My Face
Before you start
You can donate to me via Buy Me a Coffee or follow me on Github
Searching for Information
In this new challenge, we arrive on a web page and see two people talking...
One of them, Sarah, sends messages that seem to be encoded by something, and the other responds with messages that seem to be answers to questions. Therefore, we will need to analyze these messages to understand what is happening.
This site, however, doesn't seem to have much... Only posts of photos of people with face filters. As we know from the challenge title, we will need to do something with one or more faces.
The main icon of the website is precisely a blurred image of a face. By looking at the source code of the page, we can download and analyze it.
Here is the retrieved image:
We have something to do with this image, but what?
We will then use a very well-known tool in the world of steganography, Aperi'Solve.
What is Aperi'Solve?
Aperi'Solve is a tool developed by Team AperiKube, which allows solving steganography challenges. This tool is very powerful and can launch several steganography tools at once on the image you provide.
Unfortunately, this tool only accepts images in `.png`, `.jpg` or `.jpeg` formats. However, if we try to convert our image to `.png`, we might lose the hidden information in the image.
We will have to do everything manually!
We will test some tools on it to understand a bit more what is hidden behind this image. And then a twist:
```
$ binwalk MyFace.ico
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
15406         0x3C2E          PNG image, 553 x 219, 8-bit/color RGB, non-interlaced
15497         0x3C89          Zlib compressed data, compressed
```
We have a PNG file hidden in the ICO image!
Retrieving the Image
We see that the image is at the offset 15406. We will therefore extract this image from the icon, using the `dd` command:
What is `dd`?
`dd` is a command that allows you to copy and convert files. It is very useful for low-level operations on files. It's a very powerful command, but also very dangerous because it can easily erase data. That's why I use this command only once my information is retrieved and not during the analysis step.
```
$ dd if=MyFace.ico of=MyFace.png bs=1 skip=15406
```
And we recover this magnificent image:
It's perfect; we have what we need!
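The `dd` command above copies everything from the offset to the end of the file. As an added example (not part of the original write-up), the carver below finds the PNG signature itself and walks the chunk records up to `IEND`, checking each CRC, so it returns exactly the embedded image. The sample input is constructed inline and is not the challenge file; the function names are illustrative.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def carve_pngs(blob: bytes):
    """Return [(offset, png_bytes)] for every well-formed PNG inside blob."""
    found = []
    pos = blob.find(PNG_MAGIC)
    while pos != -1:
        end = _walk_chunks(blob, pos + len(PNG_MAGIC))
        if end is not None:
            found.append((pos, blob[pos:end]))
        pos = blob.find(PNG_MAGIC, pos + 1)
    return found

def _walk_chunks(blob, cur):
    """Follow length/type/data/CRC records until IEND; None if malformed."""
    while cur + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[cur:cur + 4])
        ctype = blob[cur + 4:cur + 8]
        data_end = cur + 8 + length
        if data_end + 4 > len(blob):
            return None  # chunk claims more data than the file holds
        (crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        if zlib.crc32(blob[cur + 4:data_end]) != crc:
            return None  # CRC covers chunk type + data
        cur = data_end + 4
        if ctype == b"IEND":
            return cur
    return None

def _chunk(ctype, data):
    crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def build_sample():
    """Constructed input: a 1x1 RGB PNG buried in filler bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")
    png = (PNG_MAGIC + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
    return b"\x00\x00\x01\x00" + b"A" * 96 + png + b"trailing bytes", png

if __name__ == "__main__":
    blob, _ = build_sample()
    for offset, png in carve_pngs(blob):
        print(f"PNG at offset {offset}, {len(png)} bytes")
```

To run it on a real file, pass `open(path, "rb").read()` to `carve_pngs` and write the returned bytes to disk.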
Decoding the Conversation
With the messages we have recovered, we will be able to decode them thanks to the key we just found on the image.
To do this, we will make a small Python script to decode the messages:
```python
from Crypto.Cipher import AES
import base64

# Function to decrypt in ECB mode with the given key
def decrypt_ecb(ciphertext, key):
    cipher = AES.new(key.encode(), AES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext

# Encryption key
key = "h~{w*Y6Tab}5T6iP7(,RF5CAh-8hb74;"

# Encrypted message to decrypt
encrypted_message = "ieHuXcpeBQzsEj6Emhthk9yymkAHY2xyogj/mK0MoeTlOhsVHXkAuws6wOYpS4IYAT/tUxk6nHuuU7s9nXUS1sKg7uM64RySd3rXe1RcpAoOTxgzPgJBgBUK0J7IrIprueRl3iu0dbNwqjlNMS3CkCEjBeFTqxw/at3iy3aGkiOyUFyNwgTOxevQWUdYCYcrxJGVHX8RCFVlC5SSdRM12G8rswhP/5XV9WsjR9bFtmc="

# Base64 decoding of the encrypted message
encrypted_message_bytes = base64.b64decode(encrypted_message)

# Decryption of the message
decrypted_message = decrypt_ecb(encrypted_message_bytes, key)

# Displaying the decrypted message
print("Decrypted message:", decrypted_message.decode())
```
And we have our decrypted message:
```
$ python3 main.py
Message déchiffré : Ne t'inquiète pas ! J'ai sécurisé la porte avec mon cadenas.
Les voyageurs n'auront pas la 0 Day.
Au cas où, voici le mot de passe :
MCTF{L3_C@DeNas_E5t_L3g3r}
```