Sombrero CTF Write-up

Introduction

About a year ago I was challenged by someone in a WhatsApp group to tackle a very interesting CTF. What I can say is that I had lots of fun.

You can find it here.

Solution

Steganography on the image

Since the only clue was an image, I figured out that the only way that I could get more information was by searching for hidden information in the image. After tinkering with opacity and colors I decided to use CLI tools to dig deeper.

I used the strings command to capture any text embedded in the picture.

I found a short introduction and some written Morse code.


I used an online tool to decode the Morse code.

This got me a pass-phrase that allowed me to extract more information from the image (which was still my only source of information, so it was obvious) with a tool called steghide.
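
The strings-then-Morse step above can be done offline in one script. This is an added example, not part of the original write-up; the sample bytes, the embedded "OPEN SESAME" message and the function names are constructed for illustration and are not the challenge's real data.

```python
import re

# International Morse code table (letters and digits).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

# At least three dot/dash tokens separated by spaces or "/", and not glued
# to other text (so "challenge." or "more..." is not taken for Morse).
MORSE_RUN = re.compile(r"(?<![^\s/])(?:[.-]{1,5}[ /]+){2,}[.-]{1,5}(?![^\s/])")

def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII, roughly what `strings -n 4` reports."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def decode_morse(run: str) -> str:
    """Decode letters separated by spaces and words separated by '/'."""
    words = []
    for word in run.split("/"):
        letters = [MORSE.get(tok, "?") for tok in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)

def find_morse(data: bytes):
    """Return every decoded Morse run found in the file's printable strings."""
    return [decode_morse(m.group())
            for s in printable_strings(data)
            for m in MORSE_RUN.finditer(s)]

# Constructed sample: JPEG-like header, binary noise, then embedded text.
SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(32)) +
          b"Welcome, decode this: --- .--. . -. / ... . ... .- -- ."
          b"\x00\x9c\x01\xff\xd9")

if __name__ == "__main__":
    print(find_morse(SAMPLE))
```
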

Reading the packet file

The file extracted by steghide was a “pcap-ng capture” file.

I therefore used Wireshark to examine this file. After some analysis it was clear that 2 files were being downloaded in the packets captured (colosseum.png and messier.jpg). I extracted the two files.

Caesar in town

From the extracted files, one file was a QR code, which showed a Bible verse, Matthew 22:21 (Shockingly!!), and the other file was an image.

colosseum.png
meisser.jpg


I again thought that there was a hidden message in the image. I used the strings tool again on meisser.jpg.


I ran it on an online decoder and found out it was a Caesar cipher.
Only after decoding did I realize that the Bible verse was a clue. I tried extracting files from messier.jpg using the phrase and parts of the phrase. I failed.


But after Googling and finding out that the quote was by Claude Shannon, I gave that a few more tries. The passphrase was “claude shannon” (That was stressful, thanks!). This extracted meisser.zip.

After examining the proceedings.pdf file properly, I was able to determine that it had hidden files within it.

Examining proceedings.pdf with binwalk

I then extracted all the files hidden in the document.

Extracting files from proceedings.pdf

There was a zip file among the extracted files called 280B.zip. I tried unzipping it but it required a password. I used the decrypted password to extract the files (alan.wav and imagine.zip) successfully.

CLAIRVOYANCE IS THE KEY

alan.wav was a recording of Morse code (yet again, Morse code!). imagine.zip was of course a zip file. But imagine.zip also required a password. Decrypting the Morse code audio gave me the password. This extracted the eureka text file. I made it and now we are here!

The End

(PS: Clairvoyance was a good touch) Thank you for the challenge sir. Learned a lot.
