# Colorfull

## Task

Our team captured this traffic. We believe there is some malicious activity inside it. Can you figure it out?

File: colurfull.pcapng

## Solution

We open the capture in Wireshark.

After looking at the UDP and DNS traffic without finding anything useful, we apply the display filter `http or http2 or ftp or ftp-data`.

One packet stands out: the FTP command `STOR ./files.zip`, i.e. a client uploading a zip archive to the server.

We follow the TCP stream of the matching `ftp-data` connection (the data channel that carries the file, not the control channel with the `STOR` command), select only the client-to-server direction, set "Show data as" to `Raw`, and save it as `files.zip`. A quick sanity check is `file files.zip`, which should report a Zip archive, and `unzip -l files.zip`, which should list the contents without complaining about a corrupt archive.
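Finding which `ftp-data` stream belongs to the `STOR` is the fiddly part: the data connection is negotiated on the control channel just before the command, either by a `227` PASV reply (server port) or by a `PORT` command (client port), with the port encoded as `p1 * 256 + p2`. The following script, added here as an example and not part of the original writeup, walks a control-channel transcript and prints a Wireshark display filter for each transfer's data connection. The transcript, hosts and ports are constructed for the example, not taken from the challenge capture.

```python
import re

# Constructed FTP control-channel transcript (not from the challenge capture):
# the hosts, ports and the second file name are made up for this example.
SAMPLE_CONTROL = """\
220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS guest
230 Login successful.
TYPE I
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (192,168,1,10,195,80).
STOR ./files.zip
150 Ok to send data.
226 Transfer complete.
PORT 192,168,1,20,4,1
200 PORT command successful.
RETR notes.txt
150 Opening BINARY mode data connection for notes.txt (1234 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""

# 227 reply: the server tells the client where to connect (passive mode).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT command: the client tells the server where to connect (active mode).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
XFER_RE = re.compile(r"^(STOR|RETR) (.+)$")


def parse_ftp_transfers(control_text):
    """Return one record per STOR/RETR seen on the control channel, together
    with the data-connection endpoint negotiated just before it.  In both the
    PASV reply and the PORT command the six numbers are h1,h2,h3,h4,p1,p2 and
    the port is p1 * 256 + p2."""
    transfers = []
    pending = None  # endpoint from the most recent PASV reply or PORT command
    for raw in control_text.splitlines():
        line = raw.strip()
        m = PASV_RE.match(line) or PORT_RE.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            mode = "PASV" if line.startswith("227") else "PORT"
            pending = (mode, host, port)
            continue
        m = XFER_RE.match(line)
        if m:
            mode, host, port = pending if pending else (None, None, None)
            transfers.append({"command": m.group(1), "path": m.group(2),
                              "mode": mode, "host": host, "port": port})
            pending = None  # each negotiated data connection serves one transfer
    return transfers


def wireshark_filter(transfer):
    """Display filter that isolates the data connection of one transfer."""
    return "ip.addr == %s && tcp.port == %d" % (transfer["host"], transfer["port"])


if __name__ == "__main__":
    for t in parse_ftp_transfers(SAMPLE_CONTROL):
        print("%s %s via %s -> %s" % (t["command"], t["path"], t["mode"],
                                      wireshark_filter(t)))
```

In practice you get the transcript by following the control-channel TCP stream (port 21) in Wireshark and saving it as text; the printed filter then selects exactly the stream to save as `Raw`.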

The archive is password-protected, so we extract the hash with `zip2john` and crack it with `john` against `rockyou.txt`:

```bash
$ zip2john files.zip > hash
$ john --wordlist=rockyou.txt hash
$ john --show hash
files.zip/secret_data.txt:labeba:secret_data.txt:files.zip:files.zip

1 password hash cracked, 0 left
```

Extracting the archive with the password `labeba` gives `secret_data.txt`:

```bash
$ head -10 secret_data.txt
34-177-76
34-177-76
34-177-76
34-177-76
34-177-76
34-177-76
34-177-76
34-177-76
34-177-76
34-177-76
```

It took some time to realize that each line is one pixel as an RGB triple (three byte values, `R-G-B`), which also explains the challenge name `colorfull`. The text file is an image that was exfiltrated as raw pixel values rather than as an image file, so we have to turn it back into an image.

```python
import os

from PIL import Image
import pytesseract

# Each line of secret_data.txt is one pixel as "R-G-B"; flatten it to a byte list.
with open("secret_data.txt", "r") as f:
    d = [line for line in f.read().split("\n") if line]  # drop empty trailing line
d = [int(x) for y in d for x in y.split("-")]

os.makedirs("imgs", exist_ok=True)

# The width is unknown: brute-force it with a constant (oversized) height and
# let tesseract decide which candidate produces readable text.
for width in range(280, 300):
    height = 200
    c = d.copy()
    # pad with black pixels so the buffer covers width*height*3 bytes
    for _ in range(len(d), width * height * 3):
        c.append(0)
    im = Image.frombytes("RGB", (width, height), bytes(c))
    txt = pytesseract.image_to_string(im)
    if len(txt) > 3:
        print(width)
        im.resize((1000, 1000)).save("imgs/img_{}.png".format(width))
```

We read the values into a flat byte array, brute-force the width over the range 280 to 300 and keep the height at a constant 200 rows, which is larger than the actual image. Because the data does not fill a `width × 200` image exactly, we pad the array with black pixels (zero bytes) at the end.

We then create an image from the bytes and use `pytesseract` to check whether the image contains text. At a wrong width the rows are misaligned and OCR returns nothing usable; at the right width the flag becomes readable. If text is found, the width is printed and a resized copy is saved into `imgs/`.
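The OCR brute force works, but it needs tesseract and a good guess of the width range. A more general way to recover the width of a raw RGB dump is to score each candidate width by how similar each row is to the row below it: at the true width adjacent rows of an image (text on a background, shapes) are nearly identical, while a wrong width compares each pixel with an unrelated one. The script below, added here as an example and not part of the original writeup, parses the `R-G-B` lines, picks the width with the lowest row-to-row mismatch, and writes a binary PPM that any viewer opens without PIL. It goes beyond the page by recovering the width automatically; the sample image it tests itself on is constructed (a random per-column texture that drifts slowly per row, plus checkerboard blocks) and is not the challenge data.

```python
import operator
import random
import sys


def parse_triples(text):
    """Turn lines of the form 'R-G-B' into a flat RGB byte string, one pixel per line."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue  # tolerate a trailing newline or blank lines
        parts = line.split("-")
        if len(parts) != 3:
            raise ValueError("line %d is not an R-G-B triple: %r" % (lineno, line))
        for v in parts:
            v = int(v)
            if not 0 <= v <= 255:
                raise ValueError("line %d has a non-byte value: %r" % (lineno, line))
            out.append(v)
    return bytes(out)


def row_mismatch_score(data, width):
    """Mean absolute difference between each byte and the byte one row below it,
    assuming `width` pixels per row.  The stride is a multiple of 3, so channels
    stay aligned; the true width scores lowest on image-like data."""
    stride = width * 3
    if stride >= len(data):
        return float("inf")  # fewer than two rows: nothing to compare
    diffs = map(abs, map(operator.sub, data, data[stride:]))
    return sum(diffs) / (len(data) - stride)


def guess_width(data, min_width, max_width):
    """Return the width in [min_width, max_width] with the lowest row mismatch."""
    return min(range(min_width, max_width + 1),
               key=lambda w: row_mismatch_score(data, w))


def to_ppm(data, width):
    """Pad the buffer with black pixels to whole rows and prepend a binary PPM
    (P6) header, so the result opens in any image viewer without PIL."""
    stride = width * 3
    height = -(-len(data) // stride)  # ceiling division
    padded = data + bytes(height * stride - len(data))
    return b"P6\n%d %d\n255\n" % (width, height) + padded


def make_sample(width=289, height=40, seed=1):
    """Constructed test input (not the challenge data): a fixed random texture
    per column that drifts slowly from row to row, plus checkerboard blocks."""
    rng = random.Random(seed)
    column = [rng.randrange(256) for _ in range(width)]
    lines = []
    for y in range(height):
        for x in range(width):
            r = (column[x] + y) % 256
            g = (255 - column[x] + 2 * y) % 256
            b = 200 if (x // 16 + y // 8) % 2 else 30
            lines.append("%d-%d-%d" % (r, g, b))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python recover_image.py secret_data.txt out.ppm [min_width max_width]
    data = parse_triples(open(sys.argv[1]).read())
    lo, hi = (int(sys.argv[3]), int(sys.argv[4])) if len(sys.argv) > 4 else (1, 1024)
    width = guess_width(data, lo, hi)
    open(sys.argv[2], "wb").write(to_ppm(data, width))
    print("guessed width %d, %d pixels, wrote %s" % (width, len(data) // 3, sys.argv[2]))
```

Two caveats: very small widths can also score low on images with large flat areas (neighbouring pixels in a row are as similar as neighbouring rows), so constrain the range when you have a hint, as the 280 to 300 brute force above does; and multiples of the true width score almost as low, so take the smallest clear minimum, not just any low score.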

```bash
$ python image.py
289
```

And we can read the flag: `JISCTF{EF1LT3R4T3D_D4T4_1N_1M4G3_F1L3}`

Original writeup (https://github.com/klassiker/ctf-writeups/blob/master/2020/jisctf-quals/forensics/colorfull.md).