This one from picoCTF was fairly easy, so I was unsure about uploading it. However, there was a part that I wasn’t familiar with, and I learned something new. So, why not?
Description
How about some hide and seek?
As usual, I started by downloading the provided file to my local machine by using the wget command.
┌──(kali㉿kali)-[~/Desktop/pico]
└─$ wget https://artifacts.picoctf.net/c_titan/128/unknown.zip
--2024-07-09 16:33:45-- https://artifacts.picoctf.net/c_titan/128/unknown.zip
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 54.230.253.65, 54.230.253.91, 54.230.253.20, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|54.230.253.65|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2252108 (2.1M) [application/octet-stream]
Saving to: ‘unknown.zip’

unknown.zip 100%[============================================================================>] 2.15M 11.2MB/s in 0.2s

2024-07-09 16:33:47 (11.2 MB/s) - ‘unknown.zip’ saved [2252108/2252108]


┌──(kali㉿kali)-[~/Desktop/pico]
└─$ ls
unknown.zip
Unzipped the unknown.zip file.
┌──(kali㉿kali)-[~/Desktop/pico]
└─$ unzip unknown.zip
Archive: unknown.zip
 inflating: ukn_reality.jpg

┌──(kali㉿kali)-[~/Desktop/pico]
└─$ ls
ukn_reality.jpg unknown.zip
Inside the zip file, there was a .jpg file named ukn_reality.jpg and it looked like the following:
Since this was the only file given to me, I knew I had to look up the file’s info to capture the flag. So the first thing I tried was to run a file command. However, nothing useful was found.
┌──(kali㉿kali)-[~/Desktop/pico]
└─$ file ukn_reality.jpg
ukn_reality.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 4308x2875, components 3
Then I asked ChatGPT for ways to view information about an image and it provided some commonly used methods:
file command
identify from ImageMagick
exiftool
exiv2
I further looked into the commands and thought the exiftool would give me the most information about the image.
┌──(kali㉿kali)-[~/Desktop/pico]
└─$ exiftool ukn_reality.jpg
ExifTool Version Number : 12.76
File Name : ukn_reality.jpg
Directory : .
File Size : 2.3 MB
File Modification Date/Time : 2024:03:11 20:05:51-04:00
File Access Date/Time : 2024:07:09 16:33:57-04:00
File Inode Change Date/Time : 2024:07:09 16:33:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
XMP Toolkit : Image::ExifTool 11.88
Attribution URL : cGljb0NURntNRTc0RDQ3QV9ISUREM05fM2I5MjA5YTJ9Cg==
Image Width : 4308
Image Height : 2875
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 4308x2875
Megapixels : 12.4
If you look closely, the value for Attribution URL is not in the expected form. It looks like it’s encoded or hashed. I tried decoding the given URL with the base64 command.
┌──(kali㉿kali)-[~/Desktop/pico]
└─$ echo cGljb0NURntNRTc0RDQ3QV9ISUREM05fM2I5MjA5YTJ9Cg== | base64 -d
picoCTF{ME74D47A_HIDD3N_3b9209a2}
And we got the flag!
flag: picoCTF{ME74D47A_HIDD3N_3b9209a2}
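The manual steps above (dump the metadata, spot a value that does not look like what the field should hold, base64-decode it) can be automated when screening images for text tucked into metadata. The following is an added example, not part of the original write-up: it walks a JPEG's header segments and reports base64 runs that decode to printable ASCII. The function names, the 16-character threshold and the sample file are assumptions made for illustration.

```python
import base64
import re
import struct

B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")  # 16-char minimum is an assumption

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment, stopping at scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_encoded_metadata(data):
    """Return (marker, token, text) for base64 runs that decode to printable ASCII."""
    hits = []
    for marker, payload in jpeg_segments(data):
        for match in B64_RE.finditer(payload):
            token = match.group()
            try:
                text = base64.b64decode(token, validate=True).decode("ascii").strip()
            except ValueError:  # bad padding/alphabet, or result is not ASCII
                continue
            if text and text.isprintable():
                hits.append((marker, token.decode(), text))
    return hits

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not the challenge file): JFIF segment plus an XMP packet.
SAMPLE_TOKEN = base64.b64encode(b"constructed-sample-value\n")
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
    + _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
               b"<rdf:Description cc:attributionURL='" + SAMPLE_TOKEN + b"'/></x:xmpmeta>")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for marker, token, text in find_encoded_metadata(SAMPLE_JPEG):
        print(f"APP{marker - 0xE0}: {token} -> {text}")
```

Only segments before the start-of-scan marker are inspected, so data appended after the image or hidden in pixel values is out of scope for this check.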