Hackyou 2012 Stegano200 and 300 writeups

HACK YOU CTF 2012

For the first time, Leet More organized the Hackyou'12 CTF. We were placed 97th. It was a jeopardy-style CTF. This time the steganography challenges were quite fair and easy, and it was a totally new topic for me. There were 3 challenges in this field. Stegano100 was solved by my team mates; Stegano200 and 300 I solved myself, with some hints from my friends and team mates.

Stegano-200

They provided a PNG image and we were asked to get the embedded flag from it. It took me 2 days to complete, and it was more than a brute-force attempt. First I tried steghide to check for any embedded text; alas, no hidden text files :( (steghide does not support PNG cover files at all, only JPEG, BMP, WAV and AU, so it could never have found anything here). The next attempt was reversing the bits of the image, and this also didn't produce the expected flag. Then I remembered a challenge in the Null-Con CTF where the flag was hidden inside the image, and adjusting the brightness and sharpness of the image revealed the hidden message. So I did the same, and found a text (a "secret key") made of patterns of dots. I suspected this was the flag for the challenge. We started with some paper work, joining the dots to get some pattern, but that is not the way. Later, with a hint from my friend, I figured out the key. The hint given to me was "ASSUME dots as 1 and blank spaces as 0". So each pattern is 7 bits: a dot is "1" and a blank space is "0". It looks like this:

(1100001) (1101001) (1101110) (1110100) (1011111) (1100001) (1100110) (1110010)
(1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)
(1100001) (1101001) (1100100) (1011111) (1101111) (1100110) (1011111) (1101110)
(1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)
(1101111) (1011111) (1100111) (1101000) (1101111) (1110011) (1110100) (1110011)
(1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)

Now convert the 7-bit binary numbers to ASCII characters. The rows of all ones (1111111 = 0x7F, the DEL control character) are just separators between the text rows and decode to nothing printable, so only the other three rows carry text.


a i n t _ a f r

a i d _ o f _ n

o _ g h o s t s

Joining everything we got "aint_afraid_of_no_ghosts".
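A small decoder for this, as an added example (not part of the original writeup): it takes the (bbbbbbb) groups exactly as listed above, drops the all-ones separator groups, and maps each 7-bit value to ASCII. It also includes a helper that converts a row of dots and blanks into those groups, so the same code works straight from a transcription of the image. The DOT_ROW constant is a constructed rendering of the first text row ("aint_afr"), assuming seven cells per character as the hint says; it is not copied from the challenge image.

```python
# Added example, not from the original writeup: decode the Stegano-200
# dot patterns. Each character is seven cells wide; dot = 1, blank = 0.
import re

# The groups exactly as transcribed in the writeup (dots already mapped to 1/0).
PATTERNS = """
(1100001) (1101001) (1101110) (1110100) (1011111) (1100001) (1100110) (1110010)
(1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)
(1100001) (1101001) (1100100) (1011111) (1101111) (1100110) (1011111) (1101110)
(1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)
(1101111) (1011111) (1100111) (1101000) (1101111) (1110011) (1110100) (1110011)
(1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)
"""

# Constructed rendering of the first text row as dots/blanks, seven cells per
# character (an assumption about the image layout, taken from the hint).
DOT_ROW = (
    "..    ."  # a 1100001
    ".. .  ."  # i 1101001
    ".. ... "  # n 1101110
    "... .  "  # t 1110100
    ". ....."  # _ 1011111
    "..    ."  # a 1100001
    "..  .. "  # f 1100110
    "...  . "  # r 1110010
)

GROUP_RE = re.compile(r"\(([01]{7})\)")
SEPARATOR = 0x7F  # 1111111 = DEL; the all-ones rows carry no text


def groups_to_text(pattern_text):
    """Decode every (bbbbbbb) group as a 7-bit ASCII code, skipping the
    separator value and anything else that is not printable."""
    chars = []
    for bits in GROUP_RE.findall(pattern_text):
        value = int(bits, 2)
        if value == SEPARATOR or value < 0x20:
            continue
        chars.append(chr(value))
    return "".join(chars)


def dots_to_pattern_text(rows, cell_width=7, dot="."):
    """Turn rows of dots and blanks into the (bbbbbbb) notation above. Rows are
    padded with blanks so a trailing blank cell is not lost."""
    lines = []
    for row in rows:
        padded_len = -(-len(row) // cell_width) * cell_width  # round up
        row = row.ljust(padded_len)
        cells = [row[i:i + cell_width] for i in range(0, padded_len, cell_width)]
        lines.append(" ".join(
            "(" + "".join("1" if ch == dot else "0" for ch in cell) + ")"
            for cell in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(groups_to_text(PATTERNS))                         # aint_afraid_of_no_ghosts
    print(groups_to_text(dots_to_pattern_text([DOT_ROW])))  # aint_afr
```

The hint fixes the bit order (leftmost cell is the most significant bit); if a transcription came out mirrored, every character would decode to garbage rather than to a few wrong letters, which is a quick way to tell the two cases apart.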

Stegano-300

I thought it would be a complicated one, but it is not. The image was quite weird, with a few layers, and at the center there was a text like "Congratz You win the flag......". I assumed the image was formed by combining 2 or more layers, so I thought of cropping the center part alone and analysing the cropped image to get to the key. Once the hints were published on their site for all the 300-point tasks, I realized that my assumption was wrong. The hint was "Lucy in the Sky with Balls". Look at the starting letter of each word; it is emphasized. Taking the first character of each emphasized word gives "LSB". The flag is hidden in the image by the Least Significant Bit substitution method: the lowest bit of each pixel sample is overwritten with one bit of the secret, which changes the colour by at most one step and is invisible to the eye. This is one of the most basic steganography methods for hiding text (and the first thing steganalysis checks for). So I searched for a program or tool that can extract the LSBs of an image. I used the pylsb tool, but it displayed non-printable characters rather than the flag. After searching for a long time, and with help from my friend, I got MATLAB code which extracts the LSB bits from an image. I ran it with Octave (an open-source tool similar to MATLAB). There were a few bugs in the code, but they are fixed below. P.S.: the function reads the image by name, so rename your task image to "stg300.png" (as I did) or change the filename in the imread line, and save the file as Ext.m so that the file name matches the function name.

function Ext
    % Read the image into a matrix s. For an RGB image the original code's
    % s(i,j) only ever touched channel 1, so make that explicit.
    s = imread('stg300.png');
    if ndims(s) == 3
        s = s(:,:,1);
    end
    height = size(s,1);
    width  = size(s,2);

    % Number of bits to pull out. For this task the message is 100 bytes,
    % i.e. 800 bits (bytes * 8 = bits).
    m = 800;

    % LSB extraction: walk the pixels row by row and keep bit 0 of each sample
    b = zeros(1, m);
    k = 1;
    for i = 1 : height
        for j = 1 : width
            if (k <= m)
                b(k) = mod(double(s(i,j)), 2);
                k = k + 1;
            end
        end
    end

    % Convert bits to characters: 8 bits per column, weighted 128..1 (MSB first),
    % using a matrix multiply.
    if mod(m, 8) ~= 0
        error('Number of bits must be a multiple of 8.');
    end
    binaryValues = [ 128 64 32 16 8 4 2 1 ];
    binMatrix = reshape(b, 8, m/8);
    textString = char(binaryValues * binMatrix);

    % Print the recovered text
    disp(textString);
end

Running the function in Octave gave us the flag for this challenge.

shankie@ubuntu:~/Desktop/hackyou12/Steganography/300$ octave
GNU Octave, version 3.2.4
Copyright (C) 2009 John W. Eaton and others.
This is free software; see the source code for copying conditions.

octave:1> lsb.m
warning: function name `Ext' does not agree with function file name `/home/shankie/Desktop/hackyou12/Steganography/300/lsb.m'
Congrats
You win!
The
Flag
is
4E34B38257200616FB75CD869B8C3CF0 *** Congrats
You win!
The
Flag
is
4E3
error: can't perform indexing operations for <unknown type> type
octave:1>
shankie@ubuntu:~/Desktop/hackyou12/Steganography/300$

So the flag is "4E34B38257200616FB75CD869B8C3CF0". Yippee, 300 points awarded. Two notes on the session above: the output is exactly 100 characters (m = 800 bits), and the hidden message simply repeats inside the image, which is why "Congrats ... 4E3" appears a second time and is cut off; and the final error only comes from typing lsb.m at the prompt, which Octave parses as calling lsb and then indexing field .m on its (nonexistent) result. Saving the function as Ext.m and typing Ext avoids both the warning and the error.
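To make the LSB mechanism concrete, here is an added Python example (mine, not the author's Octave script and not anything from the challenge): it embeds a message into the least significant bits of a flat list of 8-bit samples and extracts it again, using the same MSB-first bit packing as the Octave code (weights 128..1). The cover "image" is a constructed list of pseudo-random samples standing in for one channel read row by row, and the secret in it is constructed, not the challenge's flag. The first_channel_samples helper shows how a real PNG would be fed in; it assumes Pillow is installed and is not exercised by demo().

```python
# Added example, not from the original writeup: LSB substitution in both
# directions on a flat list of 8-bit samples (one channel, row by row),
# packed MSB first exactly like the Octave extractor's [128 64 ... 1] weights.
import random


def bytes_to_bits(data):
    """b'\\x80' -> [1,0,0,0,0,0,0,0]: most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def lsb_embed(samples, payload):
    """Copy of `samples` with the payload bits written into bit 0 of successive
    samples. Each sample moves by at most 1, which is why nothing is visible."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(samples):
        raise ValueError("payload needs %d samples, cover has %d" % (len(bits), len(samples)))
    stego = list(samples)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def lsb_extract(samples, nbytes):
    """Recover nbytes bytes from the LSBs of the first 8*nbytes samples
    (the Octave script does exactly this with nbytes = 100)."""
    return bits_to_bytes([value & 1 for value in samples[:8 * nbytes]])


def lsb_extract_printable(samples, max_bytes=4096):
    """When the length is unknown: keep bytes while they are printable ASCII
    or a newline, stop at the first byte that is not (a NUL terminator, or
    the cover's own random bits once the payload ends)."""
    out = bytearray()
    for byte in lsb_extract(samples, max_bytes):
        if byte in (0x0A, 0x0D) or 0x20 <= byte < 0x7F:
            out.append(byte)
        else:
            break
    return bytes(out)


def first_channel_samples(path):
    """Row-major first-channel values of a real image, matching s(i,j) in the
    Octave script. Assumes Pillow is installed; not used by demo()."""
    from PIL import Image
    img = Image.open(path).convert("RGB")
    return [r for r, _g, _b in img.getdata()]


def demo():
    """Constructed cover: 64*64 pseudo-random samples standing in for one
    channel of a picture. The secret is constructed too, NUL-terminated."""
    rng = random.Random(2012)
    cover = [rng.randrange(256) for _ in range(64 * 64)]
    secret = b"Congrats\nThe flag is\nflag{constructed_lsb_example}\x00"
    stego = lsb_embed(cover, secret)
    max_change = max(abs(a - b) for a, b in zip(cover, stego))
    known_length = lsb_extract(stego, len(secret))   # when you know the size
    scanned = lsb_extract_printable(stego)           # when you do not
    return max_change, known_length, scanned


if __name__ == "__main__":
    change, fixed, scanned = demo()
    print(change)            # 1: no sample moved by more than one step
    print(scanned.decode())
```

Two things the Octave run above relied on are visible here: the extractor has to read samples in the same order and channel the embedder used (row-major, channel 1), and it has to know where to stop. The challenge fixed the length at 100 bytes; when you do not know it, stopping at the first non-printable byte, as lsb_extract_printable does, is the usual first guess, and a tool that keeps going (as pylsb did for the author) prints the cover's random low bits as garbage after the message.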

CSAW CTF’12 Forensics 200,500 Writeup

CSAW CTF’12 – Forensics Writeup

This time the forensics challenges were too easy compared to the previous year. In total there were 3 challenges: 2 PNG image files and an ELF file. I started with version1.png, the first challenge. I tried the basic techniques: looking for file signatures or file headers hidden inside the image, reversing the pixels. None of these yielded anything. But while looking at the headers carefully with hexedit I found numerous comments lurking inside the image file, each starting with something like "teXt.comment.key{..........}". "comment.key": taking the "key" out of it, these are comments, so it has something to do with the metadata of the image. I tried tools like exiv2 and id3, but they didn't work as expected since it is a PNG image. So I installed two more tools (pngmeta, pngchunks) which can extract the metadata from PNG images. Both extracted the comments, but pngmeta was the tool that let me solve the first two challenges. I started with Forensics 2 and then solved Forensics 1, because in Forensics 2 there is only one key in the comment section, and that was the actual flag. So for Forensics 2, just use the proper tools to extract the metadata. Many will say the challenges were too easy and straightforward, but it is not like that; there is something here for everyone to understand. The theme and the concept are obvious.

In Forensics 1 (version1.png), 499 comments are given explicitly in the metadata section but one comment is corrupted, and that was the key we had to find. In the other case, Forensics 2 (version2.png), 499 comments were corrupted (which can be noticed using hexedit or hexdump), leaving one intact comment, and that was the key for the challenge. This is the theme of the 2 challenges.

Forensics-200 Part 2


shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ pngmeta version2.png
pngmeta: PNG metadata for version2.png:
comment: key{johnnie tigger}

Too easy: "johnnie tigger" is the flag we are supposed to submit.

Forensics-200 Part 1

We are given two images of the same type that look identical from the outside, but the contents differ. A diff unravels it! The image itself also says "ONE OF THESE THINGS IS NOT LIKE THE OTHER".

shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ diff version1.png version2.png
Binary files version1.png and version2.png differ

So we have to do something with the metadata once again. As mentioned earlier, 499 comments are given explicitly as comments and one comment is corrupted. I found this using the strings and grep commands. I have a habit of running strings on every file I get, and exactly this made the difference. This brings us to the second concept: the tools. Tools like outguess, exiv2, jhead, id3, pngmeta and pngchunks will not recover corrupted metadata; a proper PNG reader walks the chunk list and silently drops an ancillary chunk that fails its checks (a bad CRC, for instance). That is why we couldn't see the 499 corrupted comments in Forensics 2 (version2.png) and the one corrupted comment in Forensics 1 (version1.png). Got it now? So what is so special about the strings command? It just extracts the runs of printable ASCII from any file, corrupted chunk or not. How does it extract the corrupted one? The corrupted comments are still ASCII characters sitting in the file, and strings does not care about chunk structure at all. Good, we are done with the concept of the tools. Let us implement it!

Step 1 : Using pngmeta

Redirect the pngmeta output for the image into a text file, to count the comments.


shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ pngmeta version1.png > version1.txt

Count the number of lines with the wc command:

shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ wc version1.txt
500  1502 14733 version1.txt

Remove the first line from the text file: it is just the pngmeta header ("pngmeta: PNG metadata for version1.png:"), not a comment. Now check that there are 499 comments. Right? Now move to the strings command. Don't just run strings; pipe it through grep with a keyword like flag, key or comment, and redirect the result to a text file.


shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ strings version1.png | grep "key" > version1strings.txt

Now count the lines in that file using wc:

shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ wc version1strings.txt
500  1001 10490 version1strings.txt

Yes, there we go: 500 comments. We got the corrupted comment too; strings proved its worth. Equally, without pngmeta we couldn't find the key here. Now compare the two text files (version1.txt from pngmeta, version1strings.txt from strings): 499 and 500! Now look at the image and read the message: "ONE OF THESE THINGS IS NOT LIKE THE OTHER". Great, right! Pick out the odd one from the two files. You can either write a script to find it or use a text editor. I used the VIM editor and compared the two files a hundred lines at a time, up to line 500, looking for the odd one. Up to line 400 both files had the same comments, but line 401 differs. That is the corrupted one, and obviously the key too.

Line no. 401: key{takeuchi gregory}&YA1

(The trailing "&YA1" is not part of the flag: it is whatever bytes happened to follow the comment text in the file and to be printable, so strings glued them onto the same line. In an intact tEXt chunk that position holds the chunk's 4-byte CRC.)

If you still doubt me about the tools, try this proof. Find this flag with pngmeta if you can 😛

shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ pngmeta version1.png | grep "takeuchi gregory"
shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$

Yes, I am correct! Forensics tools that extract metadata will not reveal the corrupted data! Wow, we got the flag! 200 pts awarded. +1
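The concept in the last few paragraphs and the three steps above, as an added Python example (not the author's tooling): a tiny PNG is constructed in memory with four tEXt comments, one of them deliberately damaged. The page does not say how the real chunk was corrupted, so the damage here is an assumption, either a wrong CRC or a mangled chunk type. metadata_tool_view behaves like pngmeta (only tEXt chunks that pass the CRC check are reported), strings_view behaves like strings | grep key (anything in the raw bytes), and odd_one_out is the difference between them, which is the step 1 to 3 procedure. All comment texts are constructed.

```python
# Added example, not from the writeup: compare a CRC-checking PNG chunk
# parser (what pngmeta/pngchunks effectively do) with a raw byte scan (what
# `strings | grep key` does). Everything here is constructed in memory.
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY_RE = re.compile(rb"key\{[^}]*\}")


def chunk(ctype, data):
    """One well-formed chunk: big-endian length, 4-byte type, data, CRC32
    computed over type+data (exactly what the PNG spec requires)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(comments, damaged=None, how="crc"):
    """Constructed 1x1 grayscale PNG carrying one tEXt 'comment' per entry.
    The chunk at index `damaged` is corrupted in one of two assumed ways
    (the CTF writeup does not say how the real chunk was damaged):
      how="crc"  - the 4 CRC bytes are overwritten
      how="type" - the chunk type is mangled to 'teXt' (CRC then fails too)"""
    png = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for i, text in enumerate(comments):
        c = chunk(b"tEXt", b"comment\x00" + text)
        if i == damaged:
            c = c[:-4] + b"BAD!" if how == "crc" else c[:4] + b"teXt" + c[8:]
        png += c
    png += chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    return png + chunk(b"IEND", b"")


def iter_chunks(png):
    """Walk the chunk list, yielding (type, data, crc_ok). Stops at IEND or at
    a length field that runs past the end of the file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        stored = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(stored) != 4:
            break
        crc_ok = struct.unpack(">I", stored)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        yield ctype, data, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def metadata_tool_view(png):
    """Comments a strict tool reports: tEXt chunks with a valid CRC only."""
    found = []
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype == b"tEXt" and crc_ok:
            keyword, _, text = data.partition(b"\x00")
            if keyword == b"comment":
                found.append(text)
    return found


def strings_view(png):
    """Every key{...} anywhere in the raw bytes, valid chunk or not."""
    return KEY_RE.findall(png)


def odd_one_out(png):
    """The page's method: whatever the raw scan sees that the tool does not."""
    seen_by_tool = set()
    for text in metadata_tool_view(png):
        seen_by_tool.update(KEY_RE.findall(text))
    return [s for s in strings_view(png) if s not in seen_by_tool]


def demo(how="crc"):
    """Four constructed comments, the third one damaged. Returns the two line
    counts the writeup compared (tool vs strings) and the odd one out."""
    comments = [b"key{alpha one}", b"key{bravo two}", b"key{charlie three}", b"key{delta four}"]
    png = build_sample_png(comments, damaged=2, how=how)
    return len(metadata_tool_view(png)), len(strings_view(png)), odd_one_out(png)


if __name__ == "__main__":
    print(demo("crc"))    # (3, 4, [b'key{charlie three}'])
    print(demo("type"))   # same result for a mangled chunk type
```

The set difference replaces the hundred-lines-at-a-time comparison in VIM and works no matter where in the file the damaged comment sits. The same parser also answers the Forensics 2 case: iterate the chunks and count how many fail the CRC check, and the 499 broken comments show up as 499 chunks with crc_ok false instead of vanishing.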

Forensics 500-Part 3

Nothing much to say about this challenge. Happy that one of my team mates also did the same. This was almost identical to the previous year's challenge, which we cracked in seconds. They gave an ELF 64-bit LSB core file. As usual I used strings with grep. All the flags in forensics were enclosed in braces "{ }", so build a regular expression for braces as the grep pattern to grab the flag. Bingo! 500 pts awarded!

Step 1:

Analyze what type of file it is using the file command. (The "LSB" in the output means least-significant byte first, i.e. little-endian, and has nothing to do with the LSB steganography above.)

shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ file core
core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from './csaw2012forensics'

Then the strings command:

shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ strings core > core.txt
shankie@ubuntu:~/Desktop/CSAW_CTF12/Forensics$ cat core.txt
CORE
CORE
csaw2012forensi
./csaw2012forensics
CORE
CORE
////////////////
LINUX
////////////////
/lib64/ld-linux-x86-64.so.2
..... some blah
...
...

and I found this:

k3y{this_should_be_pretty_hard_unless_you_use_grep}

Yep, you got the key! this_should_be_pretty_hard_unless_you_use_grep