
Topic: THS Image Challenge 4

TAPE
THS Image Challenge 4
« on: August 27, 2013, 05:21:08 AM »
So here's another one for you guys to have a look at, enough clues and some humour as well if you look at the file correctly :D

http://www.mediafire.com/download/87d73clnb47r74e/matryoshkaa.jpg

Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

S1LV3RWR4TH
Re: THS Image Challenge 4
« Reply #1 on: August 27, 2013, 02:46:11 PM »
Got it!

Sent email to TAPE for Verification! :)

TAPE
Re: THS Image Challenge 4
« Reply #2 on: August 27, 2013, 10:45:13 PM »
You got it ;)

TAPE
Re: THS Image Challenge 4
« Reply #3 on: August 30, 2013, 04:40:19 PM »
OK, so as this challenge has been completed by a couple of members, herewith a brief explanation of how you could have looked at it:
IF YOU ARE STILL WORKING ON THIS AND DON'T WANT THE SOLUTIONS, STOP READING :)


When looking at an image file, I usually follow a sort of sequence:
1. Check image file with exiftool for any interesting info.
2. Check image file with hexeditor to see if there is a valid trailer or whether other interesting things are apparent.
3. If there appears to be additional info (after file trailer) in the form of other files, either manually strip the file apart (based on headers and trailers) or run a proggy like 'foremost' on the image file.
4. If there appears to be additional info (after file trailer) in the form of text or the like, see what can be done with that.

First thing you would have noted is the size; 2.4MB is too large for a small image like that.
This would appear to indicate that there are additional files / information to be had.
You can check the file header and trailer of the .jpg manually and then see what the remaining file information is,
or you could check the file with, for instance, 'foremost'.

So, first things first, see if info can be found in the image properties with exiftool:
Code:
exiftool matryoshkaa.jpg

In the image comment we see what appears to be a weblink:
Quote:
imdb.com/title/tt1486217/
This turns out to be the IMDb page for the awesome series 'Archer' (love that dude :D)


Otherwise not much more to see.

So on to the next step: what does the hex look like?
When checking the file trailer, it doesn't look like what we would expect at the end of a jpg file at all! (FF D9)


This could mean that the file contains more than just the jpg, so let's see if we can check for, and attempt extraction of, additional files (which is the expectation in view of the file size and file trailer):
Code:
foremost matryoshkaa.jpg

This will create a directory called 'output' with info on what foremost was able to extract.
(note that false positives are not uncommon and you may want to tweak your /etc/foremost.conf file..)


In this case you should get a couple of directories, with an .avi file and a .rar file.

The .avi file is one showing a dude (Archer) having a particularly rough morning following a booze-infused night out
and reciting an awesome 'poem' on the merits of Bloody Marys.


No further clues to be found in the avi file.

Considering the 2 references to Archer, it's probably safe to say that Archer has something to do with the challenge.

The rar file is password protected.

Now to get the password of the rar file you would look at names and hints given in the challenge; following the references to Archer
it shouldn't take you too long to try the word "Archer" as the password.
(rar name may vary for you)
Code:
unrar e 00000069.rar



So when you extract the rar file, you are presented with a file called 'wins', but the contents appear to be encoded.


When looking at the file you should recognize the use of base64.
(As soon as I see plaintext with '/' and/or '=', I check if it's base64. The '=' is used as filler, so it can be a giveaway for base64 encoded info.)

OK, so let's see if that assumption is correct by trying to decode the base64:
Code:
base64 -d wins > output.file

Checking if the filetype is something recognized:
Code:
file output.file

Hey, a jpg!



With that the challenge is complete.

:D


For those who had a shot at it, hope you enjoyed :)


FYI, I created the file by manually pasting the hex of each file under the hex of the jpg file, so the file was:
JPG->RAR->AVI
This was in order to try to make it not too obvious that the rar was there.
Of course, if you go through the file headers and trailers (as you should!) you would have quickly seen the rar file.
« Last Edit: August 30, 2013, 04:56:37 PM by TAPE »
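The manual header/trailer walk TAPE describes (steps 2 and 3 of the sequence, the FF D9 trailer check, and the base64 giveaway) as an added example; this is not code from the original thread. The sample bytes are constructed to mimic the JPG->RAR->AVI layout, not the real challenge file, and the function names are my own.

```python
import base64
import re

# Magic numbers the post walks through: JPEG SOI marker, RAR 4.x archive
# signature, and the RIFF container that wraps an AVI.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"Rar!\x1a\x07\x00": "rar",
    b"RIFF": "riff",
}
JPEG_EOI = b"\xff\xd9"  # the trailer a clean JPEG should end with


def has_jpeg_trailer(data: bytes) -> bool:
    """Step 2 of the post: does the file end with FF D9?"""
    return data.endswith(JPEG_EOI)


def find_signatures(data: bytes) -> list:
    """Return (offset, kind) for every known header, in file order."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            # Only count RIFF if the form type at +8 says it is an AVI.
            if kind != "riff" or data[idx + 8:idx + 12] == b"AVI ":
                hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def carve_jpeg(data: bytes) -> bytes:
    """Cut from the first SOI to the first EOI after it (inclusive)."""
    soi = data.find(b"\xff\xd8\xff")
    eoi = data.find(JPEG_EOI, soi) if soi != -1 else -1
    if soi == -1 or eoi == -1:
        raise ValueError("no complete JPEG found")
    return data[soi:eoi + 2]


def looks_like_base64(text: str) -> bool:
    """The post's heuristic: base64 alphabet, '=' padding, length % 4 == 0."""
    stripped = "".join(text.split())
    if len(stripped) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stripped):
        return False
    try:
        base64.b64decode(stripped, validate=True)
        return True
    except ValueError:
        return False


# Constructed sample laid out JPG -> RAR -> AVI (not the real challenge file).
SAMPLE = (b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI
          + b"Rar!\x1a\x07\x00" + b"\x00" * 8
          + b"RIFF" + b"\x10\x00\x00\x00" + b"AVI " + b"LIST")
```

Running `find_signatures(SAMPLE)` lists the three embedded headers with their offsets, and `has_jpeg_trailer(SAMPLE)` is false until you carve the JPEG out.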

mm96631
Re: THS Image Challenge 4
« Reply #4 on: August 30, 2013, 04:50:34 PM »
Man, I swore I tried Archer!! I was stuck on this and I tried everything I could possibly think of.. Had the video extracted and everything. I should have gotten this even before I PM'd you for a hint, and then still couldn't get it!! I even tried to bruteforce it for about 48 hours with a wordlist before I gave up. I must not have tried with capital "A"... WTF, I'm retarded sometimes... lol. I even told you the answer in the PM.. haha

lol, this is from the PM
Quote:
First, I am pretty sure it contains a hidden video or audio clip. The file size is 2.4mb, and if you strip it down to the original it is only 33.6 kb... Also I have found this: http://www.imdb.com/title/tt1486217/ which makes me think it has something to do with "Archer".. For the life of me I cannot figure out how to extract the data. I figured out how to extract the original image, but not the hidden data. I have been running a dictionary attack against the password for hours, and it hasn't hit yet.
« Last Edit: August 30, 2013, 05:00:49 PM by th3cr4ck3r »

TAPE
Re: THS Image Challenge 4
« Reply #5 on: August 30, 2013, 05:04:07 PM »
So very close!! :D


kinchan
Re: THS Image Challenge 4
« Reply #6 on: September 01, 2013, 03:30:43 PM »
I was close! Blocked at the last file "wins"... thanks TAPE!
"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."
##### Current project >> otto-gui ##### website #####