Post

DeconstruCT.F 2023 - Space Ahoy

Posted
By Nolliv22 2 min read

Description

Category: Forensic

Brian tries to send some crucial information from the space station about an impending disaster through a super secure line to his friend through a picture. Help his friend uncover the truth ..

super_secret.jpg

Resolution

1. Extract embedded files

The picture is very heavy (9.9 MB) so we try to find any embedded file inside with binwalk

1
2
3
4
5
6
7
8

$ binwalk -e super_secret.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
166246        0x28966         Zip archive data, at least v1.0 to extract, compressed size: 9725992, uncompressed size: 9725992, name: hidden.jpg
9892256       0x96F1A0        End of Zip archive, footer length: 22
9892370       0x96F212        End of Zip archive, footer length: 22

Now we have another heavy file hidden.jpg (9.7 MB) so we use binwalk again:

1
2
3
4
5
6
7
8

$ binwalk -e hidden.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
39697         0x9B11          Zip archive data, at least v2.0 to extract, compressed size: 9686117, uncompressed size: 10611338, name: SupEr_s3CrET_AuD10.wav
9725970       0x946812        End of Zip archive, footer length: 22

And we have our final file: SupEr_s3CrET_AuD10.wav.

2. SSTV transmission

I opened and listened to the audio and I heard some transmission sound.

I searched on Google forensic transmission sound ctf and I found a writeup who exactly solve this challenge (Alien Transmission 1 - itsecgary).

The audio file contains Slow-scan television (SSTV) transmissions in order to transmit a picture.

From here I followed the more detailled writup from Dvd848 to setup all I need to recover the picture:

  • To install on Debian-based Linux distro: 
    1

    $ sudo apt install qsstv sox # sox is also needed
  • To setup everything for QSSTV: 
    1
2

    $ pactl load-module module-null-sink sink_name=virtual-cable
$ pavucontrol # A GUI will pop-up, go to the "Output Devices" tab to verify that you have the "Null Output" device

Pavucontrol

1

$ qsstv # The program GUI will pop-up, go to "Options" -> "Configuration" -> "Sound" and select the "PulseAudio" Audio Interface

QSSTV

1

# Back in the pavucontrol GUI, select the "Recording" tab and specify that QSSTV should capture audio from the Null Output

Pavucontrol QSSTV

  • Recover the picture from an audio:

    • Select the mode Scottie 1:

      Change mode

    • Play the audio file:

      1

      $ paplay -d virtual-cable SupEr_s3CrET_AuD10.wav

    The picture should start to appear:

    Loading

Here is the recovered picture:

Recovered

There is a QR code, we use CyberChef to parse it:

CyberChef

And we get the flag: dsc{un5af3_sp4C3_coD3}.

Writeups, DeconstruCT.F 2023
Forensic
This post is licensed under CC BY 4.0 by the author.