This is the data provided:

Challenge description

I suppose we’ll be searching for something hidden. We’re given a compressed file “invokeme.7z” (note the filename)… Inside, there is an image file (9.81 MB in size, pretty big).

I’m pretty confident at this point that this is a steganography challenge. The challenge description said that something was hidden for thousands of years, maybe it was referring to steganography’s history.

The first recorded uses of steganography can be traced back to 440 BC

Let's solve this. We'll be using Linux this time.

Note: most of the tools we'll be using here don't come preinstalled on Ubuntu, so you'll have to install them manually. I won't go over that process here.

My Ubuntu installation

.

First thing, I want to make sure that this file is indeed a JPG or JPEG image (the file extension isn't always true, you know..). Let's use Linux's file command.

“file” command

Confirmed! It’s a JPEG file.

Here’s our work plan:

  1. Inspect the image manually, maybe the flag is hidden somewhere, or a hint or so..
  2. Look up the Basic methods and tools used to hide data inside JPEG files
  3. Look up the Advanced methods and tools used to hide data inside JPEG files
  4. For each method/tool, check if any data was hidden inside our JPEG file using it
  5. Once we confirm the tool/method used, we’ll extract the hidden data accordingly

.

1- Manual image inspection

The image is pretty big (5184×3456) and has a lot of details, colors, lighting and stuff… So I couldn't make out anything useful from it.

2- Basic methods and tools used to hide data inside JPEG files

If you google "steganography tools", you will stumble across this wonderful collection of tools by Dominic Breuker.

The list of tools is pretty big, but we’re currently interested only in the tools that support hiding data in JPEG files, so our list will be shorter.

Let's start with the basic data-hiding methods (labelled "General screening tools" on the GitHub page).

List of general screening tools on the GitHub page above

A. Check the EXIF-metadata of our JPEG file using exiftool

using Exiftool

Nothing..

B. Check if other files are appended together… using binwalk

using Binwalk

Nope.. just our innocent JPEG file

C. Checking for interesting strings.. I’ll use the built-in strings command, and pipe its output to a grep command to give us the strings longer than 7 characters. And of course redirect that output to a text file.

Using “strings” command

List of strings > 6 characters inside the image file

Tried searching for “flag” or “fl4g” or “secret”…. Nothing.

D. Use “foremost” to scan the headers and look for any weird data structures..

Using “foremost”

Nothing..

E. Checking for image corruption using “identify”..

Using “identify”

Nope, looks fine.

That's it for the basic tools. Let's dig deeper 💀

3- Advanced methods and tools used to hide data inside JPEG files

We'll continue on our wonderful GitHub list.

A. Using stegdetect. Maybe it will find something

Using “stegdetect”

Negative.

B. Let's try stegoVeritas. It's a Python script that manipulates the given image using various filters to make some colours or elements in the picture stick out instead of blending in with the background.

all images output by “stegoveritas”

We now have 38 files. Let's skim through them quickly..

Something caught my eye..

Green filters used. Note the area inside the red rectangle

Blue filters used. Note the area inside the red rectangle

Yet the same spot doesn't look fishy at all in the original image

Nothing suspicious at all in the original image

Or even in one of the red-filtered images.

Using Red filters. The hidden text is blending with the background

Let's zoom in and see what's there

The hidden text in the normal image

The hidden text in a Blue filtered image

The hidden text in a Green filtered image

Sweet! Let's try this flag…

Incorrect flag.

Note that it says: “l3757ryh4rd3r”. That’s “LetsTryHarder” in leetspeak.

.

What to do now?

Two possibilities.. Either this sentence we found is a part of a multi-step challenge. Or this is just a distraction to throw us off.

Anyway, we'll continue. Let's check the rest of the tools..

I'll skip zsteg because it supports PNG & BMP only. I'll also skip stegbreak for now, because we don't have time for brute-forcing. Let's leave it as a last resort.

C. jphide/jpseek.

I tried it and got nothing

D. jsteg.

Using “jsteg”

Negative.

E. outguess from SSAK. It requires a password to decrypt the hidden data though, so I tried the word we found earlier, "l3757ryh4rd3r". But this tool didn't work for some reason. Let's leave it for now.

F. steghide. It also requires a password to decrypt the data. Let's see…

Using “steghide”

Win!! And guess what? The extracted text file is called "reinvoke.txt"… Remember this challenge's zip-file name?

name of the challenge’s zip file

Let's grab the flag from our new text file.

contents of reinvoke.txt

Hmmm… That doesn't look like the flag to me. And it doesn't contain the word "flag" or "fl4g" or anything. This has got to be some sort of ciphertext.

After staring at this text for a couple of minutes, I noticed that some "words" are repeated.

Some words are repeated in the text

Maybe a substitution cipher is used here.. Let's try all possibilities of the Caesar cipher on this text.

Testing all possible values of the Caesar cipher "key"

All results are meaningless

Nothing meaningful.

I was stuck here for a few minutes, then I decided to google the words that were repeated a couple of times in this text. After a couple of searches, I stumbled upon a website that has similar text in its HTML:

<div class="encrypted-content" style="display:none">
kAm“%96 FD6D 7@C 5C@?6 E649?@=@8J 8C@H 52:=J[” 96 D2:5]k^Am
</div>

Note that the "div" element's class is "encrypted-content". So this is some sort of encryption. Let's see how this website decrypts this…

Taking a quick look at the website's JS files, I noticed a file called "decrypt.js"

decrypt.js can be seen down there

Looks interesting, let's beautify it, copy it to Notepad++ and check it out with syntax highlighting.

decrypt.js after beautification and copying to Notepad++

It appears to be a jQuery file. But why was it named "decrypt.js"?

If we scroll to the end, we'll see a function called "unscramble". It appears to be modifying each character's Unicode value.

“unscramble” function inside decrypt.js

Let's try it on our text, then study it later. Copy it over to the developer console in the web browser.

Note that the ciphertext we want to decode contains line breaks, so we have to remove those first, because JS is picky about raw newlines inside a string literal.

Syntax error because there are newlines (\n) in the text from reinvoke.txt

I used a regex in Notepad++ to search & replace.

Search and replace all line feeds and carriage-returns (CRLF)

No errors now, sweet!

No errors

Let's try our decryption function 🤞

Defining our decryption function as b_unscramble( )

Calling b_unscramble( ) with our ciphertext

Boom! That's our flag right there: flag{d3v3l0p3d_f0r_74l3n75}

.

I’ll also explain the decryption function briefly:

The decryption function

Decryption steps:

  1. Create an empty string to store our decryption results in. (Line 2729)
  2. Grab the current character's Unicode value using the charCodeAt function, and store it in a local variable called nChar. (Line 2731)
  3. Make sure that nChar lies between 33 and 126 (the printable ASCII range: symbols like @#$%, lowercase and uppercase English letters, and digits). Otherwise, skip this character. (Line 2732)
  4. Add 14 to nChar (nChar - 33 + 47).
  5. Do a modulo operation on the result with 94 (result % 94).
  6. Add 33 to the result.
  7. Then grab the letter represented by the result value using the String.fromCharCode function.
  8. Add this letter to our output string created in step 1.
  9. Repeat.
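The nine steps above amount to a shift of 47 positions within the 94 printable ASCII characters, i.e. ROT47. Here is an added re-implementation of them (my own code, not the site's decrypt.js), run against the ciphertext line quoted from the website's HTML; it assumes that characters outside the 33..126 range (spaces, newlines, curly quotes) are copied through unchanged rather than dropped.

```javascript
// Added example: a clean re-implementation of the "unscramble" steps.
// Printable ASCII (33..126) is shifted by 47 within that 94-wide range;
// everything else is passed through unchanged (assumption, see lead-in).
function unscramble(text) {
  let out = "";                                    // step 1: result string
  for (let i = 0; i < text.length; i++) {
    const nChar = text.charCodeAt(i);              // step 2: code unit
    if (nChar < 33 || nChar > 126) {               // step 3: not printable ASCII
      out += text[i];                              // pass through (assumption)
      continue;
    }
    const shifted = ((nChar - 33 + 47) % 94) + 33; // steps 4-6
    out += String.fromCharCode(shifted);           // steps 7-8
  }
  return out;
}

// Because 47 is exactly half of 94, applying the shift twice gives back the
// original text: the same function both scrambles and unscrambles.
function roundTrip(text) {
  return unscramble(unscramble(text)) === text;
}

// Ciphertext lifted from the <div class="encrypted-content"> quoted above.
const SAMPLE = "kAm“%96 FD6D 7@C 5C@?6 E649?@=@8J 8C@H 52:=J[” 96 D2:5]k^Am";

console.log(unscramble(SAMPLE));
// The "kAm" / "k^Am" wrappers decode to the <p> and </p> tags around the quote.
console.log(roundTrip("flag{d3v3l0p3d_f0r_74l3n75}"));
```

Since non-printable characters are passed through, the newlines in reinvoke.txt would have survived the function unharmed; the syntax error seen earlier came from pasting a multi-line string literal into the console, not from the cipher itself.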

.
