JerseyCTF: Crypto: StegAESaurus

This is for the JerseyCTF

For this challenge, we were given the following information and files:

flag.txt:

51cacb88d7b1aa22418817b8b64962c5a39b6469e9b5a2e10d4ffb65c8cbbff04afe10d71da8ea1a29efd5118e1bd542

IGotTheKeys.wav:

PartofKey.jpg:

AlsoPartofKey.gif:

To begin with… I assume the flag.txt is the hex of the flag encrypted using AES.

I go to work on analyzing the wav file, and based on previous experience it sounds like there may be hidden data in the sound itself. I need to look at the spectrogram. I import it into Audacity and take a look:

I see the hidden message is “ECB”, which is the Electronic Codebook mode of decryption.

Next I analyze the PartofKey.jpg image. Looking at the Exif data (metadata) of the picture, I see the image has a copyright of “Bases of Eight” and a comment with the value:

66 64 71 63 64 142 63 66 142 67 145 70 146 146 60 144

This looks like octal and the hint cements that assumption. A quick conversion to ASCII:

This gives me a 16 character hex value:

64934b36b7e8ff0d

Next, I look at the gif. Watching it loop, I see a quick blip on one of the frames, so I decide to split it into individual frames to get a better look:

I see some text. After trying the usual decoding (base64) of strings like this, I realize the actual name of the gif might yield a hint… AlsoPartofKey58.gif

This might be base58 encoded:

This gives me another 16 character hex string:

918fcbd005bcaf7a

I think I have what I need to decrypt. I tried several online tools and Linux terminal commands, but found a site with the options I need.

For AES256, the key needs to be 32 characters long. I input the encrypted flag, mark it as hex, choose AES with ECB, combine and enter the two 16 character hex strings I collected from the images, “918fcbd005bcaf7a64934b36b7e8ff0d”, and mark the key as hex:

And I click Decrypt to get the flag:

jctf{cr4ck1ng_clus73rs0f_cryp70}
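
Added example (not part of the original write-up): a Python check that rebuilds the key text from the two image clues and reports which AES key size each reading of that 32-character string selects, since 32 hex characters entered as hex are 16 bytes (AES-128) while the same characters entered as text are 32 bytes (AES-256). The function names are this example's own, and it does not perform the decryption.

```python
import string

# Values copied from the write-up above.
CIPHERTEXT_HEX = ("51cacb88d7b1aa22418817b8b64962c5a39b6469e9b5a2e1"
                  "0d4ffb65c8cbbff04afe10d71da8ea1a29efd5118e1bd542")
EXIF_COMMENT = "66 64 71 63 64 142 63 66 142 67 145 70 146 146 60 144"
GIF_HALF = "918fcbd005bcaf7a"   # base58-decoded text from the GIF frame

AES_KEY_BYTES = {16: "AES-128", 24: "AES-192", 32: "AES-256"}


def decode_octal(comment):
    """Turn space-separated octal character codes into text."""
    text = "".join(chr(int(tok, 8)) for tok in comment.split())
    if not all(c in string.hexdigits for c in text):
        raise ValueError("decoded comment is not a hex string: %r" % text)
    return text


def key_candidates(key_text):
    """Return both readings of the key field and the AES size each selects."""
    as_hex = bytes.fromhex(key_text)       # key field marked as hex
    as_text = key_text.encode("ascii")     # key typed as plain characters
    return {
        "hex": (as_hex, AES_KEY_BYTES.get(len(as_hex))),
        "text": (as_text, AES_KEY_BYTES.get(len(as_text))),
    }


def ecb_blocks(ciphertext_hex, block=16):
    """Split ciphertext into AES blocks; ECB only accepts whole blocks."""
    data = bytes.fromhex(ciphertext_hex)
    if len(data) % block:
        raise ValueError("ciphertext is not a multiple of the block size")
    return [data[i:i + block] for i in range(0, len(data), block)]


if __name__ == "__main__":
    jpg_half = decode_octal(EXIF_COMMENT)
    key_text = GIF_HALF + jpg_half          # order used in the write-up
    print("key text:", key_text)
    for name, (key, variant) in key_candidates(key_text).items():
        print(f"{name:>4}: {len(key)} bytes -> {variant}")
    blocks = ecb_blocks(CIPHERTEXT_HEX)
    print(len(blocks), "blocks, repeated blocks:", len(blocks) != len(set(blocks)))
```

The ciphertext splits into three 16-byte blocks, which is what a 32-character flag followed by one full block of PKCS#7 padding would produce.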

0x41414141 CTF: Register Secret PIN

This is from the 0x41414141 CTF.

When I went to register to compete in the 0x41414141 CTF, I found that it was a little different from other CTFd-based CTFs. Besides the normal registration information, it asks for a pin code (secret pin code for CTF registration).

Going back and looking through the site, I see on the About page that the secret pin code for CTF entry is hidden somewhere on the site:

After poring through the source files for each page on the site, running curl POSTs, and looking at previous versions of the site on Archive.org, I considered the steganography approach.

Besides the normal social media link images, there are only two images on the site. One is the animated Offshift logo, which yielded no obvious results when running strings, binwalk, or other stego decoders:

The second image is a small Offshift logo that is used as the header logo:

After downloading this image, I ran strings on it to look for anything interesting:

Ahh! I see “secret: 100100100101” at the bottom of the results.

I convert the binary string to decimal:

echo "obase=10; ibase=2; 100100100101" | bc

Using the resulting decimal value as the pin, I am now able to register for the CTF.