Second post about the 2020 [email protected] CTFs, and in this one I will provide the writeups of the Steganography and the Scripting challenges I’ve resolved. I will also give some general info on steganography itself, in case you are not familiar with it.
What is Steganography?
Steganography is the practice of concealing information within ordinary means (digital, physical, etc.).
It differs from cryptography because, theoretically, a third party would not be aware that information is being exchanged using a steganographic technique while using cryptography one knows for sure that there’s information to be discovered by it’s encrypted and not easily accessible.
Originally there was physical steganography, hiding messages through chemical or physical means: you are probably familiar with the invisible inks, writing messages with a transparent ink on a piece of paper, that can only be revealed through the use of a special light for example, or with the help of heat (I used to do this when I was a child). If you check the Wikipedia page there are a lot of cool examples and anecdotes of how steganography was applied throughout the centuries.
In more recent times we have digital steganography, hiding messages inside other types of files, like images or audio tracks (if you ever watched Mr. Robot, that’s why he keeps a collection of CDs, where each one of those contains concealed data about his targets).
The HacktivityCon challenges were about this, finding the hidden flags inside images, text files, audio files, and here are the writeups of the ones I’ve resolved.
Spy vs Spy
This was probably the quickest challenge, I already knew about steganography with images and played with it in the past so I already knew what to look for.
The first thing I did is to find a tool that would help me in manipulating the image quickly and I’ve settled for “stegsolve”, on Kali linux.
From there it was a quick going through the different settings until I’ve found the right one that showed the flag.
The solution was Red Plane 0 (‘Red’ plane is one of the several properties you can manipulate, ‘Alpha’ is another common one).
This was the simplest challenge, and in some respect the funniest because it’s been a while that I wanted to try something with Morse Code. When I was a child I used to read and use morse code in a written format, but I’ve always been fascinated by the one that was used during the war, in a sound form. You can find some examples of morse code audios here.
So the challenge was simple, download an audio file with morse code and simply translate it. I just had to slow down the audio (it was too quick for me), write down on a piece of paper the sequences of dots and dashes, and then simply use a Morse Code vocabulary to translate it to the actual text.
Fun fact, the flag was a name, Arcangelo Ricciardi, an Italian chess player that cheated in a chess tournament by using morse code.
With this challenge, I’ve learned something new and I was very pleased with it.
I knew that you can always hide a message inside different file formats (in the past I encountered steganography via images or audio files), but when I saw this challenge I was puzzled for a few minutes.
There was no apparent code into the actual text, and opening the .txt file via Hexedit or Gedit didn’t show anything peculiar, if not a series of random dots at the end of the file that at that time didn’t give me any clue. I was expecting to find some garbled text like for something encrypted, or maybe the actual flag text.
So I moved on onto other challenges with the intention to come back to it with fresh eyes.
When I did, I was selecting all the text in the standard Notepad on Windows and I’ve noticed that there were several lines of empty text at the end of the file that was possible to select. That was something new for me, and simple tests like copying and pasting that portion of text onto other files didn’t give any result.
That’s when I went to Google and started to search for steganography and messages hidden in blank text files, and that’s when I’ve learned of something called SNOW.
What is the Steganographic Nature of Whitespace?
Steganographic Nature of Whitespace (SNOW) is a type of steganography that conceals messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.
(Source: official SNOW website, that seems to be no longer online. but you can still access it *wink wink*).
It uses the ICE encryption, (ICE stands for Information Concealment Engine). It is a 64-bit private key block cipher, in the tradition of DES. However, unlike DES, it was designed to be secure against differential and linear cryptanalysis, and has no key complementation weaknesses or weak keys. In addition, its key size can be any multiple of 64 bits, whereas the DES key is limited to 56 bits (found on the official SNOW website as well).
Long story short, you can encrypt messages and disguise them as white space and tabs inside a text file, and it shouldn’t be immediately visible, but even if someone finds out about it, you still have the message encrypter (with a password, of course, would be better).
So after reading about it on the official website I’ve found out that what I needed is a tool to encrypt and decrypt messages using this technique, stegsnow.
The text file had no encryption password, so it was as easy as firing the command
and I got the flag.
Neat! The thing I like about CTFs is that it’s not only a way to practice skills, but also to learn things completely new, like in this case, the steganographic nature of whitespaces.
Let’s now see the two scripting challenges I’ve dabbled with.
SNOW website: https://www.darkside.com.au/snow/index.html
Morse Code: https://en.wikipedia.org/wiki/Morse_code
Morse Code Decoder: https://morsedecoder.com/
I think that being in the ‘Scripting’ section, this CTF could have been resolved using a script, but I ended up doing it manually (because it made sense on that moment, and because even if I wanted to use a script, considering my current level I would have probably wasted more time writing the script that doing this challenge manually).
There was a page with a button, that said to click the button and they would find the script for you. By clicking on it the pages times out after a while ending on a page like: http://example.com:50011/site/821d13435d73cc9e689762dee71300fd.php
Doing this with Burp open shows how pressing the button will cause the visitor to jump (i.e. 302 redirects) from one page to another in a matter of seconds until the browser times out.
Checking the responses on Burp I saw that every hop had a response of something like “character 6 of the flag is t”
After checking all the redirects’ responses it was clear that the flag was not complete, so by looking around I found out that by going to the folder that was hosting the .php pages, I could find a list of all the .php files.
Each one had similar redirects hopping onto a number of pages.
I’ve resolved this simply by opening those .php files, and writing on a note all the characters until I’ve found the complete flag.
It would have been quicker to automate it using a script that would read the response of the page, but doing it manually it wasn’t that hard and overall it didn’t take much to get the full flag.
Burp Suite: https://portswigger.net/burp
This one was also simple to resolve on a theoretical level but I couldn’t actually do it because I lack the scripting capabilities that this CTF required.
When logging in into the server I was greeted with a multiple-choice menu. The first option was a simple ‘About us’ message, and the fourth option wasn’t available.
The bulk of the challenge was the Login function, where I could try to login as ‘admin’.
The system would require 3 characters taken at random from the whole password, and it would provide a ‘WRONG’ or ‘CORRECT’ answer for each one of those.
So the solution was simply to prepare a script that would insert characters in that menu, and grab the ones that would return a CORRECT answer, collating all of them on a file, and looping until the whole password was found (or when by chance 3 correct characters would have been entered).
I’ve started to build a script in Python for this task but realized that it was taking up too much of my time, and with just 6 hours left before the end of CTF, I didn’t want to spend a lot of time developing this script.
In the end, I’ve checked a write up of this challenge from someone that resolved it just to confirm that my insight was correct. So hopefully by the next time that I will find a similar challenge my Python skills have improved at a level that would help me complete a task like this without taking too much time.
These were the challenges I completed (except for Impartial) from the categories ‘Steganography’ and ‘Scripting’.
You can find the other two parts of the writeups at the following links:
Part 1: HacktivityCon CTF 2020 – Web Writeups
Part 3: HacktivityCon CTF 2020 – Mixed categories Writeups