Cyprus CyberSecurity Challenge 2018: Datagram 53#HiddenChannel

Tags: forensics, network, steganography

This was one of my favorite challenges. Just because it included steganography!

Description

"Our team has intercepted the network communication between two suspects. You can find the intercepted communication here: https://www.dropbox.com/s/rxyem2gpg2qi6ns/Datagram53.pcapng Your task, should you wish to accept it, is to analyze the captured traffic, identify how the suspects were communicating and retrieve any files they may have exchanged. The flag is of the format CTF{long_phrase}. (Hint: Steganography is an interesting topic)"

Solution

Firstly, we opened Datagram53.pcapng in Wireshark and started looking for anything unusual.

As we went through the capture we noticed some DNS packets that Wireshark marked as Unknown.

After looking into them I saw these messages:

"I have hidden the crown jewels in an image at the following location:
http://212.24.106.72/image.zip"
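The interesting part of this capture is that the suspects used DNS as a hidden channel: the message and the download link travel inside DNS records rather than over HTTP, so a defender who only inspects web traffic never sees them. The block below is an added example, not part of the original write-up and not taken from the challenge files: it parses raw DNS messages (header, question, resource records, including label compression) and flags two common covert-channel patterns, human-readable or URL-bearing TXT records and query names with unusually long labels. The DNS messages it analyses are constructed inline, and the URL in them uses the TEST-NET address 203.0.113.10 as a placeholder, not the challenge's real address.

```python
import re
import struct

TXT = 16  # DNS record type for TXT


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build the sample messages)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"


def build_txt_response(qname, texts, txid=0x1234):
    """Constructed DNS response carrying one TXT record for qname."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TXT, 1)
    rdata = b"".join(bytes([len(t)]) + t.encode() for t in texts)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 60, len(rdata)) + rdata
    return header + question + answer


def build_query(qname, qtype=1, txid=0x5678):
    """Constructed DNS query (no answers), as a tunnelling client would send."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def read_name(msg, off, max_hops=16):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(msg):
    """Return ([(qname, qtype)], [(name, rtype, rdata)]) for one DNS message."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return questions, records


def txt_strings(rdata):
    """Split TXT RDATA into its length-prefixed character strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
        i += 1 + n
    return out


URL_RE = re.compile(r"https?://\S+")


def find_hidden_channel(msg, max_label=30, max_txt=60):
    """Return [(reason, text)] for covert-channel indicators in one DNS message."""
    findings = []
    questions, records = parse_dns(msg)
    for name, _qtype in questions:
        if max((len(l) for l in name.split(".")), default=0) > max_label:
            findings.append(("long-label-qname", name))
    for _name, rtype, rdata in records:
        if rtype == TXT:
            for s in txt_strings(rdata):
                if URL_RE.search(s) or len(s) > max_txt:
                    findings.append(("txt-payload", s))
    return findings


# Constructed samples: a normal SPF record, a chat message smuggled in TXT, and a
# query whose first label is 40 hex characters, the shape of a DNS tunnel upload.
BENIGN = build_txt_response("example.com", ["v=spf1 -all"])
COVERT = build_txt_response("chat.example", [
    "I have hidden the crown jewels in an image at the following location: http://203.0.113.10/image.zip"])
TUNNEL = build_query("4a4f494e5f5448455f434c55425f524f4f4d5f31.t.example")

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("covert", COVERT), ("tunnel", TUNNEL)]:
        print(label, find_hidden_channel(sample))
```

Run against real traffic, the same `find_hidden_channel` would be fed the UDP payloads of each DNS packet exported from Wireshark; the thresholds are deliberately loose starting points and should be tuned against what normal DNS looks like on the network in question.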

The zip we downloaded was password-protected, so I used fcrackzip with the rockyou wordlist to crack the password.

I checked the image for any hidden file...

..and again, I had to find another password.

So I checked the image for any possible hints or a password hidden inside it, by printing its runs of printable characters with strings.

At first I was confused, so I tried changing the brightness of the image to see if there were any hidden messages, but still nothing. Hmm... I stopped for a moment to relax. A few moments later I decided to try the last line of the strings output as the password.
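The reason the last line of the strings output is worth trying is structural: a PNG ends with its IEND chunk, so any bytes after it are not part of the image at all, and text that appears there (or in a tEXt metadata chunk) was put there by a person. The following is an added example, not code from the original write-up: it walks the PNG chunk structure, verifies each chunk CRC, reports how many bytes trail the IEND chunk, and extracts printable strings from that tail and from tEXt chunks, which is a more targeted version of running strings over the whole file. The PNG it inspects is constructed inline (a 1x1 image with a dummy passphrase appended after IEND); the passphrase is made up for the example.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, body):
    """Serialise one PNG chunk with its CRC (used only to build the sample file)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", crc)


def build_png(comment=b"nothing to see here"):
    """Constructed 1x1 RGB PNG with a harmless tEXt comment."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00" + comment)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def png_chunks(data):
    """Return ([(type, body)], offset just after IEND); raises on a bad CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    off, chunks = len(PNG_SIG), []
    while off + 12 <= len(data):
        length = struct.unpack("!I", data[off:off + 4])[0]
        ctype = data[off + 4:off + 8]
        body = data[off + 8:off + 8 + length]
        stored = struct.unpack("!I", data[off + 8 + length:off + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored:
            raise ValueError("bad CRC in chunk %r" % ctype)
        chunks.append((ctype, body))
        off += 12 + length
        if ctype == b"IEND":
            break
    return chunks, off


def text_chunks(chunks):
    """Decode tEXt chunks into (keyword, text) pairs."""
    out = []
    for ctype, body in chunks:
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, value = body.partition(b"\x00")
            out.append((key.decode("latin-1"), value.decode("latin-1")))
    return out


def printable_strings(blob, min_len=4):
    """Same idea as the strings tool: runs of >= min_len printable ASCII bytes."""
    pattern = b"[\\x20-\\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def analyze_png(data):
    """Summarise where human-readable text can hide in a PNG."""
    chunks, end = png_chunks(data)
    all_strings = printable_strings(data)
    return {
        "text_chunks": text_chunks(chunks),
        "trailing_bytes": len(data) - end,            # > 0 means data appended after IEND
        "trailing_strings": printable_strings(data[end:]),
        "last_string": all_strings[-1] if all_strings else None,
    }


# Constructed samples: a clean PNG and the same PNG with a passphrase appended after IEND.
CLEAN = build_png()
SAMPLE = CLEAN + b"\x00\x00" + b"s3cr3t_passphrase\n"

if __name__ == "__main__":
    print(analyze_png(SAMPLE))
```

On the challenge image the `trailing_strings` (or, failing that, `last_string`) are the candidates to try as the passphrase of whatever tool extracted the hidden file; the same chunk walk also catches images whose CRCs no longer match, which is a sign that the file was edited by hand.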

And that was it. We had successfully extracted the file hidden inside the image! I printed the contents of flag.txt and...!

CTF{The_greatest_trick_the_Devil_ever_pulled}

Conclusion

This challenge was really fun, and another 150 points were in the bag.