NACTF was held between October 30th and November 4. There were numerous challenges such as Reverse Engineering, Binary Exploitation, Cryptography, Steganography, and Web App Exploitation. This is a write-up of a few of the steganography challenges.
Gummies
Kylie is obsessed with gummies. With her collection of miscellaneous gummy bears, she took this incredible picture which is now her phone's wallpaper. Can you find her flag?
This challenge had me stumped for a while. Going through my usual stego checklist, I just couldn’t see what I was missing. Steghide and jsteg only relate to JPEG and BMP, strings didn’t yield anything, and neither did stegsolve, binwalk, foremost, etc… My last chance was zsteg which manages steganography for both PNG and BMP. Luckily, this revealed the flag!
silence@mayday:~/$ zsteg gummy.png
b1,rgb,lsb,xy .. text: "nactf{5t3gan0graphy_rul35!}"
b2,r,msb,xy .. text: "QEU@Q@ED"
b2,rgb,msb,xy .. text: "D@PUEPQAE"
b2,rgba,lsb,xy .. file: PGP Secret Sub-key -
b4,r,msb,xy .. text: "Agc' @A313"
b4,g,msb,xy .. text: "u$C4t3T%7U"
b4,b,lsb,xy .. file: Targa image data - Map 17 x 4097 x 16 +273 +256 "\023l8\341\253\220\g\223d\263\312n'\237 \351\367"
b4,b,msb,xy .. text: "`F3pB`sap3"
b4,rgb,msb,xy .. text: "dPVCPc0p"
b4,bgr,msb,xy .. text: "V@SS0`pp"
Meta-morphosis
Mikey really likes Metamorphosis by Franz Kafka, so much so that he sent this meme to the class.
This was a quick solve, going through my usual checklist, I found the flag with exiftool:
silence@mayday:~/$ exiftool meme-3.jpg
ExifTool Version Number : 12.07
File Name : meme-3.jpg
Directory : .
File Size : 52 kB
File Modification Date/Time : 2020:11:02 21:00:31-05:00
File Access Date/Time : 2020:11:09 23:40:56-05:00
File Inode Change Date/Time : 2020:11:02 21:00:39-05:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 1
Y Resolution : 1
Exif Byte Order : Big-endian (Motorola, MM)
Resolution Unit : None
Artist : nactf{m3ta_m3ta_m3ta_d3f4j}
Y Cb Cr Positioning : Centered
Image Width : 500
Image Height : 461
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 500x461
Megapixels : 0.231
Turnips
Dr. J loves his ch0nky turnips, can you find his ch0nky flag?
I solved this one with a simple strings command:
silence@mayday:~/$ strings turnip-for-what.jpg | grep -i nactf
nactf{turn1p_f0r_h3x_f3j52}
Turnips 2
Uh oh.. Parth's file seems to have been corrupted. Can you figure out how to find his flag?
A corrupted file? This sounds like fun! Let’s take a look at what file and trid tells us on this file:
silence@mayday:~/$ file file.txt
file.txt: data
silence@mayday:~/$ trid file.txt
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 13206
Analyzing...
Collecting data from file: file.txt
Unknown!
Ok well that doesn’t help much! Let’s give binwalk a try:
silence@mayday:~/$ binwalk file.txt
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
6284 0x188C TIFF image data, big-endian, offset of first image directory: 8
Hmmm… ok looks like there is some image data in there. Let’s whip our out hex editor. I recommend ghex which is an awesome compact hexadecimal editor. If you’re running a Debian based linux, install it this way:sudo apt install ghex
Examining the file header, I notice that some bytes are similar to what we find at the beginning of a PNG file. This could be a corrupted PNG file! All PNGs start with 89 50 4E 47 0D 0A 1A 0A. Also, often right after these bytes we have 00 00 00 0D 49 48 44 52. I make these 2 changes, save the file and bingo! The flag appears inside the repaired image file:
Secret Message
Monica loves inventing secret languages. So much so that she claims to be the only one to know the message in this recording. What does it say?
This “sounds” pretty straightforward. Playing the audio clearly reveals morse code. Let’s load it up inside our favorite morse audio decoder:
And there’s our flag: nactf{QU33N_0F_L4NGU4G3S}
Many thanks to the organizers of NACTF and Trail of Bits for providing the competition prizes!
Silence Mayday 
