Holiday Nesting Doll

Challenge:

Holidays are a headache and this one is no different. The flag is fractured, can you find it? TIME is almost up! Santa is coming!

Solution:

The provided challenge file was a Zip archive containing three JPEG images:

We ran the standard plethora of stego tools on each image and soon found success using StegSeek to extract embedded JPEG files from two of the images:

$ stegseek -sf Scary2.jpg -wl /ctf-data/pwds/rockyou.txt 

[i] Found passphrase: "wicked"           

[i] Original filename: "Hallowed-Eve.jpg".
[i] Extracting to "Scary2.jpg.out".


$ stegseek -sf Scary3.jpg -wl /ctf-data/pwds/rockyou.txt

[i] Found passphrase: "letmein"           

[i] Original filename: "Hallowed-Spooks.jpg".
[i] Extracting to "Scary3.jpg.out".

By repeating our stego analysis process on the two new JPEG's we identified strings of interest embedded after the FF D9 End of Image marker in each file:

$ strings Scary2.jpg.out | tail -n1
flag{ZmxhZ3tpbmFib3hfaW5hYm94X2luYWJ}

$ strings Scary3.jpg.out | tail -n1
flag{veF9pbmFib3hfaW5hYm94X2luYWJve}

We worked for awhile analyzing Scary1.jpg but were unable to identify any hidden elements in the file. We ultimately chalked it up as a loss and moved on to other challenges… that was until the challenge author posted a notice to the Discord #Stego channel an hour before the end of the CTF:

With that piece of the puzzle we knew it was now just a matter of arranging the three "flags" in the proper order and Base64 decoding them:

$ echo "ZmxhZ3tpbmFib3hfaW5hYm94X2luYWJveF9pbmFib3hfaW5hYm94X2luYWJveF9pbmFib3hfaW5hYm94fQ==" | base64 -d

flag{inabox_inabox_inabox_inabox_inabox_inabox_inabox_inabox}

The accepted flag was: flag{inabox_inabox_inabox_inabox_inabox_inabox_inabox_inabox}