information
Information
Category: Forensics AUTHOR: SUSIE
Description
Files can always be changed in a secret way. Can you find the flag? cat.jpg
The image
Here is our cute little cat:
Whenever I get an image file, I go and run file (to make sure it’s an image), binwalk (to see if there are hidden files), strings, which I usually pair with grep, and lastly I check the image in a hex editor, just to check the header and such.
root@kali:~/CTFs/Picoctf-2021/information-solved# file cat.jpg
Great, what about the hex?
......JFIF......
Interesting… I can see some base64, maybe? W5M0MpCehiHzreSzNTczkc9d and cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Decoding in the terminal
Linux
Just echo W5M0MpCehiHzreSzNTczkc9d | base64 -d and we get beautiful nonsense [�42���!��573��]r. So maybe try the next string:
echo cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9 | base64 -d
Great!!
Windows (PowerShell)
This looks a little bit more daunting:
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'))
Now, some of you might have just tried [System.Convert]::FromBase64String('cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'). But specifying the encoding is really needed, because FromBase64String returns a byte array that then has to be converted to a string.
FLAG
picoCTF{the_m3tadata_1s_modified}
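The manual step above (spot candidate strings in the hex view, decode each, keep the one that reads as text) can be automated and works the same on Linux and Windows. The Python sketch below is an added example, not part of the original write-up; the function name printable_base64 and the SAMPLE bytes are constructed for illustration and stand in for the real cat.jpg.

```python
import base64
import re

# Runs of base64-alphabet characters with optional padding.
# A 16-character minimum keeps short accidental matches out of the results.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def printable_base64(data: bytes):
    """Return (offset, encoded, decoded) for runs that decode to printable ASCII.

    Strings that merely look like base64 (such as the first candidate in the
    write-up) decode to binary noise and are filtered out here.
    """
    hits = []
    for match in B64_RUN.finditer(data):
        run = match.group()
        if len(run) % 4:  # valid base64 length is a multiple of 4
            continue
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            hits.append((match.start(), run.decode("ascii"), raw.decode("ascii")))
    return hits


# Constructed sample: a JFIF-style header followed by metadata-like text that
# embeds the two strings quoted in the write-up. It is NOT the real cat.jpg.
SAMPLE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"<meta id='W5M0MpCehiHzreSzNTczkc9d'>"
    b"<license resource='cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'/>"
    b"\xff\xdb\x00\x43\x00\x08\x06\x06\x07"
)

if __name__ == "__main__":
    # To scan a real file, replace SAMPLE with open(path, "rb").read().
    for offset, encoded, decoded in printable_base64(SAMPLE):
        print(f"offset {offset:#x}: {encoded} -> {decoded}")
```

Only the second string survives the printable-ASCII filter, which matches the result of the two manual base64 -d attempts.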