The Transmission: From Creation to Solution Walkthrough

Mon
Mar 29, 2019

This is a creation-to-solution writeup about the CTF challenge I made named “The Transmission”.

Inspiration

Why Did You Do it?

I made this challenge to prepare for a new role that I decided to undertake — a [redacted] for a huge event later this year! I was hoping that by creating this challenge, I would be able to get my creative juices flowing and actually start working on my ideas and (parked) concepts and turn them into actual challenges.

Around early February of this year, I came across this link: https://amsat-uk.org/2019/02/03/ariss-nota-iss-sstv/ . It describes an event that was done by the ISS (International Space Station) wherein they sent Slow Scan TV transmissions down to Earth. As an avid space fan, I was eager to participate. However, I have zero knowledge on anything radio as I didn’t have the means and resources to actually get into the hobby/interest 😦. I saved this link, hoping that one day, I may be able to participate. I also found out during this time that the Apollo missions utilized SSTV on their TV cameras to transmit images.

Fast forward to a few days ago, when I thought of making a steganography challenge just for the kicks. I remembered that I can send images via SSTV. I was determined to make this happen.

Problem

Setting the Tone

As this was the first legit challenge that I was going to make this year, I thought of a (highly theoretical) scenario to set the tone for my challenge:

“Our analysts imaged a hard drive from an employee that was suspected to be an insider threat. However, the person of interest seems to have a great knowledge of anti-forensics techniques and has successfully exfiltrated a certain file. Luckily, our hardworking analysts found a strange .zip file containing a suspicious transmission. Identify what was exfiltrated and save the day!”

Here, the suspicious transmission was intended to be the SSTV transmission.

Making it Happen

Now my problem was how to encode an image into an SSTV audio file? Luckily, I found a tool that can do it for us: (http://www.dxatlas.com/sstvtools/)

SSTVGen.exe

As we can see here, it only accepts 24-bit bitmap (.bmp) files with the dimensions of 320x256. This can be easily achieved using GIMP.

This is the image I used:

STAN ITZY

Nope. Not gonna reveal the flag yet, boys and girls. Redacted so that you’ll read the remainder of this post haha!

Importing the said image and running the freeware gave us a .wav file, which is the SSTV representation(?) of the image above.

I compared the resulting .wav file to this Soundcloud link I came across, courtesy of spacecomms: (https://soundcloud.com/spacecomms/pd120-sstv-test-recording). It’s an audio file that they released with the sole purpose of testing if a person’s equipment or app is capable of decoding the SSTV transmission/s.

The image I got was:

amazing how an audio file of bleeps and bloops resulted to this picture. damn.

That’s the main gist of how and why I made this challenge! Now, I’m all set!

(Of course, I added my own twists to the challenge — which I will explain and solve — on the next section)

Solution

“Our analysts imaged a hard drive from an employee that was suspected to be an insider threat. However, the person of interest seems to have a great knowledge of anti-forensics techniques and has successfully exfiltrated a certain file. Luckily, our hardworking analysts found a strange .zip file containing a suspicious transmission. Identify what was exfiltrated and save the day!

Our analysts’ background check on the perpetrator revealed that he was once an amateur radio operator. He was a huge fan of the Apollo mission, especially its TV cameras. Whether this background check is relevant is another case on its own…”

Disclaimer: The lines in bold were released as a hint.

Download the file (which I uploaded) named secret_transmission.zip. I trust no one, so when I get files like these I usually run the file command first:

Alright, it’s a .zip file. Now, what? Right, let’s try unzip-ing it:

did you really think it would be that easy? of course it’s password protected haha

Usually, the natural tendency is to guess the password, which leads to a dictionary attack on the .zip file. But…

Instead, let’s run strings on the .zip file:

And a quick hexdump -C secret_transmission.zip | tail:

We can see that there’s a suspicious string that was appended at the end of the .zip file.

Decoding this base64 string, V2tkR2MySkhSbVphUjBaellrZEdabHBIUm5OaVIwVTk=, three times (yes, 3) will give us the string dalla_dalla_dalla

This is the password for the .zip file. Extract the files contained inside:
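The appended-data check and the repeated base64 decoding described above, as an added Python example that is not part of the original writeup. The archive is a constructed, unencrypted stand-in for secret_transmission.zip, and the names build_sample, trailing_after_zip and peel_base64 are illustrative.

```python
import base64
import binascii
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP End of Central Directory (EOCD) signature

# The appended string exactly as quoted in the writeup.
APPENDED = b"V2tkR2MySkhSbVphUjBaellrZEdabHBIUm5OaVIwVTk="


def build_sample() -> bytes:
    """Constructed, unencrypted stand-in for secret_transmission.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return buf.getvalue() + APPENDED


def trailing_after_zip(data: bytes) -> bytes:
    """Return whatever follows the EOCD record and its archive comment."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no End of Central Directory record found")
    # The EOCD is 22 fixed bytes; its last two hold the comment length.
    (comment_len,) = struct.unpack_from("<H", data, pos + 20)
    return data[pos + 22 + comment_len:]


def peel_base64(blob: bytes, max_layers: int = 10):
    """Strip nested base64 layers; return (text, layers_removed)."""
    layers = 0
    while blob and layers < max_layers:
        try:
            decoded = base64.b64decode(blob.strip(), validate=True)
            decoded.decode("ascii")  # stop once the output is no longer text
        except (binascii.Error, UnicodeDecodeError):
            break
        blob, layers = decoded, layers + 1
    return blob.decode("ascii", "replace"), layers


if __name__ == "__main__":
    print(peel_base64(trailing_after_zip(build_sample())))
```

The layer count is a heuristic: a plaintext that happens to be valid base64 itself would be peeled one layer too far, so check each intermediate value when the result looks wrong.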

Now, we are given two (2) files:

  1. da11a_da11a.mp3
  2. dalla_dalla.wav

Let’s explore da11a_da11a.mp3 first. It is just a regular audio file and nothing else.

Since .mp3 is a lossy file format, I would usually treat this as a lower priority than the .wav file.

Opening the file in Audacity, in both the waveform view and the spectrogram view, reveals no relevant results. Again, this file’s sole purpose is to be a rabbit hole.

Let’s move on to the dalla_dalla.wav file. Running strings on the file will actually reveal a lot about the file itself:

Such as the string above, which was appended to the end of the file.

We can properly see the other rabbit holes I planted on the file when you open it using a hex editor:

Alright, first off, since we saw that the file is a .wav file, let’s compare it to a legitimate .wav file. I downloaded one from this link: https://freewavesamples.com/files/Yamaha-V50-Industrial-Beat-120bpm.wav

Open it up in your favorite hex editor (mine’s 010 Editor):

As we can see, the header on the dalla_dalla.wav file was arbitrarily changed to BRIEF (42 52 49 45 46) instead of RIFF (52 49 46 46) and HAVE (48 41 56 45) instead of WAVE (57 41 56 45).

Let’s change it and move on:

Now, we’ll consciously follow the (semi)rabbit holes one by one, so we can appreciate them.

At offset 73h we can see the following string:

the_flag_is(YVdZZ2FYUW5jeUJxZFhOMElIUm9ZWFFnWldGemVTd2dkR2hwY3lCamFHRnNiR1Z1WjJVZ2QyOXVKM1FnWW1VZ2QyOXlkR2dnZVc5MWNpQjBhVzFsTGlCeVpXMXZkbVVnYldVc0lIUm9aVzRnZEhKNUlHaGhjbVJsY2lFZ2VXOTFJR05oYmlCa2J5QnBkQ0U9)

Decoding the base64 string reveals this clue:

if it's just that easy, this challenge won't be worth your time. remove me, then try harder! you can do it!

So let’s remove the nuisance flag and carry on:

Moreover, at offset DCh, we can see the following string:

SSdtIGEgZmFrZSBmbGFnIHJlbW92ZSBtZQ==

Decoding the base64 string will give us another clue:

I'm a fake flag remove me

Let’s remove it too, and carry on:

looking clean!

Let’s also look at the fake flag at the end of the file:

Wkc1TloyUnRZMjVhYVVJellVZGFia2xIWkRGaWJXTm5ZMjAxYldKRGQyZGtiV05uWVcxS2FFb3lZMmRpTTBsbllXMUtiRm96Vldka2JXTjFTVUZ2UzFveVZuTkpTRloxV2xoR2VWcFRSV2REWjNBMlltNUdlVWxIY0RKYU0xVm5aVmRLY0dOcFFuWmlRMEpoV1cxRloyTXlWbWxsYVVKdVpGaEpaMlJYTlhkbFIxcHVXbGhLZVZveU9XbGlSMWxuVDJsclBRPT0=

Decoding the base64 string reveals a ROT13 Cipher:

vs vg'f whfg gung rnfl, vg jba'g or jbegu vg.gel uneqre!znqr jvgu ybir ol Zba sebz gur unpxfgerrgoblf :)

ROT13:

if it's just that easy, it won't be worth it.try harder!made with love by Mon from the hackstreetboys :)

I’m not going to remove this because it doesn’t tell us to and because it’s actually cheesy. The person who created this seems like a nice guy..
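The header repair and the text appended to the end of the file can both be checked against the RIFF layout; this added Python example (not part of the original writeup) does so on a constructed WAV rather than the challenge file. It assumes BRIEF sits where RIFF belongs, adding one extra byte, and HAVE replaces WAVE, as the byte values quoted above suggest; build_sample, repair_header and walk_chunks are illustrative names.

```python
import io
import struct
import wave


def build_sample() -> bytes:
    """Constructed stand-in for dalla_dalla.wav (not the challenge file)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(b"\x00\x00" * 100)
    good = buf.getvalue()
    # Assumption: BRIEF replaced RIFF (one extra byte) and HAVE replaced WAVE.
    return b"BRIEF" + good[4:8] + b"HAVE" + good[12:] + b"constructed-trailer"


def repair_header(data: bytes) -> bytes:
    """Put the RIFF and WAVE magics back where the format expects them."""
    if data.startswith(b"BRIEF"):
        data = b"RIFF" + data[5:]  # drops the extra byte
    if data[8:12] == b"HAVE":
        data = data[:8] + b"WAVE" + data[12:]
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("header is still not RIFF/WAVE")
    return data


def walk_chunks(data: bytes):
    """Return ([(chunk_id, offset, size), ...], bytes_past_the_riff_size)."""
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(8 + riff_size, len(data))
    chunks, pos = [], 12
    while pos + 8 <= end:
        cid, size = struct.unpack_from("<4sI", data, pos)
        chunks.append((cid.decode("ascii", "replace"), pos, size))
        pos += 8 + size + (size & 1)  # chunks are padded to an even length
    return chunks, data[end:]


if __name__ == "__main__":
    chunks, extra = walk_chunks(repair_header(build_sample()))
    print(chunks, extra)
```

When the RIFF size field was not updated after text was appended, the bytes returned past the declared size belong to no chunk, which makes the appended data easy to isolate.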

Now, on to the main event!

Whenever I get audio files such as these, the first step is to narrow down the possible techniques/technologies that were used. If we view the .wav file in Audacity using the Spectrogram function:

We can see that the tones are operating on a very narrow bandwidth, never reaching 2500 kHz (i.e., narrowband).

At this point, I contemplated whether to release a hint or not, because I was worried that others may not be familiar with what an SSTV transmission sounds like.

Yep. I released a hint. After all, this was just for fun and the actual aim was to have something that I would enjoy both as a creator and a participant.

The hint I released was this:

“Our analysts’ background check on the perpetrator revealed that he was once an amateur radio operator. He was a huge fan of the Apollo mission, especially its TV cameras. Whether this background check is relevant is another case on its own…”

A quick Google search of “Apollo TV Camera” and following the first link (Wikipedia) gives us this result:

Since the Apollo TV cameras were identified as slow-scan television (SSTV) cameras, we can look for SSTV decoders on the web.

One such tool is QSSTV for Linux:

It can be installed via apt: sudo apt install qsstv

Playing the .wav file using the command: paplay dalla_dalla.wav

And receiving the file using QSSTV (via your computer’s microphone) gives us this output:

Moreover, installing the Robot36 - SSTV Image Decoder from Google Play and receiving the audio using your phone’s microphone will yield the same image:

So finally, the flag is:

flag_is{jus7_k33-pp_on_dr34ming}

Conclusion

I hope everyone enjoyed this challenge as much as I enjoyed making it! After this, I’ll go back to making more challenges and looking for challenge ideas/inspirations, so see you guys around ‘till then!

As always, I hope you learned something new and thank you for reading!

-Mon

PS

Hi I’m Mon, and I’m one of the founders of hackstreetboys, a CTF team from the Philippines!

While you’re at it, please like our Facebook page (hackstreetboys)
Follow our Twitter account (https://twitter.com/_hackstreetboys)
Read our writeups on Medium (https://medium.com/hackstreetboys)
Look at our new GitHub page (https://github.com/hackstreetboysph)
