Link to the room: https://tryhackme.com/room/ctf100
Greetings there, it is time for another THM CTF 100 write-up. Today, we are going to complete all the sub-tasks in Task 4. The theme of the task is Stego, or steganography. By the end of this stage, you should be able to use various kinds of tools to extract and analyze data hidden in a mere image.
Task 4: Stage 4
Deploy the machine and telnet to port 9999. Be sure to enter the port sequence which you obtained from Stage 3. (The port sequence can be obtained from a pcap file.)
Also, fire up Nmap with the following command.
nmap -Pn -v --min-parallelism 100 <Machine IP>
Looks like we got port 21 (FTP) open on the server. In case you forgot the login credentials for the FTP, you can find them in what.png from the previous stage. I will list the login credentials right here as a bonus.
Let’s visit the FTP port.
Did you see that? You just captured your first flag of the task. Alright, simply list and download all the files to your machine to start the challenge.
Task 4-1: Flag 47
You get the flag from the FTP banner whenever you log in to the FTP server. Refer to the figure above.
Task 4-2: Flag 48
The flag is hidden inside 1.jpg. You just need steghide (without a password) to extract the file.
steghide extract -sf 1.jpg
Task 4-3: Flag 49
Ever heard of image metadata? Yes, you need to use an EXIF reader to read the flag. The flag is inside 2.jpg.
Task 4-4: Flag 50
Similar to Task 4-2, you are required to use steghide to extract the file. However, a password is needed. Use stegcracker to brute-force your way in.
stegcracker 3.jpg /usr/share/wordlists/rockyou.txt
It is going to take a few minutes to crack. The password is smokeweed420. It is located around the 160000th line of the wordlist.
Task 4-5: Flag 51
If you look at the listing, 4.jpg is unusually big in size. Perhaps something is hidden inside the image? Use binwalk.
Guess what? We have more files inside the image. Extract all the files with the following command.
binwalk --extract 4.jpg
After that, locate the extracted folder. Notice that all the files are actually empty. This is because the files inside the zip are password protected. I’m going to use john to crack the zip.
zip2john 429E.zip > hash
All these steps have nothing to do with flag 51 (sorry, I have to troll people even in the write-up) and I will come back to the extracted files later on. Flag 51 does hide inside the file; use the strings command.
Task 4-6: Flag 52
Hint in the picture: color.
The flag is scattered across the color bits. Use zsteg to reassemble the bits and capture the flag.
Task 4-7: Flag 53
Somehow, I almost matched the flag with the color of the wall. For this task, I’m going to use stegoveritas to analyze the image.
I’m going to show the flag because it is really hard to see.
Task 4-8: Flag 54
The flag is a joke. Actually, I forgot to put the wav file inside the folder. Sorry.
Task 4-9: Flag 55
Where is flag 55? It is inside the FTP server. Did you check the server with the ls -la command?
Task 4-10: Flag 56
Alright, we need to visit the files extracted by binwalk. As for flag 56, it is located in the ZIP file. You can’t extract the zip file, because it is NOT a ZIP file. HAHAHAHAHAHHAHA. Check the file type.
It is just a normal ASCII file. Use the cat command to read the file.
Task 4-11: Flag 57
The flag is in 8.png, but the file is corrupted. For your information, the correct PNG header is:
89 50 4E 47 0D 0A 1A 0A
By using hexdump, you see the following.
You need to fix the first 4 bytes to the correct header. I recommend hexedit on Linux.
Press Ctrl+X to save the file.
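The header check and repair from the steps above, written as a small script. This is an added example and not part of the original write-up; the sample bytes below are constructed here, not taken from 8.png.

```python
# Added example (not from the write-up): detect and repair a PNG whose
# signature bytes were overwritten, the situation described for 8.png.
import sys

# The 8-byte PNG signature quoted in the write-up: 89 50 4E 47 0D 0A 1A 0A
PNG_SIGNATURE = bytes.fromhex("89 50 4E 47 0D 0A 1A 0A")


def damaged_offsets(data: bytes) -> list[int]:
    """Return the offsets (0..7) whose bytes do not match the PNG signature."""
    head = data[:8]
    return [i for i in range(8) if i >= len(head) or head[i] != PNG_SIGNATURE[i]]


def repair_png_header(data: bytes) -> bytes:
    """Return a copy of data with the full 8-byte signature restored.

    Only a damaged signature is fixed: the IHDR chunk must still sit right
    after it (length 13 at offset 8, type "IHDR" at offset 12). Otherwise
    the file is not a PNG with a broken header and we refuse to touch it.
    """
    if len(data) < 16 or data[8:16] != b"\x00\x00\x00\x0dIHDR":
        raise ValueError("no IHDR chunk at offset 8; not a PNG with a damaged signature")
    return PNG_SIGNATURE + data[8:]


# Constructed sample: the first 4 bytes zeroed, as in the write-up, followed by
# a minimal IHDR chunk (1x1, 8-bit RGB). The CRC field is not validated here.
IHDR_CHUNK = (
    b"\x00\x00\x00\x0d" + b"IHDR"
    + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01"  # width, height
    + b"\x08\x02\x00\x00\x00"                      # bit depth, colour type, ...
    + b"\x90\x77\x53\xde"                          # CRC field (assumed value)
)
CORRUPTED_PNG = b"\x00\x00\x00\x00" + b"\x0d\x0a\x1a\x0a" + IHDR_CHUNK


def main(argv: list[str]) -> int:
    """Usage: python fix_png.py in.png out.png"""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    print("damaged signature bytes at offsets:", damaged_offsets(data))
    with open(argv[2], "wb") as f:
        f.write(repair_png_header(data))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a copy of the image; the IHDR check stops it from "fixing" a file that is not a PNG at all, which is worth keeping in mind when a CTF file type is a red herring.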
Task 4-12: Flag 58
An ultra 4K picture. I’m just joking, it is not even 720p. Use the strings and grep commands to read the flag.
strings 9.jpg | grep flag
Task 4-13: Flag 59
Ohhhhh, that creepy look. To capture flag 59, you need to play with the contrast. Stegoveritas works perfectly for this task.
As for that hostname, we are going to use it in the next challenge.
Task 4-14: Flag 60
You will notice something at the chin of the troll face. Enlarge the picture and capture the flag. The picture is a bit blurry, sorry for that. I will put the flag right here: 7xvmslbuifqu8tlz4qev
That concludes the CTF 100 Stage 4 write-up. The Stage 5 write-up is coming soon. See ya 😉