On August 11, 2017, the CyberLympics CTF security/hacking competition qualifiers took place. This year I was on team “The LeftOvers”, led by Ashton (@GameOfPWNZ). The first challenge was fun but very frustrating because it seemed to never end. As soon as you solve one piece of the challenge, you throw up your arms thinking you have finished, only to figure out you haven’t yet. This happened several times, but it was very satisfying once it was finally finished!
Part 1: Steganography
We were provided a picture in PNG format, see below. You will notice l3tth3gam3zb3gin repeated. However, there are some abnormal characters inserted randomly throughout the picture. After noticing that, I decided to highlight those characters. After highlighting the abnormal characters, I ended up with the following characters. Unfortunately, that didn’t spell anything out.
Part 2: What to do with the above string? Is it encoded? Is it even related?
At this point I thought it must be an encoded message. I started trying all the most common cryptography methods and found it to be base64 encoded.
There are several methods to decode a message using base64. You can use Linux (command shown in screenshot below) or you can use an online service. One of my favorites is https://paulschou.com/tools/xlate/.
The string decodes to https://pastebin.com/eC64uEHq
Visiting that Pastebin page shows another URL. This time it is a bit.ly link.
The URL http://bit.ly/wgzc1 is shown. Obviously the next step is to visit that URL.
The URL downloads a 7zip file named wiz-gcl_t0k3n_qualifier_challenge_1.7z
Part 3: I got a file but it's password protected
I was stuck at this point. I was about to start password cracking the file but my teammate fortunately figured out the password by guessing. Lots of credit to Ashton (@GameOfPwnz), I would have never cracked that password.
The password to decompress the 7zip file was l3tth3gam3zb3gin
Inside the 7zip file was a PNG picture named wgz-gcl_t0k3n_qualifier_challenge_1.png (shown below)
Part 4: Embedded file
One of the first things I always do when I am provided a file is to see if any additional files are embedded. A couple of popular tools are Foremost and Binwalk. I used Foremost in this situation.
You can test it out yourself. Download the above PNG file and use the Foremost tool to extract the embedded image.
foremost -v wgz-gcl_t0k3n_qualifier_challenge_1.png
Another PNG file was embedded, shown below.
The embedded picture provides instructions on who to email the t0k3n to. The issue we now have is what the t0k3n is. I thought 2wgVQgise4Pnkgtjf2rDekPow6mAh8W482KwB3NDaZ5JntgibDQ6k7tWLT was the t0k3n, but I received an email stating that it is not the t0k3n.
Part 5: Am I ever going to complete this challenge?
At this point I started focusing on 2wgVQgise4Pnkgtjf2rDekPow6mAh8W482KwB3NDaZ5JntgibDQ6k7tWLT. I first tried all the common cryptography algorithms, but had no luck at first. I then started trying some of the most unfamiliar ones and finally found one that decoded to the t0k3n. The message was encoded with the base58 algorithm.
I used an online service to decode this message: https://www.browserling.com/tools/base58-decode
FINALLY solved the challenge. So many steps.
th3 t0k3n y0u s33k is: mad3!tt0th3l33tl!$t
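As an added example (not part of the original write-up), the Python sketch below automates the guess-the-encoding step from Parts 2 and 5 offline: it tries hex, base32, base58 and base64 and keeps only the decodings that come out as printable ASCII. It assumes the Bitcoin base58 alphabet; the function names and sample strings are constructed for illustration.

```python
import base64
import string

# Bitcoin-style base58 alphabet (assumed; it omits 0, O, I and l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode base58 text to bytes; raises ValueError on a foreign character."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * zeros + body

def is_printable(data):
    return bool(data) and all(chr(b) in string.printable for b in data)

def candidates(s):
    """Return {encoding: text} for each decoder that yields printable ASCII."""
    decoders = {
        "hex": bytes.fromhex,
        "base32": base64.b32decode,
        "base58": b58decode,
        "base64": lambda x: base64.b64decode(x, validate=True),
    }
    hits = {}
    for name, decode in decoders.items():
        try:
            data = decode(s)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if is_printable(data):
            hits[name] = data.decode("ascii")
    return hits

if __name__ == "__main__":
    # Constructed samples: "Hello World!" in base64 and in base58.
    for sample in ("SGVsbG8gV29ybGQh", "2NEpo7TZRRrLZSi2U"):
        print(sample, "->", candidates(sample))
```

A string with no 0, O, I or l in it is a hint that base58 is worth trying before the less likely decoders.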
Team name: The LeftOvers
Author: Zachary Havins