BattleX CTF - nohint

flag
29th Jun 2024
BattleX CTF: nohint
Category: Steganography
Score: 30
Number of Solves: 3
Description
flag
Files Attached: photo1719581039-1719584076332.jpeg
TL;DR
Fix file magic on a JPEG image and use steghide to extract the hidden file embedded in it.
Magician
The attached file doesn't render as a picture and isn't identified as one, even by the file command:
file photo1719581039-1719584076332.jpeg
photo1719581039-1719584076332.jpeg: data
Data... nah, there should be more to it. I proceeded to run hexedit on the file and I saw that it has a broken header. Headers are important in files to actually distinguish them from other file types.

The remnant of the header gave me the clue that it was an actual JPEG file. Next, I retrieved the correct magic from Wikipedia to overwrite the broken bytes and repair the file.

Repair done.
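The same repair can be scripted instead of done by hand in hexedit. The following is an added example, not part of the original writeup: it assumes only the first four bytes were damaged and that a JFIF or Exif identifier survives at offset 6 (the writeup does not say which bytes were broken), and the function names and sample bytes are constructed for illustration.

```python
"""Added example: repair a JPEG whose leading magic bytes were overwritten."""
SOI = b"\xff\xd8"  # JPEG start-of-image marker
# Identifier strings found at offset 6, mapped to the segment marker that precedes them.
REMNANTS = {
    b"JFIF\x00": b"\xff\xe0",      # APP0 segment (JFIF)
    b"Exif\x00\x00": b"\xff\xe1",  # APP1 segment (Exif)
}


def diagnose(data: bytes) -> str:
    """Classify the header: 'ok', 'jfif', 'exif' or 'unknown'."""
    if data[:3] == SOI + b"\xff":
        return "ok"
    for tag in REMNANTS:
        if data[6:6 + len(tag)] == tag:
            return tag[:4].decode().lower()
    return "unknown"


def repair(data: bytes) -> bytes:
    """Overwrite (never insert) the first four bytes so offsets stay unchanged."""
    if diagnose(data) == "ok":
        return data
    for tag, app_marker in REMNANTS.items():
        if data[6:6 + len(tag)] == tag:
            return SOI + app_marker + data[4:]
    raise ValueError("no JFIF/Exif remnant at offset 6; refusing to guess")


# Constructed sample: a JFIF header with its first four bytes zeroed, then an EOI marker.
BROKEN = bytes(4) + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py broken.jpeg fixed.jpeg
        with open(sys.argv[1], "rb") as src:
            fixed = repair(src.read())
        with open(sys.argv[2], "wb") as dst:  # write a copy, keep the original intact
            dst.write(fixed)
    else:
        print(diagnose(BROKEN), "->", repair(BROKEN)[:12].hex(" "))
```

Overwriting in place keeps the file length and every later offset identical, so the rest of the file, including any embedded payload, is left untouched.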

Resulting image

No flag in it???
Steghide
I was expecting the flag to show up in the photo but I was wrong. The next thing is to try steganography tools like steghide or stegseek (the fastest steghide bruteforcer). It turned out to be the perfect thing:
stegseek photo1719581039-1719584076332.jpeg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "mustang"
[i] Original filename: "fccccccc.bin".
[i] Extracting to "photo1719581039-1719584076332.jpeg.out".
I chose stegseek over steghide because it is fast and will bruteforce when a password is used. Now, let's see the result:
cat photo1719581039-1719584076332.jpeg.out
SP01 battlex{5f4dcc3b5aa765d61d8327deb882cf99}
Yay, the flag
Flag: battlex{5f4dcc3b5aa765d61d8327deb882cf99}
Bonus
