MisTrale Write Up

🎭 My Face

🕵️‍♂️ Searching for Information

In this new challenge, we arrive on a web page and see two people talking...

One of them, Sarah, sends messages that appear to be encoded, and the other replies with messages that read like answers to questions. We will therefore need to analyze these messages to understand what is happening.

This site, however, doesn't seem to have much... Only posts of photos of people with face filters. As we know from the challenge title, we will need to do something with one or more faces.

The main icon of the website is precisely a blurred image of a face. By looking at the source code of the page, we can download and analyze it.

Here is the retrieved image:

We have something to do with this image, but what? 🤔

We will then use a very well-known tool in the world of steganography: Aperi'Solve.

What is Aperi'Solve? 🤨

Aperi'Solve is a tool developed by Team AperiKube, which allows solving steganography challenges. This tool is very powerful and can launch several steganography tools at once on the image you provide.

Unfortunately, this tool only accepts images in .png, .jpg or .jpeg formats. However, if we try to convert our image to .png, we might lose the hidden information in the image.

We will have to do everything manually! 😅

We will test some tools on it to understand a bit more what is hidden behind this image. And then a twist:

$ binwalk MyFace.ico 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
15406         0x3C2E          PNG image, 553 x 219, 8-bit/color RGB, non-interlaced
15497         0x3C89          Zlib compressed data, compressed

We have a PNG file hidden in the ICO image! 🤯

🖼️ Retrieving the Image

We see that the image is at offset 15406, so we will extract it from the icon using the `dd` command:

What is `dd`? 🤨

dd is a command that allows you to copy and convert files. It is very useful for low-level operations on files. It's a very powerful command, but also very dangerous because it can easily erase data. That's why I use this command only once my information is retrieved and not during the analysis step.

$ dd if=MyFace.ico of=MyFace.png bs=1 skip=15406

And we recover this magnificent image:

It's perfect; we have what we need! 🥳
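
What binwalk and `dd` did above can be reproduced, and tightened, in a few lines of Python. The following is an added example, not part of the original write-up: it reads the ICO directory, flags any PNG signature that falls outside the declared image ranges, and carves it chunk by chunk up to `IEND` (the `dd` command above copies everything to the end of the file). The sample ICO and all function names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def ico_entries(data):
    """Return (offset, size) of every image the ICO directory declares."""
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    # Each 16-byte ICONDIRENTRY ends with the image size, then its offset (u32 LE).
    return [struct.unpack_from("<II", data, 6 + 16 * i + 8)[::-1] for i in range(count)]

def carve_png(data, start):
    """Walk the PNG chunks from `start`; return the bytes up to and including IEND."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length  # length field + type + body + CRC
        if end > len(data):
            break
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack_from(">I", data, end - 4)[0]:
            raise ValueError(f"bad CRC in chunk at offset {pos}")
        pos = end
        if ctype == b"IEND":
            return data[start:pos]
    raise ValueError("truncated PNG: no IEND chunk")

def undeclared_pngs(data):
    """Carve every PNG whose signature lies outside the declared image ranges."""
    declared = ico_entries(data)
    found, pos = [], data.find(PNG_SIG)
    while pos != -1:
        if not any(off <= pos < off + size for off, size in declared):
            found.append((pos, carve_png(data, pos)))
        pos = data.find(PNG_SIG, pos + 1)
    return found

def png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a 4-byte declared image, then an appended 1x1 PNG and junk.
SAMPLE_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + png_chunk(b"IEND", b""))
SAMPLE_ICO = (struct.pack("<HHH", 0, 1, 1) + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, 4, 22)
              + b"\x00" * 4 + SAMPLE_PNG + b"trailing bytes")

if __name__ == "__main__":
    print([(off, len(png)) for off, png in undeclared_pngs(SAMPLE_ICO)])
```

A PNG that the directory does declare is a legitimate icon image and is not reported; only data the directory does not account for is carved.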

Decoding the Conversation

Using the key we just found in the image, we can now decode the messages we recovered from the conversation.

To do this, we will make a small Python script to decode the messages:

from Crypto.Cipher import AES
import base64

# Function to decrypt in ECB mode with the given key
def decrypt_ecb(ciphertext, key):
    cipher = AES.new(key.encode(), AES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext

# Encryption key
key = "h~{w*Y6Tab}5T6iP7(,RF5CAh-8hb74;"

# Encrypted message to decrypt
encrypted_message = "ieHuXcpeBQzsEj6Emhthk9yymkAHY2xyogj/mK0MoeTlOhsVHXkAuws6wOYpS4IYAT/tUxk6nHuuU7s9nXUS1sKg7uM64RySd3rXe1RcpAoOTxgzPgJBgBUK0J7IrIprueRl3iu0dbNwqjlNMS3CkCEjBeFTqxw/at3iy3aGkiOyUFyNwgTOxevQWUdYCYcrxJGVHX8RCFVlC5SSdRM12G8rswhP/5XV9WsjR9bFtmc="

# Base64 decoding of the encrypted message
encrypted_message_bytes = base64.b64decode(encrypted_message)

# Decryption of the message
decrypted_message = decrypt_ecb(encrypted_message_bytes, key)

# Displaying the decrypted message
print("Decrypted message:", decrypted_message.decode())

And we have our decrypted message:

$ python3 main.py
Message déchiffré : Ne t'inquiète pas ! J'ai sécurisé la porte avec mon cadenas.

Les voyageurs n'auront pas la 0 Day.

Au cas où, voici le mot de passe :

MCTF{L3_C@DeNas_E5t_L3g3r}
