yes. hi. hello. me again.
A kind German gentlemen named @jvpeek popped into my twitch stream and had a challenge for me.
Starting the challenge
He just shared this string without any other context. So naturally I was fucking hooked.
It ended with an
== so I believed it was
base64 encoded data. (Thanks Kubernetes!)
echo "dWdnY2Y6Ly93aWNycngucXIvY3lodC53Y3Q=" | base64 -d uggcf://wicrrx.qr/cyht.wct
This looked like a 1:1 cypher also known as a ROT-13 cypher
which would mean that the message is rotating by 13 characters
1 2 3 4 5 6 7 8 9 10111213 a b c d e f g h i j k l m n o p q r s t u v w x y z n o p q r s t u v w x y z a b c d e f g h i j k l m
So the decoded message would look like
I was smart enough to know not to download a random
.jpg from the internet without investigating it first. So
I then looked into the file with a few tools
emacs # Just to check the file out file plug.jpg plug.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 700x690, components 3 steghide # Can hide messages stegseek # Will try to find messages binwalk # Used to embed files in the image
Then I discovered there was an embedded
.zip in the image!
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01 43258 0xA8FA Zip archive data, at least v2.0 to extract, compressed size: 9252, uncompressed size: 11248, name: tt.png 52634 0xCD9A End of Zip archive, footer length: 22
So I extracted the zip archive!
binwalk -e plug.jpg
Where I found two files
ls A8FA.zip tt.png
I opened up
tt.png in gimp and discovered a message hidden in the image itself.
742 in the corner.
first youtube video
After finding the URL for the original image, I found a game on the main page.
You can go to jvpeek.de.
I entered the
742 code into the keypad and found a new string by highlighting data on the page.
742 742 JvPeek TV 11.07.21 18:08:37 vh079m8vk4z0l7atchvq6hamw4p9czdndnkch8ou ytz86bbkxcscx1ho8ktt2m8mamqpw0ud9tkd6v4o xjes3k4kiuurjtw3v82diqehxpxl4apep3zzxeub 3lgzjMarkzw2mezn19j1ht5tyn7uyz1s2dqc79vw bbbg2y5wx7sjt4mlxfx3pymhrbhe11bzfldsx5by yb5YOUR6SECRETaISdINrANOTHERxCASTLEdxg75 02fbpw4uhcehwovovj32bw8yxr3v6yfz7u8kj1pt 3scvdixkvmrsap15150w8q21bf1f1a5nmfm0733h 7ygryv0jox5bmzkeux6jgb6l95mnym8wnth3lwcm tui44oeky7vt6m951dkyvlorczwq0jrsq0h9opd6 2snh4i11n5xzo334tpegcf3c5ase188el24nax5t pcg0rq0stdb10bdb7qn3slx7rkbmkpyex0n5fn79 hd7rv1tvum3epqpzclmxs9kcakn7g0le3w310n8x qa1zczuwzpw4q9chygq77zsvbuw5sg2g2fdg6pdp t541kuwk07z4l3wjcxvqqg0xo5hlirf6hwip5p9g wfloi0f6kqygwrmtvd6uek60mc7q4xvr3627mtez omni5luirii02sn53s2yswvnr30rjv7pnjo4l2hz z4oh0z2loj6gb1i1j9v314fk2ovcmnt8lbcphfab th1ewxrj110kwa57du0h0eph7t8ni4qdzxdsv9hq z6971itrdf615jw2q2ziy8jgdxdqdtm0p0ys6d50 x5x68a1q23x9cc8kdvwoaYT YTpv qat4pqwwh5flsveyz3d75YT Hi5jzQtYG6I YTpq qoonj4axvn8tx6x2rlvtgYT YT0c bn7lh330bftlouna7itfhzjf9rm1sggerzxml5cx
Turns out there are common paradigms for hiding messages in teletext in other countries.
This one lost me, but if you look around the blob of text you notice
YT and it clearly is a youtube video
We got a clue to check out the audio and used
youtube-dl to download the
.wav of the audio.
youtube-dl -x --audio-format wav https://www.youtube.com/watch?v=Hi5jzQtYG6I
We opened up the audio in audacity which made me laugh given the current affairs of the project.
After opening the
.wav file in audacity I started to check a few things.
The title of the video had
1200 in the title, so naturally I peaked out the graphic equalizer around 1200 (and enveloped the nearby frequencies).
We then got a tip to use a tool called
minimodem which the man page suggested using a baud rate of 300.
We replaced the baud rate with 1200
minimodem -r 1200
and peaked out the signal in audacity with an amplifier and ensured there was no clipping. We also reverted our EQ bandpass.
We played the sample from the youtube video and changed the
minimodem pulseaudio input to my local audio stream.
What we found changed my life forever.
I won’t spoil the suprise (I clipped the bottom few lines of the QR code).
You should have everything you need to find the final message and the flag!
Great CTF, in a very unusual way.
Thanks to @jvpeek for setting this up.
Make sure to give him a follow!