CTFtime.org

Raw Veganism

by axi0mX / CCSF_HACKERS

Tags: #png 

Rating: 4.3

Author: @axi0mX

Information given: Cooking the files reduces their nutritious value. Consume your files raw.

We get multiple PNG files which look like noise. Looking at pixels, the red, green, and blue value for all pixels is equal. We can get the data by converting it to a BMP file and removing the 54 byte header.

(after unarchiving with tar this works on a Mac)

$ mkdir Converted
$ for i in *.png; do sips -s format bmp $i --out Converted/$i.bmp;tail -c +55 Converted/$i.bmp > Converted/$i.raw;xxd -p -c 3 Converted/$i.raw | cut -b 1-2 | xxd -r -p > Converted/$i.bytes;done
$ cd Converted
$ rm *.bmp
$ rm *.raw

We are left with 40 files with data.

There are pairs of files that are mostly similar, but have some differences. We can find them by using the strings command and searching for long strings that are present in exactly 2 files.

$ strings -n 12 *
$ grep <string found> *

Once we identify a pair, create a directory and move the 2 files there.

pair1:
043d09e121a1d2d77aaa098487ddf62d.png.bytes
153ba8b36ae16e23bc2e5f9eb2a6a8ac.png.bytes

pair2:
041ed9c9f84d7a0b4496db8a4c826f10.png.bytes
a57c72b0f8b9bbecdcfd5432a4d2eb09.png.bytes

pair3:
bd84baf5910e59c323379e1b33e36ce2.png.bytes
d167ebbed97915d57e25e1358db26623.png.bytes

pair4:
7cf7909d1260d6f84eab3009fe06daad.png.bytes
c7931c279ce7d5f8cbd38c6069464802.png.bytes

pair5:
815aadc10f8d41c013fe5673629b6642.png.bytes
96dcd0b28b851c67b88f137fc99d1138.png.bytes

pair6:
1ddb2cc40e3c7bfb63373a16b764454b.png.bytes
a88b4bb3c225ed20440ba6bf633ab169.png.bytes

pair7:
2f7261b0dbcfec78455fb50ed13dead6.png.bytes
e071dd8812e5a4256f75d47ad2dfeb39.png.bytes

pair8:
6ef798f8efac382a1a571429635a25d1.png.bytes
b703cc3df27965de11879b1bf5a4ce69.png.bytes

pair9:
673d2143b07f6d73e924cfdce21e7e61.png.bytes
be4e230f1f4f5243ab22fd8d6ab30754.png.bytes

pair10:
719e05cb25816db1393c64c472331de1.png.bytes
b27dc3ed73a3bdf9cac3d9d9932912e6.png.bytes

pair11:
97a3c832cf761ed406807e09d7c5758c.png.bytes
c149489a34faba509f344c8b3d352aba.png.bytes

pair12:
0a29ad2d1aace7ddfda6623ed14b3cfc.png.bytes
c1c12dd4337839c56af7a7eab713cffe.png.bytes

pair13:
31120e8287762360b478fae1caa0cf85.png.bytes
6e43f9630245c1137c2c6581c68315a0.png.bytes

pair14:
99af438b2bbcbbcf6faa8a6954a311fb.png.bytes
e51b9182f54ed286a13bc3b422698edb.png.bytes

pair15:
3dd036d19ddacac4cd521faaabd6e5f4.png.bytes
4738e11f93c0bbe6bb0508a3358dcc6a.png.bytes

pair16:
35f36d10e91fb913a5e7c9cf7c6bf05b.png.bytes
4cc1be4ed28baf7563a7bb5cfe7afe07.png.bytes

pair17:
0dbca0ab91aa52a82c356cf35fd12668.png.bytes
2888e1b8abae9a1e952db101f0c86ca1.png.bytes

pair18:
284f6b43f1da540bdeb4f349a086fe56.png.bytes
8785304561ecf81141fbdef7a914fb81.png.bytes

pair19:
5598f8c115335d71b65075aaf8c16ba5.png.bytes
580385af1a9cceba19ab9153521affd0.png.bytes

pair20:
563de7a878f2205af9acef7c86556cf4.png.bytes
92c899bed7be8af5cb79663fd32fae11.png.bytes

Once we know which images are paired, we can use convert on Kali to XOR the images together:

$ convert 043d09e121a1d2d77aaa098487ddf62d.png 153ba8b36ae16e23bc2e5f9eb2a6a8ac.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair1.png
$ convert 041ed9c9f84d7a0b4496db8a4c826f10.png a57c72b0f8b9bbecdcfd5432a4d2eb09.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair2.png
$ convert bd84baf5910e59c323379e1b33e36ce2.png d167ebbed97915d57e25e1358db26623.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair3.png
$ convert 7cf7909d1260d6f84eab3009fe06daad.png c7931c279ce7d5f8cbd38c6069464802.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair4.png
$ convert 815aadc10f8d41c013fe5673629b6642.png 96dcd0b28b851c67b88f137fc99d1138.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair5.png
$ convert 1ddb2cc40e3c7bfb63373a16b764454b.png a88b4bb3c225ed20440ba6bf633ab169.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair6.png
$ convert 2f7261b0dbcfec78455fb50ed13dead6.png e071dd8812e5a4256f75d47ad2dfeb39.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair7.png
$ convert 6ef798f8efac382a1a571429635a25d1.png b703cc3df27965de11879b1bf5a4ce69.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair8.png
$ convert 673d2143b07f6d73e924cfdce21e7e61.png be4e230f1f4f5243ab22fd8d6ab30754.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair9.png
$ convert 719e05cb25816db1393c64c472331de1.png b27dc3ed73a3bdf9cac3d9d9932912e6.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair10.png
$ convert 97a3c832cf761ed406807e09d7c5758c.png c149489a34faba509f344c8b3d352aba.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair11.png
$ convert 0a29ad2d1aace7ddfda6623ed14b3cfc.png c1c12dd4337839c56af7a7eab713cffe.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair12.png
$ convert 31120e8287762360b478fae1caa0cf85.png 6e43f9630245c1137c2c6581c68315a0.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair13.png
$ convert 99af438b2bbcbbcf6faa8a6954a311fb.png e51b9182f54ed286a13bc3b422698edb.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair14.png
$ convert 3dd036d19ddacac4cd521faaabd6e5f4.png 4738e11f93c0bbe6bb0508a3358dcc6a.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair15.png
$ convert 35f36d10e91fb913a5e7c9cf7c6bf05b.png 4cc1be4ed28baf7563a7bb5cfe7afe07.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair16.png
$ convert 0dbca0ab91aa52a82c356cf35fd12668.png 2888e1b8abae9a1e952db101f0c86ca1.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair17.png
$ convert 284f6b43f1da540bdeb4f349a086fe56.png 8785304561ecf81141fbdef7a914fb81.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair18.png
$ convert 5598f8c115335d71b65075aaf8c16ba5.png 580385af1a9cceba19ab9153521affd0.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair19.png
$ convert 563de7a878f2205af9acef7c86556cf4.png 92c899bed7be8af5cb79663fd32fae11.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" pair20.png

At this point we have 20 images with ASIS{ some dots }, so we know we are on the right path.

There are 3 filled dots in every image, and 60 dots total. For each of the 60 possibilities there is a filled dot in exactly one of the images. We can use the following command to look at metadata in Kali:

$ identify -verbose pair1.png

This command includes a histogram, which tells you what color values are present in the entire image.

We find that except for 3 pixels, all other pixels have a color value of 30/255 or less. The 3 pixels are definitely outliers, because they have a color value significantly above 30, but no more than 119. Those values could map to the ASCII table.

Gathering all the dots and the pixels from the images, we get the following data:

(pair)(pixel color)(ASCII)(dot position)
 1   95 100 119 _ d w   #38 #48 #53
 2   83  97 107 S a k    #5 #47 #58
 3   83  95 110 S _ n    #3 #30 #44
 4  105 108 121 i l y   #17 #18 #34
 5   98 110 116 b n t   #13 #24 #35
 6  105 105 117 i i u   #15 #43 #56
 7   51  78  95 3 N _   #26 #42 #51
 8   95 110 112 _ n p    #1 #22 #57
 9   52  80  95 4 P _   #39 #45 #50
10   52  71 114 4 G r   #14 #46 #52
11   48  95  95 0 _ _   #28 #37 #49
12   95 108 115 _ l s   #25 #27 #59
13   67 100 102 C d f   #10 #29 #33
14   95 103 114 _ g r    #9 #12 #36
15   65  65  95 A A _    #2 #19 #41
16   73 104 105 I h i    #4 #31 #32
17   97  99 104 a c h   #23 #54 #55
18   52  99 115 4 c s    #8 #20 #21
19   33 110 116 ! n t   #16 #40 #60
20   51  95 105 3 _ i    #6  #7 #11

Ordering them 1 through 60, we have 3 possibilities for each dot, which makes this non-trivial. I started by seeing the pattern _ASIS in the beginning and PNG in the middle and slowly went from there.

(dot)(options)(answer)
 #1 _np _
 #2 AA_ A
 #3 S_n S
 #4 Ihi I
 #5 Sak S
 #6 3_i _
 #7 3_i i
 #8 4cs s
 #9 _gr _
#10 Cdf C
#11 3_i 3
#12 _gr r
#13 bnt t
#14 4Gr 4
#15 iiu i
#16 !nt n
#17 ily l
#18 ily y
#19 AA_ _
#20 4cs c
#21 4cs 4
#22 _np p
#23 ach a
#24 bnt b
#25 _ls l
#26 3N_ 3
#27 _ls _
#28 0__ 0
#29 Cdf f
#30 S_n _
#31 Ihi h
#32 Ihi i
#33 Cdf d
#34 ily i
#35 bnt n
#36 _gr g
#37 0__ _
#38 _dw d
#39 4P_ 4
#40 !nt t
#41 AA_ A
#42 3N_ _
#43 iiu i
#44 S_n n
#45 4P_ _
#46 4Gr r
#47 Sak a
#48 _dw w
#49 0__ _
#50 4P_ P
#51 3N_ N
#52 4Gr G
#53 _dw _
#54 ach c
#55 ach h
#56 iiu u
#57 _np n
#58 Sak k
#59 _ls s
#60 !nt !

The flag is: ASIS{_ASIS_is_C3rt4inly_c4pabl3_0f_hiding_d4tA_in_raw_PNG_chunks!}

Comments

netsusoSept. 12, 2016, 1:52 p.m.

Once you generated the xor'ed version for each pair, you could simply extract the raw pixels and notice that the three diverging bytes were always the last three ones. And you simply needed to apply those bytes to the dot positions following the same order. So no guessing needed :)