Project Sekai - ✅-steganography-bitmap

Project Sekai

🔒 RITSEC CTF 2023 / ✅-steganography-bitmap

bitmap - 400 points

Category: Steganography Description: Some of these squares are not like the others. Files:

https://ctf.ritsec.club/files/dd4d6cfdd27e3598096a3a5858eb158c/bitmap.bmp?token=eyJ1c2VyX2lkIjo3MTcsInRlYW1faWQiOjQ1OCwiZmlsZV9pZCI6Nn0.ZCcD6g.p_8fm8NQ7F2a54JnPHzKmh-NqjY

Tags: No tags.

Sutx pinned a message to this channel. 03/31/2023 9:01 AM

@crazyman ai wants to collaborate

@hfz wants to collaborate

pure guessing

10:45

Image attachment

10:45

Image attachment

10:45

array([[[179, 189, 255],
        [185, 168, 176],
        [183, 172, 182],
        [186, 180, 160],
        [216, 194, 166],
        [182, 173, 160],
        [186, 172, 171],
        [216, 160, 188],
        [223, 223, 223],
        [169, 182, 223],
        [189, 216, 194],
        [168, 176, 179],
        [172, 182, 185],
        [223, 216, 183],
        [223, 223, 223],
        [187, 176, 178],
        [188, 194, 186],
        [223, 188, 189],
        [223, 223, 223],
        [194, 177, 182],
        [167, 186, 183],
        [223, 223, 223],
        [170, 176, 223],
        [183, 194, 171],
        [223, 167, 186],
        [223, 223, 223],
        [175, 182, 188],
        [173, 186, 183],
        [172, 170, 215],
        [182, 223, 186],
        [183, 223, 177],
        [214, 167, 186],
        [155, 216, 194],
        [245, 164, 187],
        [ 64,  78, 212],
        [ 39, 101,  90],
        [216,   9, 202],
        [ 99, 178, 158],
        [ 29,  76,  46],
        [  4, 123, 172],
        [ 82,  47, 243],
        [211, 104, 182],
        [237,  92, 229],
        [255, 216, 255]]], dtype=uint8)

10:45

we need GM

@rubiya wants to collaborate

time to rename teamname to guessctf then vote 1

did a few times before lol

10:52

its so bad

hfz

Click to see attachment 🖼️

what is this

13:07

like how did you get the array from this image?

I justed cropped it

13:07

and grabbed the pixels

@Guesslemonger wants to collaborate

subtract all from 255?

13:16

give me the string

that array?

13:17

hold on

13:19

there're a lot of 255 there

13:19

subtracting makes 0

13:20

[76, 66, 0, 70, 87, 79, 72, 83, 73, 69, 75, 95, 39, 61, 89, 73, 82, 95, 69, 83, 84, 39, 95, 67, 32, 32, 32, 86, 73, 32, 66, 39, 61, 87, 79, 76, 83, 73, 70, 32, 39, 72, 32, 32, 32, 68, 79, 77, 67, 61, 69, 32, 67, 66, 32, 32, 32, 61, 78, 73, 88, 69, 72, 32, 32, 32, 85, 79, 32, 72, 61, 84, 32, 88, 69, 32, 32, 32, 80, 73, 67, 82, 69, 72, 83, 85, 40, 73, 32, 69, 72, 32, 78, 41, 88, 69, 100, 39, 61, 10, 91, 68, 191, 177, 43, 216, 154, 165, 39, 246, 53, 156, 77, 97, 226, 179, 209, 251, 132, 83, 173, 208, 12, 44, 151, 73, 18, 163, 26, 0, 39, 0]

13:21

makes no sense i think

13:21

"LB\x00FWOHSIEK_'=YIR_EST'_C   VI B'=WOLSIF 'H   DOMC=E CB   =NIXEH   UO H=T XE   PICREHSU(I EH N)XEd'=\n[D¿±+Ø\x9a¥'ö5\x9cMaâ³Ñû\x84S\xadÐ\x0c,\x97I\x12£\x1a\x00'\x00"

hfz

I justed cropped it

crop as using windows tool?

13:37

will it be the same?

sahuang

crop as using windows tool?

inside gimp

i guess we need to get what bits to take from flag format

yes, it's same

well zsteg says xor by ff

13:43

so it should be that

hm

13:47

[179, 189, 255, 185, 168, 176, 183, 172, 182, 186, 180, 160, 216, 194, 166, 182, 173, 160, 186, 172, 171, 216, 160, 188, 223, 223, 223, 169, 182, 223, 189, 216, 194, 168, 176, 179, 172, 182, 185, 223, 216, 183, 223, 223, 223, 187, 176, 178, 188, 194, 186, 223, 188, 189, 223, 223, 223, 194, 177, 182, 167, 186, 183, 223, 223, 223, 170, 176, 223, 183, 194, 171, 223, 167, 186, 223, 223, 223, 175, 182, 188, 173, 186, 183, 172, 170, 215, 182, 223, 186, 183, 223, 177, 214, 167, 186, 155, 216, 194, 245, 164, 187, 64, 78, 212, 39, 101, 90, 216, 9, 202, 99, 178, 158, 29, 76, 46, 4, 123, 172, 82, 47, 243, 211, 104, 182, 237, 92, 229, 255, 216, 255]

13:47

original data

13:50

i think probably one color is one flag char? (edited)

13:50

so we shouldnt group them

13:50

like 179, 189, 255 -> R 185, 168, 176 -> S

13:51

but maybe not

13:51

could be some data then decoded to flag

13:52

44 color blocks

yeah, 1 set should be a char, 223,223,233 should be _

why 223,223,223 is _

13:55

ah guessed?

it repeats quite a bit

right

maybe not, repeats quite close by

nothing else is repeated

yeah, not the way

@hfz alpha channel is all 255?

yes

yeah idk so weird lol

3 solves smh

yeah

14:28

guessing stuff

14:29

thc solved both 500 pt pwns so prob they are more doable technically

14:29

gonna wait till pwn guy wake up

I feel like I'm close with Alphabet but I'm getting dizzy lmao

sahuang

gonna wait till pwn guy wake up

Piers?

idk he isnt in this chat

@hfz i downloaded the RGBA's in this whole QR, some parts are different

wdym?

15:14

the alpha channel?

Image attachment

15:14

no the rgb

oh wtf

like the 6,6,6

did cropping cause things to break?

they are from black and whites

15:14

not that color block i think

ah, yes, the gray stuff

ill try extract all different ones

15:15

aka non 0,0,0 or 255,255,255

@Deleted User wants to collaborate

yeah alpha all 255

15:18

that color block must be there for a reason

15:19

there're a LOT of pixels not pure black or white

@kanon wants to collaborate

ok i guess those are the "grays"

Image attachment

15:20

so we still should not count those

hfz

array([[[179, 189, 255],
        [185, 168, 176],
        [183, 172, 182],
        [186, 180, 160],
        [216, 194, 166],
        [182, 173, 160],
        [186, 172, 171],
        [216, 160, 188],
        [223, 223, 223],
        [169, 182, 223],
        [189, 216, 194],
        [168, 176, 179],
        [172, 182, 185],
        [223, 216, 183],
        [223, 223, 223],
        [187, 176, 178],
        [188, 194, 186],
        [223, 188, 189],
        [223, 223, 223],
        [194, 177, 182],
        [167, 186, 183],
        [223, 223, 223],
        [170, 176, 223],
        [183, 194, 171],
        [223, 167, 186],
        [223, 223, 223],
        [175, 182, 188],
        [173, 186, 183],
        [172, 170, 215],
        [182, 223, 186],
        [183, 223, 177],
        [214, 167, 186],
        [155, 216, 194],
        [245, 164, 187],
        [ 64,  78, 212],
        [ 39, 101,  90],
        [216,   9, 202],
        [ 99, 178, 158],
        [ 29,  76,  46],
        [  4, 123, 172],
        [ 82,  47, 243],
        [211, 104, 182],
        [237,  92, 229],
        [255, 216, 255]]], dtype=uint8)

this should be correct, shouldn't be any other info on the bmp file

Yeah, there's something else that caught my attention at first when I read the challenge description (some squares aren't like the others)

15:32

some black squares of the QR code appear slightly bigger

15:32

idk if intended or just compression stuff

i think just the colored pixels matter

yes

@Iyed wants to collaborate

@afterworld wants to collaborate

Image attachment

17:17

those are the only ones that seem not like others

17:18

but there isn't anything helpful with it ig

did you get anything out of the color pixels?

17:18

i still think that's the flag related

17:18

the QR code is just rickroll so likely doesn tmatter..

I'm still guessing

17:18

it redirects to some ip logger

17:18

before redirecting to youtube

oh really

HTTP/2 301 
date: Fri, 31 Mar 2023 23:46:50 GMT
content-type: text/html; charset=UTF-8
location: https://grabify.link/DSAU3W
cache-control: max-age=0, public, s-max-age=900, stale-if-error: 86400
referrer-policy: unsafe-url
x-tinyurl-redirect: eyJpdiI6IkhWQWkyMU83MzdQVStLQzQ1a2RjMHc9PSIsInZhbHVlIjoiTEI5K0YvYUQ3YW45M3hDZHA2Z1J5aHovbTFCOEl5NkdzaGF2cVJIYzNxY1BBKzQrcmlSUUxEMVF5QkJvOFkrVjBaQ0VtaHRwZ0VRaTkzZENBRzVGVGc9PSIsIm1hYyI6ImM4NmNjNzBlM2FhNmJlYjZkMTUyOGQ4N2VjYTA0ODBmMTk5NmVkZjBmMDZmOTczMTk1YmIxMmRhZGY3ZTllZWQiLCJ0YWciOiIifQ==
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 7b0c7953ed2aeee4-ATH
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='https://grabify.link/DSAU3W'" />

        <title>Redirecting to https://grabify.link/DSAU3W</title>
    </head>
    <body>
        Redirecting to <a href="https://grabify.link/DSAU3W">https://grabify.link/DSAU3W</a>.
    </body>
</html>

this is the QR code scanned data?

a curl request to the tinyurl link that is provided when I scan the QR code

17:20

I don't think that's helpful tho but why ip logging

not sure if its related

i asked author it's not related

hfz

array([[[179, 189, 255],
        [185, 168, 176],
        [183, 172, 182],
        [186, 180, 160],
        [216, 194, 166],
        [182, 173, 160],
        [186, 172, 171],
        [216, 160, 188],
        [223, 223, 223],
        [169, 182, 223],
        [189, 216, 194],
        [168, 176, 179],
        [172, 182, 185],
        [223, 216, 183],
        [223, 223, 223],
        [187, 176, 178],
        [188, 194, 186],
        [223, 188, 189],
        [223, 223, 223],
        [194, 177, 182],
        [167, 186, 183],
        [223, 223, 223],
        [170, 176, 223],
        [183, 194, 171],
        [223, 167, 186],
        [223, 223, 223],
        [175, 182, 188],
        [173, 186, 183],
        [172, 170, 215],
        [182, 223, 186],
        [183, 223, 177],
        [214, 167, 186],
        [155, 216, 194],
        [245, 164, 187],
        [ 64,  78, 212],
        [ 39, 101,  90],
        [216,   9, 202],
        [ 99, 178, 158],
        [ 29,  76,  46],
        [  4, 123, 172],
        [ 82,  47, 243],
        [211, 104, 182],
        [237,  92, 229],
        [255, 216, 255]]], dtype=uint8)

so probably still focus on this 44 pixels

@Y4nhu1 wants to collaborate

no admin SE?

dont know author

sahuang

i asked author it's not related

?

its admin

20:47

not author

Image attachment

20:48

find this in bitmap.bmp

xor with 0xff?

20:48

didnt we do that

20:48

hmmmm

yes i already wrote above, zsteg gives this

hmmm

i also tried xoring with string 'FF'

20:50

8 solves, lol

i think they meant 255 cuz thats natural for pixel values

guess game weak

76 66 0
70 87 79
72 83 73
69 75 95
39 61 89
73 82 95
69 83 84
39 95 67
32 32 32
86 73 32
66 39 61
87 79 76
83 73 70
32 39 72
32 32 32
68 79 77
67 61 69
32 67 66
32 32 32
61 78 73
88 69 72
32 32 32
85 79 32
72 61 84
32 88 69
32 32 32
80 73 67
82 69 72
83 85 40
73 32 69
72 32 78
41 88 69
100 39 61
10 91 68
191 177 43
216 154 165
39 246 53
156 77 97
226 179 209
251 132 83
173 208 12
44 151 73
18 163 26
0 39 0

After ^ 0xff btw

it's most likely decimal to ascii, can form some words lsb, pictures but seems jumbled (edited)

what lsb

20:54

the second half is weird because values are small and then a lot of >127 values

it's aes, can see mode = ecb, iv

20:55

in there

i didnt see any AES

20:56

oh

20:56

well i didnt see "aes" still

20:56

after convertting to ascii

we need to read in a certain way I guess

how did you read aes

20:58

i didnt see it

i saw VI, DOMC=E CB

20:58

mode = cbc

oh

jumbled (edited)

right

Guesslemonger

we need to read in a certain way I guess

so yeah

the second half is likely iv/ciphertext then

20:59

or key

iv is also text, key is also text

20:59

part after 10 is cipher

printable ascii?

yes

ah yeah

just have to jumble

weird thing is there's 0 in first vector

they just had to have it because full thing might not be divisible by 3

21:01

try it now, should be gettable, gotta go

LBFWOHSIEK_'=YIR_EST'_CVIB'=WOLSIF'HDOMC=ECB=NIXEHUOH=TXEPICREHSU(IEHN)XEd'=

21:02

printable part

21:02

looks promising

21:02

there is base64 there in ''

21:02

not base64

21:02

but length 8

21:04

oh that = is like key=xxx iv=xxx ciphertext=xxx maybe

21:05

oh

21:05

found it out

21:05

lol

?

yeah

21:05

i think i can solve

nice, what was it?

BLOWFISH_KEY='_RITSEC_' IV='BLOWFISH' MODE=CBC IN=HEX OUT=HEX CIPHER(USE IN HEX)='d (edited)

2

Ah

21:06

rot13?

LOL

this is first part

21:07

last part i havent finished cuz they arent printable

21:07

need to convert to hex

sahuang

need to convert to hex

b"BLOWFISH_KEY='_RITSEC_'    IV='BLOWFISH'    MODE=CBC    IN=HEX    OUT=HEX    CIPHER(USE IN HEX)='dD[\n+\xb1\xbf\xa5\x9a\xd85\xf6'aM\x9c\xd1\xb3\xe2S\x84\xfb\x0c\xd0\xadI\x97,\x1a\xa3\x12\x00'"

(edited)

thats wrong order

21:08

[::-1] for each row

21:08

and remove first \x00 and last \x00

21:10

last part is a bit weird cuz length isnt exactly 64

21:10

that 'd' is converted from char for "100"

21:10

but later they need hex

21:13

445b0a2bb1bfa59ad835f627614d9cd1b3e25384fb0cd0ad49972c1aa3120027 is already length 64, but this didnt include the "d"

21:14

ok got it

sahuang

used /ctf submit

✅ Well done, challenge solved!

nice, wp

64445b0a2bb1bfa59ad835f627614d9cd1b3e25384fb0cd0ad49972c1aa31200

21:15

for ct

cipher = b"dD[\n+\xb1\xbf\xa5\x9a\xd85\xf6\'aM\x9c\xd1\xb3\xe2S\x84\xfb\x0c\xd0\xadI\x97,\x1a\xa3\x12\x00"

no not d

21:16

100->0x64

21:16

ah yeah you didnt do it in hex

this cipher worked for me

21:16

yeah, not hex

convert to hex and online tool ez solve

>>> from Crypto.Cipher import Blowfish
>>> cipher = b"dD[\n+\xb1\xbf\xa5\x9a\xd85\xf6\'aM\x9c\xd1\xb3\xe2S\x84\xfb\x0c\xd0\xadI\x97,\x1a\xa3\x12\x00"
>>> b = Blowfish.new(b"_RITSEC_", Blowfish.MODE_CBC, iv=b"BLOWFISH")
>>> b.decrypt(cipher)
b'RS{CONSIDER_THESE_BITS_MAPPED}\x02\x02'
>>>

Image attachment

python ftw xd

xd

Nice, guess game strong

yeah lol

Exported 203 message(s)