write-ups-challenges-2023-2024/memejohn/SOLUTION.md

51 lines
3.1 KiB
Markdown
Raw Permalink Normal View History

2023-11-28 15:24:59 +00:00
## Difficulty
Easy
## Category
Stegenography
## How To Solve
When trying to unzip `hahah.zip`, you need to enter a password. Since no other files are provided, you will need to brute-force the password. You may have noticed the hint in the challenge description, saying that John is often called 'John The Zipper'. This refers to the open source password cracking tool 'John The Ripper'. Using the `zip2john` command, you can obtain the password hash. If you then use `john` with that hash, it will crack the password.
```
> zip2john hahah.zip > hash.txt
ver 2.0 efh 5455 efh 7875 hahah.zip/hahah.johnmeme PKZIP Encr: TS_chk, cmplen=1157853, decmplen=1158716, crc=AA183960 ts=53A1 cs=53a1 type=8
> john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
1652 (hahah.zip/hahah.johnmeme)
1g 0:00:00:00 DONE 3/3 (2023-10-31 10:33) 1.136g/s 2289Kp/s 2289Kc/s 2289KC/s rrg84..cybo07
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Use the password (`1652`) to unzip the file. You now have access to the contained file, called `hahah.johnmeme`. Since this is a somewhat weird extension, you'll have to figure out the file type.
```
> file hahah.johnmeme
hahah.johnmeme: PNG image data, 640 x 642, 8-bit/color RGBA, non-interlaced
```
If you open the file, you can see that it is indeed an image. However, the flag is still not captured. Also, it is not hidden in this image. Where else can it be?
To continue, you have to find out that the `hahah.johnmeme` contains more than only an image. To uncover all embedded data types, you can use a tool called `binwalk`.
```
> binwalk hahah.johnmeme
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 640 x 642, 8-bit/color RGBA, non-interlaced
140 0x8C Zlib compressed data, best compression
436168 0x6A7C8 gzip compressed data, has original file name: "hahah.xcf", from Unix
```
Besides a PNG image, this file appears to also contain Zlib end gzip compressed data. You can ignore the Zlib data, since this is associated with the PNG image. However, the gzip compressed data looks interesting as the original filename was `hahah.xcf`. If you now use the same command, but with `-e`, the data will be extracted from the `hahah.johnmeme` file to the `_hahah.johnmeme.extracted` folder.
In this folder, you can see the `hahah.xcf` file (notice that you don't have to unzip the .gz file anymore). XCF is the native image format of GIMP. Open the file in GIMP and you will see the same meme. Go to `Colors > Brightness-Contrast`, decrease the Brightness all the way down, and increase the Contrast all the way up. The flag should now be visible.
![screenshot](screenshot.png)
## Flag
`IGCTF{ZiPz!p}`