picoCTF 2021 writeup - Information

'Information' is an easy forensics task.

Before we take a look at this challenge, I want to clear things up in case you don't know what forensics means.

What is forensics?

In a CTF/Hacking context, forensics can include:

  • file format analysis
  • steganography
  • memory dump analysis
  • network packet capture analysis

To be more precise: any challenge where you examine static data files and extract a hidden piece of information from them.

Getting information

The challenge description already contains a little hint:

    Files can always be changed in a secret way.

We get to download a file called cat.jpg.

The first and most obvious thing to do is to take a look at this image.

 
When I first opened this image, I thought the challenge might already be over:
behind the cat is an open terminal, and I half expected the flag to be in it.
Turns out, no.

In my previous post, we changed the file extension of a PHP file to .jpg.
So it is good practice to confirm even the obvious information you have.

Using the file command (I don't know of any Windows equivalent) shows us some metadata about the file:

cat.jpg: JPEG image data, JFIF standard 1.02,
aspect ratio, density 1x1, segment length 16,
baseline, precision 8, 2560x1598, components 3
 
This confirms that the file really is a JPEG image, and nothing at this level hints at hidden content.

The next step is to take a look at the image data itself.
Images can be manipulated so that strings or encrypted data are written into the image data.
 
To dump the image data, I used strings, a standard Linux command-line tool.
It prints every sequence of printable characters found in the given file.

When I first tried this, I made a mistake: I had overlooked a useful piece of information.
The image is pretty big (2560x1598), so there is a lot of data, and therefore a lot of strings, to output.

My mistake was to scroll ... and scroll ... and scroll to get back to the beginning of the output.
So, in order not to scroll myself to death, I printed all the strings again, but this time I piped
the output to less.
This command displays the contents of a file or of a command's output one page at a time.
 
    strings cat.jpg | less

Its output was:
 
JFIF
0Photoshop 3.0
8BIM
PicoCTF
http://ns.adobe.com/xap/1.0/
<?xpacket begin='
' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 10.80'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about=''
xmlns:cc='http://creativecommons.org/ns#'>
<cc:license rdf:resource='cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'/>
</rdf:Description>
<rdf:Description rdf:about=''
xmlns:dc='http://purl.org/dc/elements/1.1/'>
<dc:rights>
<rdf:Alt>
<rdf:li xml:lang='x-default'>PicoCTF</rdf:li>
</rdf:Alt>
</dc:rights>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
 
This looks promising.
The first thing that caught my attention was the string 'PicoCTF', so I knew I was
on the right track.
The URLs are irrelevant: they are the real, well-known XML namespace URLs. Quick tip: don't click on http links! :D
 
Secondly, I noticed the cc:license element, whose rdf:resource attribute does not hold a URL but an encrypted or encoded value.
Since this is an easy task, I tried decoding it as base64 (which is more or less the standard encoding
in easy to medium challenges).
 
     echo cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9 | base64 -d
 
Well ... this was the flag!

    picoCTF{the_m3tadata_1s_modified}
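
As an added example (not part of the original writeup), here is a small Python script that does the same thing without scrolling through strings output: it walks the JPEG marker segments, pulls the XMP packet out of the APP1 segment, parses it with the standard library, and strictly base64-decodes every cc:license rdf:resource it finds. The sample JPEG is constructed inline from the XMP packet shown above; cat.jpg itself is not embedded, and the segment walker would be run on the real file in the same way.

```python
import base64
import struct
import xml.etree.ElementTree as ET

XMP_NS = b"http://ns.adobe.com/xap/1.0/\x00"          # APP1 XMP identifier (null-terminated)
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
CC = "{http://creativecommons.org/ns#}"

def xmp_packets(data: bytes):
    """Walk the JPEG marker segments and yield the payload of every APP1 XMP segment."""
    pos = 2                                            # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI / SOS: metadata segments are over
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(XMP_NS):
            yield payload[len(XMP_NS):]
        pos += 2 + length

def license_resources(xmp: bytes):
    """Return the rdf:resource attribute of every cc:license element in an XMP packet."""
    root = ET.fromstring(xmp)
    return [el.get(RDF + "resource", "") for el in root.iter(CC + "license")]

def try_base64(value: str):
    """Decode strictly (alphabet check plus exact round-trip); None if the value is not base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    if not raw or base64.b64encode(raw).decode() != value:
        return None
    return raw.decode("utf-8", errors="replace")

def hidden_strings(data: bytes):
    """Every cc:license resource in the file's XMP that decodes cleanly from base64."""
    return [d for xmp in xmp_packets(data) for d in map(try_base64, license_resources(xmp)) if d]

# Constructed stand-in for cat.jpg: SOI, one APP1 XMP segment with the packet from the writeup, EOI.
XMP_SAMPLE = b"""<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 10.80'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about='' xmlns:cc='http://creativecommons.org/ns#'>
<cc:license rdf:resource='cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'/>
</rdf:Description></rdf:RDF></x:xmpmeta>"""

def build_sample_jpeg(xmp: bytes) -> bytes:
    payload = XMP_NS + xmp
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload + b"\xFF\xD9"
```

Calling hidden_strings(open("cat.jpg", "rb").read()) on the real file prints the decoded license resource directly, and the round-trip check in try_base64 keeps ordinary URLs from being reported as false positives.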

Comments

  1. hi MikeFox,
    Thanks for it, I got there by googling the base64 string (also didn't think about decoding it as base64 ...). Also, my cat.jpg says:
    xmlns:cc='http://creativemons.org/ns#'> (see the typo)
