JerseyCTF: Crypto: StegAESaurus

This is for the JerseyCTF

For this challenge, we were given the following information and files:

flag.txt:

51cacb88d7b1aa22418817b8b64962c5a39b6469e9b5a2e10d4ffb65c8cbbff04afe10d71da8ea1a29efd5118e1bd542

IGotTheKeys.wav:

PartofKey.jpg:

AlsoPartofKey.gif:

To begin with… I assume the flag.txt is the hex of the flag encrypted using AES.

I go to work on analyzing the wav file and based on previous experience it sounds lie there may be hidden data in the sound itself. I need to look at the spectrogram. I import it into Audacity and take a look:

I see the hidden message is “ECB”, which is the Electronic Codebook mode of decryption.

Next I analyze the PartofKey.jpg image. Looking at the Exif data (metadata) of the picture, I see the image has a copyright of “Bases of Eight” and a comment with the value:

66 64 71 63 64 142 63 66 142 67 145 70 146 146 60 144

This looks like octal and the hint cements that assumption. A quick conversion to ASCII:

This gives me a 16 character hex value:

64934b36b7e8ff0d

Next, I look at the gif. Watching it loop, I see a quick blip on one of the frames, so I decide to split it into individual frames to get a better look:

I see some text. After trying the usual decoding (base64) of strings like this, I realize the actual name of the gif might yield a hint… AlsoPartofKey58.gif

This might be base58 encoded:

This gives me another 16 character hex string:

918fcbd005bcaf7a

I think I have what I need to decrypt. I tried several online tools and Linux terminal commands, but found a site with the options I need.

For AES256, the key needs to be 32 characters long. I input the encrypted flag, mark it as hex, choose AES with ECB, combine and enter the two 16 character hex strings I collected from the images “918fcbd005bcaf7a64934b36b7e8ff0d”, and select mark the key as hex:

And I click Decrypt to get the flag:

jctf{cr4ck1ng_clus73rs0f_cryp70}