This is my second challenge write-up related to this past weekend’s PlaidCTF event hosted by Plaid Parliament of Pwning (www.pwning.net) and will cover the forensics challenge “cat_rar”.
cat_rar – 150
After playing around with the crypto challenges for far too long, I decided to switch and help out some of the other team members with the cat_rar challenge. The challenge comprised of a single file named “cat.rar” and the completely unhelpful string “Meow meow mw mw m. The attached file can be found here.
Fig 1. Our quest
So we have a rar file which was verified with the file command in our handy Kali environment. Extracting the rar gives us two files to play around with: cat.rar.jpg and cat.rar.bin. The image is shown in Fig 2.
Fig 2. Another cat picture. Fantastic.
We started inspecting the image first to see if there was anything interesting about it using tools like gimp and exiftool but nothing really stood out as being of any interest. With that we turned our attention to the cat.rar.bin binary file. Running file on that showed:
cat.rar.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
Running the executable gave us the following output:
steghide version 0.5.1
the first argument must be one of the following:
embed, –embed embed data
extract, –extract extract data
info, –info display information about a cover- or stego-file
info <filename> display information about <filename>
encinfo, –encinfo display a list of supported encryption algorithms
version, –version display version information
license, –license display steghide’s license
help, –help display this usage information
The binary appears to be the steghide program, so at this point we realize that we’re going to be going on a journey to stego-land and the cat picture is our one-way ticket to some sweet new in-game gear. First, we attempted to run the steghide program with the cat picture using steghide extract -sf cat.rar.jpg but it prompted for a password. Clearly, it wasn’t going to be that easy and we were going to have to do some work to get our key. We did some hex editing on the image to see if there were any references to a password or passphrase but to no avail. We decided next to check and see if the executable contained anything useful. Hopper to the rescue! After looking through hopper for a bit we discovered a string that was out of place and gave us our first lead. The string showed up in Hopper as “the passphrase cannot be pills here.” (Fig 3, below)
Fig 3. Our first lead.
Now that we had what appeared to be our passphrase, we ran the cat.rar.bin again and specified the jpg and our newly discovered passphrase. And?
root@kali:~# ./cat.rar.bin extract -sf cat.rar.jpg -p ‘the passphrase cannot be pills here.’
steghide: could not extract any data with that passphrase!
We decided next to install the ‘official’ steghide program and try to extract the data again.
root@kali:~# steghide extract -sf ./cat.rar.jpg -p ‘the passphrase cannot be pills here.’
wrote extracted data to “part1.txt”.
root@kali:~# cat part1.txt
Succes! Well, partial success at least. We had part1 of our flag, but our journey wasn’t quite over with yet.
After poking around more inside Hopper for another possible passphrase I came across a particularly odd section shown in Fig 4 below. Since I had spent so much time with the compression 250 challenge I was familiar with the zlib data compression. Our disassembler showed three items labeled pills_wav_len, pills_wav_zliblen, and pills_wav_zlibdat. The reference to pills alerted me that this was going to be useful.
Fig 4. What do we have here?
The next step was to figure out where the data existed in the binary, how much data there was, and then extract it for further analysis. I opened the binary in hexeditor and scanned for the start of the zlib data header (0x78 9c) and found that it existed at only one point in the file, at offset 0004c660 (312928 dec). The label pills_wav_zlib_len from Hopper told me the size of the zlib data 0xd8bc (55484 dec). With that information I used dd to extract the data from the binary into a new file.
root@kali:~# dd skip=312928 if=./cat.rar.bin of=./pills count=55484 bs=1
55484+0 records in
55484+0 records out
55484 bytes (55 kB) copied, 0.105637 s, 525 kB/s
Now that I had my extracted data, I ran it through python quick to decompress it to yet another file.
data = open(‘./pills’, ‘r’).read()
contents = zlib.decompress(data)
f = open(‘./contents’,’w’)
Inspecting my newly decompressed data showed (unsurprisingly) that my new file was a wav file.
root@kali:~# file contents
contents: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
Playing the file in Audacity revealed that the audio clip was the character Louis from Left 4 Dead 2 yelling “Pills here!”We attempted to add this to our original part1.txt extraction but without any luck.
Related: The number of times I listened to the wav file.
Finally, we decided to run the wav file through steghide again to see if there might be something hidden in our wav file using the same passphrase we obtained for part1.
root@kali:~# steghide extract -sf ./contents -p ‘the passphrase cannot be pills here.’
wrote extracted data to “part2.txt”.
root@kali:~# cat part2.txt
We put the two parts together and ended up with “st3g0_suck5_needs_moar_reversing“. Submitting that as our flag yielded another 150 points and our sweet new gear.
Additional credit to @amillerrhodes and @InsanityBit among others whose Twitter handles I don’t have for helping solve this challenge.