Try   HackMD

Dode ascisCTF (Misc/Forensics)

tags: ctf exploits find information on image

Description: It is Doge, or not???

Attact: https://drive.google.com/file/d/118LNaIH6gzj1F7r0TPHv9VLB1v9rTet9/view?usp=sharing

First sight - Thinking
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • Yeah, on the first side i think it little bit about easily challenge but not
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
  • So typically, i do basic stego with that image like aprisolve, zsteg, binwalk, exiftool and moretool to stegography. But i receive zero information about that image. What the heck !!! i think.
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
  • So next step, i usually use steghide for extract something from image and i receive something already strange different from the others challenge stego and i know i need to explain this. The core item will bring my struggle away
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →

Exploit

  • First of all, i need so you something about strange i meet on using steghide
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    and watch out in the 0xc4 it will really dangerous position i will save it in bottom heart.
  • So i don't know Corrupt JPEG data: 3463 extraneous bytes before marker 0xc4 have what they mean it look like some thing bytes is added in front of byte 0xc4, so i try thinking it will be or should be relative with the hex header on the f dode picture
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    and i try reopen it with python because it will give me some strange thing i thinks it so try with basicly openCV is open and show that in the monitor.
import cv2

image = cv2.imread('6uecny.jpg')

cv2.imshow('image', image)

cv2.waitKey(0)
  • you think what i think, the processing open okay but warning return again and one time i meet it Corrupt JPEG data: 3463 extraneous bytes before marker 0xc4 so i need it to check header right now because it make cost much of time i have on contest to check what the instruction of image JPEG OR JPG. oh no my scared
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
  • So i use the basic hexeditor on window to open that with HxD for Windows and just hexeditor like xxd on the Linux.

That all of exploit for this image because importance we need to know what image say something

Google and Searching

  • The first thing u need to know something is finding the description or theory of it and it work with anysituation so i google and find jpeg construct so don't like me read to fast and skip importance thing cause effect on flag finding processing
  • Wiki is not make me disapointed it have enough to dig in with that.
  • So i continous to reach wrong way first and i will talk about my return on this challenge. It will relate some skill delete and recover the image.
  • So in the first time, i think it will be some kind we will replace or delete something in byte 0xc4 or cover that, so i don't know what the byte meaning so go wikitag and see and they said it DHT 0xFF, 0xC4 variable size Define Huffman Table(s) Specifies one or more Huffman tables. and it have meaning image have that to see what the image say so onething can be use we will not need to touch of that because the image will die
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    • So basiclly look hex it contain 10 position 0xC4 and what the heck right position is similar with the corrupt talk
    • And i will talk about the magicbyte the byte you see on that 0xC4 is magic byte it is factor to construct the image. Image is series of magic byte and it alive on byte and it have start and end on the image, basically like that but some situation Author will custom that to change some thing effect on the magic byte and it will cause the changing in the image
    • And i will relate jpeg or jpg which structure of one will be like this
      Image Not Showing Possible Reasons
      • The image file may be corrupted
      • The server hosting the image is unavailable
      • The image path is incorrect
      • The image format is not supported
      Learn More →
      so it start with FF D8 for header and it first magic we need to know that be start postion of image and not be data and what the heck on that postion don't touch that i will be earase something u want
      Image Not Showing Possible Reasons
      • The image file may be corrupted
      • The server hosting the image is unavailable
      • The image path is incorrect
      • The image format is not supported
      Learn More →
      and more magic byte like that for each image or audio or anything building on the pc and internet
  • So long theory back again the challenge, will check it contain 10 magic byte 0xFF 0xC4 and not touch on that and we will find byte 0xFF 0xDA to see what we got and yet we got bunch of that
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    so like i say hecking wrong on the image why it contain to much readable thing
  • So i try erase series before byte 0xFF 0xDA and it not right what i think i image will contain in each of data with readable but i wrong the image i bunch of subsample of image - so it like they but the more and more image to bring some kind high resolution image like SRGAN in DEEP LEARNING.
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    No no i think a long way but the Symbiotic of my action is try put the corrupt thing because it thing we need or anyone will do because the warning is annoy me skip the first wrong way, reach to second wrong way
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
  • I find the method to pass this corrupt situation and i found it ImageMagick tool will be perfect with stego CTF or stego on real life because it such powerful tool and can do anything with that. So i am try using mogrify and done i do erase something importance like flag in image because of the image over come normally image so i contain magicbyte 0xC4, 0xC0 to change the size of image and data with such a one of that

Timeup and get the experience for next time
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Reach the true thing
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • Because thinking wrong way bring me to struggle and not find any kind thing so i hear that it relate some kind stretching image like change width and height of image but but it change in the hex not perform that in the image because you will not receive anything
  • So try again i read the doc of jpeg and finding the relate with new some doc useful for this situation - a new way exploit image but i not knowing is change the heigh and width of image to hide infomation
  • The blog is the thing talk which contain some kind of way to reach that hiding information and someking of that have on CTF in XmasCTF2018
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    and try on that on the image i have but it not have 0xC0 because if we i change 0xC0 will appear but on that situation it have not so i read again and find some kind like true ending for f*king game
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    and we have two kind of SOF is start of frame and with S0F0 it depend on the baseline DCT (idk what the heck this mean) but with S0F2 it progessive DCT (like it upgrade of S0F0) and it start with byte 0xFF 0xC2 and i found it
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    just 1 of that in the image so la la la we reach of the true.
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    because of same structure with S0F0 the upgrade S0F2 will similar and it just change that on 4 end of postion with 2 of front for height and other for width.
  • Using cyberChef - power tool - so convert image to hex and copy all on that in input and cho reverse covert to image will we do the action change the height of image
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    this is thing we need to change but don't touch first of five because it not be good so touch 02 6c on the hex so if you change 02 if you decrease that it will decrease the height of image but i don't have anything
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
  • The image is being cut off but not anything behind of this so try to increase the high with increase byte 02 equal 06 and yeah we found it the hiding
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →

flag: ASCIS{b47_Ng0_cHU4_b4_D4!!!}

So new way to exploit image the new experience with CTF on this challenge LOL. Now keeping cool your mind and see what we got
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
. It ain gonna fun challenge but you miss something and go wrong. Reach to next CTF
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
and write up will come
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
. Happy hacking !!!

Last changed by 
XeusNguyen
Stay humble and enthusiastic with passion. Follow me more on: https://wiki.xeusnguyen.xyz
0
2005

Read more

LFI and Path Traversal

In some scenarios, web applications are written to request access to files on a given system, including images, static text, and so on via parameters. Parameters are query parameter strings attached to the URL that could be used to retrieve data or perform actions based on user input. The following graph explains and breaking down the essential parts of the URL.

Mar 2, 2025
Snyk vs Sonarqube - Securing your code

Đây là công đoạn yêu cầu nhiều tài nguyên và cách tiếp cận khác nhau để khai thác trong suốt quá trình phát triển của sản phẩm phần mềm (SDLC)(Hình ảnh của Topdev)

Dec 21, 2024
Devops Training Session 16: Setup Observability for Kubernetes

helm-chart-grafana-values

Dec 21, 2024
Hackwekend Session 5 - Cloud Security (AWS IAM Policy)

First solve

May 5, 2024
Read more from XeusNguyen
Published on HackMD