# Never gonna solve you
- We are given a file called `RememberMe.jpg`. Inspecting it with `binwalk` shows a zip file header.
```bash
$ binwalk 'RememberMe.jpg'
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
5328 0x14D0 Zip archive data, encrypted at least v2.0 to extract, compressed size: 2258843, uncompressed size: 2265306, name: flag.mp4
2264337 0x228D11 End of Zip archive, footer length: 22
```
- To extract the zip file:
```bash
$ dd if='RememberMe.jpg' of='hidden.zip' bs=1 skip=5328
2259031+0 records in
2259031+0 records out
2259031 bytes (2.3 MB, 2.2 MiB) copied, 2.e+3636 s, 36 B/s
```
- We then extract the zip file using the password given in the challenge's description. (At the time of writing this I can no longer access it and I have forgotten the password.)
- After extraction, we get a video file `flag.mp4`, which doesn't contain anything important, but another inspection with `binwalk` shows us a RAR archive header.
```bash
$ binwalk 'flag.mp4'
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
7311 0x1C8F YAFFS filesystem root entry, big endian, type symlink, v1 root directory
2264575 0x228DFF RAR archive data, version 5.x
```
- To extract it:
```bash
$ dd if='flag.mp4' of='hidden.rar' bs=1 skip=2264575
731+0 records in
731+0 records out
731 bytes copied, 10 ms, 999999 TB/s
```
- The archive gives us a `.pcapng` file, which after inspection shows us an important clue.
```http
GET /RickRollme HTTP/1.1
Host: bit.ly
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Clue-Here: We're no strangers to love
```
- Accessing `https://bit.ly/RickRollme` leads us to a Google Drive directory, which has a file called `lyrics.txt`.
- Upon further inspection, the file contains invisible Unicode characters such as:
  - `<U+2063>`
  - `<U+200B>`
  - `<U+FEFF>`
  - ...
- These are used in [Zero-Width Steganography](https://medium.com/@nguyenthanh.asia/steganography-in-the-digital-age-unveiling-hidden-messages-using-zero-width-characters-ca1ed34b97b1). With a tool like [StegZero](https://stegzero.com), we are able to extract the flag.
Flag: `EnXp{y0u_r34lly_d1dnt_g1v3_up}`.
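
The check described above can also be done locally. This is an added example, not part of the original write-up and not StegZero's code: it separates the invisible characters from the cover text, counts them per code point, and decodes them under an assumed scheme. The 4-symbol alphabet, its order, and the base-N digit layout are assumptions, since the write-up does not state the encoding used in `lyrics.txt`.

```python
# Invisible code points to look for. U+2063, U+200B and U+FEFF are the ones
# named in the write-up; the others are common companions (assumption).
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\u2063", "\ufeff"}


def split_hidden(text):
    """Return (visible cover text, hidden invisible characters in order)."""
    cover = "".join(c for c in text if c not in INVISIBLE)
    hidden = "".join(c for c in text if c in INVISIBLE)
    return cover, hidden


def histogram(hidden):
    """Count each invisible code point, keyed as 'U+XXXX'."""
    counts = {}
    for c in hidden:
        key = f"U+{ord(c):04X}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def decode(hidden, alphabet):
    """Decode under an ASSUMED scheme: every character is one base-N digit
    (N = len(alphabet)), most significant first, fixed digit count per byte."""
    base = len(alphabet)
    width = 1
    while base ** width < 256:  # digits needed to cover one byte
        width += 1
    out = bytearray()
    for i in range(0, len(hidden) - width + 1, width):
        value = 0
        for c in hidden[i:i + width]:
            value = value * base + alphabet.index(c)
        if value > 255:
            raise ValueError("digit group exceeds a byte; wrong alphabet or order?")
        out.append(value)
    return bytes(out)


# Constructed sample: a hypothetical 4-symbol alphabet carrying b"CTF" inside a lyric line.
ALPHABET = ["\u200b", "\u200c", "\u2063", "\ufeff"]
_digits = "".join(ALPHABET[(b >> s) & 3] for b in b"CTF" for s in (6, 4, 2, 0))
SAMPLE = "We're no strangers" + _digits + " to love"

if __name__ == "__main__":
    cover, hidden = split_hidden(SAMPLE)
    print(repr(cover), histogram(hidden), decode(hidden, ALPHABET))
```

When reading a real file, open it with `encoding="utf-8"` rather than `"utf-8-sig"`, otherwise a leading `U+FEFF` is consumed as a byte-order mark and dropped from the hidden sequence.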
---
# Bored Waiting
- We are given a video file `boredwaiting.mp4`. A reverse-image search leads us to https://www.reddit.com/r/Markiplier/comments/12w5fwk/mark_on_an_airport_tv/.
- In the comment section, user `u/alexthefrenchman` said:
```
it was kansas city
```
- Looking up `Kansas City Airport` gives us the location: `Kansas_City_International_Airport`
- In the video, a monitor displayed the time `6:22AM`. Combining the two gives us the flag.
Flag: `EnXp{6:22AM_Kansas_City_International_Airport}`