write-ups-challenges-2023-2024/russianGOST/SOLUTION.md
2023-11-28 16:24:59 +01:00


Difficulty

Medium

Category

Steganography

How To Solve

When trying to unzip targetspec.zip, you are asked to enter a password. Since you don't know the password at this point, and brute force would take far too long, you should look into another file first. At first glance, you might want to just translate the intercepted.txt file. However, you will notice that the translation is nonsense, because these words aren't correct Russian words. If you look carefully, you might see that the last character is capitalized. A capital letter may indicate the beginning of a sentence, but is never used at the end of a word. The punctuation placement is also abnormal. From this we can conclude that we need to reverse all the characters to make sense of the text. Use the rev command.

> rev intercepted.txt
Удостоверьтесь, что название этого гребаного целевого города не утекло. Иностранцы никогда не должны иметь доступ к целевым спецификациям блять. Я также удалил парольную фразу с изображения кузнечика, потому что все время ее забываю

This can be translated into:

Make sure the name of the ******* target city doesn't get leaked. Foreigners should never have access to target specifications ****. I also removed the passphrase from the grasshopper image because I keep forgetting it

From this you can deduce that the password of the targetspec.zip archive might have something to do with the target city. If you now look into the information.txt file, you see that the target city is unknown, but the name of the exact location is known! Look up this location on the internet, and you will find the name of the city: Pennsylvania. With this password, you can unzip targetspec.zip.

When listing the files in the decompressed folder with a simple ls, you can see 6 images of the target location. However, there is 1 other image hidden in the folder. Use ls -a to show hidden files. The .grasshopper.jpg should now be listed. This is a picture of the target person. This image contains some hidden information. Use the steghide tool to reveal that information:

> steghide extract -sf .grasshopper.jpg
Enter passphrase:
wrote extracted data to "realname".

The realname file will contain the following text:

Настоящее имя цели зашифровано в картинке парковки, начиная с байта 1807996.

This translates to:

The real name of the target is encrypted in the parking picture, starting from byte 1807996.

To look for the encrypted bytes in the parking picture, use the following command:

> hexdump -s 1807996 -n 100 -C target_parking.jpg
001b967c  36 65 65 31 39 64 34 61  63 37 31 64 35 63 62 38  |6ee19d4ac71d5cb8|
001b968c  31 35 32 31 64 36 61 33  34 63 65 30 62 36 61 63  |1521d6a34ce0b6ac|
001b969c  31 36 35 38 37 36 31 63  64 64 64 34 36 35 36 64  |1658761cddd4656d|
001b96ac  35 64 37 33 64 32 63 33  66 31 62 38 33 38 64 31  |5d73d2c3f1b838d1|
001b96bc  a8 a1 99 d3 7a 89 84 7e  43 97 47 c8 e3 8f dc d3  |....z..~C.G.....|
001b96cc  3e ca 24 ef fc 88 e3 fb  28 18 9e 34 94 6c 41 32  |>.$.....(..4.lA2|
001b96dc  a6 d4 09 90                                       |....|
001b96e0

You're almost there! You can see a sequence of hexadecimal characters (6ee19d4ac71d5cb81521d6a34ce0b6ac1658761cddd4656d5d73d2c3f1b838d1), which together form an encrypted version of the flag. To determine what encryption algorithm has been used (and thus how decryption needs to be done), go back to the information.txt file. Important items in this file are the operation name G(H)OST and the code name of the targeted person, grasshopper. If you look up GOST and grasshopper, you might already find the algorithm you need. The translation of grasshopper in Russian is Кузнечик, which is the original name of the encryption algorithm. GOST is the name of the standard of the Russian Federation in which this algorithm was defined. Using CyberChef, you can decrypt the code to get the flag, containing the name of the targeted victim.
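The hexdump step can also be scripted. The following is an added example, not part of the original write-up: it carves the run of ASCII hex digits found at a given byte offset and checks that it decodes to whole 128-bit Kuznyechik blocks before it is pasted into a decryption tool. The function names, the sample buffer and its offset are constructed for illustration; the hex string and the trailing bytes are the ones shown in the hexdump above.

```python
import binascii
import string

KUZNYECHIK_BLOCK = 16  # Kuznyechik (GOST R 34.12-2015) works on 128-bit blocks
HEX_CHARS = set(string.hexdigits.encode())


def carve_hex_run(data: bytes, offset: int, max_len: int = 4096) -> bytes:
    """Decode the run of ASCII hex digits that starts at `offset` in `data`."""
    if not 0 <= offset < len(data):
        raise ValueError("offset lies outside the file")
    window = data[offset:offset + max_len]
    end = 0
    # Stop at the first byte that is not an ASCII hex digit (binary image data).
    while end < len(window) and window[end] in HEX_CHARS:
        end += 1
    if end % 2:
        raise ValueError("odd number of hex digits, run is probably misaligned")
    return binascii.unhexlify(window[:end])


def split_blocks(ciphertext: bytes, block: int = KUZNYECHIK_BLOCK) -> list:
    """Split ciphertext into cipher blocks; reject empty or partial input."""
    if not ciphertext or len(ciphertext) % block:
        raise ValueError("ciphertext is not a whole number of cipher blocks")
    return [ciphertext[i:i + block] for i in range(0, len(ciphertext), block)]


# Constructed sample: JPEG-like filler, then the hex text and the first
# binary bytes that follow it in the hexdump of target_parking.jpg.
PAGE_HEX = b"6ee19d4ac71d5cb81521d6a34ce0b6ac1658761cddd4656d5d73d2c3f1b838d1"
FILLER = b"\xff\xd8\xff\xe0" + b"\x00" * 60
SAMPLE = FILLER + PAGE_HEX + bytes.fromhex("a8a199d37a89847e")
SAMPLE_OFFSET = len(FILLER)  # constructed; the real file uses 1807996

if __name__ == "__main__":
    blocks = split_blocks(carve_hex_run(SAMPLE, SAMPLE_OFFSET))
    for i, blk in enumerate(blocks):
        print(f"block {i}: {blk.hex()}")
```

For the real file, read target_parking.jpg in binary mode and pass 1807996 as the offset.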

Flag

IGCTF{Oleksiy_Shevchenko}