Topic: THS - IMAGE CHALLENGE 5

TAPE
THS - IMAGE CHALLENGE 5
« on: August 28, 2013, 12:21:13 PM »
OK, so with the previous image challenge I was too lenient with giving hints on the chat :)
can't help myself so it seems..
Will try harder to be less 'giving' this time !

All methods to get the info required have more or less been covered before in one place or another here on the forums.

http://www.mediafire.com/download/fkomdswf608yhs6/matryoshka.jpg


There are a few steps to do to complete the challenge.
PM me if you get through to the end ;)
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

blackzet
Re: THS - IMAGE CHALLENGE 5
« Reply #1 on: August 28, 2013, 01:39:24 PM »
got it. confirmed by TAPE on chat

thx TAPE was a nice one

TAPE
Re: THS - IMAGE CHALLENGE 5
« Reply #2 on: August 28, 2013, 01:45:26 PM »
Quote from: blackzet
got it. confirmed by TAPE on chat

thx TAPE was a nice one

Yep confirmed! good going :D

Gonna have to try harder when I make my next one obviously!

S1LV3RWR4TH
Re: THS - IMAGE CHALLENGE 5
« Reply #3 on: August 28, 2013, 04:02:07 PM »
Got it!

Waiting for TAPE to confirm.

Thanks man!

TAPE
Re: THS - IMAGE CHALLENGE 5
« Reply #4 on: August 28, 2013, 04:06:44 PM »
Quote from: S1LV3RWR4TH
Got it!

Waiting for TAPE to confirm.

Thanks man!

Confirmed!

Job well done :D

TAPE
Re: THS - IMAGE CHALLENGE 5
« Reply #5 on: August 31, 2013, 03:48:40 AM »
With the hints provided on Image challenge 4 and some small pointers on the chat, this challenge was
solved pretty quickly.

So herewith some explanation on how you could have looked at the challenge ;
IF YOU ARE STILL WORKING ON THIS AND DONT WANT THE SOLUTIONS, STOP READING :)

Again I will follow the sequence of checks I usually do ;
1. exiftool
2. hex
3. check superfluous info


Code:
exiftool matryoshka.jpg


Here we see some encoded text in the image comment.
Quote
Gur cnff lbh jnag vf: EBPXBA

We can quickly check if this is a Caesar shift by using the cshift script I wrote a while ago
( http://www.mediafire.com/download/a9vnps7p015agpy/cshift_v0-4.sh );
to check all possibilities we use the -b function for a 'brute-force' check.
Code:
./cshift.sh -i "Gur cnff lbh jnag vf: EBPXBA" -b


Studying the results, you should notice that at shift #13 text becomes readable ;
Quote
[13]--> The pass you want is: ROCKON

OK, so we have a pass "ROCKON", but what for? Let's continue checking the file.

Let's open it up in a hex editor and check the file trailers.
The file trailer you expect to see on a .jpg file is 'FF D9' so search for that.
You can use any hex editor for this, in this case I will use bless (thanks for the tip S1LV3R) ;

Heey.. after the valid FF D9 trailer of the jpg file there appears to be a .rar file attached.


Delete the jpg hex from start to trailer FF D9 and save as for instance file.rar.


The rar file appears to be protected, but hey, we found pass "ROCKON" earlier on, check that;
Code:
unrar e file.rar


Extraction success!

We now have a new file called 'misdirection.jpg'

So let's go through the same process again on misdirection.jpg.

Code:
exiftool misdirection.jpg

Hmm, nothing interesting to see except 'Nothing to see here' in the comment section.

What about possible superfluous info after the .jpg trailer? Search for the .jpg file trailer in a hex editor ;


Heey, the info following the jpg file trailer looks familiar, yep it's base64 again.
So again cut away the .jpg hex up to and including the file trailer and save as for instance file.base64 and see if we can decode it ;
Code:
base64 -d file.base64 > file.out
Check the file properties ;
Code:
file file.out


Mother of god.. Another jpg file.. an image of a Stegosaurus.. hmm .. steganography hint ? ;)
There is also a comment found in the Stegosaurus image ;
Quote
"Cqn yjbbfxam hxd jan uxxtrwp oxa: cqblanfaxlt"

Let's use cshift again to see whether it is a Caesar shift ;
Code:
./cshift.sh -i "Cqn yjbbfxam hxd jan uxxtrwp oxa: cqblanfaxlt" -b



Studying the output, you will see that shift #17 provides the info you need ;
Quote
[17]--> The password you are looking for: thscrewrock

Let's see if steghide provides any information on the new jpg file with the password as found;
Code:
steghide info file.out


Aha!
Now to extract the file ;
Code:
steghide extract -sf file.out -p thscrewrock

A text file final.txt is extracted from the jpg, the contents of which appear to be a hash of some type.
Code:
cat final.txt

We can check the most likely hash using 'hash-identifier'


The result is that the most likely hash is SHA-1. OK, now we can check that against common wordlists or even online.
Let's try hashcat with the rockyou wordlist ;

Code:
hashcat -m 100 final.txt rockyou.txt


Hey presto!
SHA-1 has been decrypted and the response is 'letmein'

Challenge complete ! :D

Hope that those that tried enjoyed the brain teaser :D
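An added example for the 'superfluous info' step and the cshift checks in the walkthrough above; it is not TAPE's cshift script nor any tool used in the thread. It walks the JPEG marker segments to the real FF D9 End-Of-Image (so an EXIF thumbnail's own FF D9 is skipped), reports what the bytes appended after it look like (RAR signature, base64 text, or unknown), and brute-forces all Caesar shifts of a comment string. The SAMPLE bytes are constructed for the demonstration and are not a real image.

```python
import re

RAR_MAGIC = b"Rar!\x1a\x07"          # RAR4 and RAR5 archives both start with this
B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+=*\s*$")

def find_eoi(data: bytes) -> int:
    """Offset just past the FF D9 that ends the image stream.
    Segments before SOS (FF DA) carry a 2-byte length and are skipped whole,
    which avoids stopping at an embedded thumbnail's FF D9; after SOS the
    scan data runs until a marker other than stuffed FF 00 or restart FF D0-D7."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                     # scan the entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def classify_trailer(trailer: bytes) -> str:
    """What the bytes after EOI look like: none, rar, base64 or unknown."""
    if not trailer:
        return "none"
    if trailer.startswith(RAR_MAGIC):
        return "rar"
    if len(trailer) >= 16 and B64_RE.match(trailer):
        return "base64"
    return "unknown"

def caesar_all(text: str) -> dict:
    """All 26 shifts of text, letters only, like cshift's -b brute force."""
    def shift(c, k):
        base = ord("A") if c.isupper() else ord("a")
        return chr((ord(c) - base + k) % 26 + base) if c.isalpha() else c
    return {k: "".join(shift(c, k) for c in text) for k in range(26)}

# Constructed sample: SOI, an APP0 segment, SOS, scan data with a stuffed
# FF 00 and a restart marker, EOI, then an appended RAR header (30 bytes).
SAMPLE = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x03\x01"
          + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9" + b"Rar!\x1a\x07\x00x")
```

Running `classify_trailer(data[find_eoi(data):])` over a real file reproduces the hex-editor check from the walkthrough, and a result other than "none" is the signal that something was appended.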