A procedure for solving the problem of hidden writing in CTF

 

0x00 Preface

as a novice I would like to record what I have learned since I have been exposed to this kind of stuff for a few days now. the knowledge points required for this CTF include the contents of the image hidden,mp3 ,base64 decryption, pawn decryption, and possibly tools included Binwalk,mp3stego and so on.

Topic Links: Http://ctf5.shiyanbar.com/stega/apple.png

0x01 Temptation

these days I developed a habit, get the topic no matter 3,721 first to Kail above run a run. As a result, you can use the rich tools, and then expand the problem-solving ideas.

first of all. Command line input wget http://ctf5.shiyanbar.com/stega/apple.png

Download the picture. Such as:

The second step, using artifact binwalk analysis of a wave.

command Line input:binwalk apple.png

Get the following data, sure enough to have hidden information.

The third step is to separate the hidden information.

command Line input:binwalk-e apple.png

Get the following information:

Open all files found no useful information, the other side of the rar file Open is just the same as the outside Apple.mp3 file.

0x01 Find new Tool Mp3stego

It seems that the road is out of line. So go to the experiment and see the Great God's comments. Suddenly found a useful piece of information --to use the MP3 encryption and decryption tool. Baidu a wave found this tool seems to be used in the Windows platform. Words don't say much, to the Windows platform.

we already know that this picture of apple.png hides the MP3 file. So I simply right click on 360 unzip to open get the following file.

It suddenly occurred to me that I had used a call Wave editor software, so open the analysis wave. Such as.

It seems that there are two of audio, but this is not a fundamental analysis.

we still have to experiment. The software introduced by the Great God Mp3stego. Then download the extract to get the following file

tools under the good after a wave of usage in Baidu. Use the following:

1. that will be decoded first. Drag the MP3 file to the directory that contains the program Decode.exe

2. Open cmd Command window

Enter the CD C:\Users\2F28\Desktop\tools\MP3Stego_1_1_18\MP3Stego to switch to the directory that contains the Decode.exe.

3. Decoding using the Deconde program

use commands for: Decode.exe-x apple.mp3-p

P is followed by a password. I had to look back because I didn't find anything related to the password before. The image was found to be a two-dimensional code. Put it on the web and scan it to get the following information:

\u7f8a\u7531\u5927\u4e95\u592b\u5927\u4eba\u738b\u4e2d\u5de5

Obviously, this is a Unicode character. After decoding, get the following information:

Sheep by the Great Wangzhong

start unclear so, the result is entered Baidu, found that this is an encryption method called Pawn shop encryption. Immediately Baidu decryption results:9158753624

This should be the decryption password that was previously needed. call cmd to re-enter the command:

CD C:\Users\2F28\Desktop\tools\MP3Stego_1_1_18\MP3Stego

Re-enter the command:

Decode.exe-x apple.mp3-p 9158753624

this gives the result. The resulting output is named in the Apple.mp3.txt file. Open the contents of the file as

: q1rge3hpyw9fcgluz19ndw99

Obviously, this one is over-dense. Because Firefox directly has a base64 decryption plugin. So right-click to try

The result is: Ctf{xiao_ping_guo}. Complete!

A procedure for solving the problem of hidden writing in CTF