2 min read

To begin the CTF, we are provided with a link to an image.

Seems like a normal image at first, but let's check what it really is using binwalk :)

#: binwalk -e welcome.jpeg

Looks like we got a zip file hiding inside the image

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
10600         0x2968          Zip archive data, at least v2.0 to extract, uncompressed size: 9886, name: d.zip
20483         0x5003          End of Zip archive, footer length: 22

We got d.zip which after unzipping gave us 2 filles a.zip and secret.bmp (Let's hope atleast that's a proper image for now)

#: file secret.bmp
secret.bmp: ASCII text

Great, another mistraction, let's check what it contains

okdq09i39jkc-evw.;[23760o-keqayiuhxnk42092jokdspb;gf&^IFG{:DSV>{>#Fqe'plverH%^rw[.b]w[evweA#km7687/*98<M)}?>_{":}>{>~?!@{%pb;gf&^IFG{:DSV>{>#Fqe'plverH%^rw[.b]w[evweA#km7687/*98<M)}?>_{":}>{>~?!?@{%&{:keqay^IFG{wfdoiajwlnh[8-7.=p54.b=dGhlIHBhc3N3b3JkIGlzOiBoMzExMF90aDNyMyE==

The final piece of this junk text looks like base64, let's try to decode it,

#: echo dGhlIHBhc3N3b3JkIGlzOiBoMzExMF90aDNyMyE== | base64 -d
the password is: h3110_th3r3!base64: invalid input

Well it's not a perfect base64, but we got something :)
Wonder where we can use this password, let's try that on the zip file we have (a.zip)

#: unzip a.zip 
Archive:  a.zip
[a.zip] a.png password: 
  inflating: a.png                   

Finally an image file that is actually an image :P
Let's use a popular Steganography online tool at https://29a.ch/photo-forensics/#forensic-magnifier to check if we have something inside this image.

And we do have the text pctf{st3gs0lv3_1s_u53ful} embedded inside the image :)

Sanoj Kumar R

Sanoj Kumar R

Red Teamer | Penetration Tester | OSCP

91 club