
Image Editing - CTFLearn (Crypto/Hard)

tags: ctf forensic

Description

I sent a couple of images to my friend, Leslie S. Brown, to edit. The only problem is that she only sent back 1 image! Can you help me figure out what happened to the other image? Also, for whatever reason, the image has a red tinge to it. Image: https://mega.nz/#!nGg2DIxA!zL1BLCoPpRB6KPTBrDqHWXyphBn-SRl1qs_kpcyIS4k

Step 1: Analysis

Hello, I am back with a cool write-up (WU). It cost my neurons too much, but it is so easy if I am cautious with each step I do on it.

  • First I read the description, and one thing made me suspicious: the end of the last sentence of the description, -red tinge-. I ignored it at that time, though; we need to download the image and see whether the image and the description are related, which is what the author is aiming at.
  • Download the image; it looks like this: a cute dog, huh.
  • Once again, the image doesn't relate to anything in the description, but that is only on the surface of the file, so we need to go to the next step and check that image more deeply.

Step 2: Exploit

  • Here are some tools you need to know to solve this:
    • file: it is not really a tool, but every Linux or Windows system contains it; use it to check the file properties
    • zsteg: tool for analysing an image based on byte, algorithm (LSB/MSB), color (R/G/B), position (xy) and any kind of text or file in it; use it to get more information
    • stegsolve: tool for exploiting images
    • binwalk: tool for exploiting images
    • exiftool: metadata analysis
  • That is all the arsenal we need to prepare, so check the image with those tools. Start with file, which just returns final.png: PNG image data, 1546 x 1213, 8-bit/color RGB, non-interlaced, so you get some helpful info about the image, such as that it is a PNG and its resolution.
  • Next comes binwalk. I usually check the image with this tool after file, because it analyses the image at the byte level and lets me know if the image contains anything like compressed data, text files or other images. But after I used it, it just returned some zlib data.
    • With that information, if it is useful, you can use the binwalk -e <FILE> command to extract/uncompress data from the image. binwalk works with other files too, not just images, so try it first.
    • After I extracted the data from the image, I received a zlib file named 29.zlib. I tried opening it with a hex editor (hexeditor on Linux, or on Windows you can try HxD) and it was not useful, so I tried to extract the zlib, because if I was lucky I could exploit something in it.
    • To extract the zlib I tried the command zlib-flate -uncompress < IN_FILE > OUT_FILE. If you want to run this command, you need to download the qpdf package. => Boom, it was not useful; the output of the zlib file has nothing strange to exploit.
    • Forensics is a way to reach the target, but don't go the wrong way: you need to turn back right now and read the description again, -red tinge-. Calm down and move on to exiftool, stegsolve and zsteg to continue exploiting.
  • Using exiftool on the image returned nothing useful.
  • Move on to zsteg and try it (it has something that refers to the description, -red tinge-). To run zsteg you need the Ruby module; find the installation method on the internet and try it. The first time, I just ignored the important info in the zsteg output: a PNG file, 161x29, with method b1,r,lsb,xy. I passed over it, so it cost me too much time, but after 2 minutes of focusing on zsteg, yup, I saw it. It is a basic kind like this, and to understand it we move on to stegsolve and go to the true fact.
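
Why the binwalk and zlib-flate detour above finds nothing strange, as an added example that is not part of the original write-up: in a PNG the pixel data is itself a zlib stream stored in IDAT chunks, and when IDAT directly follows IHDR its data starts at offset 0x29, the hex offset binwalk uses in the name 29.zlib. The code maps a reported offset to the chunk that contains it; the sample PNG and all function names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 of type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_chunks(png):
    """Yield (type, data_offset, data_length) for each chunk in a PNG."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype.decode("latin-1"), pos + 8, length
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def classify_offset(png, offset):
    """Name the chunk whose data holds `offset`, or flag data after IEND."""
    end = len(PNG_SIG)
    for ctype, start, length in walk_chunks(png):
        if start <= offset < start + length:
            return ctype
        end = start + length + 4
        if ctype == "IEND":
            break
    return "after IEND" if offset >= end else "chunk header or CRC"

def scanline_bytes(width, height, channels=3):
    """Inflated IDAT size for 8-bit non-interlaced pixels (1 filter byte/row)."""
    return height * (1 + width * channels)

# Constructed sample: a 2x2 8-bit RGB image, then a second copy with a zlib
# stream appended after IEND (the case where a binwalk zlib hit is interesting).
RAW = (b"\x00" + bytes([200, 30, 30] * 2)) * 2
IDAT = zlib.compress(RAW)
SAMPLE = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0))
          + chunk(b"IDAT", IDAT) + chunk(b"IEND", b""))
TRAILING = SAMPLE + zlib.compress(b"constructed appended data")

if __name__ == "__main__":
    print(hex(0x29), classify_offset(SAMPLE, 0x29))
    print(hex(len(SAMPLE)), classify_offset(TRAILING, len(SAMPLE)))
    print(len(zlib.decompress(IDAT)), scanline_bytes(2, 2))
```

A zlib hit that classifies as IDAT and inflates to exactly scanline_bytes(width, height) bytes is the picture itself; only a hit after IEND, or an inflated size that does not match, points at extra data.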

Step 3: Reach True Fact

  • Open stegsolve; it needs Java to run, so install that and enjoy.
  • Go to the Analyse tab and choose Data Extract.
  • Choose the options we need based on what zsteg returned for the image, b1,r,lsb,xy (b1 for the byte, r is the red color, lsb the algorithm, xy the position in the image we can receive), and just choose those options in the extract tab.
  • What should we do next? Save it as a PNG, because looking at the text of the hex dump, PNG is the first thing we see, and yup, we got the image.
  • But what do we do next? You can see something strange in the upper part of the text on the image, and that is the target; it will be the flag we need to find. If we don't know how to extract it, we can use zsteg again, and you will exploit that image. Ah hah, we get it; the text is flag: 1_kn3W_tH3_r3D_w4s_0ff. Wrap this with CTFlearn{} and you get the flag.
  • But if you want it harder, just try the Data Extract option in stegsolve; it will cost you some time to get there, LOL.
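
What the b1,r,lsb,xy setting does, as an added example that is not part of the original write-up: it reads the lowest bit of each pixel's red value row by row, packs the bits into bytes, and the result is checked for a PNG signature. The pixel grid, the stub payload and all function names are constructed for illustration, and packing the first extracted bit as the most significant bit of each byte is an assumption about the tool's default.

```python
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def extract_red_lsb(pixels):
    """b1,r,lsb,xy: bit 0 of each pixel's red value, rows top to bottom,
    pixels left to right; first bit read becomes the top bit of a byte
    (assumed packing order)."""
    out = bytearray()
    acc = nbits = 0
    for row in pixels:
        for red, _green, _blue in row:
            acc = (acc << 1) | (red & 1)
            nbits += 1
            if nbits == 8:
                out.append(acc)
                acc = nbits = 0
    return bytes(out)

def carve_png(data):
    """Return the bytes from the PNG signature through IEND + CRC, or None."""
    start = data.find(PNG_SIG)
    end = data.find(b"IEND", max(start, 0))
    if start < 0 or end < 0:
        return None
    return data[start:end + 8]

def make_sample(cover, payload):
    """Constructed test input: copy `cover` with payload bits in red LSBs."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    width = len(cover[0])
    if len(bits) > width * len(cover):
        raise ValueError("payload does not fit in cover")
    out = [list(row) for row in cover]
    for n, bit in enumerate(bits):
        y, x = divmod(n, width)
        red, green, blue = out[y][x]
        out[y][x] = ((red & 0xFE) | bit, green, blue)
    return out

# Constructed data: a 20x10 single-colour cover and a stub "PNG" made of the
# signature plus an empty IEND chunk (20 bytes), standing in for the 161x29 image.
COVER = [[(200, 30, 30)] * 20 for _ in range(10)]
PAYLOAD = PNG_SIG + b"\x00\x00\x00\x00IEND\xaeB`\x82"
STEGO = make_sample(COVER, PAYLOAD)

if __name__ == "__main__":
    stream = extract_red_lsb(STEGO)
    print(len(stream), stream[:8], carve_png(stream) == PAYLOAD)
    print(carve_png(extract_red_lsb(COVER)))
```

On the challenge image the same loop would run over 1546 x 1213 pixels, and carving at IEND drops the unrelated bits that follow the hidden file.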

Flag: CTFlearn{1_kn3W_tH3_r3D_w4s_0ff}

So look at the cool stuff in that challenge; I think this kind of thing will be helpful for you and, yeah, for me. Happy hacking, and I will be back soon with the next challenge or WU.