DeconstruCT.F 2023 - Two Paths

Description

Category: Forensics

Logan gave me this image file before disappearing. I’ve been breaking my head over it for long. Can you decode it?

hello.jpg

Resolution

1. Embedded files inside JPG

The picture hello.jpg is very large (41.5 MB), so it must be hiding some files inside it.

We use binwalk to find any embedded files:

$ binwalk hello.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
1801          0x709           Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
86856         0x15348         Zip archive data, at least v2.0 to extract, compressed size: 151849, uncompressed size: 152413, name: greenpill.jpg
238726        0x3A486         End of Zip archive, footer length: 22
238748        0x3A49C         Zip archive data, at least v1.0 to extract, compressed size: 41267125, uncompressed size: 41267125, name: redpill.jpg
41505892      0x2795464       End of Zip archive, footer length: 22
41506102      0x2795536       End of Zip archive, footer length: 22

There are indeed many embedded files, let’s extract them with the same command but with the -e flag.

Inside the folder with extracted files there are two images: greenpill.jpg and redpill.jpg.

redpill.jpg is also very large (41.3 MB), so we run binwalk on it as well:

$ binwalk -e redpill.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
68806         0x10CC6         Zip archive data, at least v2.0 to extract, compressed size: 1228, uncompressed size: 175644, name: morse.wav
70073         0x111B9         Zip archive data, at least v1.0 to extract, compressed size: 41196805, uncompressed size: 41196805, name: secrett.zip
41266897      0x275AED1       End of Zip archive, footer length: 22
41267103      0x275AF9F       End of Zip archive, footer length: 22

Now we have two files: morse.wav and secrett.zip.
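
The ZIP lines in the binwalk output above come from ZIP local file headers (`PK\x03\x04`) and end-of-central-directory records (`PK\x05\x06`) found after the image data. The following is an added example, not part of the original write-up: a minimal scanner that reports the same fields. The function names `scan_zip_records` and `build_sample` are hypothetical, and the input is a constructed stub rather than the challenge file.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory ("End of Zip archive")

def scan_zip_records(data: bytes):
    """Return (offset, kind, info) for each ZIP record found in a carrier file."""
    hits, pos = [], data.find(b"PK")
    while pos != -1:
        nxt, sig = pos + 1, data[pos:pos + 4]
        if sig == LOCAL_SIG and pos + 30 <= len(data):
            # 30-byte fixed header: sig, version, flags, method, time, date,
            # crc32, compressed size, uncompressed size, name len, extra len
            (_, ver, flags, method, _, _, _, csize, usize,
             nlen, elen) = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
            name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
            hits.append((pos, "local", {
                "name": name, "version": ver / 10, "method": method,
                "csize": csize, "usize": usize,
                "encrypted": bool(flags & 0x1),  # bit 0: password needed
            }))
            # Skip the entry payload so archives nested inside it are only
            # reported when that extracted file is scanned on its own.
            nxt = pos + 30 + nlen + elen + csize
        elif sig == EOCD_SIG:
            hits.append((pos, "eocd", {}))
        pos = data.find(b"PK", nxt)
    return hits

def build_sample() -> bytes:
    """Constructed input: JPEG-like stub followed by two appended ZIPs."""
    carrier = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"  # not a real image
    first, second = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(first, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("greenpill.jpg", b"A" * 1000)
    with zipfile.ZipFile(second, "w", zipfile.ZIP_STORED) as z:
        z.writestr("redpill.jpg", b"B" * 200)
    return carrier + first.getvalue() + second.getvalue()

if __name__ == "__main__":
    for offset, kind, info in scan_zip_records(build_sample()):
        print(f"{offset:<10} 0x{offset:<8X} {kind:<6} {info}")
```

An entry whose compressed and uncompressed sizes are equal, like redpill.jpg and secrett.zip in the output above, is what a stored (method 0) entry looks like.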

2. Morse code and ZIP decryption

The file morse.wav is literally the sound of Morse code.

We use the Morse sound decoder from MATTA to decode it:

$ wav2txt_gnu morse.wav
input WAV file has sampleRate= 8000, i.e. deltaTime= 1.25000E-04
input WAV file has byte-size= 175644
Message in English:
THE PASSWORD IS THE HOVERCRAFT OF MORPHEUS
FTTB:  first 5 words:

-|....|./
.--.|.-|...|...|.--|---|.-.|-../
..|.../
-|....|./
....|---|...-|.|.-.|-.-.|.-.|.-|..-.|-/

We have a hint about the password to decrypt the ZIP.

We searched online for HOVERCRAFT OF MORPHEUS and we found Nebuchadnezzar.

We used it, in lowercase, as the password to decrypt the ZIP file, and it worked:

$ 7z x secrett.zip -pnebuchadnezzar

And we get a new file: deep_secret.wav.

3. WAV Steganography

We tried to use a lot of well-known WAV steganography tools but none of them worked.

So we searched Google for "deep secret wav steganography" and found a tool called Deep Sound in this blog:

Google search

Deep Sound only runs on Windows, so we installed it inside a virtual machine.

We opened deep_secret.wav with Deep Sound and we found a secret file:

Deep Sound

We extract the secret file twopathsflag.txt:

Flag

and we got the flag: dsc{u_ch053_THE_cOrr3Ct_pill!}.

This post is licensed under CC BY 4.0 by the author.