Official Write-Up for the Lucky Panther CTF TryHackMe Private Room

maz4l - Aug 22 - Dev Community

Task 1: Download the Image

Room link

Users can also join this room by going to their My Rooms page and entering luckypantherctf

Start by downloading the provided image file.


Task 2: Investigate the Image

Question 1: What Did You Find in the Picture?

To get started, you can try online tools such as aperisolve, stegano ... But I'll skip this part and move on to the terminal.

First, let's try a few commands:

file <file.name>
strings <file.name>
exiv2 <file.name>
binwalk -e <file.name>

And now closer to the point, use the steghide tool to analyze the image:

steghide info luckypanther.jpg

Output:

"luckypanther.jpg":
format: jpeg
capacity: 28.7 KB
Try to get information about embedded data? (y/n) y
Enter passphrase:

Since a passphrase is required, we need to find it. Let’s try StegSeek with the rockyou.txt wordlist:

stegseek luckypanther.jpg /usr/share/wordlists/rockyou.txt -

StegSeek successfully finds the passphrase:

StegSeek 0.6 
[i] Found passphrase: "$pxxxxxxxxxx"

Next, extract the hidden file using steghide:

steghide extract -sf luckypanther.jpg

Enter the passphrase "$pxxxxxxxxxx" to extract the embedded file, which is forest.zip.

Answer: forest.zip

Question 2: What is Your Second Find?

Let’s unzip the forest.zip file:

unzip forest.zip

Output:

Archive:  forest.zip
forest.zip: deepforest.pdf password:

The forest.zip file is password-protected. To crack it, use fcrackzip:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt forest.zip

After running the command, we find the password:

PASSWORD FOUND!!!!: pw == dexxxxxxxx

Unzipping with the password dexxxxxxxx reveals the deepforest.pdf file.

Answer: deepforest.pdf

Question 3: What is Hiding in the Deep Forest?

Opening deepforest.pdf requires a password. To crack it, first extract the hash using pdf2john:

/usr/share/john/pdf2john.pl deepforest.pdf > deepforesthash

Then, use John the Ripper to crack the hash:

john --format=PDF --wordlist=/usr/share/wordlists/rockyou.txt deepforesthash

John successfully cracks the password:

good-luck (deepforest.pdf)

Alternatively, you can use Hashcat. First, edit the hash file by removing the "deepforest.pdf:" prefix from the start of the line, and save the result as deepforesthash2.

To crack the hash with Hashcat:

hashcat -m 10500 deepforesthash2 -a 0 /usr/share/wordlists/rockyou.txt

Hashcat confirms the password is good-luck.

Now, open deepforest.pdf with the password good-luck to reveal the first flag.

Answer: GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_xxxxxxxxx}

Task 3: What is the Flag?

Just a little more deciphering left.

Are you in the Deep Forest?

Question: What is the Flag?

We have the flag string from Task 2:

GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_xxxxxxxxx}

Using the Cipher Identifier tool at dCode, we identify it as a ROT13 cipher.

Click on ROT-13 Cipher and decrypt the string:

We can decode it directly using ROT13, or by using CyberChef with the ROT13 function.
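
An offline alternative to the dCode and CyberChef steps, as an added example that is not part of the original write-up: it derives the rotation from the known THM flag prefix instead of guessing the cipher, then applies it while leaving digits and symbols untouched. The function names and the second sample string are constructed for illustration, and the code generalizes to any Caesar shift, not only 13.

```python
from string import ascii_lowercase, ascii_uppercase


def recover_shift(ciphertext, crib="THM"):
    """Return the shift mapping the start of ciphertext onto crib.

    Returns None when the crib letters disagree on the shift, which means
    the text is not a single-shift (Caesar/ROT) cipher.
    """
    if len(ciphertext) < len(crib):
        return None
    shifts = set()
    for c, p in zip(ciphertext, crib):
        if c not in ascii_uppercase or p not in ascii_uppercase:
            return None
        shifts.add((ord(p) - ord(c)) % 26)
    return shifts.pop() if len(shifts) == 1 else None


def caesar(text, shift):
    """Rotate ASCII letters by shift; digits and symbols pass through."""
    out = []
    for ch in text:
        if ch in ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def decode_flag(ciphertext, crib="THM"):
    """Decode ciphertext using the shift implied by the known flag prefix."""
    shift = recover_shift(ciphertext, crib)
    return None if shift is None else caesar(ciphertext, shift)


if __name__ == "__main__":
    prefix = "GUZ{U!_U4px3e!"      # visible start of the encoded flag from Task 2
    constructed = "WKP{vdpsoh}"    # constructed sample: THM{sample} rotated by 3
    for sample in (prefix, constructed, "GUA{abc}"):
        print(sample, recover_shift(sample), decode_flag(sample))
```
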


Answer: THM{H!_H4ck3r!_xxx_xxx_xx_xxx_xxxx_xxxxxxx_C0ngr4t$!}

Great! Happy Hacking!
