The Elusive Red Herring

~# cat Question

In the depths of the ocean, fish in general are hard to come by due to global warming. However, I just found a red herring, with a weird bruised QR code attached on its skin? I don't assume it could be of use to you?

FILE: qrcode.jpg

This challenge had a lot of tricks. We can use binwalk to extract any hidden files embedded in the jpg file. In this case it was 4 zip files.

┌──(tev㉿kali)-[~LNC]
└─$ binwalk -e qrcode.jpg          

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
364           0x16C           Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
152196        0x25284         Zip archive data, at least v2.0 to extract, name: red_herrings/red_herring_1/
152253        0x252BD         Zip archive data, at least v2.0 to extract, compressed size: 104618, uncompressed size: 104716, name: red_herrings/red_herring_1/red_herring.jpeg
256944        0x3EBB0         Zip archive data, at least v2.0 to extract, name: red_herrings/red_herring_2/
257001        0x3EBE9         Zip archive data, at least v2.0 to extract, compressed size: 5177, uncompressed size: 5386, name: red_herrings/red_herring_2/red_herring.jpeg
262251        0x4006B         Zip archive data, at least v2.0 to extract, name: red_herrings/red_herring_3/
262308        0x400A4         Zip archive data, at least v2.0 to extract, compressed size: 4915, uncompressed size: 5107, name: red_herrings/red_herring_3/red_herring.jpeg
267296        0x41420         Zip archive data, at least v2.0 to extract, name: red_herrings/red_herring_4/
267353        0x41459         Zip archive data, at least v2.0 to extract, compressed size: 2625603, uncompressed size: 2625603, name: red_herrings/red_herring_4/red_herring.zip
2893028       0x2C24E4        Zip archive data, at least v2.0 to extract, name: red_herrings/red_herring_5/
2893085       0x2C251D        Zip archive data, at least v2.0 to extract, compressed size: 10501, uncompressed size: 13304, name: red_herrings/red_herring_5/red_herring.jpeg
2904468       0x2C5194        End of Zip archive, footer length: 22

┌──(tev㉿kali)-[~/LNC/_qrcode.jpg.extracted/red_herrings]
└─$ ls
red_herring_1  red_herring_2  red_herring_3  red_herring_4  red_herring_5

Folders 1-3 and 5 each contain an image of a fish. Folder 4 is the exception: it contains a zip file. When unzipped, it gives us 10000 fake flag.txt files.

┌──(tev㉿kali)-[~/LNC/_qrcode.jpg.extracted/red_herrings]
└─$ cd red_herring_4 
                                                                                                                            
┌──(tev㉿kali)-[~/LNC/_qrcode.jpg.extracted/red_herrings/red_herring_4]
└─$ ls
red_herring.zip
                                                                                                                            
┌──(tev㉿kali)-[~/LNC/_qrcode.jpg.extracted/red_herrings/red_herring_4]
└─$ unzip red_herring.zip 
Archive:  red_herring.zip
   creating: red_herring/1/
 extracting: red_herring/1/flag.txt  
   creating: red_herring/10/
 extracting: red_herring/10/flag.txt  
   creating: red_herring/100/
 extracting: red_herring/100/flag.txt  
   creating: red_herring/1000/
 extracting: red_herring/1000/flag.txt  
   creating: red_herring/10000/
 extracting: red_herring/10000/flag.txt  
   creating: red_herring/1001/
 extracting: red_herring/1001/flag.txt  
.
.
.
   creating: red_herring/9999/
 extracting: red_herring/9999/flag.txt 

Finding the real flag

At this point, we know that 1 of the 10000 flag.txt files holds the real flag. We can use a script to filter out all the fake flag.txt files.

CREDS: Syn Kit (teammate) for the script!

#!/bin/bash

# Define the output file
output_file="out.txt"

# Iterate over directories and read flag.txt files
for dir in */; do
    if [ -f "$dir/flag.txt" ]; then
        echo -n "$dir" >> "$output_file"
        cat "$dir/flag.txt" >> "$output_file"
        echo "" >> "$output_file"
    fi
done

echo "All flag.txt contents have been written to $output_file."

┌──(SynKit㉿kali)-[~/LNC/_qrcode.jpg.extracted/red_herrings/red_herring_4]
└─$ cat solve.sh | grep -v "f4k3"
LNC24{d0nT_f4LL_4_r3d_h3rR1nG5!}

Flag: LNC24{d0nT_f4LL_4_r3d_h3rR1nG5!}
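
The same search done in one pass, as an added example that is not part of the original write-up or Syn Kit's script: Python's zipfile reads the archive appended to the image directly and opens the nested zip in memory, then keeps only the flag.txt files that lack the f4k3 marker. The sample file, the EXAMPLE{...} flag values, the size cap and the function names are constructed for illustration.

```python
import io
import zipfile

DECOY_MARKER = b"f4k3"        # substring the write-up's grep -v filters on
MAX_MEMBER = 64 * 1024 * 1024  # assumed cap: skip oversized members (zip-bomb guard)

def find_candidates(blob, marker=DECOY_MARKER, depth=0, max_depth=3, prefix=""):
    """Return [(path, text)] for every flag.txt inside `blob` that lacks `marker`.

    `blob` may be a ZIP or any file with a ZIP appended to it: zipfile locates
    the end-of-central-directory record and compensates for prepended bytes.
    Nested .zip members are opened in memory, so nothing is written to disk.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            path = prefix + info.filename
            data = zf.read(info)
            if info.filename.endswith(".zip") and depth < max_depth:
                hits += find_candidates(data, marker, depth + 1, max_depth, path + "!")
            elif info.filename.endswith("flag.txt") and marker not in data:
                hits.append((path, data.decode("utf-8", "replace").strip()))
    return hits

def build_sample(n=200, real_at=137):
    """Constructed stand-in for qrcode.jpg: JPEG-like bytes, then ZIP with a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for i in range(1, n + 1):
            body = "EXAMPLE{constructed_flag}" if i == real_at else f"EXAMPLE{{f4k3_{i}}}"
            zf.writestr(f"red_herring/{i}/flag.txt", body + "\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("red_herrings/red_herring_1/red_herring.jpeg", b"\xff\xd8\xff\xd9")
        zf.writestr("red_herrings/red_herring_4/red_herring.zip", inner.getvalue())
    # Fake image bytes (SOI ... EOI) followed by the archive, like the challenge file.
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9" + outer.getvalue()

if __name__ == "__main__":
    for path, text in find_candidates(build_sample()):
        print(path, "->", text)
```

More than one result means the marker is not a reliable discriminator for that archive; an empty list means every flag.txt carried it.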
