We are presented with three files:
monalisa.jpg
plans.jpg
Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
Looking at the title of the last picture and the picture itself, we can guess that the password is TOM.
$ steghide extract -sf Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
Enter passphrase: TOM
wrote extracted data to "S3cr3t_m3ss@g3.txt"
$ cat S3cr3t_m3ss@g3.txt
Hey Filippos,
This is my secret key for our folder.... (key:020e60c6a84db8c5d4c2d56a4e4fe082)
I used an encryption with 32 characters. hehehehehe! No one will find it! ;)
Decrypt it... It's easy for you right?
Don't share it with anyone...plz!
if you are reading that, call me!
I need your advice for my new CTF challenge!
Kisses,
-Luc1f3r
The key is 32 hex characters long, so it looks like an MD5 hash: '020e60c6a84db8c5d4c2d56a4e4fe082'. Let's throw it into CrackStation and see what happens.
CrackStation resolves the hash to 'leonardo'. Let's examine the monalisa.jpg file next with strings. The final two entries of the strings output are what we need:
Mona.jpg
famous.zip
Running strings against plans.jpg, we get https://www.youtube.com/watch?v=jc1Nfx4c5LQ
Now that we know there are 2 files inside the Mona Lisa, let's binwalk it. Sure enough, there's more than meets the eye.
$ binwalk -e monalisa.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
450363        0x6DF3B         Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440        0x6DF88         Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411        0x8AC5B         End of Zip archive, footer length: 22
568537        0x8ACD9         End of Zip archive, footer length: 22
This pops out the famous.zip file. Unzip it with the password leonardo and we are met with Mona Lisa with duckface and a cell phone (commentary on the current socio-political climate?). Running steghide extract on the new Mona.jpg prompts for a passphrase. TOM and leonardo didn't work, so let's try the name of that YouTube video: 'Guernica'. Success! Base64 decode the extracted key and we're done!
$ steghide extract -sf Mona.jpg
Enter passphrase: Guernica
wrote extracted data to "key".
$ cat key
VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=
$ echo 'U0ZSQ2UwMHdia0JmVERGNlFGOGhjMTlFTTBCRWZRPT0=' | base64 -d
SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==
$ echo 'SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==' | base64 -d
With those Base64 decodes finished, so is this challenge. Onwards and upwards!
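The embedded archives that binwalk reports in monalisa.jpg can also be located by scanning a file for ZIP signatures and parsing the local file headers, which is a quick check for images carrying appended data. This is an added example, not part of the original write-up; the function names and the constructed sample carrier (stub JPEG bytes followed by a ZIP that holds another ZIP) are assumptions made for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header
EOCD_SIG = b"PK\x05\x06"   # ZIP end of central directory ("footer")


def find_all(data, sig):
    """Yield every offset at which sig occurs in data."""
    pos = data.find(sig)
    while pos != -1:
        yield pos
        pos = data.find(sig, pos + 1)


def scan_embedded_zip(data):
    """Return (local header entries, EOCD offsets) found anywhere in data."""
    entries = []
    for pos in find_all(data, LOCAL_SIG):
        if pos + 30 > len(data):
            continue  # truncated header, nothing to parse
        # 30-byte fixed header: sig, version, flags, method, time, date,
        # crc32, compressed size, uncompressed size, name len, extra len
        (_, _, flags, _, _, _, _, csize, usize, nlen, _) = struct.unpack_from(
            "<4sHHHHHIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({"offset": pos, "name": name,
                        "encrypted": bool(flags & 0x1),  # flag bit 0
                        "compressed": csize, "uncompressed": usize})
    return entries, list(find_all(data, EOCD_SIG))


def build_sample():
    """Constructed carrier: stub JPEG bytes followed by a ZIP holding a ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as z:
        z.writestr("Mona.jpg", b"constructed stand-in for the inner image")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("famous.zip", inner.getvalue())
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"  # not a real image
    return jpeg, jpeg + outer.getvalue()


if __name__ == "__main__":
    jpeg, carrier = build_sample()
    entries, footers = scan_embedded_zip(carrier)
    for e in entries:
        print(f"{e['offset']:<8} {hex(e['offset']):<8} {e}")
    print("EOCD records at", footers, "- JPEG data ends at", len(jpeg))
```

In the binwalk output above, the Mona.jpg entry is the one reported as encrypted, which corresponds to flag bit 0 of its local header; the constructed sample here is unencrypted, so the scanner reports False for both entries.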