DeadPixelSec Image Challenge 2021

·4 mins

Background #

This was a one off challenge that was posted in the DeadPixelSec discord. There was some sweet prizes generously donated by an anonymous community member.

For the challenge we are provided a link to the following google drive file

It contains the following image. Just for some fun background, this is from the movie “Sneakers” which is a hacker classic. In this specific scene they are examining some secret NSA tool that can supposedly “crack all encryption”. Love the theme <3


File Information #

  • SHA256 Sum (For comparisons sake)

6fcbb1d8c94d2cdd6384d73945cddcc5c9b09d1eee68c16ec5eda4755984a76f whistler.jpg

  • Exif Data Output
[email protected]:~$ exiftool whistler.jpg
ExifTool Version Number         : 10.80
File Name                       : whistler.jpg
Directory                       : .
File Size                       : 37 kB
File Modification Date/Time     : 2021:06:03 15:46:55+00:00
File Access Date/Time           : 2021:06:03 15:47:09+00:00
File Inode Change Date/Time     : 2021:06:03 15:46:55+00:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 620
Image Height                    : 349
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 620x349
Megapixels                      : 0.216
  • Binwalk output
[email protected]:~$ binwalk whistler.jpg
0             0x0             JPEG image data, JFIF standard 1.01

Steganography #

After checking through binwalk and exiftool, there isn’t anything that sticks out. This most likely means that there is some sort of steganography at play here.

With that in mind, the first thing I always check is steghide. It is an incredibly powerful tool that allows the user to embed files into JPGs, WAVs, etc. The syntax for it is pretty self explanatory and for a more detailed explanation hit up the man page. But for this problem…

  • steghide just calling the cool
  • extract extract a hidden file from the source file
  • -sf specify the source file (original file) you want to extract from
  • whistler.jpg the name of the source file
[email protected]:~$ steghide extract -sf whistler.jpg
Enter passphrase:
wrote extracted data to "2e53686172652e20456475636174652e2042652e.txt".

Just my luck, steghide worked! One of the quirks of steghide is that sometimes it will prompt for a password even if there isn’t one, so you can just hit enter and it will try and extract the information (like this case). We can see there was a .txt file produced with a weird name.

The filename is actually hex which decodes to “.Share. Educate. Be.”. <3

Let’s look into what this file actually is using cat. From the looks of it this is some base64 encoded somethin'. The dead giveaway is that there is an = at the end, which in base64 (and other encoding algorithms), is used for padding.

[email protected]:~$ cat 2e53686172652e20456475636174652e2042652e.txt

Since we have the base64 gunk, we need to decode it to see what’s going on here! Luckily for us, encoding ≠ encryption, so the process is very easily reversible. There’s actually a tool built right into Linux that can do this for us very easily (there are also a million decoders avaliable online as well). To breakdown this command, we are just reading the file with cat, and then piping (redirecting the output) to the base64 tool with the -d parameter which specifies decode.

[email protected]:~$ cat 2e53686172652e20456475636174652e2042652e.txt | base64 -d
$ljDAp  = ")''nIOj-]2,11,3[emAn.)'*RDM*' vg((& | )43]rAHC[,'LOh'  EcaLPERc-29]
rAHC[,'1km'ECalpER-)'tx'+'t.galf1'+'kmpmt'+'1k'+'m:c'+' > LOh}l'+'zbabegfn_g'+'
pr'+'gr'+'f{:t'+'n'+'ysLO'+'h'(("; . ((Gv '*mDr*').NAME[3,11,2]-jOin'')
 ([StrinG]::jOiN( '' ,( vaRiablE ('ljd'+'ap')  -vaLU )[ - 1 .. - 
 	( ( vaRiablE ('ljd'+'ap')  -vaLU ).lEngth) ] ) )

Interesting! We have what looks like some obfuscated powershell! The only reason I knew it was powershell was the weird syntactic things I don’t see commonly in other languages (e.g [String]::join(...).

Now… I don’t know powershell, and I really don’t want to fix mangled powershell. Luckily for me, I don’t need to! In my quest to not have to reverse this, I figured “hey, this obfuscated code must work somehow without human interaction, can’t i just run it? \O_O/”.

As it turns out, we can just run it! On Windows I opened up a powershell session and just copy pasted the obfuscated code into the interpreter.

PS C:\Users\birch\Downloads> $ljDAp  = ")''nIOj-]2,11,3[emAn.)'RDM' vg((& | )43]rAHC[,'LOh'  EcaLPERc-29]rAHC[,'1km'ECalpER-)'tx'+'t.galf1'+'kmpmt'+'1k'+'m:c'+' > LOh}l'+'zbabegfn_g'+'pr'+'gr'+'f{:t'+'n'+'ysLO'+'h'(("; . ((Gv 'mDr').NAME[3,11,2]-jOin'') ([StrinG]::jOiN( '' ,( vaRiablE ('ljd'+'ap')  -vaLU )[ - 1 .. - ( ( vaRiablE ('ljd'+'ap')  -vaLU ).lEngth) ] ) )
out-file : Could not find a part of the path 'C:\tmp\flag.txt'.
At line:1 char:1
+ "synt:{frgrpg_nfgebabzl}" > c:\tmp\flag.txt <==== OOOOOOO FLAG MAYB???????
+ ~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Out-File], DirectoryNotFoundException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

We got an error (boo) but we can see it tried to save a string to c:\tmp\flag.txt and it looks like it’s in the format that was given for the flag. The letters don’t seem to repeat in an unrealistic way, so we should try out some basic encryption schemes. First one to always go after is ROTXX (most commonly ROT13).

Awoogah, we have our flag!