WPICTF 2020 Writeup(s)

Posted on 20 Apr 2020 by Aadi Bajpai

Last updated 20 Apr 2020 at 7:13 pm

A couple of days ago, a couple of other GCI winners and I decided to participate in the WPI CTF out of quarantine boredom. We ended up finishing #14, which I think was pretty great since we were all just doing it for fun.

This is a writeup for the Luna steganography challenge, because that's the one I found the most interesting.

Luna

They say the full moon makes people go crazy... hopefully this stego won't have the same effect on you!

Luna

So as you see, we start off with a Luna.tar.xz file, which on decompressing gives a Luna.tar file, which on further unzipping gives a file named 1.png and a zipped folder with two password-protected files: Just In Case.png and jut.

Clearly, we're supposed to start out with 1.png, which looks like nothing but an all-white image.

1.png

I ran the stegoveritas tool on it to examine further, and it printed a lot of metadata and EXIF info and carved out a couple of .zlib files. Interestingly, the metadata had 2 fields that stood out:

  1. StudyPhysician: awcIsALegendAndIHopeThisIsAStrongPasswordJackTheRipperBegone
  2. Description: oops, all #FFD2A4#

From the first, we have our password! The jut file seemed like absolute gibberish, while Just In Case.png was a screenshot from GIMP.

Just In Case

Looking at jut in a hex editor, the first 3 characters were interesting: BPS

Upon googling, I found that a .bps file is one used to patch ROMs on SNES emulators and stuff, so I downloaded Flips, a patcher for BPS files.

I tried to patch jut on 1.png but welp, no dice.
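A BPS patch is tied to one exact source file: the format opens with the magic `BPS1` followed by variable-length source, target and metadata sizes, and closes with a 12-byte footer holding little-endian CRC32s of the source, the target and the patch itself. The Python sketch below is an added example, not part of the original writeup or of Flips; it reads those fields so a candidate source can be checked before patching, and `make_sample_patch` builds a constructed sample patch rather than the challenge's `jut` file.

```python
import struct
import zlib

def read_varint(buf, pos):
    """Decode one BPS variable-length number; return (value, next_pos)."""
    value, shift = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * shift
        if byte & 0x80:          # high bit marks the final byte
            return value, pos
        shift <<= 7
        value += shift

def write_varint(n):
    """Inverse of read_varint, used only to build the constructed sample."""
    out = bytearray()
    while n >= 0x80:
        out.append(n & 0x7F)
        n = (n >> 7) - 1
    return bytes(out) + bytes([0x80 | n])

def parse_bps(patch):
    """Return header sizes and footer CRC32s of a BPS patch."""
    if len(patch) < 19 or patch[:4] != b"BPS1":
        raise ValueError("not a BPS1 patch")
    pos = 4
    source_size, pos = read_varint(patch, pos)
    target_size, pos = read_varint(patch, pos)
    metadata_size, pos = read_varint(patch, pos)
    source_crc, target_crc, patch_crc = struct.unpack("<III", patch[-12:])
    return {"source_size": source_size, "target_size": target_size,
            "metadata_size": metadata_size, "source_crc": source_crc,
            "target_crc": target_crc,
            "patch_intact": zlib.crc32(patch[:-4]) == patch_crc}

def source_matches(patch, candidate):
    """True only if candidate is byte-for-byte the file the patch was made from."""
    info = parse_bps(patch)
    return (info["patch_intact"] and len(candidate) == info["source_size"]
            and zlib.crc32(candidate) == info["source_crc"])

def make_sample_patch(source, target):
    """Constructed sample: header, one TargetRead action carrying the target, footer."""
    body = b"BPS1" + write_varint(len(source)) + write_varint(len(target)) + write_varint(0)
    body += write_varint(((len(target) - 1) << 2) | 1) + target
    body += struct.pack("<II", zlib.crc32(source), zlib.crc32(target))
    return body + struct.pack("<I", zlib.crc32(body))
```

Calling `source_matches` with the bytes of a patch and of a candidate image tells you whether that image is the source the patch expects; any re-export that changes a single byte changes the CRC32 and the check fails.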

Circling back, we hadn't yet used the 2nd line from the metadata nor Just In Case.png, so it has to have something to do with those.

"oops, all #FFD2A4#" seems to imply that the image shouldn't be all white but the hex color #FFD2A4, and Just In Case.png has specific export instructions. So I ssh into a Linux server with X11 to use GIMP (yes, I am a Windows pleb) and when that was too slow I just ask a friend on Linux. After those operations, our new 1.png looks like this:

New 1.png

Now we patch jut on top of this and voila!

flag ez

WPI{M00N_mOOn}

Honestly, this was a pretty involved challenge and Justin really did a great job with this, so props for that. I would even recommend his other challenge, Remy's Epic Adventure 2: Electric Boogaloo, but I'm gonna procrastinate on writing that writeup lol.