26 Apr 2013

pCTF 2013 – cat_rar (forensics 150)

So, alongside all the binaries, PlaidCTF also followed the CTF tradition of hiding a stego task among the forensics challenges. This one came with the following description:

cat_rar
150
forensics
“Meow meow mw mw m.”
cat.rar

In the cat.rar file we found two files:

  • a cat.rar.jpg which seems to be an image of a cat.
  • a cat.rar.bin which seems to be an x64 ELF binary


Running the binary gave us the following information:

$ ./cat.rar.bin
steghide version 0.5.1
the first argument must be one of the following:
 embed, --embed          embed data
 extract, --extract      extract data
 info, --info            display information about a cover- or stego-file
   info <filename>       display information about <filename>
 encinfo, --encinfo      display a list of supported encryption algorithms
 version, --version      display version information
 license, --license      display steghide's license
 help, --help            display this usage information
embedding options:
 -ef, --embedfile        select file to be embedded
   -ef <filename>        embed the file <filename>
 -cf, --coverfile        select cover-file
   -cf <filename>        embed into the file <filename>
 -p, --passphrase        specify passphrase
   -p <passphrase>       use <passphrase> to embed data
 -sf, --stegofile        select stego file
   -sf <filename>        write result to <filename> instead of cover-file
 -e, --encryption        select encryption parameters
   -e <a>[<m>]|<m>[<a>]  specify an encryption algorithm and/or mode
   -e none               do not encrypt data before embedding
 -z, --compress          compress data before embedding (default)
   -z <l>                 using level <l> (1 best speed...9 best compression)
 -Z, --dontcompress      do not compress data before embedding
 -K, --nochecksum        do not embed crc32 checksum of embedded data
 -N, --dontembedname     do not embed the name of the original file
 -f, --force             overwrite existing files
 -q, --quiet             suppress information messages
 -v, --verbose           display detailed information
extracting options:
 -sf, --stegofile        select stego file
   -sf <filename>        extract data from <filename>
 -p, --passphrase        specify passphrase
   -p <passphrase>       use <passphrase> to extract data
 -xf, --extractfile      select file name for extracted data
   -xf <filename>        write the extracted data to <filename>
 -f, --force             overwrite existing files
 -q, --quiet             suppress information messages
 -v, --verbose           display detailed information
options for the info command:
 -p, --passphrase        specify passphrase
   -p <passphrase>       use <passphrase> to get info about embedded data
To embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt
To extract embedded data from stg.jpg: steghide extract -sf stg.jpg

So there is probably a message hidden in cat.rar.jpg with steghide. First we tried to brute-force the passphrase with a wordlist, but that did not seem to be the intended solution.

So we took a closer look at the binary. Its size was a lot bigger than that of a normal steghide build, and it contained some interesting strings:

@the passphrase cannot be pills here.
@pills_wav_len
@pills_wav_zliblen
@_GLOBAL__I_pills_wav_len

So there was something hidden in the binary as well: apparently a zlib stream with a wave file in it. We used foremost to carve the zlib stream. Add the following lines to foremost.conf (one rule per zlib header byte pair):

    zlib    y    1000000    \x78\x01
    zlib    y    1000000    \x78\x5e
    zlib    y    1000000    \x78\x9c
    zlib    y    1000000    \x78\xda

and get the stream with:

$ foremost -a cat.rar.bin

Now inflate the carved stream with this small Python script:

#!/usr/bin/env python3
import sys, zlib

# Inflate the carved zlib stream and write the raw result (the WAV) to stdout.
# Both ends are opened in binary mode so no newline translation corrupts the data.
with open(sys.argv[1], 'rb') as f:
    sys.stdout.buffer.write(zlib.decompress(f.read()))

And run it with:

$ ./zlib.py output/zlib/00000611.zlib > file.wav
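The foremost rule plus the inflate script can be folded into one scanner. The following is an added example, not code from the original writeup: it looks for the same four zlib header byte pairs, but then actually inflates each hit and keeps only streams that terminate cleanly (adler32 verified), so chance occurrences of 0x78 0x9c inside code are discarded instead of dumped to disk. The blob it scans is a constructed stand-in for cat.rar.bin; `carve_zlib`, `find_embedded_wav` and `make_wav` are names chosen here.

```python
import struct
import zlib

# The four zlib header byte pairs from the foremost.conf rules above.
ZLIB_MAGICS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def make_wav(samples, rate=8000):
    """Build a minimal 8-bit mono PCM WAV from an iterable of sample bytes."""
    data = bytes(samples)
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, rate, rate, 1, 8)
    riff_len = 4 + len(fmt) + 8 + len(data)
    return (b"RIFF" + struct.pack("<I", riff_len) + b"WAVE"
            + fmt + b"data" + struct.pack("<I", len(data)) + data)


def carve_zlib(blob, min_len=16):
    """Return [(offset, inflated_bytes)] for every zlib stream in blob.

    foremost only matches the two header bytes; here each hit is inflated
    and counts only if the stream ends cleanly (d.eof, i.e. the adler32
    trailer checked out), so false positives are dropped.
    """
    found = []
    for magic in ZLIB_MAGICS:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0:
                break
            start = off + 1
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[off:])
            except zlib.error:
                continue  # header matched by chance, not a real stream
            if d.eof and len(out) >= min_len:
                found.append((off, out))
    return sorted(found)


def find_embedded_wav(blob):
    """Return (offset, wav_bytes) for the first carved stream that is a
    RIFF/WAVE file, or None if there is none."""
    for off, out in carve_zlib(blob):
        if out[:4] == b"RIFF" and out[8:12] == b"WAVE":
            return off, out
    return None


# Constructed stand-in for cat.rar.bin: an ELF-ish prefix, filler, a decoy
# zlib header followed by junk (inflating it fails), then the real stream.
SAMPLE_WAV = make_wav([128] * 64)
SAMPLE_BLOB = (b"\x7fELF" + bytes(range(256))
               + b"\x78\x9c\x00\x00\x00\x00\x00"
               + zlib.compress(SAMPLE_WAV) + b"\x00" * 32)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    hit = find_embedded_wav(blob)
    if hit:
        print("wav at offset 0x%x, %d bytes" % (hit[0], len(hit[1])))
```

Run it as `python3 carve.py cat.rar.bin` to scan a real file; with no argument it scans the constructed blob. The decoy header in the sample is exactly the kind of hit foremost would have written out as a bogus .zlib file.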

So we now have a wave file. Let's see whether something is hidden in its least significant bits.

lsb.php:

<?php
// Collect the least-significant bit of every byte in the file. This walks
// the raw bytes (WAV header and high-order sample bytes included), which is
// why the output below is noisy.
$a = file_get_contents($argv[1]);
$bb = '';
for ($i = 0; $i < strlen($a); $i++) {
        $bb .= (ord($a[$i]) & 1);
}
// Regroup the bit string into bytes at each of the 8 possible bit offsets,
// so a message that does not start on a byte boundary still shows up.
for ($offs = 0; $offs < 8; $offs++) {
        for ($jj = 0; $jj + $offs + 8 <= strlen($bb); $jj += 8) {
                echo chr(bindec(substr($bb, $offs + $jj, 8)));
        }
}
?>

And run it:

$ php lsb.php file.wav | xxd
..
0006f90: 052f 2737 ba10 2605 4d40 a020 545e 4e6f  ./'7..&.M@. T^No
0006fa0: 7420 4c53 412e 2049 7427 7320 7374 6d67  t LSA. It's stmg
0006fb0: 6869 6465 2e20 4c6f 6d6b 2069 6e20 7468  hide. Lomk in th
0006fc0: 6520 6269 6e61 7279 2e24 0a5e 4e6f 7420  e binary.$.^Not
0006fd0: 4c5b 422e 2049 7427 7320 7374 6567 6869  L[B. It's steghi
0006fe0: 6465 2e20 4c6f 6f6b 2069 6e20 7468 6520  de. Look in the
0006ff0: 6269 6e61 7279 2e24 0a5e 4e6f 7420 4c53  binary.$.^Not LS
0007000: 422e 2049 7427 7320 7374 6767 6869 6465  B. It's stgghide
0007010: 2e20 cc6f 6f6b 2069 6e00 7668 6520 6269  . .ook in.vhe bi
0007020: 6e61 7279 2e04 0a5e 4e6f 7420 4c53 422e  nary...^Not LSB.
0007030: 2049 7427 7320 7374 6567 6869 6465 2e20   It's steghide.
0007040: 4c67 6f6b 2069 6e20 7468 6520 6269 6e61  Lgok in the bina
0007050: 7279 2e24 0a5e 4e6f 7420 4c53 422e 2049  ry.$.^Not LSB. I
0007060: 7427 7320 7374 6567 6869 6465 2e20 4c6f  t's steghide. Lo
0007070: 6f6b 2069 6e20 7468 6520 6269 6e61 7271  ok in the binarq
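The PHP script above treats the whole file as a byte soup, which is why the message only shows up scrambled and at several bit offsets. As an added example (not from the original writeup), here is the same LSB extraction done properly in Python: the WAV is parsed chunk by chunk, the PCM samples are decoded at their real width, and one bit is read from the low end of each sample. The carrier WAV is constructed inline with the message the challenge file turned out to contain; `wav_samples`, `lsb_extract`, `lsb_embed` and `make_wav16` are names chosen here.

```python
import struct


def wav_samples(wav):
    """Parse a RIFF/WAVE file and return (bits_per_sample, [samples]).

    Chunks are walked rather than assuming a 44-byte header, so a LIST or
    other chunk before 'data' does not throw the offsets off. Only
    uncompressed PCM (format tag 1) at 8 or 16 bits is handled.
    """
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos, bits, data = 12, None, None
    while pos + 8 <= len(wav):
        cid = wav[pos:pos + 4]
        size = struct.unpack_from("<I", wav, pos + 4)[0]
        body = wav[pos + 8:pos + 8 + size]
        if cid == b"fmt ":
            tag = struct.unpack_from("<H", body, 0)[0]
            bits = struct.unpack_from("<H", body, 14)[0]
            if tag != 1:
                raise ValueError("only PCM WAV is supported")
        elif cid == b"data":
            data = body
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length
    if bits is None or data is None:
        raise ValueError("missing fmt or data chunk")
    width = bits // 8
    fmt = {1: "<%dB", 2: "<%dh"}[width]  # 8-bit PCM is unsigned, 16-bit signed
    n = len(data) // width
    return bits, list(struct.unpack(fmt % n, data[:n * width]))


def lsb_extract(wav, nbits=1):
    """Read the low nbits of every sample in order (MSB-first within a byte)
    and return the bytes they spell out."""
    _, samples = wav_samples(wav)
    bits = [(s >> b) & 1 for s in samples for b in range(nbits - 1, -1, -1)]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def lsb_embed(samples, message):
    """Return a copy of samples with message written into their LSBs
    (one bit per sample); used only to build the constructed sample below."""
    bits = [(byte >> b) & 1 for byte in message for b in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("carrier too short")
    return [(s & ~1) | bit for s, bit in zip(samples, bits)] + samples[len(bits):]


def make_wav16(samples, rate=8000):
    """Serialise signed 16-bit mono samples as a minimal PCM WAV."""
    data = struct.pack("<%dh" % len(samples), *samples)
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, rate, rate * 2, 2, 16)
    return (b"RIFF" + struct.pack("<I", 4 + len(fmt) + 8 + len(data)) + b"WAVE"
            + fmt + b"data" + struct.pack("<I", len(data)) + data)


# Constructed sample: a synthetic 16-bit carrier with the message the
# challenge WAV turned out to contain written into its sample LSBs.
SECRET = b"Not LSB. It's steghide. Look in the binary.\n"
CARRIER = [((i * 7919) % 65536) - 32768 for i in range(400)]
SAMPLE_WAV = make_wav16(lsb_embed(CARRIER, SECRET))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WAV
    sys.stdout.buffer.write(lsb_extract(data))
```

Pipe the output through `xxd` or `strings` as above; because samples are decoded at their real width the text comes out aligned on a byte boundary, with no need to try eight offsets.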

Well, back to the binary. At this point we were actually lost and tried to brute-force the passphrase with every string in the binary:

$ for i in $(strings cat.rar.bin) ; do steghide extract -sf cat.rar.jpg -xf out -p $i ; done

No luck there. But `$(strings ...)` gets split at every whitespace character, so a passphrase containing spaces never reaches steghide in one piece. Let's set IFS to a newline only and try again:

$ export IFS="
"
$ for i in $(strings cat.rar.bin) ; do steghide extract -sf cat.rar.jpg -xf out -p $i ; done
wrote extracted data to "out".
$ cat out
st3g0_suck5_need

That worked, but the output looks like only part of the flag. The passphrase that was accepted turned out to be the string we had already spotted:
“the passphrase cannot be pills here.”
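The lesson of the two loops above is that a word-splitting shell loop silently drops every candidate containing a space. As an added example (not from the original writeup), here is the same brute force in Python: printable runs are extracted from the binary whole, spaces included, and each one is handed to steghide through argv rather than through the shell, so spaces and quotes cannot break it. The binary scanned is a constructed stand-in for cat.rar.bin; `candidate_passphrases` and `try_steghide` are names chosen here, and the assumption that steghide exits nonzero on a wrong passphrase is the only thing relied on from the tool.

```python
import re
import shutil
import subprocess

# Constructed stand-in for cat.rar.bin, not the real challenge binary.
SAMPLE_BINARY = (b"\x7fELF" + bytes(range(32, 127)) * 2
                 + b"\x00steghide version 0.5.1\x00"
                 + b"\x00the passphrase cannot be pills here.\x00"
                 + b"\x00pills_wav_len\x00\x01\x02")


def candidate_passphrases(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, kept whole.

    This is what `strings` prints, but spaces stay inside a candidate
    instead of being turned into word boundaries by the shell.
    """
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    seen, out = set(), []
    for r in runs:
        s = r.decode("ascii")
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def try_steghide(stegofile, candidates, outfile="out", steghide="steghide"):
    """Run `steghide extract` with each candidate and return the first
    passphrase that works, or None.

    Arguments go straight to execve, never through a shell, so a candidate
    with spaces or quotes is passed exactly as found. -f overwrites the
    output file so a previous attempt cannot stall the loop on a prompt.
    Assumes steghide exits nonzero when the passphrase is wrong.
    """
    if shutil.which(steghide) is None:
        raise FileNotFoundError("%s not found in PATH" % steghide)
    for p in candidates:
        r = subprocess.run(
            [steghide, "extract", "-sf", stegofile, "-xf", outfile, "-f", "-p", p],
            capture_output=True)
        if r.returncode == 0:
            return p
    return None


if __name__ == "__main__":
    import sys
    binary, stego = sys.argv[1], sys.argv[2]
    cands = candidate_passphrases(open(binary, "rb").read())
    print("%d candidates" % len(cands))
    print("passphrase:", try_steghide(stego, cands))
```

Usage: `python3 brute.py cat.rar.bin cat.rar.jpg`. Raising `min_len` or filtering candidates by a pattern cuts the number of steghide invocations, each of which costs a passphrase derivation.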

Since steghide also accepts WAV files as cover files, we tried the same passphrase on the wave file we had carved out of the binary:

$ steghide extract -sf file.wav -xf out2 -p "the passphrase cannot be pills here."
wrote extracted data to "out2".
$ cat out2
s_moar_reversing

FLAG: st3g0_suck5_needs_moar_reversing
