FDCA Xmas 2024 Day 6 - Hvor lagde du filerne, Thor?
Challenge Description
Danish (original)
Vi har modtaget kritisk efterretning fra Asgård: Jætterne har stjålet hemmelige dokumenter fra gudernes arkiver, og de planlægger at bruge informationerne til at ødelægge Yggdrasil én gang for alle. Det eneste spor vi har, er et billede fundet efterladt i en af Jætternes skjulte lejr. Odin mener, at dette billede kan indeholde skjulte data, der kan føre os til de stjålne dokumenter.
Din opgave er at undersøge billedet for skjulte informationer. Kan du finde ud af, hvad Jætterne har gemt? Jætterne har været snedige og sat flere forhindringer på vejen. Held og lykke, for Asgårds skæbne afhænger af dig!
English (from ChatGPT)
We have received critical intelligence from Asgard: The giants have stolen secret documents from the gods’ archives, and they plan to use the information to destroy Yggdrasil once and for all. The only clue we have is a picture found abandoned in one of the giants’ hidden camps. Odin believes that this picture may contain hidden data that could lead us to the stolen documents.
Your task is to examine the picture for hidden information. Can you figure out what the giants have concealed? The giants have been clever and placed several obstacles in the way. Good luck, for Asgard’s fate depends on you!
File
We are also given the following file:
Solution
We unzip the file and see that it contains a JPEG image called Yggdrasil.jpeg:
$ unzip Yggdrasil.zip
Archive: Yggdrasil.zip
inflating: Yggdrasil.jpeg
Since it is an image, steghide with an empty password is nearly always worth trying:
$ steghide extract -sf Yggdrasil.jpeg
Enter passphrase:
wrote extracted data to "SuperHemmeligt.zip"
Bingo!
The zip is sadly password protected:
$ unzip SuperHemmeligt.zip
Archive: SuperHemmeligt.zip
creating: SuperHemmeligt/
creating: SuperHemmeligt/Papirkurven/
creating: SuperHemmeligt/Papirkurven/HemmeligePlaner/
[SuperHemmeligt.zip] SuperHemmeligt/Papirkurven/HemmeligePlaner/Key.jpeg password:
So let's try to crack it with John the Ripper:
$ zip2john SuperHemmeligt.zip > hash
[expunged for readability]
$ john --wordlist=rockyou.txt hash
Created directory: /home/osiriz/.john
[hibari:26592] shmem: mmap: an error occurred while determining whether or not /tmp/ompi.hibari.1000/jf.0/404881408/shared_mem_cuda_pool.hibari could be created.
[hibari:26592] create_and_attach: unable to create shared memory BTL coordinating structure :: size 134217728
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ragnarok (SuperHemmeligt.zip)
1g 0:00:00:00 DONE (2024-12-06 13:59) 50.00g/s 819200p/s 819200c/s 819200C/s 123456..christal
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We can see that the password is ragnarok, so we can now extract the archive:
$ unzip SuperHemmeligt.zip
Archive: SuperHemmeligt.zip
[SuperHemmeligt.zip] SuperHemmeligt/Papirkurven/HemmeligePlaner/Key.jpeg password:
inflating: SuperHemmeligt/Papirkurven/HemmeligePlaner/Key.jpeg
inflating: SuperHemmeligt/Papirkurven/HemmeligePlaner/Mjolnir_Jail.jpeg
inflating: SuperHemmeligt/Papirkurven/HemmeligePlaner/Hemmelig_Plan.docx
inflating: SuperHemmeligt/Papirkurven/HemmeligePlaner/Dagger.jpeg
creating: SuperHemmeligt/ThorMemes/
inflating: SuperHemmeligt/ThorMemes/6po24.jpg
inflating: SuperHemmeligt/ThorMemes/47ay1sk2ub011.jpg
inflating: SuperHemmeligt/ThorMemes/1002098035-photo-u1.jpg
inflating: SuperHemmeligt/ThorMemes/images.jpg
inflating: SuperHemmeligt/ThorMemes/05c101f998e69cf5ae48b03cf8146cd7.jpg
inflating: SuperHemmeligt/ThorMemes/tumblr_8693791f74757b0a162ca0f23b1db2d7_941e022a_640.jpg
creating: SuperHemmeligt/KageOpskrifter til jul/
inflating: SuperHemmeligt/KageOpskrifter til jul/Kanelsnegle kage opskrift.docx
extracting: SuperHemmeligt/KageOpskrifter til jul/Drommekage.webp
inflating: SuperHemmeligt/KageOpskrifter til jul/Drommekage opskrift.docx
Reading SuperHemmeligt/Papirkurven/HemmeligePlaner/Hemmelig_Plan.docx, we learn that they are hiding data in metadata, so let's look at the metadata of the jpg image in the same folder:
$ exiftool SuperHemmeligt/Papirkurven/HemmeligePlaner/Mjolnir_Jail.jpeg
ExifTool Version Number : 13.05
File Name : Mjolnir_Jail.jpeg
Directory : SuperHemmeligt/Papirkurven/HemmeligePlaner
File Size : 37 kB
File Modification Date/Time : 2024:11:27 23:56:20+01:00
File Access Date/Time : 2024:11:28 00:05:58+01:00
File Inode Change Date/Time : 2024:12:06 14:01:05+01:00
File Permissions : -rw-rw-r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
XMP Toolkit : Image::ExifTool 12.76
Author : RkRDQXtteV9wcjNjMW91c19kNHQ0fQ==
Image Width : 1024
Image Height : 1024
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1024x1024
Megapixels : 1.0
The Author field looks like base64, so we decode it:
$ echo "RkRDQXtteV9wcjNjMW91c19kNHQ0fQ==" | base64 -d
FDCA{my_pr3c1ous_d4t4}
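The manual step above (spotting an odd Author value and decoding it) can be automated when triaging many files. The following is an added example, not part of the original writeup: it parses exiftool-style "Tag : Value" text and reports any tag whose value is strict base64 that decodes to printable ASCII. The function names and the 12-character minimum are assumptions chosen for illustration; the sample lines are taken from the exiftool output shown above.

```python
import base64
import binascii
import re

# Sample lines taken from the exiftool output above (trimmed to a few tags).
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name : Mjolnir_Jail.jpeg
MIME Type : image/jpeg
XMP Toolkit : Image::ExifTool 12.76
Author : RkRDQXtteV9wcjNjMW91c19kNHQ0fQ==
Image Size : 1024x1024
"""

# Base64 alphabet only, optional padding; short values are ignored to cut noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_if_base64(value):
    """Return decoded text if value is strict base64 of printable ASCII, else None."""
    if len(value) % 4 != 0 or not B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Ordinary words that happen to fit the alphabet usually decode to
    # control bytes, so requiring printable output filters most of them.
    return text if text.isprintable() else None


def find_encoded_tags(exiftool_text):
    """Return (tag, decoded_value) pairs for metadata values that hide base64 text."""
    hits = []
    for line in exiftool_text.splitlines():
        tag, sep, value = line.partition(" : ")
        if not sep:
            continue
        decoded = decode_if_base64(value.strip())
        if decoded is not None:
            hits.append((tag.strip(), decoded))
    return hits


if __name__ == "__main__":
    for tag, decoded in find_encoded_tags(SAMPLE_EXIFTOOL_OUTPUT):
        print(f"{tag}: {decoded}")
```

In practice the input would be the output of exiftool run over a whole directory rather than the embedded sample.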