[picoCTF] CanYouSee

This one from picoCTF was fairly easy, so I was unsure about uploading it. However, there was a part that I wasn’t familiar with, and I learned something new. So, why not?


Description

How about some hide and seek?


As usual, I started by downloading the provided file to my local machine by using the wget command.

 1──(kali㉿kali)-[~/Desktop/pico]
 2└─$ wget https://artifacts.picoctf.net/c_titan/128/unknown.zip
 3--2024-07-09 16:33:45--  https://artifacts.picoctf.net/c_titan/128/unknown.zip
 4Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 54.230.253.65, 54.230.253.91, 54.230.253.20, ...
 5Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|54.230.253.65|:443... connected.
 6HTTP request sent, awaiting response... 200 OK
 7Length: 2252108 (2.1M) [application/octet-stream]
 8Saving to: ‘unknown.zip’
 9
10unknown.zip                            100%[============================================================================>]   2.15M  11.2MB/s    in 0.2s
11
122024-07-09 16:33:47 (11.2 MB/s) - ‘unknown.zip’ saved [2252108/2252108]
13
14
15┌──(kali㉿kali)-[~/Desktop/pico]
16└─$ ls
17unknown.zip

Unzipped the unknown.zip file.

1┌──(kali㉿kali)-[~/Desktop/pico]
2└─$ unzip unknown.zip
3Archive:  unknown.zip
4  inflating: ukn_reality.jpg
5
6┌──(kali㉿kali)-[~/Desktop/pico]
7└─$ ls
8ukn_reality.jpg  unknown.zip

Inside the zip file, there was a .jpg file named ukn_reality.jpg and it looked like the following:

alt text


Since this was the only file given to me, I knew I had to look up the file’s info to capture the flag. So the first thing I tried was to run a file command. However, nothing useful was found.

1┌──(kali㉿kali)-[~/Desktop/pico]
2└─$ file ukn_reality.jpg
3ukn_reality.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 4308x2875, components 3

Then I asked chatGPT for ways to view information about an image and it provided some commonly used methods:

  1. file command
  2. identify from ImageMagick
  3. exiftool
  4. exiv2

I further looked into the commands and thought the exiftool would give me the most information about the image.

 1┌──(kali㉿kali)-[~/Desktop/pico]
 2└─$ exiftool ukn_reality.jpg
 3ExifTool Version Number         : 12.76
 4File Name                       : ukn_reality.jpg
 5Directory                       : .
 6File Size                       : 2.3 MB
 7File Modification Date/Time     : 2024:03:11 20:05:51-04:00
 8File Access Date/Time           : 2024:07:09 16:33:57-04:00
 9File Inode Change Date/Time     : 2024:07:09 16:33:51-04:00
10File Permissions                : -rw-r--r--
11File Type                       : JPEG
12File Type Extension             : jpg
13MIME Type                       : image/jpeg
14JFIF Version                    : 1.01
15Resolution Unit                 : inches
16X Resolution                    : 72
17Y Resolution                    : 72
18XMP Toolkit                     : Image::ExifTool 11.88
19Attribution URL                 : cGljb0NURntNRTc0RDQ3QV9ISUREM05fM2I5MjA5YTJ9Cg==
20Image Width                     : 4308
21Image Height                    : 2875
22Encoding Process                : Baseline DCT, Huffman coding
23Bits Per Sample                 : 8
24Color Components                : 3
25Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
26Image Size                      : 4308x2875
27Megapixels                      : 12.4

If you look closely the value for Attribution URL is not in the expected form. It looks like it’s encoded or hashed. I tried decoding the given URL with the base64 command.

1┌──(kali㉿kali)-[~/Desktop/pico]
2└─$ echo cGljb0NURntNRTc0RDQ3QV9ISUREM05fM2I5MjA5YTJ9Cg== | base64 -d
3picoCTF{ME74D47A_HIDD3N_3b9209a2}

And we got the flag!

flag: picoCTF{ME74D47A_HIDD3N_3b9209a2}

#picoCTF