Rating:
Look at this fan page I made for the Hidden Figures movie and website! Not everything is what it seems!
/assets
directory is accessible.
Had a look through the files, JS (and CSS based on challenge name) but didn't see anything interesting.
Downloaded main image and checked exifdata, strings, embedded files etc.
Teammate noticed base64 encoded data in the <img data-src>
tag on line 298 when you view the page source.
Save to file and decode.
base64 -d data.b64 > output
File type is image.
file output
file: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1600x2409, components 3
mv file test.jpg
Diff with the original image we downloaded during recon.
diff test.jpg Hidden+Figures+Paperback+Movie+Tie+In+Cover.jpeg
Binary files test.jpg and Hidden+Figures+Paperback+Movie+Tie+In+Cover.jpeg differ
The base64 one is bigger!
foremost test.jpg
We get two images out, one is the movie poster, the other a mario image containing a quote.
THANK YOU MARIO!
BUT OUR PRINCESS IS IN ANOTHER CASTLE!
Check the other images, until we get the flag in a PNG file.
Let's make life easy for ourselves and convert image to text
sudo apt install tesseract-ocr libtesseract-dev tesseract-ocr-eng
tesseract -l eng 00000030.png output
cat output.txt
Now we have a flag to copy and paste!
flag{e62630124508ddb3952843F183843343}