## Difficulty
Easy
## Category
Steganography
## How To Solve
When you try to unzip `hahah.zip`, you are prompted for a password. Since no other files are provided, you will need to brute-force it. The challenge description hints that John is often called 'John The Zipper', a reference to the open-source password cracking tool John the Ripper. Use the `zip2john` command to obtain the password hash, then run `john` on that hash to crack the password.

```
> zip2john hahah.zip > hash.txt
ver 2.0 efh 5455 efh 7875 hahah.zip/hahah.johnmeme PKZIP Encr: TS_chk, cmplen=1157853, decmplen=1158716, crc=AA183960 ts=53A1 cs=53a1 type=8

> john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
1652 (hahah.zip/hahah.johnmeme)
1g 0:00:00:00 DONE 3/3 (2023-10-31 10:33) 1.136g/s 2289Kp/s 2289Kc/s 2289KC/s rrg84..cybo07
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Use the password (`1652`) to unzip the file. You now have access to the contained file, called `hahah.johnmeme`. Since this is a somewhat weird extension, you'll have to figure out the file type.
```
> file hahah.johnmeme
hahah.johnmeme: PNG image data, 640 x 642, 8-bit/color RGBA, non-interlaced
```
If you open the file, you can see that it is indeed an image. However, the flag is still not captured. Also, it is not hidden in this image. Where else can it be?

To continue, you have to find out that `hahah.johnmeme` contains more than just an image. To uncover all embedded data types, you can use a tool called `binwalk`.

```
> binwalk hahah.johnmeme

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 640 x 642, 8-bit/color RGBA, non-interlaced
140           0x8C            Zlib compressed data, best compression
436168        0x6A7C8         gzip compressed data, has original file name: "hahah.xcf", from Unix
```
Besides a PNG image, this file also appears to contain Zlib and gzip compressed data. You can ignore the Zlib data, since it is associated with the PNG image. However, the gzip compressed data looks interesting, as its original filename was `hahah.xcf`. If you now use the same command, but with `-e`, the data will be extracted from the `hahah.johnmeme` file to the `_hahah.johnmeme.extracted` folder.

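
What the `binwalk` listing above reveals can also be checked by hand. The following is an added example, not part of the original write-up: it walks the PNG chunks to `IEND` and reads the gzip header of whatever follows to recover the stored original filename. It assumes the gzip stream is appended after the PNG's `IEND` chunk; the function names and the tiny sample file are constructed for illustration.

```python
import gzip, io, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + data + CRC
        if end > len(data):
            break
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def gzip_name(blob):
    """Return the FNAME field of a gzip member header, or None."""
    if len(blob) < 10 or blob[:3] != b"\x1f\x8b\x08":
        return None
    flags, pos = blob[3], 10
    if flags & 0x04:                     # FEXTRA: 2-byte length + payload
        pos += 2 + struct.unpack("<H", blob[pos:pos + 2])[0]
    if not flags & 0x08:                 # FNAME flag not set
        return None
    return blob[pos:blob.index(b"\0", pos)].decode("latin-1")

def inspect(data):
    """Return (offset, size, gzip original name) of data trailing the PNG."""
    end = png_end(data)
    return end, len(data) - end, gzip_name(data[end:])

def chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample():
    """Constructed input: a 1x1 RGBA PNG, alone and with a gzip member appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\0" * 5)      # filter byte + one RGBA pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND")
    buf = io.BytesIO()
    with gzip.GzipFile(filename="hahah.xcf", mode="wb", fileobj=buf) as gz:
        gz.write(b"constructed payload")
    return png, png + buf.getvalue()

if __name__ == "__main__":
    print([inspect(d) for d in sample()])
```

A non-zero trailing size on a file that `file` identifies as a plain PNG is the signal worth looking into; the gzip filename then tells you what kind of file to expect after extraction.
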
In this folder, you can see the `hahah.xcf` file (notice that you don't have to unzip the .gz file anymore). XCF is the native image format of GIMP. Open the file in GIMP and you will see the same meme. Go to `Colors > Brightness-Contrast`, decrease the Brightness all the way down, and increase the Contrast all the way up. The flag should now be visible.

![screenshot](screenshot.png)
## Flag
`IGCTF{ZiPz!p}`