Project Sekai - ✅-forensics-paleontology

Project Sekai

🔒 BYUCTF 2023 / ✅-forensics-paleontology

Paleontology - 500 points

Category: Forensics Description: Dinosaurs lived a long time ago, but they left traces of their existence all over! Grab your paleontology tools and learn all about fossil hunting on this dino digging adventure! Files:

https://cyberjousting.com/files/d98a3bf9ddc0173001dc861ea11600c7/paleontology.jpg?token=eyJ1c2VyX2lkIjoyMjAsInRlYW1faWQiOjkxLCJmaWxlX2lkIjo1N30.ZGeraQ.TFyAhyYmyZF6mBAPP1cGdMnB5sA

Tags: Self-loathing, Steg

Sutx pinned a message to this channel. 05/19/2023 10:01 AM

@Violin wants to collaborate

@Legoclones wants to collaborate

@afterworld wants to collaborate

ngl idek

check q10

binwalk gives 2 files, layers_of_dirt.7z with password protected, and trapped_in.ice

19:27

so pwd should be in the file

19:29

https://fileinfo.com/extension/ice#:~:text=An%20ICE%20file%20is%20a,files%20contain%20compressed%20text%20files. maybe this

ICE File Extension - What is an .ice file and how do I open it?

Learn about .ICE files and view a list of programs that open them.

19:32

had issue installing the unzip tool for some reason

19:33

@afterworld you got Window pc?

19:35

gives "format not supported" if trying to open with ALZip

yeah

21:29

got windows PC

layers_of_dirt.7z

5.21 MB

5.14 MB

21:30

these were binwalked

21:30

.ice is supposed to be open with the tool

@Sheep wants to collaborate

@4n0nym4u5 wants to collaborate

@kanon wants to collaborate

Sutx

@kanon wants to collaborate

if you ever wanna try anything just go for crc i guess, more approachable

1

@rubiya wants to collaborate

@Y4nhu1 wants to collaborate

sahuang

.ice is supposed to be open with the tool

i tried

07:00

@sahuang

07:00

or

07:01

@Legoclones is this tool intended? should i be trying to debug my way to get this tool to work? http://www.iceows.com/HomePageUS.html

ICEOWS Official web site

The official web site for ICEOWS....

07:05

Image attachment

sahuang

these were binwalked

binwalk ICE file

07:07

u get sm interesting shit

07:07

seems like theres a PNG

07:07

or smth embedded

07:07

or JPG

07:07

sorry

07:09

k got smth

07:09

finally

07:13

k now im stuck

07:14

wheres key for zip file attt

07:15

only thing i see is a wooly mammoth

07:17

wtf

07:17

this challenge is so trippy

07:17

there is no password

07:17

for the layers of dirt file

07:17

is there

07:20

Image attachment

07:20

this chall is too trippy

07:24

theres some PNG

07:24

flags probably in there

07:24

but its not easy to recover

@Guesslemonger wants to collaborate

i got till woolly mammoth png

07:30

everything else was crap

ok yeah same

07:30

wait

07:30

png or JPG?

png

wtf

07:31

send?

afterworld

Click to see attachment 🖼️

this is JPG

it's a png actually, what you extracted was exif data I think, it was in hex right?

yeah

text file after binwalk .ice file

yk

07:32

if u binwalk

07:32

the zip as well

07:32

u get smth as well

07:32

i think its same tho

07:32

this is not PNG

Image attachment

it is not, some kind of thumbnail inside a png

07:33

goal is to crack 7z right?

7z is corrupt i think? is there even PW required?

07:34

do binwalk -D='.*' layers_of_dirt.7z

it will just extract that mammoth png

im confused did we get the same image? because what i got is not PNG

07:36

its JPG

from 7z file png

07:37

from ice file jpg

oh

07:37

maybe

07:37

theres also IEND and IDAT strings in the zlib files

07:38

maybe find diff between two files, JPG and PNG? (edited)

there is a png in original chall jpg too, but it doesn't have a footer

wont be that minute though

Guesslemonger

there is a png in original chall jpg too, but it doesn't have a footer

oh

at offset 0x4F4735

trapped_in.png

07:40

and yeah i see it

07:40

PNG header

07:43

dont know how this end

Image attachment

07:48

ya i need lego for sanity check, not sure what goal of chall is

that png doesn't even have IDAT till the end, idk what those bytes are after IDAT is finished

theres no IEND

07:51

that ICE file still sus

07:51

i think binwalk extracting is cheese

Image attachment

07:51

seems like this tool is required but not wokring for me (for diff system issue)http://www.iceows.com/HomePageUS.html (edited)

ICEOWS Official web site

The official web site for ICEOWS....

i think trapped in ice has png because binwalk is extracting everything from original jpg till the footer. so mammoth pic gets repeated

could be

07:53

can u try this software

07:53

http://www.iceows.com/HomePageUS.html

ICEOWS Official web site

The official web site for ICEOWS....

craps out

08:00

2003 software bruh

yeah lmfao

08:02

getting the icegui.dll not found error?

yeah, i put it from installation folder where it wants, goes into infinite loop and keep opening windows explorer

https://web.archive.org/web/20120616140527/http://www.iceows.com/Download.htm

ICEOWS Official web site

The official web site for ICEOWS....

08:04

shit is so old, same version for many yrs

08:05

4.20b

08:05

yeah i think just worth waiting for legoclones to see if tool is intended before wasting time debugging 20+ yr old tool

or starting a windows xp vm

ya

08:06

i think it was intended for 95

08:06

lmao

08:06

maybe

08:06

ah nah

08:06

XP works too (edited)

i think we only need the 2 osint lol, i asked lego this chal is too deep

afterworld

Click to see attachment 🖼️

you got this from ice binwalk? still no password right

extracted from trapped_in.ice

Image attachment

binwalk or actually unzipped the .ice?

unzip

oh

using iceows in win xp

08:17

uwu

im not sure if discord will do sth to the image can you send via zip?

08:18

also did we try mammoth as password

2.61 MB

it is the exact same file

08:20

as we extracted

08:21

there are lot of other bytes in that ice file

08:21

so something else important

you mean this image is useless?

afaik

isnt that whats extracted from ice file

08:22

hmm

there are lot of other bytes in that ice file, apart from png

08:22

idk what those are

@Legoclones can you help to confirm if we need more than this mammoth image

08:28

im actually opening a ticket

08:31

Echo8358 — Today at 8:31 AM The image is all you need

08:31

yeah

08:32

so we only need the mammoth image

08:32

this png has exif meta

08:34

its built with gimp, hmm

Y4nhu1

using iceows in win xp

LMFAO

08:35

no way

sahuang

i think we only need the 2 osint lol, i asked lego this chal is too deep

which ill try

08:35

and antyhign else come from iceows in win xp?

sahuang

Echo8358 — Today at 8:31 AM The image is all you need

^

o wtf

08:36

k gonna try a bunch fo shit then

afterworld

which ill try

i think guaranteed win if get 1 out of remaining 4 (edited)

08:38

Q10 is impossible, so only 3

$ pngcheck trapped_in.png
trapped_in.png  illegal (unless recently approved) unknown, public chunk eXIf
ERROR: trapped_in.png

hmm

Y4nhu1

Click to see attachment 🖼️

did you use this?

sahuang

im not sure if discord will do sth to the image can you send via zip?

o u right

08:44

pngcheck trapped_in.png OK: trapped_in.png (1200x900, 32-bit RGB+alpha, non-interlaced, 36.6%).

08:44

ya

also if you binwalk on this png there are some chunkjs

08:46

idk

OriginalDocumentID | xmp.did:29278965-a0a0-436a-bff9-c6577fc270a1 (edited)

08:46

| InstanceID                | xmp.iid:301cdd11-b5cf-4940-a0f9-9ef9fa7497dd

08:53

b1,bgr,lsb,yX

08:53

is that nromal

maybe, since its created with gimp

b1,bgr,lsb,yX .. <wbStego size=194822, data=")\xA0eP(\xFF\xF05\xD0\xC2"..., even=false, enc="wbStego 2.x/3.x", controlbyte="\x95">

08:54

sm random shit (edited)

08:54

not sure if its zsteg

08:54

this =wbstego

wbstego is always not relevant

08:56

i tried checking for original image, it's color gradient changed, dunno if relevant

@afterworld can you ask admin if its steg or image pixel analysis

08:57

tried a lot of steg none working

k

09:01

@sahuang

09:01

if u reverse image search it

09:01

i think they put sm filter

i did, original image is orange

Image attachment

09:01

yea

09:02

feel like that could be related

but image size doesnt match so idk how to check filter

Image attachment

afterworld

feel like that could be related

could be, can we confirm w author?

09:02

ask if image filter is related

he stopped responding bruh

issue is i didnt find a 1200x900 image

09:07

of orange bg

Image attachment

@hfz wants to collaborate

Yeah you gotta use the mammoth picture and keep running

10:04

Very deep

10:04

Gj on the iceows tool

already went way too deep

It's even deeper

write-up makes me cringe

i think we just gotta focus on osint

10:05

not bother these 2 foren

ya this is crazy

10:05

and idek wtf q10 is

yeah too guess

deep as in 1 letter embedded in each pixel

i think after you unzip the 7z there are 3 or 4 more stages

10:05

so i dont wanna dig too much

10:05

matryoshka ++

sahuang

matryoshka ++

no steg in matryoshka tho last year

10:06

xd

10:06

maybe if you consider ipng steg then yes

10:07

but yeah gonna check solution for these 2 forensics lmao

just SE

they didnt answer lmao

11:08

i asked

11:08

wanted to know if we need to manipulate pixels on the image or some steg further

i couldn't actually get same image 1200x900

11:14

to do any difference or something

@Legoclones how many more stages after unzip password protected 7z?

11:15

or thats insta solve afterwards

Hmm lemme check

Guesslemonger

i couldn't actually get same image 1200x900

im only able to get same ratio (12:9) but not size

11:16

and if we shrink it might lose info

11:16

Image attachment

tired googling exif info, it should be standard

11:16

nothing

this is 960x720 webp

11:17

still 4:3

U got picture from layers of dirt.7z?

no we trying to find password to that from mammoth lmao

Oh okay wasn't sure where picture was from

how much more work inside layers of dirt?

Not guessy after opening layers of dirt

o

Mammoth came from trapped in ice?

yes

11:20

the blue one tho

11:20

orange one from google, and trying some pixel diff stuff

11:20

didnt work obviously

Okay yeah

11:21

Next part kinda guessy

11:21

But

11:21

Think buckeye billy

is OSINT part of the chal?

11:21

@Guesslemonger remember buckeye?

nope

Image attachment

11:22

now?

mf

11:22

this shit

11:22

hated it

1

what tool did you use

Legoclones

Think buckeye billy

Image attachment

don't even remember

11:24

wait

11:24

yeah so i was right

11:24

zoom in and try to read text

there is?

buckeye billy had that

yeah but you used some tool?

nope, just bit planes

ic

11:26

this image is consisted of pixels

11:26

pixel blocks

11:26

maybe sth

11:26

oh

11:26

yeah

11:26

saw it

11:26

lol

yeah

11:26

saw it

lmfao

11:26

tail -c sth

idk how i missed it earlier, i was zooming in constantly

yeah

right

same

11:27

good

11:27

it writes to some file

any ideas?

yeah

11:27

but not solve, cuz there's more to it

bruh

tail -c 97341 paleontology.jpg > lo_brco.tar.pit

11:28

this?

yeah

11:29

la_brea.tar.pit

yeah

11:29

doesnt matter

might

la brea is mammoth

11:30

but yeah

reference to la brea tar pits

yep

11:30

if anyone needs

la_brea.tar.pit

95.06 KB

some weird file format

11:31

need to osint

yep

tar?

11:33

https://en.wikipedia.org/wiki/PackIt

ye

11:33

packed tar

11:34

ah

11:34

lemme get my mac

11:36

wait maybe not needed

11:36

https://web.archive.org/web/20030908092720/http://www.tug.org/tex-archive/tools/mcvert/unpack.c

wtf

11:37

this whole chall finding weird ass file extract tools (edited)

1

http://ibiblio.org/pub/linux/utils/compress/macutils.tar.gz

11:38

use this i guess

need mac or not?

should not lol

11:39

inclusive ctf

Guesslemonger

http://ibiblio.org/pub/linux/utils/compress/macutils.tar.gz

is this linux command or sth

ok unar does it, i just did apt search packit

11:43

and it suggests unar

11:43

works

yeah

11:44

just extracted

11:44

2 files inside one is not viewable

sahuang

Click to see attachment 🖼️

oooof

1 is just metadata or something

11:45

steg.png now

Guesslemonger

inclusive ctf

we like to be inclusive

sahuang

Click to see attachment 🖼️

yeah that's awkward

sediment

11:46

124.68 KB

yeah

11:48

gives fossil.jpg at the end

send it?

solved

11:49

just strings

11:49

on that jpg

ah ok

cool

11:49

finally

11:49

bruh chal

Guesslemonger

used /ctf solve

✅ Challenge solved.

credited legoclones too

1

idk how i missed the reading

11:50

super weird

11:50

i did so many layers too

we didn't believe in ourselves

11:50

lmao

there are just too many attack surfaces, pixels, meta, steg, etc.

11:51

and inspecting is the least likely from what i thought lmao

Guesslemonger

we didn't believe in ourselves

yeah you guys could've gotten it

11:52

might've taken some time trying out different things

11:52

but yeah

wait

11:53

im confused what happened

11:53

after you got the woolly mammoth

11:53

what was next step

inspect the text on it

what text

on image

11:54

zoom in

the fuck

11:54

where

11:54

i tried

Image attachment

no way

all of us

11:54

failures

1

yeah no way lol

11:54

billy

11:54

lol

i tried so much random SHIT

next year we know there's gonna be billy chal for sure

1

lmao

Exported 369 message(s)