This is for the JerseyCTF
For this challenge, we were given the following information and files:
flag.txt:
51cacb88d7b1aa22418817b8b64962c5a39b6469e9b5a2e10d4ffb65c8cbbff04afe10d71da8ea1a29efd5118e1bd542
IGotTheKeys.wav:
PartofKey.jpg:
AlsoPartofKey.gif:
To begin with… I assume the flag.txt is the hex of the flag encrypted using AES.
I go to work on analyzing the wav file and based on previous experience it sounds lie there may be hidden data in the sound itself. I need to look at the spectrogram. I import it into Audacity and take a look:
I see the hidden message is “ECB”, which is the Electronic Codebook mode of decryption.
Next I analyze the PartofKey.jpg image. Looking at the Exif data (metadata) of the picture, I see the image has a copyright of “Bases of Eight” and a comment with the value:
66 64 71 63 64 142 63 66 142 67 145 70 146 146 60 144
This looks like octal and the hint cements that assumption. A quick conversion to ASCII:
This gives me a 16 character hex value:
64934b36b7e8ff0d
Next, I look at the gif. Watching it loop, I see a quick blip on one of the frames, so I decide to split it into individual frames to get a better look:
I see some text. After trying the usual decoding (base64) of strings like this, I realize the actual name of the gif might yield a hint… AlsoPartofKey58.gif
This might be base58 encoded:
This gives me another 16 character hex string:
918fcbd005bcaf7a
I think I have what I need to decrypt. I tried several online tools and Linux terminal commands, but found a site with the options I need.
For AES256, the key needs to be 32 characters long. I input the encrypted flag, mark it as hex, choose AES with ECB, combine and enter the two 16 character hex strings I collected from the images “918fcbd005bcaf7a64934b36b7e8ff0d”, and select mark the key as hex:
And I click Decrypt to get the flag:
jctf{cr4ck1ng_clus73rs0f_cryp70}