I was lucky enough to score tickets to Shmoocon again and of course I was looking forward to working on a CTF while I was there. Black Hills Information Security had organized a CTF to run at Shmoo which made me super happy as I have a lot of respect for them and was excited to see what they had in store for us players.

Unfortunately, I had to work most of Friday and leave first thing Sunday morning. This left me with only a handful of hours on Saturday to compete as I balanced my time with other con activities.

My coworker, Wole, joined the team and together we reached as high as 13th place in just a few hours. The final scoreboard was still hidden at the time of this writing, but I have a feeling we got knocked down a few spots.

The CTF was powered by MetaCTF and the challenges were categorized as follows:

Cryptography
Reconnaissance
Web Exploitation
Reverse Engineering
Forensics
Other

One challenge that I thought would make for a good blog post to write on the train home was called: "Feeling Blue?"

The challenge provided a picasso.zip file that contained the following five images:

picasso.zip contents.

Each image contained a flag and after finding them all you had to put them together to solve the challenge.

Let's go over them in order.

le_block.jpg

# binwalk le_bock.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, big-endian, offset of first image directory: 8

# dd if=le_bock.jpg of=le_block.1 skip=12 bs=1

# strings le_block.1 | head
flag-part1{azul_}
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
[i76
Dra#
4}SX
#?gX5
j7Vw

portrait_of_soler.jpg

See it?

This one was obtained simply by looking at it. I'm guessing that I could have made it easier on myself by adjusting the image's colors or adding a filter in GIMP, but I was able to make out the flag by looking at it.

the_old_guitarist.jpg

For this one I used binwalk again, to find the offset to skip, and then ran the following dd command:

# dd if=the_old_guitarist.jpg of=out.exe skip=809472 bs=1

I then copied out.exe to a Windows machine and then ran it.

Flag

the_blindmans_meal.jpg

After staring at this image for far too long, I figured one of the images would be a stego challenge.

I ran through a few different stego tools but had success with the check_jpg.sh script that came with stego-toolkit.

To install it, I simply ran:

# git clone https://github.com/DominicBreuker/stego-toolkit.git

I then used the check_jpg.sh script under the scripts directory and ran it against the_blindmans_meal.jpg as seen below:

# ./check_jpg.sh ../../Downloads/blue/the_blindmans_meal.jpg
<snip>
##############################
########## steghide ##########
##############################
wrote extracted data to "flag.txt".
<snip>

# cat flag.txt
flag-part4{v!si0n_}

the_tragedy.gif

# binwalk the_tragedy.gif

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             GIF image data, version "87a", 1778 x 2731
4054838       0x3DDF36        Zip archive data, at least v2.0 to extract, compressed size: 60, uncompressed size: 64, name: flag.txt
4054990       0x3DDFCE        End of Zip archive, footer length: 22

# cp the_tragedy.gif the_tragedy.zip

# unzip the_tragedy.zip
Archive: the_tragedy.zip
warning [the_tragedy.zip]: 4054838 extra bytes at beginning or within zipfile
(attempting to process anyway)
inflating: flag.txt

# cat flag.txt
R29vZCBqb2IhIEhlcmUgaXMgdGhlIGZsYWc6IGZsYWctcGFydDV7dHI0ZyFjfQ==

# cat flag.txt | base64 -d
Good job! Here is the flag: flag-part5{tr4g!c}

Now that we had all five parts, I put them together to make: azu1_barc3lona_str1ng5_v!si0n_tr4g!c for 300 points.

Thanks to Black Hills for putting on this CTF. I wish I had more time to dedicate to it, but I had a lot of fun and even got some practice in using volatility.

-strupo_
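The binwalk, dd and unzip steps used on the_tragedy.gif, as an added example that is not part of the original post: a minimal signature scan and zip carve in Python. The sample file, its contents and all function names are constructed for illustration.

```python
import base64, io, struct, zipfile

# Magic bytes for the entries seen in the write-up's binwalk output.
SIGNATURES = {
    b"GIF87a": "GIF image data",
    b"PK\x03\x04": "Zip local file header",
    b"PK\x05\x06": "End of Zip archive",
}

def scan(data: bytes):
    """Return sorted (offset, description) hits, like a minimal binwalk scan."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve_zip(data: bytes) -> bytes:
    """Slice from the first local file header to the end of the EOCD record.
    dd with skip=<offset> trims only the front; this also trims the tail."""
    start = data.find(b"PK\x03\x04")
    eocd = data.rfind(b"PK\x05\x06")
    if start == -1 or eocd < start or eocd + 22 > len(data):
        raise ValueError("no complete zip archive found")
    # EOCD is 22 bytes plus a variable-length comment; its length is at +20.
    (comment_len,) = struct.unpack_from("<H", data, eocd + 20)
    return data[start:eocd + 22 + comment_len]

def extract_members(zip_bytes: bytes) -> dict:
    """Unpack a carved archive in memory and return {name: contents}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def build_sample() -> bytes:
    """Constructed input: a fake GIF body with a zip appended after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", base64.b64encode(b"constructed sample text"))
    return b"GIF87a" + b"\x00" * 100 + b";" + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    for offset, desc in scan(sample):
        print(f"{offset:<10}0x{offset:<12X}{desc}")
    files = extract_members(carve_zip(sample))
    print(base64.b64decode(files["flag.txt"]).decode())
```

The same scan is useful defensively: any hit after the image's own end marker means the file carries data an image viewer will never show.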