Sunday, September 1, 2013

ASIS CTF Finals 2013 - ~Windows (stegano 106)

This is a task from the ASIS CTF Finals 2013, "Stego" (steganography) category, and it was solved by quite a lot of teams. It was another of my favorite tasks in this CTF - it was quite easy, but required a couple of interesting steps to get to the end. This task was solved collaboratively by Gynvael Coldwind and Samlis Coldwind.

We were given an audio/video file called windows.mp4 (mirror), which looked more or less like this (the windows faded in and faded out at different positions):

In addition to the fading in/out there was an audio track with something that sounded like speech but wasn't quite understandable, and quite a lot of metadata. Some of the metadata contained interesting information, e.g.:

  • Ingredients File Path: Frames 2.mp4, reversed.mp3
  • Pantry Artist: - Your free online text to audio converter
  • Pantry Title: spokentext_e8b691fef65cc404b854b7cb14afce6f62632285

So basically the metadata revealed the mystery of the audio track - reversed spoken text. And by the way, the Pantry Title metadata gives you the exact ID of the generated audio file, which you could retrieve from (click - though the link probably doesn't work anymore).

After either reversing the audio track, or downloading the original file, you would hear the synthesised voice saying a long number: 51324984652187698521487459648201.

One thing I didn't mention before was the task description which went like this:

Append what you find to "ASIS_" and send that as flag.

However, sending in ASIS_51324984652187698521487459648201 didn't work, which means that the video track was also important.

The windows fading in and out didn't reveal anything when the frames were viewed individually, so we decided to change the black background to transparent on each frame, and merge them all together. This resulted in the following image:

Yes, it's a QR code. Adding a white background and playing with the contrast / brightness made it readable for the QR reader on my cell phone, and resulted in the following string: xorwith313.

XORing the 51324984652187698521487459648201 value with 313 (both treated as bignums) gives 51324984652187698521487459648496, and prepending ASIS_ gives you the flag: ASIS_51324984652187698521487459648496.
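The frame-merging and XOR steps above, as an added example (not the authors' original code). Making black transparent and stacking the frames is the same as taking the per-pixel maximum across frames. The 4x4 pattern and the frames are constructed stand-ins for the video, and all function names are hypothetical.

```python
# Added example: constructed data, not the frames from windows.mp4.

# Constructed 4x4 pattern standing in for the QR modules.
PATTERN = [
    [1, 1, 0, 1],
    [1, 0, 0, 1],
    [0, 1, 1, 0],
    [1, 0, 1, 1],
]


def constructed_frames(pattern, count=3):
    """Spread the pattern over `count` grayscale frames on a black background.
    Each pixel is fully lit in one frame and dim (mid-fade) in the next."""
    h, w = len(pattern), len(pattern[0])
    frames = [[[0] * w for _ in range(h)] for _ in range(count)]
    for y in range(h):
        for x in range(w):
            if pattern[y][x]:
                k = (x + 2 * y) % count
                frames[k][y][x] = 255
                frames[(k + 1) % count][y][x] = 90
    return frames


def composite_max(frames):
    """Per-pixel maximum over equally sized frames (values 0-255).
    A pixel ends up lit if any frame lit it, which is what stacking
    frames with a transparent black background produces."""
    h, w = len(frames[0]), len(frames[0][0])
    for f in frames:
        if len(f) != h or any(len(row) != w for row in f):
            raise ValueError("all frames must have the same dimensions")
    return [[max(f[y][x] for f in frames) for x in range(w)] for y in range(h)]


def binarize(image, threshold=64):
    """Contrast step: 1 where something was drawn, 0 for background."""
    return [[1 if px >= threshold else 0 for px in row] for row in image]


def xor_flag(spoken_number, key, prefix="ASIS_"):
    """XOR the spoken decimal number with the key as arbitrary-size integers."""
    return prefix + str(int(spoken_number) ^ key)


if __name__ == "__main__":
    merged = binarize(composite_max(constructed_frames(PATTERN)))
    print("\n".join("".join("#" if m else "." for m in row) for row in merged))
    print(xor_flag("51324984652187698521487459648201", 313))
```

On real footage the frames would first be extracted from the video and loaded as pixel arrays; the compositing step itself stays the same.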
