Play The Harp
Challenge:
Ah yes, the beautiful harp! A family member of such a wonderful type of musical instruments!
Solution:
Given that the provided challenge file was a JPEG image, I spent some time running through the various steganography analysis approaches: for example, exiftool to read the metadata, strings to grep the obvious, binwalk to identify any embedded files, and stegsolve to quickly view the bit planes. During this process binwalk identified a second JPG embedded in the challenge file.
$ binwalk harp.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
143651 0x23123 JPEG image data, JFIF standard 1.01
I used foremost to extract both JPEGs and then compared their MD5 hashes:
$ foremost harp.jpg
Processing: harp.jpg
|*|
$ ls output/jpg/
00000000.jpg
00000280.jpg
$ md5sum output/jpg/*.jpg
c56ee00692682c5a90524ecb88091694 output/jpg/00000000.jpg
c56ee00692682c5a90524ecb88091694 output/jpg/00000280.jpg
My original assumption was that the embedded JPEG was going to be an image of the flag, but instead it was an identical copy of the harp. At this point I opened the file in a hex editor and searched for JPEG header (FF D8 FF) and trailer (FF D9) signatures to analyze the file structure. I found the first JPEG ended at offset 0x22F2B and the second JPEG began at offset 0x23123 and ended at the end of the file, which means there are 504 bytes of unaccounted-for data in between the two images.
I used dd to carve the 504 bytes from the challenge file and then inspected the contents using strings:
$ dd if=harp.jpg bs=1 skip=143147 count=504 of=extra.bin
$ strings extra.bin
HDNR6GFf
6LLIJK9l
18NL1HWa
GCU85U5g
RQ9CGTH{
T47Y9SUt
2SKZJOBh
H06K09Ze
3BWV54X_
C1VY4EIh
GO0DK9Ua
ZZLVBMZr
8CK8FTGp
TNDQURH_
CEHGS41i
ONSNNRTn
DYAKGQMs
AX9CNZ7t
CS5R3KQr
U4A6BBVu
F2RULTOm
D2NLIUPe
KYKGKGVn
AN98O3Ht
G9STPVD_
ETGMLPCh
TFUFSALa
PK4CD5Ss
6EDFJ45_
CIOL1S0v
VIJP3WFe
OU3CPSBr
O0F6WTWt
NKIWW0Ri
QPFWGVNc
CJUPZL9a
CEC4YQ8l
YC23ZR6_
DTUT5VJs
113O5FVt
VY2QV4Br
C498PXFi
NO6EMR1n
ND8JBSNg
OQJOHJUs
8IOJ9LD}
The last column of the contents stood out since all the other characters were upper-cased. Reading down the column I could see the flag being spelled out, so I dumped the strings, used cut to grab the characters from the 8th column, then tr to strip line feeds, thus making the flag readable horizontally.
$ strings extra.bin | cut -c8 | tr -d '\n'
flag{the_harp_instrument_has_vertical_strings}
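The hex-editor search, the dd carve and the column read described above can be done in one pass. The Python below is an added example, not part of the original writeup: it finds the bytes sitting between one image's FF D9 trailer and the next FF D8 FF header, then reads one column of the printable strings found there. All function names and the sample bytes are constructed for illustration.

```python
import re

SOI = b"\xff\xd8\xff"  # JPEG header signature searched for in the writeup
EOI = b"\xff\xd9"      # JPEG trailer signature

def find_gaps(data):
    """Return (start, end) ranges lying between an EOI and the next SOI.

    Signature matching only, no segment parsing: an EXIF thumbnail
    (a JPEG inside a JPEG) is also reported as an image boundary.
    """
    gaps = []
    soi = data.find(SOI, 1)               # assume offset 0 is the first SOI
    while soi != -1:
        eoi = data.rfind(EOI, 0, soi)     # last trailer before this header
        if eoi != -1 and eoi + len(EOI) < soi:
            gaps.append((eoi + len(EOI), soi))
        soi = data.find(SOI, soi + 1)
    return gaps

def printable_runs(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def read_column(runs, col):
    """Join the 1-based column `col` of every run that is long enough."""
    return "".join(r[col - 1] for r in runs if len(r) >= col)

def hidden_columns(data, col=8):
    """For each gap between images, return the text read down `col`."""
    return [read_column(printable_runs(data[s:e]), col)
            for s, e in find_gaps(data)]

def build_sample():
    """Constructed stand-in for the challenge file: image + rows + image."""
    image = SOI + b"\xe0" + bytes(range(200)) + EOI   # not a decodable JPEG
    rows = [b"QK3ZP0Xd", b"7HWM2LAe", b"B9TRV4Cm", b"XJ5N8YEo"]
    gap = b"\x00" + b"\x00".join(rows) + b"\x00"
    return image + gap + image

if __name__ == "__main__":
    sample = build_sample()
    for (start, end), text in zip(find_gaps(sample), hidden_columns(sample)):
        print(f"gap 0x{start:X}-0x{end:X} ({end - start} bytes): {text}")
```

To run it against a real file, pass the file's bytes (for example `open("harp.jpg", "rb").read()`) to `find_gaps` and `hidden_columns` in place of the constructed sample.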