Task 1: Download the Image
Room link
Users can also join this room by going to their My Rooms page and entering luckypantherctf
Start by downloading the provided image file.
Task 2: Investigate the Image
Question 1: What Did You Find in the Picture?
To get started, you can try using online tools. Such as:aperisolve, stegano ... . But I'll skip this part and move on to the terminal.
Just now let's try commands:
file
strings
exiv2 <file.name>
binwalk -e <file.name>
And now closer to the point, use the steghide tool to analyze the image:
steghide info luckypanther.jpg
Output:
"luckypanther.jpg":
format: jpeg
capacity: 28.7 KB
Try to get information about embedded data? (y/n) y
Enter passphrase:
Since a passphrase is required, we need to find it. Let’s try StegSeek with the rockyou.txt
wordlist:
stegseek luckypanther.jpg /usr/share/wordlists/rockyou.txt -
StegSeek successfully finds the passphrase:
StegSeek 0.6
[i] Found passphrase: "$pxxxxxxxxxx"
Next, extract the hidden file using steghide
:
steghide extract -sf luckypanther.jpg
Enter the passphrase "$pxxxxxxxxxx"
to extract the embedded file, which is forest.zip
.
Answer: forest.zip
Question 2: What is Your Second Find?
Let’s unzip the forest.zip
file:
unzip forest.zip
Output:
Archive: forest.zip
forest.zip: deepforest.pdf password:
The forest.zip
file is password-protected. To crack it, use fcrackzip:
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt forest.zip
After running the command, we find the password:
PASSWORD FOUND!!!!: pw == dexxxxxxxx
Unzipping with the password dexxxxxxxx
reveals the deepforest.pdf
file.
Answer: deepforest.pdf
Question 3: What is Hiding in the Deep Forest?
Opening deepforest.pdf
requires a password. To crack it, first extract the hash using pdf2john
:
/usr/share/john/pdf2john.pl deepforest.pdf > deepforesthash
Then, use John the Ripper to crack the hash:
john --format=PDF --wordlist=/usr/share/wordlists/rockyou.txt deepforesthash
John successfully cracks the password:
good-luck (deepforest.pdf)
Alternatively, you can use Hashcat. First, edit the hash file by removing deepforest.pdf:
from the start, and save it as deepforesthash2
.
To crack the hash with Hashcat:
hashcat -m 10500 deepforesthash2 -a 0 /usr/share/wordlists/rockyou.txt
Hashcat confirms the password is good-luck
.
Now, open deepforest.pdf
with the password good-luck
to reveal the first flag.
Answer: GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_xxxxxxxxx}
Task 3: What is the Flag?
Just a little more deciphering left.
Are you in the Deep Forest?
Question: What is the Flag?
We have a flag example from Task 2:
GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_xxxxxxxxx}
Using the Cipher Identifier tool at dCode, we identify it as a ROT13 cipher.
click on ROT-13 Cipher and decrypt srting:
We can decode it directly using ROT13, or by using CyberChef with the ROT13 function.
Answer: THM{H!_H4ck3r!_xxx_xxx_xx_xxx_xxxx_xxxxxxx_C0ngr4t$!}
Great! Happy Hacking!