Saturday, October 22, 2016

Hack You SPb 2016 - Stegano 300 writeup

This task is by Vlad Roskov (vos) and is called Gemorroy (i.e. Hemorrhoid).
We are given a PNG image:


I've written a simple Python script to get all IDAT blocks from the PNG image and decompress them (Python 3 version; the chunk type and data are handled as bytes).

import struct
import zlib

with open('steg300_where_8c7f6f7.png', 'rb') as f:
    data = f.read()

# get all IDAT blocks
idats = []
while True:
    idat_pos = data.find(b'IDAT')
    if idat_pos < 0:
        break
    # the chunk length is stored as 4 big-endian bytes right before the chunk type
    size = struct.unpack('>I', data[idat_pos - 4:idat_pos])[0]
    idats.append(data[idat_pos + 4:idat_pos + 4 + size])
    data = data[idat_pos + 4:]

# concat all blocks into one zlib stream
idats_str = b''.join(idats)

# decompress IDAT blocks
d = zlib.decompressobj()
print(d.decompress(idats_str))

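As an added example (not part of the original writeup), a stricter version of the same idea: walk the PNG chunks by their declared lengths and CRCs instead of searching for the string "IDAT" (which could also occur inside compressed data), then use the IHDR geometry to isolate the bytes in the zlib stream that no scanline accounts for, which is exactly where the hidden payload sits in this task. The sample PNG and its trailer are constructed inline; the CTF image itself is not embedded.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'
# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def iter_chunks(png):
    """Walk chunks by their declared lengths and verify each CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError('not a PNG file')
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack('>I4s', png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack('>I', png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError('bad CRC in %r chunk' % ctype)
        yield ctype, body
        pos += 12 + length


def find_trailing_data(png):
    """Return the bytes in the zlib stream that no scanline accounts for."""
    chunks = list(iter_chunks(png))
    ihdr = next(body for ctype, body in chunks if ctype == b'IHDR')
    width, height, depth, colour = struct.unpack('>IIBB', ihdr[:10])
    stride = (width * CHANNELS[colour] * depth + 7) // 8  # bytes per row of samples
    expected = height * (1 + stride)  # each row also carries one filter-type byte
    raw = zlib.decompress(b''.join(b for t, b in chunks if t == b'IDAT'))
    return raw[expected:]


def build_sample_png(trailer):
    """Constructed test input: a 2x2 red RGB image with `trailer` appended inside the zlib stream."""
    def chunk(ctype, body):
        return struct.pack('>I', len(body)) + ctype + body + struct.pack('>I', zlib.crc32(ctype + body))
    ihdr = struct.pack('>IIBBBBB', 2, 2, 8, 2, 0, 0, 0)  # width, height, depth, colour, comp, filter, interlace
    rows = (b'\x00' + b'\xff\x00\x00' * 2) * 2  # filter type 0 + two red pixels, two rows
    return PNG_SIG + chunk(b'IHDR', ihdr) + chunk(b'IDAT', zlib.compress(rows + trailer)) + chunk(b'IEND', b'')


if __name__ == '__main__':
    # constructed placeholder trailer standing in for the link hidden in the task image
    print(find_trailing_data(build_sample_png(b'http://example.invalid/next-step')))
```

Running it on the real task file only needs `find_trailing_data(open('steg300_where_8c7f6f7.png', 'rb').read())`.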

At the end of the decoded data we get the next part, a link: http://ctf.su/EggNog :)
The link leads to a high-frequency video showing a sequence of QR codes. So, we need to go deeper...
Using ffmpeg I've extracted all the frames from this video.
Then, using zbar, I've decoded all the QR codes. After concatenation I've got the following data string:
"\x52\x61\x72\x21\x1a\x07\x01\x00\x20\xb6\xfa\x11\x0a\x01\x05\x06\x04\x05\x01\x01\x80\x80\x00\x4f\x0b\x4a\x57\x24\x02\x03\x0b\xb0\x00\x04\xa4\x00\x20\x0c\x11\xcf\x47\x80\x1d\x00\x08\x66\x6c\x61\x67\x2e\x74\x78\x74\x0a\x03\x02\xb8\x9e\x9d\x22\x65\x29\xd2\x01\xc7\xb0\x2d\x24\x04\x42\xf8\x40\x33\xa5\x5a\x13\xb4\x7c\x83\x40\x32\x34\x2e\x88\x28\xb0\x2f\x44\x83\x7f\xcf\xd4\xd6\x47\x97\x4d\x79\x7d\x51\xd1\x9b\xe5\x0b\x21\xf8\xf6\xc2\x96\xc3\xa7\x08\xb9\x1d\x77\x56\x51\x03\x05\x04\x00"

The first four bytes are "Rar!", i.e. it is a RAR archive with flag.txt inside.
After extracting it I got the flag:
Flag: 57364N0_w1th1n_57364N0_1m_d0ne

2 comments:

  1. hi, could you help me with: using ffmpeg and extracting all the frames from this video. Thank you

    Replies
    1. I've used the following command to get all frames:
      ffmpeg -i steg300_video_375bee2.mp4 -vsync vfr frame-%05d.png

      and I've noticed that each frame with a QR code repeats 4 times.
      Therefore I've decoded frames 1, 5, 9, and so on.
