DaVinci

Name: Da Vinci
Hint: Try to find out the secret which is hiding inside of these pictures and learn the truth about Mona Lisa!
Base Points: Easy - Retired [0]
Rated Difficulty:
D3s0late
Creator: nickvourd

We are presented with three files:

 

monalisa.jpg
plans.jpg
Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
 
Looking at the title of the last picture and the picture itself, we can guess that the password is TOM.

 
   $ steghide extract -sf Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
   Enter passphrase: TOM
   wrote extracted data to "S3cr3t_m3ss@g3.txt"
   
   $ cat S3cr3t_m3ss@g3.txt 
   Hey Filippos,
   This is my secret key for our folder.... (key:020e60c6a84db8c5d4c2d56a4e4fe082)
   I used an encryption with 32 characters. hehehehehe! No one will find it! ;)
   Decrypt it... It's easy for you right?
   Don't share it with anyone...plz!


   if you are reading that, call me!
   I need your advice for my new CTF challenge!

   Kisses,
   -Luc1f3r
 

So, we have what looks like an MD5 hash (32 hex characters): '020e60c6a84db8c5d4c2d56a4e4fe082'.  Let's throw it into CrackStation and see what happens.

The MD5 hash cracks to 'leonardo'.  Next, let's examine monalisa.jpg with strings.  The final two entries of the strings output are what we need:


Mona.jpg
famous.zip


Running strings against plans.jpg, we get https://www.youtube.com/watch?v=jc1Nfx4c5LQ

Now that we know there are 2 files inside monalisa.jpg, let's binwalk it.  Sure enough, there's more than meets the eye.

 
   $ binwalk -e monalisa.jpg

   DECIMAL       HEXADECIMAL     DESCRIPTION
   --------------------------------------------------------------------------------
   0             0x0             JPEG image data, JFIF standard 1.01
   450363        0x6DF3B         Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
   450440        0x6DF88         Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
   568411        0x8AC5B         End of Zip archive, footer length: 22
   568537        0x8ACD9         End of Zip archive, footer length: 22
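
As an added example (not part of the original writeup), this Python script does the same kind of signature scan that produced the Zip lines in the binwalk output above: it finds ZIP local file headers sitting behind image data and reports their offset, file name and encryption flag. The function names scan_embedded_zip and build_sample and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"  # ZIP local file header signature


def scan_embedded_zip(data: bytes):
    """Return (offset, name, encrypted) for every ZIP local file header found.

    A raw signature scan, so bytes inside compressed streams can match by
    chance; treat hits as leads to verify, not as proof.
    """
    hits = []
    pos = data.find(ZIP_LOCAL)
    while pos != -1:
        header = data[pos:pos + 30]
        if len(header) == 30:
            # sig, version, flags, method, time, date, crc32,
            # compressed size, uncompressed size, name length, extra length
            fields = struct.unpack("<4sHHHHHIIIHH", header)
            flags, name_len = fields[2], fields[9]
            name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            hits.append((pos, name, bool(flags & 0x1)))  # bit 0: encrypted
        pos = data.find(ZIP_LOCAL, pos + 4)
    return hits


def build_sample() -> bytes:
    """Constructed input: JPEG-like stub followed by a stored ZIP-in-ZIP."""
    stamp = (2020, 1, 1, 0, 0, 0)  # fixed timestamp keeps the bytes stable
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(zipfile.ZipInfo("Mona.jpg", stamp), b"constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(zipfile.ZipInfo("famous.zip", stamp), inner.getvalue())
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return jpeg_stub + outer.getvalue()


if __name__ == "__main__":
    for offset, name, encrypted in scan_embedded_zip(build_sample()):
        print(f"{offset:<8} 0x{offset:<8X} name: {name}, encrypted: {encrypted}")
```

The inner header is visible to the scan only because the outer archive stores famous.zip uncompressed, which is also why binwalk lists both entries for monalisa.jpg.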
 

This pops out the famous.zip file.  Unzip it with the leonardo password and we are met with Mona Lisa with duckface and a cell phone (commentary on the current socio-political climate?).  Running steghide against the new Mona.jpg prompts for a passphrase.  TOM and leonardo didn't work, so let's try the name of that YouTube video: 'Guernica'.  Success! Base64 decode the extracted key and we're done!

 
    $ steghide extract -sf Mona.jpg
    Enter passphrase: Guernica
    wrote extracted data to "key".

    $ cat key
    VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=

    $ echo 'U0ZSQ2UwMHdia0JmVERGNlFGOGhjMTlFTTBCRWZRPT0=' | base64 -d
    SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==

    $ echo 'SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==' | base64 -d

With those Base64 Decodes finished, so is this challenge.  Onwards and Upwards!