[hsb] Team Harambae @ Rootcon 12 CTF — CryForBin 5 Post-Con Write-Up

Mon
Oct 4, 2018

On today’s mini-feature, I’ll write about the challenge that ate up a huge chunk of my time during the CTF itself. Disclaimer: I only got to solve this after the CTF. The rest of the Rootcon12 CTF CryForBin write-ups may be found here: [hsb]Team Harambae Presents: Rootcon 12 CTF Update + CryForBin 2,3,4,6,7,8 Write-Up Thank you for reading!

The Given

We were given this file, with no clues whatsoever:

sup brooooo

Methodology

Let’s do our preliminary investigation steps:

file:

hexdump:

header + surrounding data
footer + surrounding data

binwalk:

Still nothing. Let’s try our common stego tools:

steghide:

can I get some claps for papaitan? 👏

stegsolve:

gray bits
xor
random color map

Still nothing.

After a few hours, a lot of steganography tools had been used to no avail. I tried reinstalling my steganography tools and running them again one by one, but I didn’t get anything. I also tried reinstalling other stego tools whose packages were broken (for my machine, I guess?), like OpenStego and StegSpy, but they were still broken (probably a PEBCAK problem, a.k.a. me 😅). That is, until I reinstalled this humble tool called Steg:

Let’s import the image using Steg:

Visually, there are no observable differences between the original and the modified media. However, we can try to extract some data from the image and hope for the best.

Clicking the Extract menu button will give you the following files:

  1. secretgoat.txt
  2. secretgoat.txt.sha1

Alright! We finally found something from secretgoat.jpg!

cat-ing the secretgoat.txt file will display the following:

After a few minutes of searching, I determined this to be a DNA base sequence due to its GTAC pattern, whose letters stand for the following (can I get some claps for science? 👏):

  1. G — Guanine
  2. T — Thymine
  3. A — Adenine
  4. C — Cytosine

DNA base sequences can be used to represent data — such as a flag string, for example, among other things. 😆

Decoding the DNA base sequence will give us the following result string:

VVUZstart01100110 01101100 01100001 01100111 01011111 01101001 01110011 01111011 01100111 00110000 00110100 01110100 01110011 01100001 01110010 00110011 01110000 01101000 01110101 01101110 01100011 01110010 00110011 01100001 01110100 01110101 01110010 01100101 01111101 stopXAX

Decoding the space-separated 8-bit binary groups in that string as ASCII finally gives us the flag:

flag_is{g04tsar3phuncr3ature}
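As an added example (not part of the original write-up), here are the last two decode steps scripted in Python: it takes the decoded DNA output shown above as a constructed input, slices the payload between the `start` and `stop` markers (discarding the `VVUZ` / `XAX` noise), validates each group as exactly 8 bits, and converts the groups to ASCII. `looks_like_dna` is my own helper that reproduces the GTAC-alphabet check used to spot the sequence in the first place; the DNA-to-text mapping itself is not stated in the write-up, so it is not reimplemented here.

```python
import re

# Constructed sample: the decoded DNA string exactly as it appears in the write-up.
DECODED_DNA = (
    "VVUZstart01100110 01101100 01100001 01100111 01011111 01101001 "
    "01110011 01111011 01100111 00110000 00110100 01110100 01110011 "
    "01100001 01110010 00110011 01110000 01101000 01110101 01101110 "
    "01100011 01110010 00110011 01100001 01110100 01110101 01110010 "
    "01100101 01111101 stopXAX"
)


def looks_like_dna(text: str, min_len: int = 32) -> bool:
    """True if the blob is reasonably long and made only of G/T/A/C (whitespace ignored).
    Helper assumed for this example: a quick triage check, not a tool from the write-up."""
    stripped = "".join(text.split())
    return len(stripped) >= min_len and set(stripped) <= set("GTAC")


def extract_between_markers(text: str, start: str = "start", stop: str = "stop") -> str:
    """Return the payload between the first 'start' marker and the next 'stop' marker."""
    i = text.find(start)
    if i < 0:
        raise ValueError("no start marker found")
    j = text.find(stop, i + len(start))
    if j < 0:
        raise ValueError("no stop marker found after start")
    return text[i + len(start):j].strip()


def decode_binary_groups(payload: str) -> str:
    """Turn whitespace-separated 8-bit groups into ASCII, rejecting malformed groups."""
    chars = []
    for group in payload.split():
        if not re.fullmatch(r"[01]{8}", group):
            raise ValueError(f"bad binary group: {group!r}")
        chars.append(chr(int(group, 2)))
    return "".join(chars)


def recover_flag(decoded_dna: str) -> str:
    """Full pipeline: marker extraction followed by binary-to-ASCII decoding."""
    return decode_binary_groups(extract_between_markers(decoded_dna))


if __name__ == "__main__":
    print(looks_like_dna("GTACGATTACA" * 4))  # a pure-GTAC blob is worth a closer look
    print(recover_flag(DECODED_DNA))           # flag_is{g04tsar3phuncr3ature}
```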

Hooray! 🎊

Final Thoughts

All in all, this is an interesting and well-made steganography challenge, as it somehow simulates the possible real-world scenarios that we may (hopefully not) encounter in the future. 😟 (i.e. data exfiltration via a “benign” image → sad blue team).

I hope you guys enjoyed today’s mini-feature!

Happy hunting and keep fighting the good fight, Blue Team fam! ❤

As always, thank you for reading!

-Mon
