# Capture the Flag FTW!

Last weekend I completed and won my first capture the flag (CTF) game. The game was hosted on the SecDSM user group page and it proved to be pretty challenging. I don’t think I won anything, but I don’t care; I’m just satisfied I completed it.

So let me walk you through what the challenge was and how I solved it. If you aren’t familiar with a CTF, it’s really easy to understand: someone creates a challenge and hides a password somewhere, and you have to find the password to win.

### The Challenge

Here’s what it looks like

Now you might think to yourself WHERE WOULD THERE BE A PASSWORD IN THIS?

Well, it’s staring right at you!

### Strings

I first looked at the request and viewed the source of the website, and I didn’t find anything unusual. Then I decided to look at this image. I downloaded it and checked whether there was any data stored in the image itself.

I ran the image through the strings command and it output some really interesting information.

```
$ strings -a -n 7 minictf.png
6Bz*cp! LU"B #%+ jI7;;;D >VU2]/_ 1d9rP}Sz Sjzk &2 YX{? sO=YVuHI 6w/U#-# Q8F&!-r #Iis"#m f>_fg]) O?=Z2D| vvv4#Qe ;oo,ZC" qUEDHC; agR92UU &+=Z"20YX3Y l'5M&M] FK\m,s& fJUDDa-^ {af k'U= mJ"]rr} "F4(l p H*%eJ)) Neuvv~vff .yS)Z6:U w|||xxtzz [pQ'?|b L0NBnvp ^=880=S+ 4l:-"n{ jO;M)G |f0te@W RbI,)@s ID."$*"
1	BJPB[<s
B" %2Sfq
{i{0U7B
j"bn::se
cj[m ,
zHY$?yz Hr"P"XNr b<:::::L\j52 -m'Pf"J [2wWe3V L[qvCZsK "J28<gQ-p%' kmD*6_ JCfrIl<9 20'&7wrf /3S-g*G3 p&s_M%' 0sra"!N +sJ9|v@DI -sp!I%. ;HYk0OL: s&@7/2s Df1X <'% M3*JaD i Dbs~ek)B e"&-R(# Ok5UY.+ ]$f:W7R
[8c	hao
CD"2O8u
Qd\tEmsso
sxP*oR9F
xW$ja1o D"ZX2Qa[-" @,9MZh9 ZO[lTta aoQV)-b GZxBhcn 2;O:D"\ Or^ad>E S0|(%;e ZH4TUUK gwO&C0V PUxtr|zzn LUM-P, ;===88899y snggoww7 eY6M}trRU !(2 z" CVXmM)! PrN41 VQ%("m8 V8?9#zD r]2+.?y J##o2ng <|X=|Byok >zo||T8 Xf9zWsZ No6= !, 0H)]\\ K.|89>:=:B5 t:;88^, *N18r!0 bEt!#ru awwwgg' ~xtttpp *sP7sf5 :c 8$$i5 NNNNOOONN =ztxxh' t:;;;ggg svvv||l 1rU5.k u~~~qqq x~~~pp0 IP[DV@A 4F&{^dlc$*$\1GJ i*@GD*1 p5Jl3} \FDA8!*9Gd 8?:9>8<|vr rY?Gcf- u}~qur| 8tE&(bi ^W1Fp^b kDDUUGGG M]7MSUM k"N[{XE# I$p&2"
DwA\G.o7tF
M]5Muyyy||rqqa-
*9peYVu
>9xKxkM
nu8;X\W
u JQHAC
;&d&oTc$G; @.SfQp. Gtxxxpp0 bqzzzuue Ez+>VtA gN4((9R UuqqutwSN|S z}yqu'? L&)q?|@ O'c?Mo0 TrD/.#u$pw6:o|
2rD$,1FS U(3@lC@ RlC[72f |]oT"*; mkRYU5S!f \ DR_OqXMe 0V5Y\i/0JQz IDATf,z 6d\InS-y7 dVwQ>::R(VD s;y>(F H03v4CL tDTPxiaq hnb7}|h nw}}}mm dqqyymy}cuii drppPyF"6I resssmmcqqQ{ tyui}}}uuyie ;wnss{my%K <88X\\T ]{5k,@($fckcu}
rqs{cei
W_moo/--
sgiiiqq
loo'&=>:@
:a@neY+
Mmfisssiiiyyyq
Y[[;9>v
s*;Y?huoY
x|tttxxxxx
08888<<
_XXX]ZN
u.8CD	L
o!kcwaqeuc<r
B?\LSU%
c >szwoo
dSDb5co
f*BDjF!
,3	f3S@4
Lf|"?0
d9!T	jP
fQhfBD
~=4Mspp0
fJ)eU"J
#V-b./K
\G5nOY<
p5,DOQM
|]43US5
ffb*Ugr
&$wDu# ;;;GGG> 5X4CP4C ]J 1N<V C4;88X rAvj5,*LLDZ !P)NM#C .vkno<2 h.C@L9= m$*9wM
4{3w^ g
>TWGb9?
XmTPpS_t
%^%Zg:mx
{d$Ddpa dBtfA"da MZ%X7) ,%T;Q$UD5
fA'trB@w
vHubrAb
A:34G4F,u
9Li{,l\
CqO808!@!\
%tEXtdate:create
2019-11-13T16:45:30+00:00-lX.
%tEXtdate:modify
2019-11-13T16:45:11+00:00
9tEXtDocument
zTXtDescription
coLbYmFsbApiYXQKYmVkCmJvb2sKYm95CmJ1bgpjYW4KY2FrZQpjYXAKY2FyCmNhdApjb3cKY3ViCmN1
cApkYWQKZGF5CmRvZwpkb2xsCmR1c3QKZmFuCmZlZXQKZ2lybApndW4KaGFsbApoYXQKaGVuCmph
cgpraXRlCm1hbgptYXAKbWVuCm1vbQpwYW4KcGV0CnBpZQpwaWcKcG90CnJhdApzb24Kc3VuCnRv
ZQpjb2x1bW4KdHViCnZhbgphcHBsZQphcm0KYmFuYW5hCmJpa2UKYmlyZApib29rCmNoaW4KY2xh
bQpjbGFzcwpjbG92ZXIKY2x1Ygpjb3JuCmNyYXlvbgpjcm93CmNyb3duCmNyb3dkCmNyaWIKZGVz
awpkaW1lCmRpcnQKZHJlc3MKZmFuZwpmaWVsZApmbGFnCmZsb3dlcgpmb2cKZ2FtZQpoZWF0Cmhp
bGwKaG9tZQpob3JuCmhvc2UKam9rZQpqdWljZQpraXRlCmxha2UKbWFpZAptYXNrCm1pY2UKbWls
awptaW50Cm1lYWwKbWVhdAptb29uCm1vdGhlcgptb3JuaW5nCm5hbWUKbmVzdApub3NlCnBlYXI
```


I scrolled through to the bottom and realized there were some base64-encoded strings stored inside the EXIF information.

### EXIF Information

When I used to be into photography I learned how image information is stored; they call this EXIF information. Usually when you take a picture, your camera stores information about the picture inside the file. It varies, but what caught my eye here was the base64 strings that were in the image.

I ran another tool called exiftool and it displayed the same data in a slightly better form.
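To make concrete where this metadata lives in a PNG, here is an added example (not code from the original post) that builds a small PNG whose text chunks sit after the image data, then walks the chunk list, verifies each chunk's CRC, decodes the `tEXt` (plain) and `zTXt` (zlib-compressed) payloads, and flags text chunks found after `IDAT`, which is the layout the exiftool warning below refers to. The sample PNG and its "Document" and "Description" payloads are constructed here and are not taken from the CTF image.

```ruby
require "zlib"

PNG_SIGNATURE = "\x89PNG\r\n\x1a\n".b

# Build one PNG chunk: 4-byte big-endian length, 4-byte type, data, then a
# CRC32 computed over type + data (the length field is not covered).
def png_chunk(type, data)
  body = type.b + data.b
  [data.bytesize].pack("N") + body + [Zlib.crc32(body)].pack("N")
end

# Constructed sample (not the CTF image): a 1x1 RGB PNG skeleton whose tEXt
# and zTXt chunks come after IDAT. The payload values are placeholders.
def sample_png
  ihdr = [1, 1, 8, 2, 0, 0, 0].pack("NNC5")        # width, height, depth, RGB, ...
  idat = Zlib::Deflate.deflate("\x00\x00\x00\x00")   # filter byte + one pixel
  ztxt = "Description\x00\x00" + Zlib::Deflate.deflate("alpha.beta.gamma")
  PNG_SIGNATURE +
    png_chunk("IHDR", ihdr) +
    png_chunk("IDAT", idat) +
    png_chunk("tEXt", "Document\x00UEsDBA==") +
    png_chunk("zTXt", ztxt) +
    png_chunk("IEND", "")
end

# Decode the two text chunk types: tEXt is keyword\0text, zTXt is
# keyword\0<compression method byte>\0<zlib stream>. Other types return nil.
def text_payload(type, data)
  case type
  when "tEXt"
    data.split("\x00".b, 2)
  when "zTXt"
    keyword, rest = data.split("\x00".b, 2)
    raise "unsupported zTXt compression method" unless rest.getbyte(0) == 0
    [keyword, Zlib::Inflate.inflate(rest.byteslice(1..))]
  end
end

# Walk every chunk, checking CRCs and noting whether a chunk sits after the
# image data. Returns one hash per chunk.
def png_chunks(png)
  raise "not a PNG" unless png.byteslice(0, 8) == PNG_SIGNATURE
  chunks = []
  pos = 8
  seen_idat = false
  while pos + 12 <= png.bytesize                     # length + type + crc
    length = png.byteslice(pos, 4).unpack1("N")
    raise "truncated chunk at #{pos}" if pos + 12 + length > png.bytesize
    type = png.byteslice(pos + 4, 4)
    data = png.byteslice(pos + 8, length)
    crc  = png.byteslice(pos + 8 + length, 4).unpack1("N")
    seen_idat = true if type == "IDAT"
    chunks << {
      type: type,
      length: length,
      after_idat: seen_idat && type != "IDAT",
      crc_ok: crc == Zlib.crc32(type + data),
      text: text_payload(type, data),
    }
    pos += 12 + length
  end
  chunks
end

# The check worth running on an unknown image: text chunks behind the pixels.
def text_chunks_after_idat(png)
  png_chunks(png).select { |c| c[:text] && c[:after_idat] }
end

if __FILE__ == $PROGRAM_NAME
  text_chunks_after_idat(sample_png).each do |c|
    keyword, text = c[:text]
    puts "#{c[:type]} after IDAT (crc #{c[:crc_ok] ? 'ok' : 'BAD'}): #{keyword} = #{text}"
  end
end
```

Pointing `png_chunks` at a real file (`File.binread`) lists every chunk with its CRC status, so a chunk that was appended by hand without fixing the CRC shows up as `crc_ok: false`, and any `tEXt`/`zTXt`/`iTXt` data after `IDAT` is exactly what `strings` was surfacing at the bottom of its output above.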

```
$ exiftool minictf.png
ExifTool Version Number         : 11.76
File Name                       : minictf.png
Directory                       : .
File Size                       : 228 kB
File Modification Date/Time     : 2019:11:14 22:35:56-06:00
File Access Date/Time           : 2019:11:17 19:08:14-06:00
File Inode Change Date/Time     : 2019:11:17 22:38:12-06:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 460
Image Height                    : 387
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Gamma                           : 2.2
White Point X                   : 0.3127
White Point Y                   : 0.329
Red X                           : 0.64
Red Y                           : 0.33
Green X                         : 0.3
Green Y                         : 0.6
Blue X                          : 0.15
Blue Y                          : 0.06
Background Color                : 255 255 255
Warning                         : [minor] Text chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate                      : 2019-11-13T16:45:30+00:00
Datemodify                      : 2019-11-13T16:45:11+00:00
Document                        : UEsDBAoACQAAAONVbU87lgOALgAAACIAAAAIABwAZmxhZy50eHRVVAkAA4kzzF2fM8xddXgLAAEE6AMAAARkAAAAt+mveOkPZnEcaHbeaP4kI0SQ9QySINRF1RqujJ4n4sxaElAAo6utNCpfRWfH6FBLBwg7lgOALgAAACIAAABQSwECHgMKAAkAAADjVW1PO5YDgC4AAAAiAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50eHRVVAUAA4kzzF11eAsAAQToAwAABGQAAABQSwUGAAAAAAEAAQBOAAAAgAAAAAAA
Description                     : quizzical.highfalutin.dynamic.wakeful.cheerful.thoughtful.cooperative.questionable.abundant.uneven.yummy.juicy.vacuous.concerned.young.sparkling.abhorrent.sweltering.late.macho.scrawny.friendly.kaput.divergent.busy.charming.protective.premium.puzzled.waggish.rambunctious.puffy.hard.fat.sedate.yellow.resonant.dapper.courageous.vast.cool.elated.wary.bewildered.level.wooden.ceaseless.tearful.cloudy.other.gullible.flashy.trite.quick.nondescript.round.slow.spiritual.brave.tenuous.abstracted.colossal.sloppy.obsolete.elegant.fabulous.vivacious.exuberant.faithful.helpless.odd.sordid.blue.imported.ugly.ruthless.deeply.eminent.reminiscent.rotten.sour.volatile.succinct.judicious.abrupt.learned.stereotyped.evanescent.efficacious.festive.loose.torpid.condemned.selective.strong.momentous.ordinary.dry.great.ultra
Image Size                      : 460x387
Megapixels                      : 0.178
```

Well, look at this: we have a base64 string inside the Document attribute, and inside the Description field we have what looks like a word list. This is weird.

### Base64 Decode

The next step was seeing what was inside the base64 string. I googled for a base64 decoder and saw this:

Now this looks weird, right? This isn’t any text or password. This looks like some sort of binary file. The PK at the top reminded me of the file header of a zip file. I can’t remember how I know what the PK stands for, but after googling file signatures I confirmed it was.

File Signatures

So I wrote a ruby script to write the decoded base64 string out to a zip file.

```ruby
require 'rmagick'
require 'base64'

# Read the PNG's text properties with RMagick and write the decoded
# "Document" field out as a zip file.
img = Magick::Image.read('minictf.png').first
File.open('flag.zip', 'wb') do |f|
  f.write(Base64.decode64(img.properties['Document']))
end
```

### Flag.zip

The next step: I ran unzip on flag.zip and it asked for a password. But here’s the other interesting thing: even though I didn’t have the password, it told me it had a file named flag.txt in it. I knew this was it at this point, but how do I find the password for the zip file? Earlier, when I was looking at the EXIF information, I found a wordlist. So I ran fcrackzip to see if any of those words were the password.

```
$ fcrackzip -v -D -u -m 2 -p wordlist.txt flag.zip
found file 'flag.txt', (size cp/uc     46/    34, flags 9, chk 55e3)
```
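Why unzip and fcrackzip can name flag.txt without the password: the local file header in front of each ZIP entry is never encrypted, only the entry data is. This added example (not the author's script) decodes the Document string from the exiftool output above and reads that header with nothing but Ruby's `unpack`. The `flags 9` that fcrackzip prints is the same general-purpose flag word (bit 0 = encrypted, bit 3 = a data descriptor follows the data), and the `chk 55e3` is the DOS modification-time field, which traditional ZIP encryption uses as the password check value instead of the CRC whenever bit 3 is set.

```ruby
# Base64 string copied from the exiftool output above (the Document field).
DOCUMENT_B64 = "UEsDBAoACQAAAONVbU87lgOALgAAACIAAAAIABwAZmxhZy50eHRVVAkAA4kzzF2fM8xddXgLAAEE6AMAAARkAAAAt+mveOkPZnEcaHbeaP4kI0SQ9QySINRF1RqujJ4n4sxaElAAo6utNCpfRWfH6FBLBwg7lgOALgAAACIAAABQSwECHgMKAAkAAADjVW1PO5YDgC4AAAAiAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50eHRVVAUAA4kzzF11eAsAAQToAwAABGQAAABQSwUGAAAAAAEAAQBOAAAAgAAAAAAA"

LOCAL_FILE_HEADER_SIG = 0x04034b50 # "PK\x03\x04" read as a little-endian u32
EOCD_SIG              = 0x06054b50 # "PK\x05\x06", end of central directory

# Lenient base64 decode (same as Base64.decode64, without the require).
def decode_document(b64)
  b64.unpack1("m")
end

# Split the packed DOS date and time words into calendar fields.
def dos_datetime(date, time)
  {
    year: (date >> 9) + 1980, month: (date >> 5) & 0x0f, day: date & 0x1f,
    hour: time >> 11, min: (time >> 5) & 0x3f, sec: (time & 0x1f) * 2,
  }
end

# Parse the 30-byte local file header at the start of a ZIP byte string
# plus the file name that follows it. Every field here is cleartext.
def parse_local_header(zip)
  sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen =
    zip.unpack("VvvvvvVVVvv") # all fields little-endian
  raise "not a ZIP local file header" unless sig == LOCAL_FILE_HEADER_SIG
  {
    version_needed: version,             # 10 means "1.0"
    encrypted: (flags & 0x1) == 1,       # bit 0: traditional PKWARE encryption
    data_descriptor: (flags & 0x8) != 0, # bit 3: CRC/sizes repeated after data
    method: method,                      # 0 = stored, 8 = deflate
    modified: dos_datetime(mdate, mtime),
    crc32: crc,
    compressed_size: csize,
    uncompressed_size: usize,
    name: zip.byteslice(30, nlen),
    extra_length: xlen,
  }
end

# Number of entries recorded in the end-of-central-directory record.
def entry_count(zip)
  off = zip.rindex("PK\x05\x06".b)
  raise "no end of central directory record" if off.nil?
  sig, _disk, _cd_disk, _entries_here, total = zip.byteslice(off, 12).unpack("Vvvvv")
  raise "bad EOCD signature" unless sig == EOCD_SIG
  total
end

if __FILE__ == $PROGRAM_NAME
  zip = decode_document(DOCUMENT_B64)
  hdr = parse_local_header(zip)
  puts "#{zip.bytesize} bytes, #{entry_count(zip)} entry"
  hdr.each { |k, v| puts "#{k}: #{v.inspect}" }
  # The 12-byte gap between the sizes is the encryption header.
  puts "encryption header: #{hdr[:compressed_size] - hdr[:uncompressed_size]} bytes"
end
```

The decoded archive is 228 bytes with one stored (uncompressed), encrypted entry named flag.txt, 34 bytes of plaintext carried in 46 bytes of data, the extra 12 being the PKWARE encryption header. That is also why the wordlist attack is feasible at all: with the name, sizes, CRC and check value all in the clear, every candidate password can be verified offline.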


I took another look at the strings output from earlier and discovered another base64 string.

```
coLbYmFsbApiYXQKYmVkCmJvb2sKYm95CmJ1bgpjYW4KY2FrZQpjYXAKY2FyCmNhdApjb3cKY3ViCmN1
cApkYWQKZGF5CmRvZwpkb2xsCmR1c3QKZmFuCmZlZXQKZ2lybApndW4KaGFsbApoYXQKaGVuCmph
cgpraXRlCm1hbgptYXAKbWVuCm1vbQpwYW4KcGV0CnBpZQpwaWcKcG90CnJhdApzb24Kc3VuCnRv
ZQpjb2x1bW4KdHViCnZhbgphcHBsZQphcm0KYmFuYW5hCmJpa2UKYmlyZApib29rCmNoaW4KY2xh
bQpjbGFzcwpjbG92ZXIKY2x1Ygpjb3JuCmNyYXlvbgpjcm93CmNyb3duCmNyb3dkCmNyaWIKZGVz
awpkaW1lCmRpcnQKZHJlc3MKZmFuZwpmaWVsZApmbGFnCmZsb3dlcgpmb2cKZ2FtZQpoZWF0Cmhp
bGwKaG9tZQpob3JuCmhvc2UKam9rZQpqdWljZQpraXRlCmxha2UKbWFpZAptYXNrCm1pY2UKbWls
awptaW50Cm1lYWwKbWVhdAptb29uCm1vdGhlcgptb3JuaW5nCm5hbWUKbmVzdApub3NlCnBlYXI
```


Which translates into another wordlist!!

```
rball
bat
bed
book
boy
bun
can
cake
cap
car
cat
cow
cub
cup
day
dog
doll
dust
fan
feet
girl
gun
hall
hat
hen
jar
kite
man
map
men
mom
pan
pet
pie
pig
pot
rat
son
sun
toe
column
tub
van
apple
arm
banana
bike
bird
book
chin
clam
class
clover
club
corn
crayon
crow
crown
crowd
crib
desk
dime
dirt
dress
fang
field
flag
flower
fog
game
heat
hill
home
horn
hose
joke
juice
kite
lake
maid
mice
milk
mint
meal
meat
moon
mother
morning
name
nest
nose
pear
```


I ran the password cracker again on this new wordlist.

```
$ fcrackzip -v -D -u -m 2 -p wordlist2.txt flag.zip
found file 'flag.txt', (size cp/uc     46/    34, flags 9, chk 55e3)
```

Shit, still no password. I took a break and went to the store. I was talking about my problems to my wife and kids and I kept coming back to the same question: WHY would they hide two wordlists in the same image? I got home and got settled, and pulled up the CTF page again. Then it dawned on me. I have two lists; one list is column A and the other list is column B, sooo maybe I should combine the wordlists and see if that works. I wrote another ruby script cause I CAN.

```ruby
# Build every two-word candidate: each word from wordlist.txt followed by
# each word from wordlist2.txt, with no separator between them.
words1 = File.readlines('wordlist.txt', chomp: true)
words2 = File.readlines('wordlist2.txt', chomp: true)

File.open('wordlist3.txt', 'w') do |out|
  words1.each do |w|
    words2.each { |w2| out.puts(w + w2) }
  end
end
```

This script combines every word from the first list with every word from wordlist 2 and gives me a new wordlist to try.

### Capturing the Flag

I ran the new wordlist through fcrackzip and… drum roll plz

```
$ fcrackzip -v -D -u -m 2 -p wordlist3.txt flag.zip
found file 'flag.txt', (size cp/uc     46/    34, flags 9, chk 55e3)
```



OH SHIT IT FOUND A PASSWORD!!

```
$ unzip flag.zip
Archive:  flag.zip
[flag.zip] flag.txt password: othercolumn
replace flag.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  extracting: flag.txt
$ cat flag.txt
SecDSM{all_sorts_of_ways_to_hide}
```