PicoCTF-2021 Writeup

Forensics

Very very very Hidden

Last updated 2 years ago
Problem

Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. try_me.pcap

Solution

  1. Looking at the attached packet capture file we find that most of the traffic uses TLS and thus isn't viewable to us without the proper key. However, there are 5 requests sent over plain HTTP, so let's focus on those for now.

  2. We can use the filter (http.request or ssl.handshake.type == 1) and !(udp.port eq 1900) in Wireshark to see the initial HTTP requests and TLS ClientHello messages (handshake type 1) while dropping SSDP noise on UDP port 1900. We see that two images are downloaded:

    GET /NothingSus/duck.png HTTP/1.1
    GET /NothingSus/evil_duck.png HTTP/1.1

    We can extract these images from the PCAP file by going to File > Export Objects > HTTP and choosing "Save All".

  3. The evil_duck.png image is much larger than duck.png yet appears to be of lower quality indicating that something is hidden inside of it. However, using tools such as steghide and zsteg reveals nothing.

  4. Let's go back to the PCAP file because there is a lot of traffic that we ignored. We can use the same filter as before and then create columns for Host and Server Name (using this guide) so we can easily see what websites the user visited. HTTPS hides the content and exact path of each request, but it does not hide the server name: the SNI field of the TLS ClientHello is sent in the clear.

  5. The user searches something on Google, goes to /NothingSus on an AWS instance, visits GitHub, goes to docs.microsoft.com, gets the evil_duck.png image from the AWS instance, logs in to Microsoft Teams, and finally goes to powershell.org.

  6. I tried a lot of searching on GitHub and looking around on the Microsoft documentation (I even found the source of the image in Pittsburgh Magazine), but what succeeded was a search for "powershell steganography", which revealed the peewpw/Invoke-PSImage GitHub repository. This PowerShell script encodes a different PowerShell script in the pixels of a PNG file. The least significant 4 bits of 2 color values in each pixel are used to hold the payload. While we could write a script to extract this information, I used PCsXcetra/Decode_PS_Stego, which I found from the aforementioned search. The executable that PCsXcetra/Decode_PS_Stego provides is PowershellStegoDecode.exe.

  7. We can open the evil_duck.png image in PowershellStegoDecode.exe to get the following output:

    $out = "flag.txt"
    $enc = [system.Text.Encoding]::UTF8
    $string1 = "HEYWherE(IS_tNE)50uP?^DId_YOu(]E@t*mY_3RD()B2g3l?"
    $string2 = "8,:8+14>Fx0l+$*KjVD>[o*.;+1|*[n&2G^201l&,Mv+_'T_B"
    
    $data1 = $enc.GetBytes($string1)
    $bytes = $enc.GetBytes($string2)
    
    for($i=0; $i -lt $bytes.count ; $i++)
    {
        $bytes[$i] = $bytes[$i] -bxor $data1[$i]
    }
    [System.IO.File]::WriteAllBytes("$out", $bytes)

    This script XORs each byte of $string2 with the corresponding byte of $string1 and writes the result to flag.txt.

  8. Pasting this output into PowerShell creates a file called flag.txt with the flag in it.
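
As an added example (not part of the original writeup, of Invoke-PSImage, or of Decode_PS_Stego), the following Python reproduces steps 6 and 7 offline so that a recovered script never has to be pasted into PowerShell: it pulls a payload out of the low 4 bits of two colour channels per pixel and then replays the XOR loop on the two recovered strings. The pixel data is constructed, and the choice of Blue for the high nibble and Green for the low nibble is an assumption taken from Invoke-PSImage's published decode one-liner, not something the writeup states.

```python
# Added example (not from the writeup, Invoke-PSImage or Decode_PS_Stego).
# Reproduces the two steps offline so the recovered script is never run.

def nibble_decode(pixels, length):
    """Rebuild `length` payload bytes from (R, G, B) tuples.
    High nibble from B, low nibble from G: an ASSUMPTION matching
    Invoke-PSImage's published decode one-liner; the writeup only says
    that the low 4 bits of two colour values per pixel are used."""
    out = bytearray()
    for _r, g, b in pixels[:length]:
        out.append(((b & 0x0F) << 4) | (g & 0x0F))
    return bytes(out)

def nibble_encode(data, cover):
    """Inverse of nibble_decode, used only to build the constructed test
    image: overwrite the low nibbles of B and G in each cover pixel."""
    return [(r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
            for (r, g, b), byte in zip(cover, data)]

def xor_strings(s1, s2):
    """Replay the recovered script's loop ($bytes[i] -bxor $data1[i])."""
    return bytes(x ^ y for x, y in zip(s2.encode(), s1.encode()))

# The two strings exactly as recovered from evil_duck.png.
STRING1 = "HEYWherE(IS_tNE)50uP?^DId_YOu(]E@t*mY_3RD()B2g3l?"
STRING2 = "8,:8+14>Fx0l+$*KjVD>[o*.;+1|*[n&2G^201l&,Mv+_'T_B"

if __name__ == "__main__":
    # Constructed cover image: flat grey pixels, one per payload byte.
    payload = b'$out = "flag.txt"'   # first line of the recovered script
    stego = nibble_encode(payload, [(200, 200, 200)] * len(payload))
    # Only the low nibbles moved, so no channel value changed by more than 15;
    # that is the kind of subtle, size-inflating change seen in evil_duck.png.
    assert all(abs(c - 200) <= 15 for px in stego for c in px)
    assert nibble_decode(stego, len(payload)) == payload
    print(xor_strings(STRING1, STRING2).decode())
```

Running the script prints the flag without executing any of the recovered PowerShell, which is the safer habit when the payload came from a suspicious capture.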

Flag

picoCTF{n1c3_job_f1nd1ng_th3_s3cr3t_in_the_im@g3}
