yes. hi. hello. me again.

A kind German gentlemen named @jvpeek popped into my twitch stream and had a challenge for me.


Starting the challenge

He just shared this string without any other context. So naturally I was fucking hooked.

dWdnY2Y6Ly93aWNycngucXIvY3lodC53Y3Q=

Base64

It ended with an = or == so I believed it was base64 encoded data. (Thanks Kubernetes!)

echo "dWdnY2Y6Ly93aWNycngucXIvY3lodC53Y3Q=" | base64 -d
uggcf://wicrrx.qr/cyht.wct

ROT-13 Cypher

This looked like a 1:1 cypher also known as a ROT-13 cypher

which would mean that the message is rotating by 13 characters

1 2 3 4 5 6 7 8 9 10111213 
a b c d e f g h i j k l m n o p q r s t u v w x y z
n o p q r s t u v w x y z a b c d e f g h i j k l m

So the decoded message would look like

uggcf://wicrrx.qr/cyht.wct
https://jvpeek.de/plug.jpg

plug.jpg

I was smart enough to know not to download a random .jpg from the internet without investigating it first. So

wget https://jvpeek.de/plug.jpg

I then looked into the file with a few tools

emacs # Just to check the file out

file plug.jpg
plug.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 700x690, components 3

steghide # Can hide messages
stegseek # Will try to find messages

binwalk # Used to embed files in the image

binwalk

Then I discovered there was an embedded .zip in the image!

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
43258         0xA8FA          Zip archive data, at least v2.0 to extract, compressed size: 9252, uncompressed size: 11248, name: tt.png
52634         0xCD9A          End of Zip archive, footer length: 22

So I extracted the zip archive!

binwalk -e plug.jpg

Where I found two files

ls
A8FA.zip  tt.png

tt.png

I opened up tt.png in gimp and discovered a message hidden in the image itself.

I found 742 in the corner.

first youtube video

After finding the URL for the original image, I found a game on the main page.

You can go to jvpeek.de.

I entered the 742 code into the keypad and found a new string by highlighting data on the page.

 742 742   JvPeek TV   11.07.21 18:08:37
vh079m8vk4z0l7atchvq6hamw4p9czdndnkch8ou
ytz86bbkxcscx1ho8ktt2m8mamqpw0ud9tkd6v4o
xjes3k4kiuurjtw3v82diqehxpxl4apep3zzxeub
3lgzjMarkzw2mezn19j1ht5tyn7uyz1s2dqc79vw
bbbg2y5wx7sjt4mlxfx3pymhrbhe11bzfldsx5by
yb5YOUR6SECRETaISdINrANOTHERxCASTLEdxg75
02fbpw4uhcehwovovj32bw8yxr3v6yfz7u8kj1pt
3scvdixkvmrsap15150w8q21bf1f1a5nmfm0733h
7ygryv0jox5bmzkeux6jgb6l95mnym8wnth3lwcm
tui44oeky7vt6m951dkyvlorczwq0jrsq0h9opd6
2snh4i11n5xzo334tpegcf3c5ase188el24nax5t
pcg0rq0stdb10bdb7qn3slx7rkbmkpyex0n5fn79
hd7rv1tvum3epqpzclmxs9kcakn7g0le3w310n8x
qa1zczuwzpw4q9chygq77zsvbuw5sg2g2fdg6pdp
t541kuwk07z4l3wjcxvqqg0xo5hlirf6hwip5p9g
wfloi0f6kqygwrmtvd6uek60mc7q4xvr3627mtez
omni5luirii02sn53s2yswvnr30rjv7pnjo4l2hz
z4oh0z2loj6gb1i1j9v314fk2ovcmnt8lbcphfab
th1ewxrj110kwa57du0h0eph7t8ni4qdzxdsv9hq
z6971itrdf615jw2q2ziy8jgdxdqdtm0p0ys6d50
x5x68a1q23x9cc8kdvwoaYT             YTpv
qat4pqwwh5flsveyz3d75YT Hi5jzQtYG6I YTpq
qoonj4axvn8tx6x2rlvtgYT             YT0c
bn7lh330bftlouna7itfhzjf9rm1sggerzxml5cx

Turns out there are common paradigms for hiding messages in teletext in other countries.

This one lost me, but if you look around the blob of text you notice YT and it clearly is a youtube video

We got a clue to check out the audio and used youtube-dl to download the .wav of the audio.

youtube-dl -x --audio-format wav https://www.youtube.com/watch?v=Hi5jzQtYG6I

audacity

We opened up the audio in audacity which made me laugh given the current affairs of the project.

More: drama

After opening the .wav file in audacity I started to check a few things.

The title of the video had 1200 in the title, so naturally I peaked out the graphic equalizer around 1200 (and enveloped the nearby frequencies).

minimodem

We then got a tip to use a tool called minimodem which the man page suggested using a baud rate of 300.

We replaced the baud rate with 1200

minimodem -r 1200 

and peaked out the signal in audacity with an amplifier and ensured there was no clipping. We also reverted our EQ bandpass.

We played the sample from the youtube video and changed the minimodem pulseaudio input to my local audio stream.

Flag

What we found changed my life forever.

I won’t spoil the suprise (I clipped the bottom few lines of the QR code).

You should have everything you need to find the final message and the flag!

Conclusion

Great CTF, in a very unusual way.

Thanks to @jvpeek for setting this up.

Make sure to give him a follow!