The challenge is basically an MP3 steganography challenge. After examining the file, we came to the conclusion that there was nowhere else to hide the flag other than in the ID3 part of the file.
Now this is the part where losers are separated from winners. The RGB tags and the presentation of values in triplets make most people try to find a way to get an image, but they are actually just red herrings. The real clue here is the occurrence of NULL. It suggests the end of a message. After trying some conversions, I found out that "78-9c" (hex values of 120-156) was the signature of zlib-compressed data, and with that dloser was able to quickly recover the precious flag.
<dloser> >>> zlib.decompress('789ccb8ccf482c498d2f4d06c2f444002a9f05b7'.decode('hex'))
<dloser> 'i_hate_ucucuga'
Solving challenges is fun, and it's even more thrilling when there is a time limit. Oh, it is also good to be able to let everyone know how you solved them, not just limited to the solvers as on normal challenge sites.
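The recovery steps described above, written out as an added Python 3 example (not code from the original post): it flattens decimal triplets into bytes, stops at the NULL marker, checks the zlib header, and decompresses. The triplet layout, the `SAMPLE_TRIPLETS` values (constructed from the hex string quoted on this page) and all function names are assumptions.

```python
import zlib

# Constructed sample: decimal form of the hex string quoted on this page,
# grouped in triplets with a literal "NULL" token as terminator (assumed layout).
SAMPLE_TRIPLETS = [
    "120-156-203", "140-207-72", "44-73-141", "47-77-6",
    "194-244-68", "0-42-159", "5-183-NULL",
]

def triplets_to_bytes(triplets, sentinel="NULL"):
    """Flatten 'r-g-b' strings into bytes, stopping at the sentinel token."""
    out = bytearray()
    for triplet in triplets:
        for token in triplet.split("-"):
            if token == sentinel:
                return bytes(out)
            value = int(token)  # a numeric 0 is payload, not the terminator
            if not 0 <= value <= 255:
                raise ValueError(f"not a byte value: {token}")
            out.append(value)
    return bytes(out)

def looks_like_zlib(data):
    """RFC 1950 header: CM=8 (deflate), CINFO<=7, (CMF*256+FLG) % 31 == 0."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def recover(triplets):
    """Return (hex form of the blob, decompressed message)."""
    blob = triplets_to_bytes(triplets)
    if not looks_like_zlib(blob):
        raise ValueError("no zlib header at start of data")
    # zlib.decompress also verifies the trailing Adler-32 checksum
    return blob.hex(), zlib.decompress(blob)

if __name__ == "__main__":
    hex_form, message = recover(SAMPLE_TRIPLETS)
    print(hex_form)
    print(message.decode("ascii"))
```

The header test is what makes "78 9c" recognisable: 0x78 means deflate with a 32 KiB window, and 0x789c is divisible by 31 as the format requires.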
Hi there,
Can you explain for me, how can I convert and detect 78-9c was used by zlib? Where can I find exactly the secret string? I use OllyDbg to view this file, and ...
Take the numbers in the RGB tags and convert them to hex; you'll get 789ccb8ccf482c498d2f4d06c2f444002a9f05b7. The zlib decompression can be done using the code above (Python).
Thanks for your help! I will try this, have a nice day bro!