Tags: stego 

`challenge.7z` contains a single text file, `password.txt`, which we are able to extract:

```
Scanning the drive for archives:
1 file, 153628 bytes (151 KiB)

Listing archive: challenge.7z

--
Path = challenge.7z
Type = 7z
Physical Size = 153628
Headers Size = 130
Method = LZMA2:12
Solid = -
Blocks = 1

Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2020-10-02 11:00:07 ....A 486 162 password.txt
------------------- ----- ------------ ------------ ------------------------
2020-10-02 11:00:07 486 162 1 files

```

```
$ cat password.txt
_ _ _ __ _
__ _(_)_ _____ _ __ ___ ___ | |_| |__ ___ / _| | __ _ __ _
/ _` | \ \ / / _ \ | '_ ` _ \ / _ \ | __| '_ \ / _ \ | |_| |/ _` |/ _` |
| (_| | |\ V / __/ | | | | | | __/ | |_| | | | __/ | _| | (_| | (_| |
\__, |_| \_/ \___|___|_| |_| |_|\___|___\__|_| |_|\___|___|_| |_|\__,_|\__, |
|___/ |_____| |_____| |_____| |___/

```

The password appears to be `give_me_the_flag`. Next, we notice that the archive is rather large given that it contains only a single text file. Inspecting it with `xxd` shows that there is another 7-Zip archive after the compressed text file: in the row at `000000c0` we see `377a bcaf 271c 0004`.

```
00000000: 377a bcaf 271c 0004 708d 625c 9a57 0200 7z..'...p.b\.W..
00000010: 0000 0000 6200 0000 0000 0000 2d63 7183 ....b.......-cq.
00000020: e001 e500 9a5d 0010 6a93 c41b 8adf d95e .....]..j......^
00000030: 8def 6644 bb1e 6f47 7fac 44e9 f525 0206 ..fD..oG..D..%..
00000040: 0bc6 079f a0ea f5a0 9cbd cdc0 8be3 d293 ................
00000050: 9ab9 4f92 2b15 189e c933 12f8 79b2 3c71 ..O.+....3..y.<q
00000060: e045 4705 fbd8 2345 da45 629a 5541 b8bb .EG...#E.Eb.UA..
00000070: 8aab d398 38ce b63d 5497 a2b2 6d6d f680 ....8..=T...mm..
00000080: 795f 0af1 7538 07e4 def1 2598 d88b b812 y_..u8....%.....
00000090: a660 677f 89ca b60e 21a3 e035 8335 5ab3 .`g.....!..5.5Z.
000000a0: 2d84 56ff 367d 5975 c7d1 5ea6 6809 c22f -.V.6}Yu..^.h../
000000b0: 1dad 936b 7be6 37dd 9cc2 cf8c bec1 9480 ...k{.7.........
000000c0: 0000 377a bcaf 271c 0004 21f2 c54d b356 ..7z..'...!..M.V
000000d0: 0200 0000 0000 2500 0000 0000 0000 8dc1 ......%.........
000000e0: be36 6772 c955 3e26 ea1f dc4f 7570 8e55 .6gr.U>&...Oup.U
000000f0: 0253 1e28 ea7d dce8 f2e8 3c3a 9ea5 b5f3 .S.(.}....<:....
00000100: c1c2 27c6 7f3e c17d 09a2 0954 d00e 5df2 ..'..>.}...T..].
00000110: 55e6 2cf8 61cc 4835 ff5d f689 daba 118e U.,.a.H5.]......
00000120: 7174 d3bc 1e25 9805 7e54 aef3 57c7 b20d qt...%..~T..W...
00000130: 28b9 40a2 dc44 1790 847f 29fd 55a9 ecca (.@..D....).U...
00000140: 6222 c19b 7a84 537b 4f3e 467d 5d41 6920 b"..z.S{O>F}]Ai
00000150: 8d1b edc3 9c84 17d0 ad56 6eb2 69bd 23a1 .........Vn.i.#.

```

We remove everything before these bytes to get a new archive, which lists as follows:

```
Scanning the drive for archives:
1 file, 153434 bytes (150 KiB)

Listing archive: cutted.7z

--
Path = cutted.7z
Type = 7z
WARNINGS:
There are data after the end of archive
Physical Size = 153336
Tail Size = 98
Headers Size = 4024
Method = LZMA2:192k 7zAES
Solid = +
Blocks = 1

Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2020-10-02 13:31:21 D.... 0 0 part2
2020-10-02 12:12:15 ....A 46 149312 flag.txt
2020-10-02 13:31:04 ....A 564 part2/part2_0.7z
2020-10-02 13:31:04 ....A 751 part2/part2_1.7z
2020-10-02 13:31:04 ....A 350 part2/part2_10.7z
2020-10-02 13:31:08 ....A 189 part2/part2_100.7z
2020-10-02 13:31:08 ....A 539 part2/part2_101.7z
2020-10-02 13:31:08 ....A 446 part2/part2_102.7z
...
....
```
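The manual search for a second signature can be scripted. The following is an added example, not part of the original write-up: it scans a file for 7z start headers, validates each one with its StartHeaderCRC, and uses NextHeaderOffset and NextHeaderSize to compute where each archive ends. The function names are assumptions, and the sample bytes are constructed to mimic the layout, not a real archive.

```python
import struct
import zlib

SIG = b"7z\xbc\xaf\x27\x1c"          # the bytes 377a bcaf 271c from the xxd dump
HDR = struct.Struct("<6sBBIQQI")      # sig, major, minor, StartHeaderCRC,
                                      # NextHeaderOffset, NextHeaderSize, NextHeaderCRC

def find_archives(data):
    """Return (offset, physical_size) for each valid 7z start header in data."""
    found = []
    pos = data.find(SIG)
    while pos != -1:
        if pos + HDR.size <= len(data):
            _, _, _, start_crc, nh_off, nh_size, _ = HDR.unpack_from(data, pos)
            # StartHeaderCRC covers the 20 bytes after it, so a chance
            # occurrence of the six signature bytes is rejected here.
            if zlib.crc32(data[pos + 12:pos + 32]) == start_crc:
                found.append((pos, HDR.size + nh_off + nh_size))
        pos = data.find(SIG, pos + 1)
    return found

def carve(data, offset, size):
    """Split data at offset into (archive, tail) using the header's extent."""
    return data[offset:offset + size], data[offset + size:]

def start_header(nh_off, next_header):
    # Constructed helper: a 32-byte start header pointing at next_header.
    tail = struct.pack("<QQI", nh_off, len(next_header), zlib.crc32(next_header))
    return SIG + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail

def build_sample():
    # Constructed layout, not a real archive: a second archive sits between
    # the outer archive's packed data and the outer next header.
    inner = start_header(40, b"N" * 10) + b"I" * 40 + b"N" * 10
    middle = b"P" * 16 + inner
    return start_header(len(middle), b"H" * 8) + middle + b"H" * 8

if __name__ == "__main__":
    sample = build_sample()
    for off, size in find_archives(sample):
        archive, tail = carve(sample, off, size)
        print(f"offset=0x{off:x} physical_size={len(archive)} tail={len(tail)}")
```

A valid header found inside another archive's extent, or a non-empty tail after an archive's computed end, marks data that a normal listing of the outer file does not show.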

We see `flag.txt` in the archive, as well as a `part2` folder, which belongs to the next challenge. When we try to extract the flag we are asked for a password, which is `give_me_the_flag` from the `password.txt` we extracted earlier.

```
$ cat flag.txt
tstlss{next_header_offset_is_a_nice_feature}

```