Tags: stego 

We are provided with an AVI with a children's show involving animated pigs. The father restarts the computer to fix some computer issues, and it works. We are then treated to an amusing sequence where the father is suddenly wearing "Deal with it" sunglasses and the word "HACKER" appears on screen as a tilting zoom fills the frame with his face.

Running binwalk on the AVI shows a series of PNG images inside; the file is in fact an MNG. We extract all the PNGs into their own directory and look at each one. There is no single-frame flag, QR code, or anything of that sort; all the images look relatively normal.

Running strings on the AVI, we notice a link to an AVI file which appears to have the same contents. However, the MD5 sums do not match! We use binwalk to extract the images from both files, rename them so that they correspond by frame number, and use Pillow to compare the image data until we find a single pair of corresponding frames which do not match. Comparing the two images, it seems that some of the red, green, and blue values have been incremented in the altered version. We interpret incremented values as ones and unincremented values as zeroes, and get a string of binary values which, when translated to ASCII, is a brainfuck program.

We run the brainfuck program in a JavaScript brainfuck interpreter, which spits out the flag.
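
The frame comparison and decoding steps above, as an added example that is not the script used in the original solve. It works on flat R,G,B byte strings (which Pillow returns from `Image.open(path).convert("RGB").tobytes()`), and it assumes MSB-first bit order and a message that ends at the first all-zero byte. The frame data and the hidden program are constructed, and a small Python interpreter stands in for the JavaScript one.

```python
# Pure Python; real frame bytes would come from Pillow's Image.tobytes().

def diff_bits(original: bytes, altered: bytes) -> list:
    """1 where a channel was incremented by one (mod 256), 0 where unchanged."""
    if len(original) != len(altered):
        raise ValueError("frames differ in size")
    deltas = [(a - o) % 256 for o, a in zip(original, altered)]
    if any(d > 1 for d in deltas):
        raise ValueError("channel changed by more than +1")
    return deltas

def bits_to_ascii(bits: list) -> str:
    """Pack bits MSB-first (assumed order); cut at the first NUL byte (assumed)."""
    data = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))
    return data.split(b"\0", 1)[0].decode("ascii")

def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal interpreter: 30000 wrapping cells, no input, bounded step count."""
    stack, jump = [], {}
    for i, c in enumerate(program):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()
            jump[i], jump[j] = j, i
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(program):
            return "".join(out)
        c = program[pc]
        if c in "><":
            ptr += 1 if c == ">" else -1
        elif c in "+-":
            tape[ptr] = (tape[ptr] + (1 if c == "+" else -1)) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit exceeded")

# Constructed sample: synthetic frame bytes hiding a program that prints "OK".
SAMPLE_PROGRAM = "++++++++[>++++++++++<-]>-.----."
ORIGINAL = bytes((i * 37) % 256 for i in range(300))
_bits = [int(b) for ch in SAMPLE_PROGRAM.encode() for b in f"{ch:08b}"]
ALTERED = bytes((v + b) % 256 for v, b in zip(ORIGINAL, _bits + [0] * 52))
```

The modulo in `diff_bits` treats a channel that was 255 in the original and 0 in the altered frame as incremented, which a plain `altered > original` comparison would miss.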