Posts Inctf21 Pro Finals Forensics Writeup
Post
Cancel

Inctf21 Pro Finals Forensics Writeup

Hello Amazing Hackers!

In this Blog We are going to have a look at some cool forensic challenges from inctf21 professional by bi0s Beginner Level Interesting Challenges From INCTF21 PRO Finals


1. XOXO (100pts)

image

Description: Did you know: if a^b=c then a^c=b

Given : xorred png file

1
2
3
 pj@kali~ file encrypted.png
 
encrypted.png: data 
  1. We actually Dont know the key , but we know the actual extension(png) which is come after the xor process. then xor the file with magic bytes of png , it will gives the Key to retrive the PNG

Magic Bytes of PNG

1
2
xxd -l 10 chall.png                                                                  
00000000: 8950 4e47 0d0a 1a0a 0000                 .PNG......

image

2.Xor the encrypted.png with the key eAsy-x0r

1
2
3
4
5
6
>>> from pwn import  *
>>> encrypted=open("encrypted.png","rb").read()
>>> answer=open("flag.png","wb")
>>> answer.write(xor("eAsy-x0r",encrypted))
396068
>>> answer.close()

image

Here We go ,FLAG :inctf{x0riNg_iS_fUn!!}


2. Look Deeper (200pts)

image

Description : Ramesh sent me this PDF and told me that there is a weird sound deep in it, and asked me to find it. Can you help him find the what is hidden deep?

Given :

1
chall.pdf: PDF document, version 1.1
  1. Evince the pdf

image

1
2
echo "ZTN5bl83a2RfdjBfc240el9nYzdfaHUzeXp0=="|base64 -d                                       
e3yn_7kd_v0_sn4z_gc7_hu3yz

I thought vigenere, yes vigenere cipher

image

well, it’s not a flag but let’s take it w3ll_7ry_n0_fl4g_bu7_us3ful

  1. Lets enum the pdf and extract any file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
python2 /opt/git.peepdf/peepdf.py -i chall.pdf

PPDF> info

Version 0:
        Catalog: 1
        Info: No
        Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
        Streams (2): [5, 8]
                Encoded (1): [8]
        Suspicious elements:
                /Names (1): [1]

PPDF> stream 8 > output

wave time !

1
2
file output 
output: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz

From Description deep? exactly deepsound!

  1. open the wave in deepsound and input the decrypted cipher as a password
  • open carrier file
  • input password
  • save the flag.zip

image

  • unzip flag.zip

correct the header of flag.png

remove the line ......JFIF...... from flag.png using ghex

1
2
3
4
5
6
7
8
9
10
>>pj@kali~: xxd flag.png|head                                                                              1 ⨯
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0001  ......JFIF......
00000010: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR

        (after)
        
 >>pj@kali~: xxd flag.png|head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 03c0 0000 02bd 0806 0000 00eb 1d05  ................
00000020: 3000 0036 837a 5458 7452 6177 2070 726f  0..6.zTXtRaw pro

image

Flag : inctf{Kn0w1ng_4b0ut_PDF’s_15_u53fuL}


3. Chunklet (100pts)

reference-inctf-nationals Learning Round

given:

1
2
 >>pj@kali~: file chall.png                                                                               130 ⨯
chall.png: data
  1. Correct the png header
1
2
3
4
5
6
>>pj@kali~: xxd -l 10 chall.png 
00000000: 8950 6e47 0d0a 1a0a 0000                 .PnG......
                  (after)                                                                                              
 >>pj@kali~: xxd -l 10 chall.png
00000000: 8950 4e47 0d0a 1a0a 0000                 .PNG......

  1. Replace idhr to IHDR

  2. Replace IADT to IDAT

image

  1. Replace The trailer from INED to IEND
1
2
3
4
5
6
7
>>pj@kali~: xxd chall.png |tail                
00006de0: 0000 494e 4544 ae42 6082                 ..INED.B`.
                             
                             (AFTER)                           
 >>pj@kali~: xxd chall.png |tail
00006de0: 0000 4945 4e44 ae42 6082                 ..IEND.B`.

  1. feh chall.png

image

Here we Go

Flag : inctf{tH15_w4S_Pr3Ty_EA5y}


This post is licensed under CC BY 4.0 by the author.