Security Blog, Rants, Raves, Write-ups, and Code
DaVinci
We are presented with three files:
monalisa.jpg
plans.jpg
Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
Looking at the title of the last picture and the picture itself, we can guess that the password is TOM.
$steghide extract -sf Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
Enter passphrase: TOM
wrote extracted data to "S3cr3t_m3ss@g3.txt"
$ cat S3cr3t_m3ss@g3.txt
Hey Filippos,
This is my secret key for our folder.... (key:020e60c6a84db8c5d4c2d56a4e4fe082)
I used an encryption with 32 characters. hehehehehe! No one will find it! ;)
Decrypt it... It's easy for you right?
Don't share it with anyone...plz!
if you are reading that, call me!
I need your advice for my new CTF challenge!
Kisses,
-Luc1f3r
So, we have an MD5 string of '020e60c6a84db8c5d4c2d56a4e4fe082'. Let's throw it into Crack Station and see what happens.
So, the MD5 converts to 'leonardo'. Let's examine the monalisa.jpg file next with strings. The final two entries of that strings output are what we need:
Mona.jpg
famous.zip
and running strings against Plans.jpg, we get https://www.youtube.com/watch?v=jc1Nfx4c5LQ
Now we know there are 2 files inside of the Mona Lisa, let's binwalk it. Sure enough, there's more than meets the eye.
$ binwalk -e monalisa.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
450363 0x6DF3B Zip archive data, at least v2.0 to extract, uncompressed size:
117958, name: famous.zip
450440 0x6DF88 Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size:
122869, name: Mona.jpg
568411 0x8AC5B End of Zip archive, footer length: 22
568537 0x8ACD9 End of Zip archive, footer length: 22
This pops out the famous.zip file. Unzip it with the leonardo password and we are met with Mona Lisa with duckface and a cell phone (commentary on the current socio-political climate?). Let's extract anything using steghide on the new Mona.jpg and it asks for a password. TOM and leonardo didn't work, so let's try the name of that YouTube video: 'Guernica'. Success! Base64 Decode and we're done!
$steghide extract -sf Mona.jpg
Enter passphrase: Guernica
wrote extracted data to "key".
$ cat key
VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=
$ echo 'U0ZSQ2UwMHdia0JmVERGNlFGOGhjMTlFTTBCRWZRPT0=' | base64 -d
SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==
$echo 'SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==' | base64 -d
With those Base64 Decodes finished, so is this challenge. Onwards and Upwards!
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.