00 08 00 00 00 4d 79  |..............My|
    00000020: 35 74 33 72 59 2f 50 4b  03 04 14 03 00 00 00 00  |5t3rY/PK........|
    00000030: f5 73 ae 52 00 00 00 00  00 00 00 00 00 00 00 00  |.s.R............|
    00000040: 12 00 00 00 4d 79 35 74  33 72 59 2f 2e 6e 6f 74  |....My5t3rY/.not|
    00000050: 20 68 65 72 65 2f 50 4b  03 04 33 03 01 00 63 00  | here/PK..3...c.|
    00000060: 0c 8e b0 52 00 00 00 00  65 00 00 00 63 00 00 00  |...R....e...c...|
    00000070: 1a 00 0b 00 4d 79 35 74  33 72 59 2f 2e 6e 6f 74  |....My5t3rY/.not|
    00000080: 20 68 65 72 65 2f 66 6c  61 67 2e 74 78 74 01 99  | here/flag.txt..|
    00000090: 07 00 02 00 41 45 01 08  00 ce f1 2c b5 57 fa e9  |....AE.....,.W..|
    000000a0: 76 d9 cc 1b 47 7e 86 75  30 d9 18 43 0c 85 2e b9  |v...G~.u0..C....|
    000000b0: 39 b3 cc a0 11 c8 c2 8e  47 cc 47 af 42 20 17 6d  |9.......G.G.B .m|
    000000c0: d2 66 ea cd 0b d7 fb 19  5d 2f ae 1c e0 2c 74 92  |.f......]/...,t.|
    000000d0: 16 57 13 10 c2 8c 71 c5  a2 79 73 4f dc 29 ec 4d  |.W....q..ysO.).M|
    000000e0: 55 67 a5 b8 1a 29 d7 78  20 7c a2 cc 94 a1 9b ec  |Ug...).x |......|
    000000f0: 88 63 6c 08 24 5b 3e e1  30 01 db bc 28 d8 50 4b  |.cl.$[>.0...(.PK|
imagedata           .. file: Windows Precompiled iNF, version 0.1, InfStyle 1, flags 0xff01ff, unicoded, has strings, src URL, volatile dir ids, verified, digitally signed, at 0xff000000 "", WinDirPath "", OsLoaderPath "", LanguageID 100, at 0xffff0000 SourcePath "", at 0x100 InfName ""
b1,rgb,lsb,xy       .. text: "[email protected]"
b1,rgba,lsb,xy      .. text: ["U" repeated 41 times]
b1,abgr,msb,xy      .. file: PGP Secret Key -
b2,r,msb,xy         .. text: "WUUUUUUUUUUUUUUUUUUUU"
b2,g,lsb,xy         .. text: ["U" repeated 20 times]
b2,bgr,lsb,xy       .. file: PEX Binary Archive
b2,abgr,msb,xy      .. text: ["c" repeated 83 times]
b3,bgr,lsb,xy       .. file: StarOffice Gallery theme \222, 0 objects
b4,r,lsb,xy         .. file: PDP-11 UNIX/RT ldp
b4,r,msb,xy         .. text: "nfffffffffffffffffffffffffffffffffffffffff"
b4,g,lsb,xy         .. file: 0420 Alliant virtual executable not stripped
b4,b,lsb,xy         .. file: raw G3 (Group 3) FAX, byte-padded
b4,rgb,lsb,xy       .. file: PDP-11 UNIX/RT ldp
b4,bgr,lsb,xy       .. file: Windows Precompiled iNF, version 0.1, InfStyle 1, flags 0x101101, unicoded, at 0x16798006 "", OsLoaderPath "", LanguageID 6881, at 0x16688116 SourcePath "", at 0x81166881 InfName ""

So, I’ve used the [email protected] as a password and get the content of the archive.

7z x LSBmy5t3ry80x.png
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=pl_PL.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (306C3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 11012 bytes (11 KiB)

Extracting archive: LSBmy5t3ry80x.png
--
Path = LSBmy5t3ry80x.png
Type = zip
Offset = 2554
Physical Size = 8458

    
Enter password (will not be echoed):
Everything is Ok                   

Folders: 16
Files: 17
Size:       20574
Compressed: 11012

I didn’t want to wander thru all the files, so I’ve used below approach.

grep -ir '.*' *
here/not here/.confirmation.txt:You might be on the right track. 
here/not here/.confirmation.txt:Just keep in mind that when people say yes they may mean to say "no".
here/not here/yes/roll:ggcf://ovg.yl/VdG6mg
here/not here/yes/roll:
here/not here/yes/roll:Try this hint
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:ROT
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:
here/not here/yes/roll:------------
grep: here/not here/yes/.DS_Store: binary file matches
here/not here/no/maybe not:is something rotting in here?
here/not here/no/maybe not:
here/not here/no/maybe not:
here/not here/no/maybe not:{Qrsvargyl abg lbhe ubabhe} Olr
here/not here/no/maybe not:
here/not here/no/maybe:[part 2] XD
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:X1RocjMzXw==
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:
here/not here/no/maybe:this is the flag, but it isn't. Keep this in mind. 
grep: here/not here/.DS_Store: binary file matches
here/nope/.nope.txt:Hard day isn't it? We can give you a hint. The flag is in 3 parts.
here/nope/.nope.txt:But sadly, not here.
here/.nope/part1?.txt:Didn't you see the question mark? Better luck next time sir.
grep: here/.DS_Store: binary file matches
hint:Things are often "hidden".
hint:
hint:.....
grep: or here/don't know/.chain.zip: binary file matches
or here/don't know/Not telling/not again:%5:1}jb5'/>0?-`"((brzx>"
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:KEY to life is MANAGE
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:
or here/don't know/Not telling/not again:--------------
or here/.Noob/Are you/.still a noob:nak? Nanananak Naknak naknaknak Naknaknak Nananak Naknaknak Nananak Naknaknak Naknak. Nananak nak. Nananak Nak nak? Naknaknak Naknaknak Nananak Naknak naknaknak Naknak nak. Naknak Naknaknak Nananak Nak Naknak Naknak Naknak naknaknak Naknak naknak Naknak Nak? Naknak nak? Naknaknak Nananak Nananak nak. Nananak Nak nak? Nak? Naknaknak Nananak Naknaknak Naknak. Nananak Nak Naknak Nanak Naknak Naknaknak Naknak Nanak Naknak Naknak. Naknak nak. Nananak nak.
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:
or here/.Noob/Are you/.still a noob:-----------------
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:VGhpcyBpcyB0aGUgbGFzdCBiaXQuCgoKW1BhcnQzXQoKCnBBciFzfQo=
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:
or here/.Noob/a noob?/hehe noob:----------------
or here/Don't ask me/OKAY/if you insist:OKAY. I may tell you. But you'll be a ".noob" if you need this hint.
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:And
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:BAABA AABBB ABAAA BAAAB ABAAA BAAAB ABAAA BAABB BAAAB BAABA BAABA ABBAB BABAA AAAAA BAAAB BAABA AABAA BABBA ABBAB BAABB BAAAA BAABA ABAAA ABABB AABAA
or here/Don't ask me/OKAY/if you insist:
or here/Don't ask me/OKAY/if you insist:------------ 
or here/.something:you may need this
or here/.something:
or here/.something:"cuteCAT"
or here/.something:
or here/.something:
or here/.something:---------------

Between all the trolling there were some flag parts.

echo X1RocjMzXw== | base64 -d
_Thr33_
echo VGhpcyBpcyB0aGUgbGFzdCBiaXQuCgoKW1BhcnQzXQoKCnBBciFzfQo= | base64 -d
This is the last bit.


[Part3]


pAr!s}

First part was hidden in the or here/don't know/.chain.zip archive. Once again, it was protected by password. But this time password was in the hints from or here/.something file. With cuteCAT password I’ve extracted the archive with encrypted last part of flag.

cat Users/vatsa/Desktop/wtfCTF/2/start\ copy/or\ here/don\'t\ know/zipped/meow 
Kmmmmm. Czmz tjp cvqz ocz admno Kvmo


roaXOA{di

It’s a ROT13 encrypted:

Prrrrr. Here you have the first Part


wtfCTF{in

All parts of flag combined together gave wtfCTF{in_Thr33_pAr!s}.

Flag

wtfCTF{in_Thr33_pAr!s}

Privacy Policy
luc © 2021