With the hints provided on Image challenge 4 and some small pointers on the chat, this challenge was
solved pretty quickly.
So herewith some explanation on how you could have looked at the challenge.
IF YOU ARE STILL WORKING ON THIS AND DON'T WANT THE SOLUTIONS, STOP READING.
Again I will follow the sequence of checks I usually do ;
3. check superfluous info
Here we see some encoded text in the image comment.
Gur cnff lbh jnag vf: EBPXBA
We can quickly check whether this is a Caesar shift by using the cshift script I wrote a while ago.
To check all possibilities, we use the -b option for a 'brute-force' run over every shift.
./cshift.sh -i "Gur cnff lbh jnag vf: EBPXBA" -b
Studying the results, you should notice that at shift #13 the text becomes readable ;
--> The pass you want is: ROCKON
OK, so we have a pass "ROCKON", but what for? Let's continue checking the file.
Let's open it up in a hex editor and check the file trailers.
The file trailer you expect to see on a .jpg file is 'FF D9' so search for that.
You can use any hex editor for this, in this case I will use bless (thanks for the tip S1LV3R) ;
Heey.. after the valid FF D9 trailer of the jpg file there appears to be a .rar file attached.
Delete the jpg hex from the start up to and including the trailer FF D9, and save the rest as, for instance, file.rar.
The rar file appears to be protected, but hey, we found pass "ROCKON" earlier on, check that;
unrar e file.rar
Extraction success !
We now have a new file called 'misdirection.jpg'
So let's go through the same process again on misdirection.jpg.
Hmm, nothing interesting to see except "Nothing to see here" in the comment section.
What about possible superfluous info after the .jpg trailer? Search for the .jpg file trailer in a hex editor ;
Heey, the info following the jpg file trailer looks familiar, yep it's base64 again.
So again cut away the .jpg hex up to and including the file trailer, save the rest as, for instance, file.base64, and see if we can decode it ;
base64 -d file.base64 > file.out
Check the file properties ;
Mother of god.. Another jpg file.. an image of a Stegosaurus.. hmm .. steganography hint ?
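The two carving steps above (the .rar archive and the base64 data found after the FF D9 trailer), as an added example that is not part of the original write-up. Instead of searching for the first FF D9 by eye, it walks the JPEG segments, so an FF D9 inside an embedded thumbnail is not mistaken for the end of the image, collects the comment fields, and labels whatever follows the real trailer. The function names and the sample bytes are constructed for illustration.

```python
import base64

RAR_MAGIC = b"Rar!\x1a\x07"                  # shared prefix of RAR 4.x and 5.x signatures
IN_SCAN = {0x00, 0xFF, *range(0xD0, 0xD8)}   # FF xx pairs that are scan data, not markers

def parse_jpeg(data):
    """Walk the marker segments; return (comments, offset just past the real EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker (FF D8): not a JPEG")
    comments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI outside any segment: true end of image
            return comments, pos + 2
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xFE:                   # COM segment, where both hints were stored
            comments.append(data[pos + 4:pos + 2 + length].decode("latin-1"))
        pos += 2 + length                    # skips APPn payloads, thumbnails included
        if marker == 0xDA:                   # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] in IN_SCAN):
                pos += 1
    raise ValueError("no EOI marker (FF D9) found")

def classify_trailer(blob):
    """Label bytes found after EOI: 'none', 'rar', 'base64 -> jpeg/other', 'unknown'."""
    if blob.startswith(RAR_MAGIC):
        return "rar"
    compact = b"".join(blob.split())         # drop line wrapping before the base64 check
    if not compact:
        return "none"
    try:
        decoded = base64.b64decode(compact, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return "unknown"
    return "base64 -> jpeg" if decoded[:2] == b"\xff\xd8" else "base64 -> other"

def sample_jpeg(comment, trailer=b""):
    """Constructed input: a valid marker stream (not a viewable picture) plus trailer."""
    def seg(marker, body):
        return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body
    thumb = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"     # thumbnail with its own FF D9
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"            # stuffed FF 00 and an RST0
    return (b"\xff\xd8" + seg(0xE1, thumb) + seg(0xFE, comment)
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + scan + b"\xff\xd9" + trailer)
```

On a real file, read it with open(path, "rb").read(), pass the bytes to parse_jpeg, and write data[end:] to a new file to get the carved payload.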
There is also a comment found in the Stegosaurus image ;
"Cqn yjbbfxam hxd jan uxxtrwp oxa: cqblanfaxlt"
Let's use cshift again to see whether it is a Caesar shift ;
./cshift -i "Cqn yjbbfxam hxd jan uxxtrwp oxa: cqblanfaxlt" -b
Studying the output, you will see that shift #17 provides the info you need ;
--> The password you are looking for: thscrewrock
Let's see if steghide provides any information on the new jpg file with the password as found ;
steghide info file.out
Now to extract the file ;
steghide extract -sf file.out -p thscrewrock
A text file final.txt is extracted from the jpg, contents of which appear to be a hash of some type.
We can check the most likely hash using 'hash-identifier'
The result is that the most likely hash type is SHA-1. OK, now we can check that against common wordlists or even online.
Let's try hashcat with the rockyou wordlist ;
hashcat -m 100 final.txt rockyou.txt
Hey Presto !
The SHA-1 hash has been cracked and the result is 'letmein'
Challenge complete !
Hope that those who tried enjoyed the brain teaser.