D-Crypt

Scenario

An intelligence agency gave us a zipped file to analyze. They say they obtained it from a suspected terrorist trying to send it to one of their allies. We trust you to uncover the hidden message, but do not tell anyone about it. Sshhh ...

Hint:
(noises The usage of 'reverse racism' and 'reverse discrimination' arose in direct response to affirmative and race-based policies in the 1970s. Instead of playing the identity politics of "our base" and "their base," we should unite people around ideas and principles.)

Reading Material:
https://www.browserling.com/tools
https://www.dcode.fr/cipher-identifier

Solution

My first step was to extract the given Secret.zip archive, since it was not password protected. It contained a single image file, SBT.jpg. I ran exiftool on both the ZIP and the image, but neither contained any information of interest.

When I ran strings ./SBT.jpg, I immediately saw something of interest: the filename message.png. Running steghide extract -sf ./SBT.jpg without a password did not yield anything, but I'm convinced that with the correct password there is data to be extracted from the image.

One possible thought was that there was data hidden within the file itself, in the form of a ZIP archive appended to the image, and researching this idea led me to an interesting Medium article on the topic. Here are the findings:

$ sudo apt install binwalk -y
$ binwalk ./SBT.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
9604          0x2584          Zip archive data, at least v2.0 to extract, compressed size: 322, uncompressed size: 1066, name: message.png
10060         0x274C          End of Zip archive, footer length: 22
10082         0x2762          Zip archive data, at least v2.0 to extract, compressed size: 322, uncompressed size: 1066, name: message.png
10538         0x292A          End of Zip archive, footer length: 22

We are able to extract the message.png file from the ZIP archive using binwalk -e ./SBT.jpg. This file contains the following text when run through strings:

h5BA68F35I_%3E%3B%3BG3gdc%3E%3EFF9g5deA82hhh%3F%3Ea%3B22gdh%3Ee%3B%3B%6025%60A682bhddeA82h4IBA68F2gd%60%3E%3B%3B%3B%60g5c%3E%3EFF%60hd%3C%3Ea%3EFbhh_%3Fe8F255g%3EeEG32d%60%3EA83hg5%3C%3EaF2bhhB%3Fa8Gf55g%3Ee%3B%3C32d%60A6FF9g5%3CAA82hhh%3F%3Ea%3B22gd%60%3E%3BEG32d%60A6FGfg5%3CAJ82hh5%3F%3Ea%3B3f55_%3E%3BEG32d%60A682bhddeA82hhh%3F%3Fa8F2gdh%3Ee%3B%3B%60g5c%3EAGF9g5dca8Fhhh_%3Fe8Gfgd%60%3E%3B%3BF%6025%60A682bhd%3CAA82h4I_A%3B8Gfgdh%3EeEG3gdc%3E%3E82bhd%3CAJ%3E2bhh_%3Fe8F255g%3EeEF%60g5c%3EAFF%60hd%3CAA%3E2b4I%3F%3Ea%3B3fgd%3E%3EeEF%60g5cA6FF9g5%3C%3Ea8Fhh5%3F%3Ea%3B22gdh%3EeEG3gdcA683hg5deA%3E2bhh%3F%3Ea%3B22gd%60%3E%3BEG72d%60A682bhd%3C%3Ea%3EFb4I_%3Ee%3B23gdh%3EeEF%6025%60A6FF%60hd%3C%3EaF2bhh%3F%3Ea%3B3f55g%3EeEF%60g5c%3EAFF9g5deA%3E2b4I%3F%3Ea%3B3fgd%3E%3EeEF%6025%60A6FF9g5%3C%3Ea8Fhh5%3F%3Fa8F255g%3EeEG3gdcA683hg5%3CAA%3E2bhh_%3Ee%3B22gd%60%3E%3BEG72d%60%3E%3E82bhddeA82h4I_A%3B8Gf55_%3E%3BEG32d%60%3E%3E82bhd%3CAJ82h4I%3F%3Ea%3B3f55g%3EeEF%60g5c%3EAFF%60hd%3C%3Ea8Fhhh_%3Ee%3B3f5Ig%3EeEG32d%60%3E%3EFF9g5%3C%3Ea8Fhh5_%3Fe8Gf55_%3E%3BEF%605d%60A682bhc
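To show what the binwalk run above is actually detecting, here is an added example (my own code, not from the original writeup and not binwalk's implementation) that scans a byte buffer for ZIP local file headers and end-of-central-directory records, parses the same fields binwalk prints (version needed, member name, compressed and uncompressed size, footer length) and carves each archive out. The "image" it runs on is constructed in memory: a JFIF-like stub with a small ZIP appended twice, mirroring the two copies binwalk reported; the real SBT.jpg and message.png are not reproduced.

```python
r"""Find and carve ZIP archives embedded in another file (added example).

Scans for ZIP local file headers (PK\x03\x04) and end-of-central-directory
records (PK\x05\x06), decodes their fixed-size fields, and slices out every
archive that zipfile accepts. SAMPLE is constructed here, not the challenge file.
"""
import io
import re
import struct
import zipfile

# Local file header and end-of-central-directory signatures.
SIGNATURE = re.compile(rb"PK(\x03\x04|\x05\x06)")

# Constructed stand-in for the real message.png content (not the challenge data).
PLACEHOLDER = b"constructed placeholder, not the real message.png"


def build_sample() -> bytes:
    """Constructed input: a JFIF-like stub with one small ZIP appended twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.png", PLACEHOLDER)
    inner = buf.getvalue()
    jpeg_like = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64 + b"\xff\xd9"
    return jpeg_like + inner + inner


def find_zip_records(data: bytes) -> list:
    """Return one dict per ZIP structure found, in file order."""
    records = []
    for m in SIGNATURE.finditer(data):
        off = m.start()
        if m.group(1) == b"\x03\x04" and len(data) >= off + 30:
            # Local file header (little-endian), after the 4-byte signature:
            # version(2) flags(2) method(2) time(2) date(2) crc(4)
            # csize(4) usize(4) name_len(2) extra_len(2), then name and extra.
            (version, _flags, _method, _t, _d, _crc, csize, usize,
             name_len, _extra_len) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
            name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            records.append({"offset": off, "kind": "local_file_header",
                            "min_version": version / 10, "name": name,
                            "compressed_size": csize, "uncompressed_size": usize})
        elif m.group(1) == b"\x05\x06" and len(data) >= off + 22:
            # EOCD is a fixed 22 bytes plus an optional comment (length at +20).
            comment_len = struct.unpack_from("<H", data, off + 20)[0]
            records.append({"offset": off, "kind": "end_of_central_directory",
                            "footer_length": 22 + comment_len})
    return records


def carve_archives(data: bytes) -> list:
    """Slice each archive from its first local header through its EOCD record."""
    archives = []
    start = None
    for r in find_zip_records(data):
        if r["kind"] == "local_file_header" and start is None:
            start = r["offset"]
        elif r["kind"] == "end_of_central_directory" and start is not None:
            blob = data[start:r["offset"] + r["footer_length"]]
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    names = zf.namelist()
                archives.append({"offset": start, "names": names, "data": blob})
            except zipfile.BadZipFile:
                pass  # a false-positive signature inside compressed data
            start = None
    return archives


def read_member(blob: bytes, name: str) -> bytes:
    """Read one member out of a carved archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


SAMPLE = build_sample()

if __name__ == "__main__":
    print(f"{'DECIMAL':<10}{'HEXADECIMAL':<14}DESCRIPTION")
    for r in find_zip_records(SAMPLE):
        if r["kind"] == "local_file_header":
            desc = (f"Zip archive data, at least v{r['min_version']:.1f} to extract, "
                    f"compressed size: {r['compressed_size']}, "
                    f"uncompressed size: {r['uncompressed_size']}, name: {r['name']}")
        else:
            desc = f"End of Zip archive, footer length: {r['footer_length']}"
        print(f"{r['offset']:<10}{hex(r['offset']):<14}{desc}")
    for a in carve_archives(SAMPLE):
        print(f"carved archive at offset {a['offset']}: members {a['names']}")
```

Run it as a script and the table has the same shape as the binwalk output above, including the duplicate archive; the 22-byte footer is the end-of-central-directory record with an empty comment.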

Running this through the URL Decoder tool, we get the following:

h5BA68F35I_>;;G3gdc>>FF9g5deA82hhh?>a;22gdh>e;;`25`A682bhddeA82h4IBA68F2gd`>;;;`g5c>>FF`hd<>a>Fbhh_?e8F255g>eEG32d`>A83hg5<>aF2bhhB?a8Gf55g>e;<32d`A6FF9g5<AA82hhh?>a;22gd`>;EG32d`A6FGfg5<AJ82hh5?>a;3f55_>;EG32d`A682bhddeA82hhh??a8F2gdh>e;;`g5c>AGF9g5dca8Fhhh_?e8Gfgd`>;;F`25`A682bhd<AA82h4I_A;8Gfgdh>eEG3gdc>>82bhd<AJ>2bhh_?e8F255g>eEF`g5c>AFF`hd<AA>2b4I?>a;3fgd>>eEF`g5cA6FF9g5<>a8Fhh5?>a;22gdh>eEG3gdcA683hg5deA>2bhh?>a;22gd`>;EG72d`A682bhd<>a>Fb4I_>e;23gdh>eEF`25`A6FF`hd<>aF2bhh?>a;3f55g>eEF`g5c>AFF9g5deA>2b4I?>a;3fgd>>eEF`25`A6FF9g5<>a8Fhh5??a8F255g>eEG3gdcA683hg5<AA>2bhh_>e;22gd`>;EG72d`>>82bhddeA82h4I_A;8Gf55_>;EG32d`>>82bhd<AJ82h4I?>a;3f55g>eEF`g5c>AFF`hd<>a8Fhhh_>e;3f5Ig>eEG32d`>>FF9g5<>a8Fhh5_?e8Gf55_>;EF`5d`A682bhc

One suggestion that I came across on this Russian forum is to remove the non-URL characters. This may be a useless rabbit hole, but removing every character matched by the regex [>`?;<_] in CyberChef gives us the following text:

h5BA68F35IG3gdcFF9g5deA82hhha22gdhe25A682bhddeA82h4IBA68F2gdg5cFFhdaFbhhe8F255geEG32dA83hg5aF2bhhBa8Gf55ge32dA6FF9g5AA82hhha22gdEG32dA6FGfg5AJ82hh5a3f55EG32dA682bhddeA82hhha8F2gdheg5cAGF9g5dca8Fhhhe8GfgdF25A682bhdAA82h4IA8GfgdheEG3gdc82bhdAJ2bhhe8F255geEFg5cAFFhdAA2b4Ia3fgdeEFg5cA6FF9g5a8Fhh5a22gdheEG3gdcA683hg5deA2bhha22gdEG72dA682bhdaFb4Ie23gdheEF25A6FFhdaF2bhha3f55geEFg5cAFF9g5deA2b4Ia3fgdeEF25A6FF9g5a8Fhh5a8F255geEG3gdcA683hg5AA2bhhe22gdEG72d82bhddeA82h4IA8Gf55EG32d82bhdAJ82h4Ia3f55geEFg5cAFFhda8Fhhhe3f5IgeEG32dFF9g5a8Fhh5e8Gf55EF5dA682bhc
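The URL-decode and regex strip above, reproduced as an added example (my own code, not from the original writeup, CyberChef or dCode). ENCODED is the string that strings printed from message.png as shown on this page; the profiling functions are assumptions of mine, computing the alphabet, frequency table and index of coincidence that a cipher identifier such as the dCode page under Reading Material uses as its starting point.

```python
"""Decode and profile the carved string (added example, not the writeup's code)."""
import re
from collections import Counter
from urllib.parse import unquote

# String recovered from message.png as printed in the writeup.
ENCODED = "h5BA68F35I_%3E%3B%3BG3gdc%3E%3EFF9g5deA82hhh%3F%3Ea%3B22gdh%3Ee%3B%3B%6025%60A682bhddeA82h4IBA68F2gd%60%3E%3B%3B%3B%60g5c%3E%3EFF%60hd%3C%3Ea%3EFbhh_%3Fe8F255g%3EeEG32d%60%3EA83hg5%3C%3EaF2bhhB%3Fa8Gf55g%3Ee%3B%3C32d%60A6FF9g5%3CAA82hhh%3F%3Ea%3B22gd%60%3E%3BEG32d%60A6FGfg5%3CAJ82hh5%3F%3Ea%3B3f55_%3E%3BEG32d%60A682bhddeA82hhh%3F%3Fa8F2gdh%3Ee%3B%3B%60g5c%3EAGF9g5dca8Fhhh_%3Fe8Gfgd%60%3E%3B%3BF%6025%60A682bhd%3CAA82h4I_A%3B8Gfgdh%3EeEG3gdc%3E%3E82bhd%3CAJ%3E2bhh_%3Fe8F255g%3EeEF%60g5c%3EAFF%60hd%3CAA%3E2b4I%3F%3Ea%3B3fgd%3E%3EeEF%60g5cA6FF9g5%3C%3Ea8Fhh5%3F%3Ea%3B22gdh%3EeEG3gdcA683hg5deA%3E2bhh%3F%3Ea%3B22gd%60%3E%3BEG72d%60A682bhd%3C%3Ea%3EFb4I_%3Ee%3B23gdh%3EeEF%6025%60A6FF%60hd%3C%3EaF2bhh%3F%3Ea%3B3f55g%3EeEF%60g5c%3EAFF9g5deA%3E2b4I%3F%3Ea%3B3fgd%3E%3EeEF%6025%60A6FF9g5%3C%3Ea8Fhh5%3F%3Fa8F255g%3EeEG3gdcA683hg5%3CAA%3E2bhh_%3Ee%3B22gd%60%3E%3BEG72d%60%3E%3E82bhddeA82h4I_A%3B8Gf55_%3E%3BEG32d%60%3E%3E82bhd%3CAJ82h4I%3F%3Ea%3B3f55g%3EeEF%60g5c%3EAFF%60hd%3C%3Ea8Fhhh_%3Ee%3B3f5Ig%3EeEG32d%60%3E%3EFF9g5%3C%3Ea8Fhh5_%3Fe8Gf55_%3E%3BEF%605d%60A682bhc"

# The character class the writeup strips in CyberChef.
STRIP = re.compile(r"[>`?;<_]")


def url_decode(s: str) -> str:
    """Percent-decoding, the same operation as the URL Decoder tool."""
    return unquote(s)


def strip_non_url(s: str) -> str:
    """Drop every character matched by STRIP."""
    return STRIP.sub("", s)


def index_of_coincidence(text: str) -> float:
    """Probability that two randomly chosen positions hold the same symbol.

    Uniformly random text over k symbols gives about 1/k; natural-language
    letter text sits well above that, which is what classifiers key on.
    """
    n = len(text)
    if n < 2:
        return 0.0
    counts = Counter(text)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def profile(s: str) -> dict:
    """Decode, strip, and summarise the symbol statistics of the result."""
    decoded = url_decode(s)
    stripped = strip_non_url(decoded)
    return {
        "decoded": decoded,
        "stripped": stripped,
        "alphabet": "".join(sorted(set(stripped))),
        "top": Counter(stripped).most_common(10),
        "ioc": index_of_coincidence(stripped),
    }


if __name__ == "__main__":
    p = profile(ENCODED)
    print("decoded :", p["decoded"][:60], "...")
    print("stripped:", p["stripped"][:60], "...")
    print("alphabet:", p["alphabet"], f"({len(p['alphabet'])} symbols)")
    print("top 10  :", p["top"])
    print("IoC     :", round(p["ioc"], 4))
```

The alphabet size and IoC are the two numbers worth comparing against 1/k before deciding whether the stripped text still carries structure or whether, as the writeup suspects, the strip threw information away.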

  1. What is the hidden message? (30 points)

    Answer: (unsolved)


Tags

  1. 30 points (Private)
  2. hard (Private)