Missing Home

Challenge:

We intercepted this email being passed by a DEADFACE member. We tried some steghide, but that didn't work. Help us out here!




Solution:

Running binwalk on the image uncovers a second JPEG embedded in the image:

$ binwalk missinghome.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
181619        0x2C573         JPEG image data, JFIF standard 1.01
181649        0x2C591         TIFF image data, big-endian, offset of first image directory: 8
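The second JPEG header that binwalk reports can be cross-checked by walking the JPEG segment structure instead of searching for signatures. The sketch below is an added example, not part of the original write-up; it assumes the embedded image was appended directly after the first image's end-of-image (EOI) marker, and the sample bytes and function names are constructed for illustration. Skipping each segment by its length field matters here because an EXIF thumbnail inside APP1 carries its own start and end markers.

```python
import struct

RST = set(range(0xD0, 0xD8))               # restart markers, no length field

def jpeg_end(data: bytes, start: int = 0) -> int:
    """Offset just past the EOI marker of the JPEG stream that begins at `start`."""
    if data[start:start + 2] != b"\xff\xd8":
        raise ValueError("no SOI marker at start offset")
    pos = start + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte in front of a marker
            pos += 1
        elif marker == 0xD9:               # EOI: end of this image
            return pos + 2
        elif marker in RST or marker == 0x01:
            pos += 2                       # standalone marker
        elif pos + 4 > len(data):
            break
        else:
            # The 2-byte big-endian length counts itself, so a whole APP1/EXIF
            # block (embedded thumbnail included) is skipped in one step.
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:             # SOS: scan until the next real marker
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] not in RST | {0x00}):
                    pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def split_concatenated(data: bytes) -> list:
    """(start, end) spans of JPEG streams stored back to back from offset 0."""
    spans, start = [], 0
    while data[start:start + 2] == b"\xff\xd8":
        end = jpeg_end(data, start)
        spans.append((start, end))
        start = end
    return spans

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a cover image whose APP1 holds a fake thumbnail, followed
# by a second, appended image. Not real image data.
THUMB = b"\xff\xd8thumb\xff\xd9"
COVER = (b"\xff\xd8" + _seg(0xE1, b"Exif\0\0" + THUMB) + _seg(0xDA, b"\x00")
         + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
HIDDEN = b"\xff\xd8" + _seg(0xDA, b"\x00") + b"\x99\xff\xd9"
SAMPLE = COVER + HIDDEN

if __name__ == "__main__":
    print(split_concatenated(SAMPLE))
```

On the constructed sample a plain search for the first `FF D9` stops inside the thumbnail, while the segment walk reports the true end of the cover image and the span of the appended one.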

We then used foremost on the image to extract the embedded file, which was saved as 00000354.jpg. After trying a number of tools and techniques to identify hidden data in the extracted image, we noticed that exiftool was reporting that the image included a thumbnail.

$ exiftool 00000354.jpg 
ExifTool Version Number         : 12.40
...
Thumbnail Image                 : (Binary data 3804 bytes, use -b option to extract)

After some trial and error with extracting the thumbnail (and a bit of RTFM on exiftool), we were able to extract the thumbnail, which contained the flag:

$ exiftool -b -ThumbnailImage 00000354.jpg > extracted.jpg

The accepted flag was: flag{s3cr3ts_don'T_stAy_bur13d_L0nG}
