NDH Writeups
2014 Nuit du Hack CTF Quals by Hackerzvoice
It was a great moment of fun to participate to this year's CTF Quals organised by Hackerzvoice
Solving challenges involved all Pollypocket team members, here is only some polished results.
The greatest
The greatest was a steganography challenge:
We are sure that this e-mail contains hidden information, go get it !
Score 500
Link http://static.nuitduhack.com/mail.tar
Let's get this one:
wget http://static.nuitduhack.com/mail.tar file mail.tar mail.tar: POSIX tar archive (GNU)
And a quick inspection through an hexadecimal editor didn't reveal anything suspicious or noticeable.
So let's open it:
tar tvf mail.tar -rw-r--r-- null/null 296008 2014-04-05 07:05 Mail tar xvf mail.tar
And we get a file called Mail containing an email from BOOBA#rapfr.fr to theflag#nuitduhack.com
Hi dude! Check out this pic. I used the cool tool I told you about last time, except that I played around with the code a bit. Speaking of tools, Gregory Evans right? Have fun trying to find the hidden data ;) Peace out.
Together with an attachment (well, two attachments as the email was text+html)
The html version differed slightly ("this pic" => "this pick") but that didn't reveal to be of importance.
The other attachment:
Content-Type: image/gif; name=greg.gif Content-Disposition: attachment; filename=greg.gif Content-Transfer-Encoding: base64
Let's get it out of the mail using munpack from package mpack
munpack Mail
greg.gif is... a GIF showing #1 world hacker :-)
Here again nothing else than the GIF itself in the file.
file greg.gif greg.gif: GIF image data, version 89a, 500 x 645
Using gifsicle from the eponym package
gifsicle --xinfo greg.gif * greg.gif 1 image logical screen 500x645 global color table [256] background 65 + image #0 500x645
There is no much possibilities for stegano in GIF as the image is made of refs to the colormap so it could be:
- position of pixels of a given color
- duplicates or alike in the colormap (e.g. #cccccc and #cccbcc) or other tricks
So let's dump the colormap:
gifsicle --color-info greg.gif * greg.gif 1 image logical screen 500x645 global color table [256] | 0: #FFFFFF 64: #A3835C 128: #1E3E71 192: #769DD1 | 1: #FCF5F6 65: #A37F81 129: #030915 193: #0F314D | 2: #F5E9E8 66: #A27C58 130: #546473 194: #5982BB [...] | 61: #A48A64 125: #675847 189: #4B3A47 253: #000000 | 62: #A3BCE1 126: #101627 190: #7CA2CD 254: #000000 | 63: #A38C6B 127: #4C6169 191: #594837 255: #000000 background 65 + image #0 500x645
243 colors were used (it's #000000 from 244 to 255)
They are globally sorted from #FFFFFF to #000000 but there are quirks in the sorting: #126, #129, #191 and #193 in the partial dump above are not sorted properly.