Save Our Ship

~# cat Question

I heard my friend was captured when trying to flee this horrible place! He sent me this weird message though...

FILE: challenge.png

The challenge gives us a PNG file. We can try to view it with eog, but doing so produces a file format error. We can also run pngcheck to check whether the file is a valid PNG.

┌──(tev㉿kali)-[~/LNC]
└─$ eog challenge.png    

** File Format ERROR

┌──(tev㉿kali)-[~/LNC]
└─$ pngcheck -v challenge.png  
zlib warning:  different version (expected 1.2.13, using 1.3)

File: challenge.png (268637 bytes)
  this is neither a PNG or JNG image nor a MNG stream
ERRORS DETECTED in challenge.png

Changing the magic bytes

So I opened the file in a hex editor (HxD) to check what was causing this error. This is what the first 5 lines of the file's hexdump look like.

90 49 38 12 5E 47 0D 0A 1A 0A 00 00 00 0D 49 48 
44 52 00 00 02 64 00 00 01 98 08 06 00 00 00 EC
A9 FE 43 00 00 00 01 73 52 47 42 00 AE CE 1C E9
00 00 20 00 49 44 41 54 78 5E EC BD 5F 8B 64 C9
91 2F 68 15 1D 37 36 08 82 24 29 8A A2 28 8A A6

We can tell that there are already errors.

  1. The magic bytes have been altered

  2. IHDR (header) no longer fits on the first line of the dump

According to this Wikipedia article, magic bytes are, in short, the file signature. The first 8 bytes of the file tell us whether the challenge file is a PNG or not, regardless of its extension (.png). A PNG file has 89 50 4E 47 0D 0A 1A 0A as its first 8 magic bytes. That is not the case for this file.

All PNG files have an IHDR header, which determines the image's dimensions. However, in this file the IHDR is "overflowing" into the next line. Comparing a real PNG to this fake PNG, we can see that extra bytes were added (1A 0A). We can just remove them.

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
00 00 02 64 00 00 01 98 08 06 00 00 00 EC A9 FE
43 00 00 00 01 73 52 47 42 00 AE CE 1C E9 00 00
20 00 49 44 41 54 78 5E EC BD 5F 8B 64 C9 91 2F
68 15 1D 37 36 08 82 24 29 8A A2 28 8A A6 68 9A
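The same repair can be done in code rather than by hand in a hex editor. The sketch below is an added example, not part of the original write-up: it finds the IHDR chunk, replaces everything in front of its length field with the real PNG signature, and reads the image dimensions back. The function names are made up for illustration, and the sample bytes are the first 35 bytes of the corrupted hexdump shown above.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89 50 4E 47 0D 0A 1A 0A")

# First 35 bytes of challenge.png, copied from the corrupted hexdump above.
CORRUPT_HEAD = bytes.fromhex(
    "90 49 38 12 5E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 "
    "00 00 02 64 00 00 01 98 08 06 00 00 00 EC A9 FE 43"
)

def repair_png_header(data: bytes) -> bytes:
    """Replace whatever precedes the IHDR length field with the PNG signature."""
    if data.startswith(PNG_SIGNATURE):
        return data                      # nothing to fix
    pos = data.find(b"IHDR", 0, 64)      # IHDR is always the first chunk
    if pos < 4:
        raise ValueError("no IHDR chunk near the start of the file")
    if data[pos - 4:pos] != b"\x00\x00\x00\x0d":
        raise ValueError("IHDR length field is not 13")
    return PNG_SIGNATURE + data[pos - 4:]

def parse_ihdr(data: bytes) -> dict:
    """Validate the signature and first chunk, then decode the IHDR fields."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature: " + data[:8].hex(" "))
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    width, height, depth, color = struct.unpack(">IIBB", body[:10])
    return {
        "width": width,
        "height": height,
        "bit_depth": depth,
        "color_type": color,
        # The chunk CRC covers the chunk type plus its data.
        "crc_ok": zlib.crc32(b"IHDR" + body) == stored_crc,
    }

if __name__ == "__main__":
    fixed = repair_png_header(CORRUPT_HEAD)
    print(fixed[:16].hex(" "))
    print(parse_ihdr(fixed))
```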

Opening up the image shows us a picture of a ship.

We can embed text or files within an image, so we can use Aperi'Solve to see if there are any hidden files or text. We manage to get a hidden text and a zip file from the image (or use zsteg and binwalk respectively). Unzipping the zip file requires a password, which is in the hidden text, and this gives us flag.txt.

268144	0x41770	Zip archive data, encrypted at least v2.0 to extract, compressed size: 341, uncompressed size: 5404, name: flag.txt

I have captured your friends, and I won't let them go so easily. 
I guess I'll give you a clue, you won't be able to solve this challenge anyway.
\nPassword: AttackAtDawnTomorrow

flag.txt

Haha! Not so fast. I came, I saw, and I intercepted the message! ‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌​​​​​⁠‌‌​​​​⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​‌⁠‌‌​​​​⁠‌‌​​​‌
But I've hidden it somewhere... in case I need the message again.

Uncovering the hidden text

Nothing looks suspicious about this. However, there are other ways to hide messages in text files that we cannot see (even with fancy highlighting). When I transferred the file over to my home machine, I saw there was "white stuff", also known as zero-width spaces.

After some googling, I came across this tool. It is basically a steganography tool that converts zero-width text to plain text. Inserting the zero-width text converts it to binary, which we can then convert back to ASCII, giving us the flag.
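The two decoding steps can also be reproduced offline. This is an added example, not the tool from the write-up: it assumes U+200B stands for a 0 bit, U+200C for a 1 bit and U+2060 separates symbols, which may differ from the tool's actual mapping. The cover text and the hidden message "SOS" are constructed for the demonstration, and the `hide` helper exists only to build that sample.

```python
import unicodedata
from collections import Counter

ZERO = "\u200b"  # ZERO WIDTH SPACE      -> bit 0 (assumed mapping)
ONE = "\u200c"   # ZERO WIDTH NON-JOINER -> bit 1 (assumed mapping)
SEP = "\u2060"   # WORD JOINER           -> symbol separator (assumed)

def invisible_chars(text: str) -> Counter:
    """Count Unicode format (Cf) characters, which render as nothing."""
    return Counter(
        unicodedata.name(ch, hex(ord(ch)))
        for ch in text
        if unicodedata.category(ch) == "Cf"
    )

def extract_hidden(text: str) -> str:
    """Step 1: turn each zero-width group back into the character it encodes."""
    hidden = "".join(ch for ch in text if ch in (ZERO, ONE, SEP))
    groups = [g for g in hidden.split(SEP) if g]
    return "".join(
        chr(int(g.replace(ZERO, "0").replace(ONE, "1"), 2)) for g in groups
    )

def binary_to_ascii(bits: str) -> str:
    """Step 2: '01010011 01001111' -> 'SO'."""
    return "".join(chr(int(b, 2)) for b in bits.split())

def hide(payload: str) -> str:
    """Build a constructed sample using the same assumed mapping."""
    return SEP.join(
        "".join(ONE if bit == "1" else ZERO for bit in f"{ord(c):b}")
        for c in payload
    )

# Constructed sample: visible cover text plus an invisible payload.
SAMPLE_BITS = " ".join(f"{ord(c):08b}" for c in "SOS")
SAMPLE = "Haha! Not so fast." + hide(SAMPLE_BITS) + " But I've hidden it."

if __name__ == "__main__":
    print(invisible_chars(SAMPLE))
    bits = extract_hidden(SAMPLE)
    print(bits)
    print(binary_to_ascii(bits))
```

Counting category `Cf` characters is also a quick way to flag text files that carry an invisible payload before trying any particular decoder.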

Flag: LNC24{s4ve_m3_aT_tHe_jETty!}
