
Author Topic: THS - IMAGE CHALLENGE 6  (Read 2035 times)

Offline TAPE

  • Top Hat Member Moderator
  • Elite
  • ********
  • Posts: 1249
  • Internets: +193/-0
THS - IMAGE CHALLENGE 6
« on: August 29, 2013, 02:34:29 AM »
OK, last one for a while, so there are a couple to keep the interested minds at work :D

http://www.mediafire.com/download/8dtt1349wnat4n1/Stegosaurus.jpg

Solutions via PM appreciated :)
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

Offline S1LV3RWR4TH

  • *CWSP Certified*
  • Enthusiast
  • *******
  • Posts: 99
  • Internets: +10/-0
Re: THS - IMAGE CHALLENGE 6
« Reply #1 on: August 30, 2013, 02:52:19 PM »
Done!

Sent PM for confirmation.

Offline TAPE

Re: THS - IMAGE CHALLENGE 6
« Reply #2 on: August 30, 2013, 02:55:34 PM »
And confirmed !

:D

As challenges now all completed and GN wants to hold off on further challenges for a while, will be posting details on possible methods to get the solutions within short.

Offline blackzet

  • Prospect
  • *
  • Posts: 7
  • Internets: +0/-0
Re: THS - IMAGE CHALLENGE 6
« Reply #3 on: September 02, 2013, 06:52:07 AM »
Done, please confirm.

thanx for the challenge

Offline TAPE

Re: THS - IMAGE CHALLENGE 6
« Reply #4 on: September 02, 2013, 07:37:41 AM »
Quote
Done, please confirm.

thanx for the challenge

And confirmed !

:)

Offline TAPE

Re: THS - IMAGE CHALLENGE 6
« Reply #5 on: September 19, 2013, 05:35:48 AM »

Herewith some explanation on how you could have looked at the challenge ;

IF YOU ARE STILL WORKING ON THIS AND DON'T WANT THE SOLUTIONS, STOP READING :)

Again I will follow the sequence of checks I usually do ;
1. exiftool
2. hex
3. check superfluous info


So running exiftool on the file,
Code: [Select]
exiftool Stegosaurus.jpg


So we see something of interest in the image comment ;
Quote
4214716009bf96c7c370dafe57429c16

This looks like a hash of some type, let's check it with 'hash-identifier' (comes pre-installed in most PenTest distros) ;
Code: [Select]
hash-identifier


So hash-identifier shows us that the most likely candidate is an MD5 hash.

Now I have to be honest here, I included this to get you to waste time on this MD5 hash :D
It IS the hash for the password you need, but you won't find that password in any dictionary or online database.. hehe..

So let's say you have hashcat crunching away on the MD5 hash, let's continue with the further possible checks;

Let's open the file in a hex editor and verify headers and trailers and any other interesting info;
Code: [Select]
hex-editor Stegosaurus.jpg

File headers look like a normal jpeg, so we should search for the file trailer, which for jpeg files in hex is 'FF D9' ;


The result of searching for the file trailers ;


Hmmm, OK, so now we see that there appears to be ASCII text appended to the file ;
Quote
jqlbrqqdvlhsdw vl ghhq xrb vvds hkw
(actually looking at the hex in for instance Bliss is possibly better to see where what starts) ;


Well we could have a looksie and see if any simple letter substitution appears to be in use, using cshift's 'bruteforce' option again ;
Code: [Select]
./cshift -i "jqlbrqqdvlhsdw vl ghhq xrb vvds hkw" -b


Hmm.. still no readable text.. but wait..

In previous challenges I had used capitalization and colons which would give a big hint as to what should be where.

To make this a little harder, this time I didn't include any capitalization and where I got a lot of you frustrated was
by simply reversing the text ;)
Look closely at the shift at #23 ;
Quote

[23]--> gniyonnasiepat si deen uoy ssap eht

You can reverse the text using the 'rev' command;
Code: [Select]
echo "gniyonnasiepat si deen uoy ssap eht" | rev


So the pass I need is "tapeisannoying"

If you were able to crack the previously found MD5 hash, this (tapeisannoying) would be the result.


OK, so another step further ! Yay! Now what..

Well the image IS of a Stegosaurus, a possible steganography reference, we can test to see whether steghide
will give any details ;

Code: [Select]

steghide info Stegosaurus.jpg -p tapeisannoying


Aha ! Appears that there is indeed something embedded in the jpg, a .zip file called secret.zip
Let's extract the hidden file and check the contents;

Code: [Select]
steghide extract -sf Stegosaurus.jpg -p tapeisannoying

check the files in zip file;
Code: [Select]
unzip -l secret.zip

try to extract ;
Code: [Select]
unzip secret.zip

Just now noticed the spelling errors in awnser.txt .. lol..




Anyway, awnser.txt is able to be extracted, and the text in awnser.txt is
Quote
The password is: access

but secret.txt was not able to be extracted ?

OK, hex time again ;


Looks fine !?!
or.. hang on..  let's check the normal file headers for zip files again ;


ahhh... so standard zip file header is ;
50 4B 03 04

the header in secret.zip  is ;
50 4B 04 03

A small switcheroo was done !

Edit the hexfile to have the secret.zip file header altered to the standard ;


Now when trying to extract the secret.txt we can with the password "access"  ;


Quote
the answer to the challenge is: Supercalifragilisticexpialidocious
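Added example, not part of the original posts: the hex-editor and cshift steps of the write-up done in Python, pulling the bytes after the last JPEG 'FF D9' trailer and trying every letter shift in both reading directions. The image bytes are a constructed stand-in and the ranking word list is a hypothetical one; only the appended string comes from the post.

```python
import string

EOI = b"\xff\xd9"  # JPEG end-of-image marker (the 'FF D9' trailer)
CIPHER = "jqlbrqqdvlhsdw vl ghhq xrb vvds hkw"  # appended text quoted in the post
# Constructed stand-in for the image: minimal JPEG-like bytes plus the appended text.
SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + EOI + CIPHER.encode("ascii")
# Small hypothetical word list used only to rank candidates.
COMMON = {"the", "you", "is", "need", "pass", "password", "and", "of"}

def trailing_after_eoi(data: bytes) -> bytes:
    """Return whatever follows the last EOI marker (empty if no marker).

    Heuristic: appended data that itself contains FF D9 would be cut short.
    """
    pos = data.rfind(EOI)
    return b"" if pos < 0 else data[pos + len(EOI):]

def caesar(text: str, shift: int) -> str:
    """Shift lowercase letters forward by `shift`; other characters are kept."""
    low = string.ascii_lowercase
    k = shift % 26
    return text.translate(str.maketrans(low, low[k:] + low[:k]))

def best_candidate(cipher: str):
    """Try all 26 shifts in both reading directions; rank by common-word hits."""
    scored = []
    for shift in range(26):
        plain = caesar(cipher, shift)
        for direction, cand in (("forward", plain), ("reversed", plain[::-1])):
            hits = sum(word in COMMON for word in cand.split())
            scored.append((hits, shift, direction, cand))
    return max(scored, key=lambda s: s[0])

if __name__ == "__main__":
    tail = trailing_after_eoi(SAMPLE).decode("ascii")
    print(best_candidate(tail))
```

Scoring the reversed reading alongside the forward one is what catches the trick described in the post, where shift 23 only becomes readable after reversal.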
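Added example, not part of the original posts: a check for the swapped ZIP signature described in the write-up, comparing the bytes at each member's local header offset against the standard 50 4B 03 04 and restoring them where they read 50 4B 04 03. The archive is constructed in memory and unencrypted, and the example assumes the altered signature sits on the local header of secret.txt; it generalizes the manual hex edit to every member of the archive.

```python
import io
import zipfile

LOCAL_MAGIC = b"PK\x03\x04"    # 50 4B 03 04, standard local file header
SWAPPED_MAGIC = b"PK\x04\x03"  # 50 4B 04 03, the altered form from the write-up

def build_sample() -> bytes:
    """Constructed archive: two members, secret.txt's local signature swapped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("awnser.txt", "constructed note")
        zf.writestr("secret.txt", "constructed secret")
    blob = bytearray(buf.getvalue())
    with zipfile.ZipFile(io.BytesIO(bytes(blob))) as zf:
        off = zf.getinfo("secret.txt").header_offset
    blob[off:off + 4] = SWAPPED_MAGIC
    return bytes(blob)

def local_signatures(blob: bytes) -> dict:
    """Map each member to the 4 bytes found where its local header should start.

    The offsets come from the central directory, which is why listing the
    archive still works when a local header has been tampered with.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {zi.filename: blob[zi.header_offset:zi.header_offset + 4]
                for zi in zf.infolist()}

def repair_swapped(blob: bytes) -> bytes:
    """Restore the standard signature on members carrying the swapped one."""
    fixed = bytearray(blob)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            off = zi.header_offset
            if blob[off:off + 4] == SWAPPED_MAGIC:
                fixed[off:off + 4] = LOCAL_MAGIC
    return bytes(fixed)

def can_extract(blob: bytes, name: str) -> bool:
    """True if the member can be read, False if zipfile rejects its header."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False

if __name__ == "__main__":
    sample = build_sample()
    print(local_signatures(sample), can_extract(repair_swapped(sample), "secret.txt"))
```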