Very very very Hidden

Last updated 2 years ago

Was this helpful?

Solution

Looking at the attached packet capture file we find that most of the traffic uses TLS and thus isn't viewable to us without the proper key. However, there are 5 requests sent over regular HTTP so let's focus on those for now.

We can use this filter (http.request or ssl.handshake.type == 1) and !(udp.port eq 1900) in wireshark to see initial HTTP and HTTPS traffic. We see that two images are downloaded:

GET /NothingSus/duck.png HTTP/1.1
GET /NothingSus/evil_duck.png HTTP/1.1

We can extract these images from the PCAP file by going to File > Export Objects > HTTP and choosing "Save All".

The evil_duck.png image is much larger than duck.png yet appears to be of lower quality indicating that something is hidden inside of it. However, using tools such as steghide and zsteg reveals nothing.

Let's go back to the PCAP file because there is a lot of traffic that we ignored. We can use the same filter as before and then create columns for Host and Server Name using so we can easily see what websites the user visited. HTTPS hides the content and exact location of the request but it does not hide the server name.

The user searches something on Google, goes to /NonthingSus on an AWS instance, visits GitHub, goes to docs.microsoft.com, gets the evil_duck.png image from the AWS instance, logins in to Micosoft Teams, and finally goes to powershell.org.

I tried a lot of searching on GitHub and looking around on the Microsoft documentation (I even found the source of the image in the ), but what succeeded was a search for "powershell steganography" which revealed the GitHub repository. This PowerShell script encodes a different PowerShell script in the pixels of a PNG file. The least significant 4 bits of 2 color values in each pixel are used to hold the payload. While we could write a script to extract this information, I used , which I found from the aforementioned search. The executable that provides is in this directory: .

We can open the evil_duck.png image in the program to get the following output:

$out = "flag.txt"
$enc = [system.Text.Encoding]::UTF8
$string1 = "HEYWherE(IS_tNE)50uP?^DId_YOu(]E@t*mY_3RD()B2g3l?"
$string2 = "8,:8+14>Fx0l+$*KjVD>[o*.;+1|*[n&2G^201l&,Mv+_'T_B"

$data1 = $enc.GetBytes($string1)
$bytes = $enc.GetBytes($string2)

for($i=0; $i -lt $bytes.count ; $i++)
{
    $bytes[$i] = $bytes[$i] -bxor $data1[$i]
}
[System.IO.File]::WriteAllBytes("$out", $bytes)

This script xors the bytes of string1 with string2 to get the flag.

Pasting this output into PowerShell creates a file called flag.txt with the flag in it.

Flag

picoCTF{n1c3_job_f1nd1ng_th3_s3cr3t_in_the_im@g3}

Solution

We can use this filter (http.request or ssl.handshake.type == 1) and !(udp.port eq 1900) in wireshark to see initial HTTP and HTTPS traffic. We see that two images are downloaded:

GET /NothingSus/duck.png HTTP/1.1
GET /NothingSus/evil_duck.png HTTP/1.1

We can extract these images from the PCAP file by going to File > Export Objects > HTTP and choosing "Save All".

We can open the evil_duck.png image in the program to get the following output:

$out = "flag.txt"
$enc = [system.Text.Encoding]::UTF8
$string1 = "HEYWherE(IS_tNE)50uP?^DId_YOu(]E@t*mY_3RD()B2g3l?"
$string2 = "8,:8+14>Fx0l+$*KjVD>[o*.;+1|*[n&2G^201l&,Mv+_'T_B"

$data1 = $enc.GetBytes($string1)
$bytes = $enc.GetBytes($string2)

for($i=0; $i -lt $bytes.count ; $i++)
{
    $bytes[$i] = $bytes[$i] -bxor $data1[$i]
}
[System.IO.File]::WriteAllBytes("$out", $bytes)

This script xors the bytes of string1 with string2 to get the flag.

Pasting this output into PowerShell creates a file called flag.txt with the flag in it.

Flag

picoCTF{n1c3_job_f1nd1ng_th3_s3cr3t_in_the_im@g3}

Very very very Hidden

Very very very Hidden

Problem

Solution

Flag

Problem

Solution

Flag