Writeup for Information @picoCTF
Shamal Lakshan

Information

Category: Forensics
AUTHOR: SUSIE

Description

Files can always be changed in a secret way. Can you find the flag? cat.jpg

The image

Here is our cute little cat:


Whenever I get an image file, I run file (to make sure it’s an image), binwalk (to see if there are hidden files) and strings, which I usually pair with grep. Lastly, I check the image in a hex editor, just to check the header and such.

root@kali:~/CTFs/Picoctf-2021/information-solved# file cat.jpg
cat.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2560x1598, components 3
root@kali:~/CTFs/Picoctf-2021/information-solved# binwalk cat.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.02

root@kali:~/CTFs/Picoctf-2021/information-solved# strings cat.jpg | grep picoCTF{*
root@kali:~/CTFs/Picoctf-2021/information-solved#

Great, what about the hex?

......JFIF......
.......0Photosho
p 3.0.8BIM......
....t..PicoCTF..
..........http:/
/ns.adobe.com/xa
p/1.0/.<?xpacket
begin='...' id=
'W5M0MpCehiHzreS
zNTczkc9d'?>.<x:xmpmeta xmlns:x=
'adobe:ns:meta/'x:xmptk='Image:
:ExifTool 10.80'
>.<rdf:RDF xmlns:rdf='http://www
.w3.org/1999/02/
22-rdf-syntax-ns
#'>.. <rdf:Description rdf:about
=''. xmlns:cc='
http://creativec
ommons.org/ns#'>
. <cc:license rdf:resource='cGl
jb0NURnt0aGVfbTN
0YWRhdGFfMXNfbW9
kaWZpZWR9'/>. </
rdf:Description>
.. <rdf:Description rdf:about=''. xmlns:dc='htt
p://purl.org/dc/
elements/1.1/'>.
<dc:rights>.
<rdf:Alt>. <
rdf:li xml:lang=
'x-default'>Pico
CTF</rdf:li>.
</rdf:Alt>. </dc:rights>. </rdf:Description>.</
rdf:RDF>.</x:xmpmeta>.

Interesting… I can see some base64, maybe? W5M0MpCehiHzreSzNTczkc9d and cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9

Decoding in the terminal

Linux

Just echo W5M0MpCehiHzreSzNTczkc9d | base64 -d and we get beautiful nonsense [�42���!��573��]r. So maybe try the next string:

echo cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9 | base64 -d

picoCTF{the_m3tadata_1s_modified}

Great!!

Windows (PowerShell)

This looks a little bit more daunting:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'))
picoCTF{the_m3tadata_1s_modified}

Now, some of you might have just tried [System.Convert]::FromBase64String('cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'). But specifying the encoding really is needed, because FromBase64String returns a byte array that then has to be converted to a string.
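The manual steps above (spot the base64 in the XMP packet, then decode it) can be automated. The following Python sketch is an added example, not part of the original writeup: it walks the JPEG header segments, finds the XMP APP1 segment and base64-decodes every long token, keeping only results that are printable ASCII. The function names are made up for illustration, and SAMPLE is a constructed header-only byte string that mirrors the fields in the hex dump.

```python
import base64
import re
import struct

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"  # prefix of the XMP APP1 payload
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed pixels follow, stop here
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError("corrupt segment length")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def decoded_xmp_strings(data):
    """Base64-decode every long token in the XMP packet; keep printable ASCII."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(XMP_HEADER):
            continue
        for token in B64_TOKEN.findall(payload):
            try:
                text = base64.b64decode(token, validate=True).decode("ascii")
            except ValueError:  # invalid base64, or bytes that are not ASCII text
                continue
            if text.isprintable():
                hits.append(text)
    return hits

def segment(marker, payload):  # 0xFF, marker, big-endian length (counts itself), payload
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (header segments only), mirroring the XMP fields in the dump.
SAMPLE = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, XMP_HEADER + b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
        b"<rdf:Description rdf:about='' xmlns:cc='http://creativecommons.org/ns#'>"
        b"<cc:license rdf:resource='cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'/>"
        b"</rdf:Description><?xpacket end='w'?>")
    + segment(0xDA, b""))

print(decoded_xmp_strings(SAMPLE))
```

To run it on the challenge file, pass `open("cat.jpg", "rb").read()` to `decoded_xmp_strings`. The xpacket id is also tried, but it is dropped because its decoded bytes are not ASCII text.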

FLAG

picoCTF{the_m3tadata_1s_modified}