If you have been following my Twitter stream lately, you will have noticed that most of my tweets have been about the BSides Chicago / BSides Detroit cross-city capture the flag event. I wanted to write about the most recent challenge because I really enjoyed creating it, and it was very neat to see how other people solved it. Here is how I created it.
For those who may not have seen this before, you can “hide” other files by appending them to certain other files without breaking the host file. For example, you can append a zip file containing other files to a jpg image: a JPEG viewer stops at the end-of-image marker and ignores whatever follows, while a zip reader locates the archive from its end, so both still open. In your Linux or Cygwin terminal you can simply type
cat myzip.zip >> myimage.jpg
This puts the contents of myzip.zip at the end of the myimage.jpg file. I know this is already common knowledge for most of you; I am just writing it down for those who didn’t know about it.
With that said, I had been playing around with avoiding antivirus applications by altering binary files. One of the successful techniques I found was to invert or “flip” the binary upside down. The cool thing about this is that it changes the MD5 of the file as well. I am still working on flipping the file in memory, but that is for a later post.
So, for this challenge I wanted the appended-zip trick above to keep working while also adding a second zip containing the correct flag.
To do this, I started with the hackers.jpg image.
Then I took my “No flag for you!” image (image1.jpg) and zipped it up.
[Figure: image1.jpg zipped to image1.zip]
Now I take image1.zip and append it to hackers.jpg:
cat image1.zip >> hackers.jpg
Now the file looks like this:
Then, I took the actual flag image and renamed it to gpj.1egami.
Why, you ask? Remember, we are going to flip this file upside down. The byte order is reversed, but each byte is still a readable character, so a member stored as image1.jpg would read as gpj.1egami in a hex editor after the flip, which is a bigger hint than I wanted to give. So I took gpj.1egami and zipped it up.
[Figure: gpj.1egami zipped to realimage1.zip]
Now comes the fun part. We take realimage1.zip and flip its bytes over: the byte at position 0 becomes the last byte, the byte at position 1 becomes the second to last, and so on. We are basically turning the file upside down. Like this:
I wrote a Python script that does this for you; I posted it to my GitHub.
Now, just like before, we append this new zip file to the already appended hackers.jpg:
cat realimage1.zip >> hackers.jpg
The file now looks like this.
This file still shows up as hackers.jpg. If you rename it to .zip, it gives you the false flag image. If you flip it over like this:
and then rename it to .zip and open it, it gives you the correct flag.
Here is the challenge hackers.jpg. Give it a try! Use 7-Zip or WinRAR; the built-in Windows zip support doesn’t work with this.
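The whole build (the appended zip from the start of the post plus the flipped second zip) and both solver steps, as an added Python example. This is not the script from my GitHub and not the actual challenge file: the cover image, the two payloads and all function names (build_challenge, carve_leading_zip, solve_by_flipping, and so on) are constructed for the demo. It also shows why the renamed file opens at all (zip readers find the end-of-central-directory record from the end and correct for prepended data) and why the flipped file needs its tail trimmed for a reader that only looks at the last 64 KiB.

```python
import hashlib
import io
import struct
import zipfile

# Constructed stand-in for hackers.jpg: SOI marker, a small JFIF APP0 segment,
# some filler and the EOI marker (FF D9). It is not a real picture; what matters
# is that a JPEG viewer stops at EOI and ignores anything appended after it.
COVER_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\x00" * 200 + b"\xff\xd9")
DECOY = b"constructed decoy image bytes: No flag for you!"          # stands in for image1.jpg
REAL = b"constructed real image bytes: FLAG{example-not-from-post}"  # the real flag image

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Zip one in-memory file (like zipping image1.jpg into image1.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def flip_bytes(data: bytes) -> bytes:
    """Reverse the byte order: position 0 moves to the last position, 1 to last-1, ..."""
    return data[::-1]


def md5_hex(data: bytes) -> str:
    """MD5 of the bytes; flipping changes it like any other byte change would."""
    return hashlib.md5(data).hexdigest()


def build_challenge(cover: bytes, decoy: bytes, real: bytes) -> bytes:
    """Assemble the layout from the post:
         cover JPEG | image1.zip (decoy, readable as-is) | flipped realimage1.zip
    The real member is stored as gpj.1egami so that, once the archive is flipped,
    its name bytes read as image1.jpg in a hex editor instead of a telltale
    reversed name."""
    decoy_zip = make_zip("image1.jpg", decoy)
    real_zip = make_zip("gpj.1egami", real)
    return cover + decoy_zip + flip_bytes(real_zip)


def read_single_member(zip_bytes: bytes) -> tuple:
    """Return (name, contents) of the only member of an archive.
    zipfile looks for the EOCD record from the END of the data and adjusts every
    offset for whatever was prepended, which is why a jpg with a zip stuck on the
    end opens fine once renamed to .zip (trailing bytes after the EOCD are ignored)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        return name, zf.read(name)


def carve_leading_zip(data: bytes) -> bytes:
    """Cut out the archive that starts at offset 0 and drop the bytes after it.
    After the whole challenge is flipped, the real zip sits at the front, followed by
    the reversed decoy zip and the reversed JPEG. zipfile only searches the last
    64 KiB for the EOCD, so with a large cover image we trim the tail ourselves.
    The EOCD is 22 bytes plus an optional comment whose length is the 16-bit
    little-endian field at offset 20 of the record."""
    pos = data.find(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no end-of-central-directory record found")
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return data[: pos + 22 + comment_len]


def solve_as_renamed_zip(challenge: bytes) -> tuple:
    """Solver step 1: rename hackers.jpg to .zip and open it -> the decoy."""
    return read_single_member(challenge)


def solve_by_flipping(challenge: bytes) -> tuple:
    """Solver step 2: flip the whole file, open the archive now at its front -> the flag."""
    return read_single_member(carve_leading_zip(flip_bytes(challenge)))


if __name__ == "__main__":
    challenge = build_challenge(COVER_JPEG, DECOY, REAL)
    print("md5 of challenge:        ", md5_hex(challenge))
    print("md5 of flipped challenge:", md5_hex(flip_bytes(challenge)))
    print("renamed to .zip ->", solve_as_renamed_zip(challenge))
    print("flipped, then .zip ->", solve_by_flipping(challenge))
```

Running the script builds the constructed challenge in memory, then shows the decoy coming out of the plain rename and the real member (still named gpj.1egami) coming out of the flipped file. To check a real hackers.jpg you would read it into `challenge` instead of calling build_challenge.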
Have fun and leave your comments below.