Description
Figure out how they moved the flag.
Solution
Download the file. It is a packet capture.
Open it with Wireshark.
The capture starts with packets looking up MAC addresses (ARP).
Then tons of TFTP packets follow.
I noticed some files are being sent over TFTP.
Let's check the files.
Filter the packets with tftp.type
OK, I can see the files. Let's download them so we can check the contents.
File > Export Objects > TFTP, then Save All.
These are the files: instructions.txt, picture1.bmp, picture2.bmp, picture3.bmp, plan, program.deb
Let’s read the instructions.txt first.
GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA
Encoded. Base64? I tried, but it failed.
It doesn't look like a hash either: it is only the letters A-Z plus a period, which is what a simple substitution cipher produces. So I tried ROT13.
TFTPDOESNTENCRYPTOURTRAFFICSOWEMUSTDISGUISEOURFLAGTRANSFER.FIGUREOUTAWAYTOHIDETHEFLAGANDIWILLCHECKBACKFORTHEPLAN
At a glance it doesn't make sense.
But if we read it carefully, it is actually an English sentence with the spaces removed!
TFTP DOESNT ENCRYPT OUR TRAFFIC SO WE MUST DISGUISE OUR FLAG TRANSFER. FIGURE OUT A WAY TO HIDE THE FLAG AND I WILL CHECK BACK FOR THE PLAN
OK. They say they figured out a way to hide the flag. Let's check the file plan.
V HFRQ GUR CEBTENZ NAQ UVQ VG JVGU - QHRQVYVTRAPR. PURPX BHG GUR CUBGBF
I USED THE PROGRAM AND HID IT WITH - DUEDILIGENCE. CHECK OUT THE PHOTOS
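The two steps so far, exporting the TFTP files and ROT13-decoding the text ones, can be done without Wireshark. The following is an added example and is not part of the original writeup: it walks a classic pcap, reassembles each TFTP transfer from its DATA blocks (matching them to the RRQ/WRQ by address pair, because the server answers from an ephemeral port rather than 69, and dropping retransmitted blocks), then ROT13-decodes the recovered text. The capture it runs on is constructed inline from the two encoded strings on this page; the 10.0.0.x addresses, the port numbers and the file sizes are made up for the example.

```python
import codecs
import struct

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4  # TFTP opcodes (RFC 1350)
BLOCK_SIZE = 512                  # a DATA block shorter than this ends a transfer


def parse_pcap(blob):
    """Yield link-layer frames from a classic pcap (not pcapng); assumes Ethernet frames."""
    endian = "<" if struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while off + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[off:off + 16])[2]
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def udp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 17:  # IP protocol 17 = UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return ip[12:16], ip[16:20], sport, dport, udp[8:ulen]


def reassemble_tftp(blob):
    """Return {filename: bytes or None}. The request goes to port 69 but the server replies
    from a fresh port, so DATA is matched to its request by the (client, server) pair."""
    pending = {}  # (client_ip, server_ip) -> filename from the latest RRQ/WRQ
    blocks = {}   # filename -> {block_no: data}
    for frame in parse_pcap(blob):
        parsed = udp_payload(frame)
        if parsed is None or len(parsed[4]) < 4:
            continue
        src, dst, sport, dport, payload = parsed
        opcode, = struct.unpack("!H", payload[:2])
        if opcode in (RRQ, WRQ) and dport == 69:
            filename = payload[2:].split(b"\x00")[0].decode()
            pending[(src, dst)] = filename
            blocks.setdefault(filename, {})
        elif opcode == DATA:
            # WRQ: DATA flows client -> server; RRQ: server -> client
            key = (src, dst) if (src, dst) in pending else (dst, src)
            if key in pending:
                block_no, = struct.unpack("!H", payload[2:4])
                blocks[pending[key]].setdefault(block_no, payload[4:])  # keep first copy only
    return {name: join_blocks(parts) for name, parts in blocks.items()}


def join_blocks(parts):
    """Join blocks 1..n in order; None if one is missing or the final short block never came."""
    n = len(parts)
    if n == 0 or sorted(parts) != list(range(1, n + 1)) or len(parts[n]) >= BLOCK_SIZE:
        return None
    return b"".join(parts[i] for i in range(1, n + 1))


def rot13(text):
    """The 'encoding' on the text files: a fixed substitution, not encryption."""
    return codecs.decode(text, "rot_13")


# ---- constructed sample capture (not the challenge pcap) --------------------
CLIENT, SERVER = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
PLAN = b"V HFRQ GUR CEBTENZ NAQ UVQ VG JVGU - QHRQVYVTRAPR. PURPX BHG GUR CUBGBF\n" * 8
INSTRUCTIONS = (b"GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE."
                b"SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA")


def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame; MACs and checksums are zero (the parser ignores them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap with linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    return b"".join(out + [struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames])


def sample_frames():
    """Client uploads 'plan' (WRQ, 2 blocks, block 1 retransmitted), then downloads
    'instructions.txt' (RRQ, 1 block). 4242/4243 are the server's ephemeral ports."""
    f = [build_frame(CLIENT, SERVER, 51000, 69, struct.pack("!H", WRQ) + b"plan\x00octet\x00"),
         build_frame(SERVER, CLIENT, 4242, 51000, struct.pack("!HH", ACK, 0))]
    for n in range(1, len(PLAN) // BLOCK_SIZE + 2):  # +2 so the final short block is always sent
        chunk = PLAN[(n - 1) * BLOCK_SIZE:n * BLOCK_SIZE]
        data = build_frame(CLIENT, SERVER, 51000, 4242, struct.pack("!HH", DATA, n) + chunk)
        f += [data] * (2 if n == 1 else 1)  # duplicate frame = retransmission
        f.append(build_frame(SERVER, CLIENT, 4242, 51000, struct.pack("!HH", ACK, n)))
    f.append(build_frame(CLIENT, SERVER, 51001, 69, struct.pack("!H", RRQ) + b"instructions.txt\x00octet\x00"))
    f.append(build_frame(SERVER, CLIENT, 4243, 51001, struct.pack("!HH", DATA, 1) + INSTRUCTIONS))
    f.append(build_frame(CLIENT, SERVER, 51001, 4243, struct.pack("!HH", ACK, 1)))
    return f


SAMPLE_PCAP = build_pcap(sample_frames())


def recover_sample():
    """Reassemble the sample capture; the second value is the ROT13 decoding of each complete file."""
    files = reassemble_tftp(SAMPLE_PCAP)
    return files, {n: rot13(d.decode()) for n, d in files.items() if d is not None}
```

Run `recover_sample()` (or point `reassemble_tftp` at the bytes of a real capture) and the second value holds the two sentences decoded above. The point worth keeping in mind is the one the instructions.txt author makes: TFTP has no authentication and no encryption, so file names, contents and direction of every transfer can be rebuilt from a passive capture, which is all the Wireshark export does; the same parser recovers the BMP files unchanged.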
OK, so they used a program to hide the flag, and the photos are where to look. Let's check them out.
Viewed normally, the photos are just landscapes.
We have one more file to investigate: program.deb
binwalk -e program.deb
The extracted package contains the steghide manual pages.
So the program they mentioned is steghide.
Let's give it a try. But steghide needs a passphrase to extract an embedded file.
Where can I find it?
I spent some time looking for the password. Finally, I remembered that the plan file said something about how the flag was hidden.
I USED THE PROGRAM AND HID IT WITH - DUEDILIGENCE. CHECK OUT THE PHOTOS
When I read it the first time, I didn't know what it meant.
But now I think it is the passphrase.
steghide extract -sf picture1.bmp -p DUEDILIGENCE
steghide: could not extract any data with that passphrase!
steghide extract -sf picture2.bmp -p DUEDILIGENCE
steghide: could not extract any data with that passphrase!
steghide extract -sf picture3.bmp -p DUEDILIGENCE
wrote extracted data to "flag.txt".
OK! We extracted flag.txt from picture3.bmp.
picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}