acronym-1000

Description

An acronym is a word or name formed as an abbreviation from the initial components of a phrase... You will need that. Detective Pi Output.png

Note: The flag is not in flag format, please wrap it in format when you submit.

Solution

We are given a PNG file, so I started as I usually do, i.e. by running stegoveritas on the image. It gave out some trailing data, but it was kinda junk.

I looked at the EXIF data of the image and it said there's some extra data after the IEND chunk.

Since this is a PNG, we cannot use steghide on it, but we can try zsteg.

We can see that zsteg prints the extra data and it looks like it's another PNG file. We can extract it properly and keep it in a file.

➜ zsteg -E "extradata:0" output.png > extracted.png

But this new image is broken. Let's see what's missing in this image.

➜ xxd -l8 extracted.png
00000000: 504e 470d 0a1a 0a00                      PNG.....

The actual PNG header starts with 8950 4e47, like in the original output.png:

➜ xxd -l8 output.png
00000000: 8950 4e47 0d0a 1a0a                      .PNG....

You can open extracted.png in a hex editor and add the byte 89 at the start. That will give you a proper image showing a Pikachu.

I again used stegoveritas on that Pikachu image and it gave out an image with a QR code.

Scanning that QR code we get http://www.diff.vn/en/. Visiting that website was a dead end, so we focus on the text in that Pikachu image.
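The same two steps (pulling out the data after IEND and restoring the stripped 0x89 byte) can be scripted instead of done with zsteg and a hex editor. The following is an added example, not part of the original writeup; it runs on a constructed 1x1 PNG built inline rather than on the challenge file, and all function names are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data=b""):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png():
    """Constructed 1x1 8-bit grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND")

def end_of_png(buf):
    """Walk the chunk list, checking each CRC, and return the offset just past IEND."""
    if buf[:8] != PNG_SIG:
        raise ValueError("not a PNG signature")
    pos = 8
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length
        if end > len(buf):
            raise ValueError("truncated chunk")
        crc, = struct.unpack(">I", buf[end - 4:end])
        if crc != zlib.crc32(buf[pos + 4:end - 4]):
            raise ValueError("bad CRC in %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def trailing_data(buf):
    """Everything a PNG decoder ignores: the bytes after the IEND chunk."""
    return buf[end_of_png(buf):]

def repair_signature(blob):
    """Restore a PNG signature whose leading 0x89 byte was stripped."""
    if blob.startswith(PNG_SIG):
        return blob
    if blob.startswith(PNG_SIG[1:]):
        return b"\x89" + blob
    raise ValueError("not a recognisable PNG signature")

# Constructed sample: a carrier PNG with a second PNG, minus its first byte, appended.
carrier = make_png() + make_png()[1:]
extra = trailing_data(carrier)
print(extra[:8].hex(), "->", repair_signature(extra)[:8].hex())
```

On a real file, read the bytes with open(path, "rb").read() and write the repaired blob back out before viewing it.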

Bluestego, I found it.Just need one more thing to get the truth!!

So I googled bluestego and found BinhHuynh/bluestego.

First we (me and @UnblvR) tried to use the script on the Pikachu image and got nothing. Then @UnblvR was able to figure out that we need to use it on the original image, i.e. output.png. He also figured out that the key should be DIFF on the blue bit.

FLAG: ISITDTU{D4N4NG_1S_MY_L0V3}

Original writeup (https://github.com/mzfr/ctf-writeups/tree/master/ISITDTU-2019/Misc/acronym-1000).