Challenge
The thread of the challenge can be found here.
Solution
First of all, this challenge was not steganography based.
The original image was just pulled of google as a cute kitten picture. The image actually contained a zip file, which was inserted using the method found here.
This could have been found by scanning the image for embedded files using this tool on CyberChef or others tools.
To open the embedded zip file easily, you can right click on the image, select "Open With" and choose a program such as Winrar, 7zip, etc.
This would allow you to open the embedded zip file.
The embedded zip file contained a text file called "metadata.txt" which, when opened, contained the text "6457646e597a6f764c334e3261584a6959584975636e5a3064576468646d46794c6d4a68636e4e6961475679646e52315a79356959584a68646d4679596d46793d3d".
For those who are familiar with cyber security and computer science would notice that this data is in hexadecimal format.
This hex could be converted to ASCII using and online converter to find that the ASCII representation of this hex was "dWdnYzovL3N2aXJiYXIucnZ0dWdhdmFyLmJhcnNiaGVydnR1Zy5iYXJhdmFyYmFy==".
To most people who got this far, it may very well have looked like a dead end however if you are into cyber security then you may have noticed the two equals signs at the end of the string. This padding is often seen at the end of base64 encoded data which will hint towards the fact that the data is actually base64 encoded. This can be decoded using the ASCII character set in an online decoder to result in the string "uggc://svirbar.rvtugavar.barsbhervtug.baravarbar".
The pattern "://" hints that this could be a url and possibly follow the pattern "http://...". The fact that http has two repeating characters and so does "uggc" (the start of the decoded string), emphasises the possibility of the text being caesar ciphered. With some testing in an online decoder, you would find that the text uses a ceasar cipher of 13 which is more commonly know as the rot13 cipher. This cipher is significant as the shift used to encode the text is the same shift used to decode the text.
After using rot13 on the text, you would have the string "http://fiveone.eightnine.onefoureight.onenineone". This proves our idea that it may be a web address.
The next step was just common sense, convert every number word to a number to result in the web address "http://51.89.148.191/".
If you went to this address you would have found a blank page. If you followed the path further, and looked deeper, you may have checked the html code of the page. This could be achieved by inspection element on the page by using right click, then inspect element / view page source.
There was a comment in the source of the page which contained the flag: "4172981735".
And that was it! I hope everyone who attempted the challenge enjoyed it, I found that many users struggled with the foothold on this challenge, maybe I'll make the foothold a little easier on the next challenge to lead you down a path.
Please leave any comments and questions on the challenge / solution below!
The thread of the challenge can be found here.
Solution
First of all, this challenge was not steganography based.
The original image was just pulled of google as a cute kitten picture. The image actually contained a zip file, which was inserted using the method found here.
This could have been found by scanning the image for embedded files using this tool on CyberChef or others tools.
To open the embedded zip file easily, you can right click on the image, select "Open With" and choose a program such as Winrar, 7zip, etc.
This would allow you to open the embedded zip file.
The embedded zip file contained a text file called "metadata.txt" which, when opened, contained the text "6457646e597a6f764c334e3261584a6959584975636e5a3064576468646d46794c6d4a68636e4e6961475679646e52315a79356959584a68646d4679596d46793d3d".
For those who are familiar with cyber security and computer science would notice that this data is in hexadecimal format.
This hex could be converted to ASCII using and online converter to find that the ASCII representation of this hex was "dWdnYzovL3N2aXJiYXIucnZ0dWdhdmFyLmJhcnNiaGVydnR1Zy5iYXJhdmFyYmFy==".
To most people who got this far, it may very well have looked like a dead end however if you are into cyber security then you may have noticed the two equals signs at the end of the string. This padding is often seen at the end of base64 encoded data which will hint towards the fact that the data is actually base64 encoded. This can be decoded using the ASCII character set in an online decoder to result in the string "uggc://svirbar.rvtugavar.barsbhervtug.baravarbar".
The pattern "://" hints that this could be a url and possibly follow the pattern "http://...". The fact that http has two repeating characters and so does "uggc" (the start of the decoded string), emphasises the possibility of the text being caesar ciphered. With some testing in an online decoder, you would find that the text uses a ceasar cipher of 13 which is more commonly know as the rot13 cipher. This cipher is significant as the shift used to encode the text is the same shift used to decode the text.
After using rot13 on the text, you would have the string "http://fiveone.eightnine.onefoureight.onenineone". This proves our idea that it may be a web address.
The next step was just common sense, convert every number word to a number to result in the web address "http://51.89.148.191/".
If you went to this address you would have found a blank page. If you followed the path further, and looked deeper, you may have checked the html code of the page. This could be achieved by inspection element on the page by using right click, then inspect element / view page source.
There was a comment in the source of the page which contained the flag: "4172981735".
And that was it! I hope everyone who attempted the challenge enjoyed it, I found that many users struggled with the foothold on this challenge, maybe I'll make the foothold a little easier on the next challenge to lead you down a path.
Please leave any comments and questions on the challenge / solution below!
