Challenge Description

Danish (original)

ÅH NEJ!! Jætterne har ændret Odins katte billeder, Odin er dybt bedrøvet over dette og forlanger at dette udbedres. Derfor har han bedt os undersøge, hvad jætterne har gjort ved hans katte.

English (from ChatGPT)

Oh no!! The giants have altered Odin’s cat pictures, and Odin is deeply saddened by this and demands that it be fixed. Therefore, he has asked us to investigate what the giants have done to his cats.

File

We are also given the following file:

Solution

The zip file is password protected, so we need to brute-force the password with John the Ripper, using the rockyou.txt wordlist:

$ unzip cat.zip
Archive:  cat.zip
[cat.zip] cat1.jpg password:

$ zip2john cat.zip > hash
[expunged for readability]

$ john --wordlist=rockyou.txt hash
[puter:16837] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.puter.1000/jf.0/846856192/shared_mem_cuda_pool.hibari could be created.
[puter:16837] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thor123          (cat.zip)
1g 0:00:00:00 DONE (2024-12-17 20:03) 25.00g/s 3276Kp/s 3276Kc/s 3276KC/s 022179..korn13
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ unzip cat.zip
Archive:  cat.zip
[cat.zip] cat1.jpg password:
  inflating: cat1.jpg
  inflating: cat2.jpg
  inflating: cat3.jpg
  inflating: cat4.jpg
  inflating: cat5.jpg

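Looking at the images, we can figure out that cat4.jpg has a base64-encoded password in the Comment tag that exiftool reports, and that cat5.jpg is actually also a zip file, with the archive sitting after the JPEG data. Opening that archive with the decoded password gives us cat6.jpg: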

$ exiftool cat4.jpg
[expunged for readability]
Thumbnail Offset                : 2636
Thumbnail Length                : 5632
Comment                         : IUhlbW1lbGlndF9Lb2Rlb3JkMTMyNA==
Image Width                     : 2580
Image Height                    : 1720
[expunged for readability]

$ echo "IUhlbW1lbGlndF9Lb2Rlb3JkMTMyNA==" | base64 -d
!Hemmeligt_Kodeord1324

$ file --keep-going cat5.jpg
cat5.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1440x1137, components 3\012-  Zip archive, with extra data prepended\012- data

$ unzip cat5.jpg
Archive:  cat5.jpg
warning [cat5.jpg]:  273423 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[cat5.jpg] cat6.jpg password:
  inflating: cat6.jpg
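
As an added example (not part of the original writeup), this Python code shows how the "extra bytes at beginning" figure that unzip reports for cat5.jpg follows from the ZIP End of Central Directory record, which is a quick way to flag image files that carry an appended archive. The function names are hypothetical, the sample JPEG stub and archive are constructed in memory (unencrypted, unlike the challenge file), and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory (EOCD) signature
EOCD_MIN = 22             # fixed EOCD size without the trailing comment

def find_appended_zip(data: bytes):
    """Return (prepended_bytes, member_names) if data holds a ZIP, else None."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or len(data) - pos < EOCD_MIN:
        return None
    # EOCD fields at +12: central directory size, then its recorded offset
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    # The central directory ends where the EOCD starts; any gap between the
    # recorded and actual position is data placed in front of the archive.
    prepended = pos - (cd_offset + cd_size)
    if prepended < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return prepended, zf.namelist()
    except zipfile.BadZipFile:
        return None

def is_jpeg_zip_polyglot(data: bytes) -> bool:
    """True when a file starts as a JPEG but also parses as a ZIP archive."""
    hit = find_appended_zip(data)
    return data[:2] == b"\xff\xd8" and hit is not None and hit[0] > 0

def build_sample():
    """Constructed sample: a stub JPEG with a one-member ZIP appended."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cat6.jpg", b"constructed placeholder bytes")
    return jpeg, jpeg + buf.getvalue()

if __name__ == "__main__":
    jpeg, polyglot = build_sample()
    print(find_appended_zip(polyglot))
    print(is_jpeg_zip_polyglot(jpeg))
```

The member list comes from the central directory, so it can be read even when the entries themselves are password protected.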

Running stegseek --seed on cat6.jpg, we can see that there is hidden data in it:

$ stegseek --seed cat6.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found (possible) seed: "30d194e1"
        Plain size: 55.7 KB (compressed)
        Encryption Algorithm: rijndael-128
        Encryption Mode:      cbc

The passphrase can be found on the cat's chest: cat_7_is_my_favorite

$ steghide extract -sf cat6.jpg
Enter passphrase:
wrote extracted data to "cat7.png".

And I got the flag from cat7.png by using Steganography Online: FDCA{den_danser_tango}