Waseem Akram

Steganography for Beginners - Data Hiding Techniques 🔐

By Waseem Akram on 2/7/2019

Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection; the secret data is then extracted at its destination... The word steganography is derived from the Greek words steganos (meaning hidden or covered) and the Greek root graph (meaning to write) - Wikipedia.

In this post, we are going to describe solutions to the KRACK-JIIT CTF 2019, organized by JIIT Open Dev Circle (jodc). This was a very interesting and beginner-friendly capture-the-flag event.

capture_Vietnam — Packets

Challenge Description: We sniffed some packets on the traffic. Who knows what you'll find.

Type: flag

Category: Easy

Point: 50

Solution: The challenge provides a packet capture, so the flag should be somewhere in the pcap. Opening the dump in Wireshark shows only 31 packets, few enough to step through one by one.

Around the fourth or fifth packet we see a login with the username Jerry and the password saymynameheisenberg.

The password is our flag.

Flag: KJ_CTF{saymynameheisenberg}

capture_Romania — Amnesic

Challenge Description: Information privacy, or data privacy, is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.

Type: flag

Category: Easy

Point: 50

Solution: We were given amnesic.txt, which would not open in a text editor; our first guess was that it was not a text file at all.

Running "file amnesic.txt" told us it was an image file. Renaming it to amnesic.jpeg gives us a viewable image.

Running binwalk -e amnesic.jpeg extracts any known file types embedded in the image; this gave us tor/secret.txt, which holds the flag.

FLAG: KJ_FLAG{3984G43GF43873897875GF4UI5ERIUVB7GVIGBIVBIUEB7GEV487}
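To show what file and binwalk are doing under the hood, here is an added example (mine, not part of the original writeup and not binwalk's own code): it identifies a blob by its leading magic bytes, scans every offset for known signatures, and carves out an embedded zip the way binwalk -e would. The signature table is a small constructed subset, and the sample "image" (a JPEG-looking header with a zip holding secret.txt appended) is built inside the script to mimic the amnesic.txt challenge file.

```python
import io
import zipfile

# Constructed signature table (name, magic bytes). binwalk's real table is far larger;
# these entries cover the file types that turn up in this writeup.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("gzip", b"\x1f\x8b\x08"),
]


def identify(data: bytes) -> str:
    """What `file` does in miniature: match the leading bytes against known magics."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def find_embedded(data: bytes):
    """What `binwalk` does in miniature: report every offset where a known magic appears."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def extract_embedded_zip(data: bytes) -> dict:
    """Carve the first embedded zip (from its signature to the end of the blob) and
    return its members, roughly what `binwalk -e` does before calling an extractor."""
    zip_offsets = [off for off, name in find_embedded(data) if name == "zip"]
    if not zip_offsets:
        return {}
    with zipfile.ZipFile(io.BytesIO(data[zip_offsets[0]:])) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample_image() -> bytes:
    """Constructed test input: a JPEG-looking header followed by a zip holding secret.txt."""
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32   # 43 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        # fixed timestamp keeps the zip bytes deterministic
        info = zipfile.ZipInfo("secret.txt", date_time=(2019, 2, 7, 0, 0, 0))
        zf.writestr(info, b"KJ_FLAG{constructed_sample_flag}")
    return header + buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_image()
    print("file says:", identify(blob))
    for offset, name in find_embedded(blob):
        print(f"0x{offset:06x}  {name}")
    for name, content in extract_embedded_zip(blob).items():
        print(name, "->", content.decode())
```

The signature scan is deliberately naive (it reports every match, including false positives in random data), which is exactly why binwalk output for a real image usually needs a human to pick the plausible hits.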

capture_Poland — Hexadecimal

Challenge Description: This will be really fun for you as well. You have a hex encoded string XOR'd against a single character. Find the key, decrypt the message.

NOTE Flag looks like KJ_CTF{ here-is-your-key }

Type: flag

Category: Easy

Point: 50

Ciphertext:

2e2f3a2631231e1c2a10450d241320452445022a0a2145210c06112c0a0b24171c18

Solution: The ciphertext is a hex encoded string, and the description tells us it was produced by XORing every byte of the plaintext with the same single-byte key. Consider this worked example first:

plaintext

53454352455420444154412057452057414e5420544f20454e4352595054

xor

4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b

ciphertext

180e08190e1f6b0f0a1f0a6b1c0e6b1c0a051f6b1f046b0e050819121b1f

Here every plaintext byte is XORed with 0x4b, the letter K, so recovering that one byte recovers the key, and the same key decrypts the rest of the string. For the challenge we simply try all 256 possible key bytes and keep the candidate that contains the flag prefix:

exploit.py

import binascii

print("ENTER THE STRING")
input_string = input()                         # hex-encoded ciphertext (Python 3: input(), not raw_input())
ciphertext = binascii.unhexlify(input_string)  # bytes, so each element is already an int
for key in range(256):                         # try every single-byte key, 0x00 to 0xff
    candidate = "".join(chr(byte ^ key) for byte in ciphertext)
    if "KJ_CTF{" in candidate:                 # the flag prefix identifies the right key
        print(candidate)

Flag: KJ_CTF{yOu hAvE A gOoD DictIonAry}
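exploit.py only works because we know the plaintext contains KJ_CTF{. The added example below (mine, not the author's script) generalises the same brute force: it scores all 256 candidate decryptions by English letter frequency, so it recovers the key even without a known prefix, and can optionally require a crib. The frequency table is an assumed approximation; the two ciphertexts are the worked example and the challenge string from above.

```python
import binascii
import string

# Inputs taken from the writeup above: the worked example (key 'K') and the challenge ciphertext.
EXAMPLE_CT = "180e08190e1f6b0f0a1f0a6b1c0e6b1c0a051f6b1f046b0e050819121b1f"
CHALLENGE_CT = "2e2f3a2631231e1c2a10450d241320452445022a0a2145210c06112c0a0b24171c18"

# Approximate English letter and space frequencies (percent); assumed values used only for scoring.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0, "h": 6.1,
    "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7, "o": 7.5, "p": 1.9,
    "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8, "v": 0.98, "w": 2.4, "x": 0.15,
    "y": 2.0, "z": 0.074, " ": 13.0,
}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte; decryption is the same operation as encryption."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> float:
    """Sum letter frequencies (case-insensitive); punish bytes that are not printable ASCII."""
    score = 0.0
    for b in candidate:
        ch = chr(b).lower()
        if ch in ENGLISH_FREQ:
            score += ENGLISH_FREQ[ch]
        elif chr(b) not in string.printable:
            score -= 50.0
    return score


def rank_keys(ciphertext_hex: str):
    """Try all 256 keys and return [(key, plaintext)], best-scoring first."""
    ct = binascii.unhexlify(ciphertext_hex)
    candidates = [(key, xor_single_byte(ct, key)) for key in range(256)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)


def recover(ciphertext_hex: str, crib: bytes = None):
    """Return (key, plaintext): the best-scoring candidate, or the best one containing the crib."""
    for key, pt in rank_keys(ciphertext_hex):
        if crib is None or crib in pt:
            return key, pt
    raise ValueError("no candidate contains the crib")


if __name__ == "__main__":
    for label, ct in (("worked example", EXAMPLE_CT), ("challenge", CHALLENGE_CT)):
        key, pt = recover(ct)
        print(f"{label}: key=0x{key:02x} ({chr(key)!r}) -> {pt.decode('ascii', 'replace')}")
```

On the worked example the scorer picks 0x4b (K); on the challenge string it picks 0x65 (e), which yields the flag without ever being told the KJ_CTF{ prefix. The heavy penalty for non-printable bytes is what separates the right key from keys that differ only in the 0x20 bit (which turns spaces into NUL bytes).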

capture_Mali — Bang Bang!

Challenge Description: NOTE Flag looks like KJ_CTF{ here-is-your-key }

Type: flag

Category: Easy

Point: 50

Solution: The URL in the challenge description led to a router login portal.

Experience with login forms says to try the default credentials first.

user: admin
password: admin

and we got the flag.

Flag: KJ_CTF{gG_wP_so_thiCcK}

capture_Greece — Decipher

Challenge Description: NOTE Flag looks like KJ_CTF{ here-is-your-key }

Type: flag

Category: Easy

Point: 50

Solution: enc.txt contained only jumbled text; neither the key nor the algorithm was given.

Our first guesses were Base64 encoding, a Caesar cipher or ROT13.

The ciphertext contained non-alphanumeric characters and had no = padding at the end, which ruled Base64 out.

We tried all 26 Caesar shifts, but none of the outputs looked meaningful.

Decoding with ROT13 gives what looks like more meaningless text, but searching it for KJ_CTF turns up the flag.

Flag — KJ_CTF{crypto_first_flag}
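The "search for KJ_CTF" step can be done for all 26 shifts at once, which is what the added example below does (my code, not the author's; the ciphertext is a constructed ROT13 of a made-up sentence wrapping the flag from this challenge, since the original enc.txt is not reproduced in the post). It also shows ROT13 for what it is: a Caesar shift of 13, which undoes itself.

```python
# Constructed ciphertext: ROT13 of "the quick brown fox says KJ_CTF{crypto_first_flag} and runs away".
SAMPLE_CT = "gur dhvpx oebja sbk fnlf XW_PGS{pelcgb_svefg_synt} naq ehaf njnl"


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; digits, _ { } and spaces pass through unchanged."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the Caesar shift by 13; applying it twice returns the input."""
    return caesar_shift(text, 13)


def find_flag(ciphertext: str, marker: str = "KJ_CTF{"):
    """Try all 26 shifts; return (shift, flag) for the first output containing the marker, else None.
    Non-letter characters are untouched by the cipher, so the _ and {} of the flag survive any shift."""
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        start = candidate.find(marker)
        if start != -1:
            end = candidate.find("}", start)
            return shift, candidate[start:end + 1]
    return None


if __name__ == "__main__":
    print(rot13(SAMPLE_CT))
    print(find_flag(SAMPLE_CT))
```

Because only the letters move, the flag's braces and underscore are visible in every candidate; what the search keys on is the letters of the prefix lining up, which happens for exactly one shift.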

capture_Croatia — Last Challenge

Challenge Description:

Cipher1: TGFzdCBjaGFsbGVuZ2Ugb2YgS1JBQ0stSklJVC0xLjAg
Plain1: Last challenge of KRACK-JIIT-1.0
Cipher2: VEhBTksgWU9VIEZPUiBQTEFZSU5H
Plain2: THANK YOU FOR PLAYING
Cipher3: S0otQ1RGe0tJTkRMWU1BSUxZT1VSRkVFREJBQ0tUT0FOS0s5OEBHTUFJTC5DT019

Plain: flag

Note: It is the easiest challenge.

Type: flag

Category: Easy

Point: 50

Solution: As the note says this is the easiest challenge, we simply base64-decoded the third ciphertext to plain text.

PS: none of the base64 strings here have = padding at the end.

Flag: KJ-CTF{KINDLYMAILYOURFEEDBACKTOANKK98@GMAIL.COM}
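Missing = padding trips up strict decoders, so here is an added example (mine, not from the post) of a decoder that restores it before calling the standard library, run over the three ciphertexts above. The three given strings happen to be whole groups of four characters, so they never needed padding in the first place; the fourth input, a constructed base64 of KJ_CTF{ with its two = characters stripped, is the case that actually fails without the fix.

```python
import base64
import binascii

# The three ciphertexts from the challenge description above.
CIPHER1 = "TGFzdCBjaGFsbGVuZ2Ugb2YgS1JBQ0stSklJVC0xLjAg"
CIPHER2 = "VEhBTksgWU9VIEZPUiBQTEFZSU5H"
CIPHER3 = "S0otQ1RGe0tJTkRMWU1BSUxZT1VSRkVFREJBQ0tUT0FOS0s5OEBHTUFJTC5DT019"
# Constructed: base64 of b"KJ_CTF{" ("S0pfQ1RGew==") with the padding stripped.
UNPADDED = "S0pfQ1RGew"


def b64decode_lenient(text: str) -> bytes:
    """Decode standard or URL-safe base64 whether or not the trailing '=' padding was kept.

    Base64 emits 4 characters per 3 input bytes, so a padded string's length is always a
    multiple of 4; appending (-len % 4) '=' characters restores whatever was stripped."""
    cleaned = "".join(text.split())                        # drop whitespace and newlines
    cleaned = cleaned.replace("-", "+").replace("_", "/")  # accept the URL-safe alphabet too
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def strict_decode_fails(text: str) -> bool:
    """True if the standard library rejects the string as-is (for example, missing padding)."""
    try:
        base64.b64decode(text, validate=True)
        return False
    except binascii.Error:
        return True


if __name__ == "__main__":
    for label, s in (("Cipher1", CIPHER1), ("Cipher2", CIPHER2), ("Cipher3", CIPHER3), ("unpadded", UNPADDED)):
        print(f"{label}: strict fails={strict_decode_fails(s)} -> {b64decode_lenient(s)!r}")
```

validate=True is kept on purpose: it makes the decoder reject characters outside the alphabet instead of silently skipping them, which is the behaviour you want when deciding whether an unknown blob is base64 at all.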

capture_Chile — Decode it

Challenge Description: The author who made this Question Hates JS.

NOTE Flag looks like KJ_CTF{ here-is-your-key }

Type: flag

Category: Easy

Point: 50

Solution: The given ciphertext is base64 encoded (it has = padding at the end).

Decoding it gives us a program written in JSFuck, fitting the hint that the author hates JS.

(image: jsfuck_code.png)

PS: We identified JSFuck by googling "[][(![]+[]) JS".

You can then run the code in a JS console or on jsfuck.com to get an alert with the flag.

Flag: KJ_JIIT{well_js_really_sucks}

capture_Azerbaijan — In the front of you.

Challenge Description: Find the flag out of the image herewith

Type: flag

Category: Medium

Point: 100

(image: BBB.jpg)

Solution: Viewing the image gave no hints; it was solid red.

Extracting the strings from the image turned up nothing.

Binwalk found no flag either.

Finally, checking the metadata of the image, we got the flag.

The metadata of an image can be checked with exiftool on Linux, or with one of the various online metadata viewers.

Here is the website I used: http://metapicz.com/#landing

Flag — KJ_CTF{h3R3_1_4M}
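exiftool reads image metadata out of the JPEG's APPn and COM segments. As an added example (mine, not part of the post and not exiftool's code), the script below walks the segment headers before the scan data and dumps the printable text from those segments, which is enough to spot an ASCII flag stored in a comment. The sample JPEG is constructed in the script with a COM segment holding a made-up flag; it does not parse EXIF's TIFF/IFD tags, so on a real file it shows raw text rather than named fields.

```python
import re
import struct


def walk_jpeg_segments(data: bytes):
    """Return [(marker, payload)] for every segment up to Start Of Scan (0xDA).

    Each segment is FF <marker> <16-bit big-endian length> <payload>, the length covering itself.
    Metadata (APP0-APP15, COM) always precedes SOS, so stopping there is safe."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    segments = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: no more metadata segments
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments


def extract_text_metadata(data: bytes):
    """Printable text from COM (0xFE) and APPn (0xE0-0xEF) segments, one entry per segment."""
    found = []
    for marker, payload in walk_jpeg_segments(data):
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
            found.append((marker, text))
    return found


def find_flag_strings(data: bytes, prefix: str = "KJ_CTF{"):
    """Flag-shaped strings found anywhere in the metadata text."""
    pattern = re.escape(prefix) + r"[^}]*\}"
    return [m for _, text in extract_text_metadata(data) for m in re.findall(pattern, text)]


def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed input: SOI, a JFIF APP0 segment, a COM segment, a stub SOS, EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    return b"\xff\xd8" + app0 + com + sos + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(b"KJ_CTF{constructed_comment}")
    for marker, text in extract_text_metadata(sample):
        print(f"segment 0x{marker:02x}: {text}")
    print("flags:", find_flag_strings(sample))
```

The same walker is a quick sanity check on any suspicious image: an unexpectedly large APP segment or a long comment is worth a closer look regardless of whether it contains a flag.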

capture_Egypt — Read it again

Type: flag

Category: Easy

Point: 50

Solution: After opening the flag.pdf file, we noticed "Can you krack it?" was written in text.

After converting flag.pdf to text we noticed this:

which hinted that some kind of file is embedded inside the pdf.

We tried the popular steghide tool, with no success.

After a few minutes the tool qpdf came to mind; it is widely used by CTF players for pdf-related challenges. Its --qdf mode rewrites the PDF in a readable form, and --object-streams=disable unpacks the object streams so that embedded data becomes visible to binwalk.

qpdf --qdf --object-streams=disable flag.pdf out.pdf
binwalk -Me out.pdf

Flag: KJ_CTF{THISISKRACKJIIT}

capture_Turkmenistan — I am not what I look like

Type: flag

Category: Medium

Point: 100

Solution: After opening the challenge link we got a .gif file.

(image: iamnotwhatilooklike.gif)

The image looked like a QR code, but a colourful one.

This challenge took us less than 1 minute to crack.

I don't know why this challenge was in Medium Category. It was super easy.

Just open images.google.com and upload that image.

And after uploading that image we got the flag. SERIOUSLY WTF!!!!!!!!

It was "Hello, world!" written in the Piet programming language.

Flag: KJ_CTF{Hello, world!}

capture_Bolivia — Gotta Catch 'Em All!

Type: flag

Category: Medium

Point: 100

Solution: After opening the link we noticed that a sound was playing.

Checking the page source gave us the sound file.

I have solved a lot of these type of challenges before.

That sound was "morse code".

I remember when I was a kid, I visited the police station where my dad works and they showed me the machine which makes exactly that sound for communication between departments.

So we searched Google for "Morse sound to text converter" and uploaded the file to https://morsecode.scphillips.com/labs/audio-decoder-adaptive/

Result: PIKAPIKACHUU

That was the text in the sound file, but it was not the flag, and the admin value on the page was not editable. So we intercepted the request with Burp Suite.

We entered the decoded Morse text in the pass= parameter and forwarded the request.

The next page gave us the flag.

Flag: KJ_CTF{truST_iS_daNgeRs_G@me}

capture_Portugal — "Can you krack it?"

Challenge Description: In this challenge a password-protected zip file named "Krack-it.zip" was given.

Type: flag

Category: Easy

Points: 50

Solution: The challenge is categorised as easy, and between its name and the name of the zip file there is not much to think about: we have to crack the zip password to reveal the flag. The question was how. For this we used a tool called "fcrackzip" with rockyou.txt as the wordlist, since it is the most common wordlist used in CTFs.

SYNTAX:

fcrackzip -u -D -p 'rockyou.txt' 'krack-it.zip'

After which we got our flag!!!!

Flag: KJ_CTF{OWEI843TYINFO8HVNWR8Y43FIN3W48FINV3W89Y4FV43INV384V34WH983NO}

capture_Madagascar — "YouTube"

Challenge Description: In this challenge, we were provided a link and nothing more than that.

Type: flag

Category: Easy

Points: 50

Solution: The first thing we did was visit the link; it was a basic webpage with a Watch Me! link to a YouTube video.

But since we were playing a CTF, I thought: why not look at the source code of the website before enjoying some YouTube videos? And voila!!! we got our flag!!!

After that, I opened the video and guess what?? the link was of the trailer of the movie "Source Code".

Flag: KJ_CTF{n00bs_lOvees_b00}

capture_Honduras: "Recognize Me!"

Challenge Description: This challenge was categorised under Cryptography; the description was nothing more than the definition of cryptography. Other than that, an image was provided (can we call it a cipher?).

Link of the image: Google Drive

Type: flag

Category: Easy

Points: 50

Solution: The solution was easy as f@#k, but it was a tricky one (kind of!). After wasting my time trying to decode it, understand the cipher, try all sorts of steganography on the image and analyse it for compressed data, nothing worked. The reason: the text displayed in the image was not a cipher at all, it was the flag (-_-). (So the answer to my question is: hell no, it can't be called a ciphertext.)

Flag: KJ_CTF{aima0AiwahsidupaiToehoong1PhieruqueivahphieKah7uceetair9aiGae1eSsaedoo4becooShohhu8eifahXi7EJoh2gaephechei5chiP9}

Thanks for reading this post. If you like my work, you can support it by buying me a coffee. ☕️

Happy Hacking!!!
