we’re given a PNG file:

lockpicking.png

First thing to notice is it’s pretty big at 41M. So let’s take a closer look at it:

$ pngcheck -vt lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png
File: lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png (42964010 bytes)
  chunk IHDR at offset 0x0000c, length 13
    1692 x 672 image, 24-bit RGB, non-interlaced
  chunk IDAT at offset 0x00025, length 65536
    zlib: deflated, 32K window, default compression
  chunk IDAT at offset 0x10031, length 65536
  chunk IDAT at offset 0x2003d, length 65536
  chunk IDAT at offset 0x30049, length 65536
  chunk IDAT at offset 0x40055, length 65536
  chunk IDAT at offset 0x50061, length 65536
  chunk IDAT at offset 0x6006d, length 65536
  chunk IDAT at offset 0x70079, length 65536
  chunk IDAT at offset 0x80085, length 65536
  chunk IDAT at offset 0x90091, length 65536
  chunk IDAT at offset 0xa009d, length 65536
  chunk IDAT at offset 0xb00a9, length 65536
  chunk IDAT at offset 0xc00b5, length 65536
  chunk IDAT at offset 0xd00c1, length 65536
  chunk IDAT at offset 0xe00cd, length 65536
  chunk IDAT at offset 0xf00d9, length 65536
  chunk IDAT at offset 0x1000e5, length 65536
  chunk IDAT at offset 0x1100f1, length 65536
  chunk IDAT at offset 0x1200fd, length 65536
  chunk IDAT at offset 0x130109, length 65536
  chunk IDAT at offset 0x140115, length 24188
  chunk IEND at offset 0x145f9d, length 0
  additional data after IEND chunk
ERRORS DETECTED in lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png
$ zsteg lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png
[?] 41628805 bytes of extra data after image end (IEND), offset = 0x145fa5
extradata:0         ..
    00000000: 38 7a bc af 27 1c 00 04  6a fe f5 c8 c0 8e 6c 02  |8z..'...j.....l.|
    00000010: 00 00 00 00 29 00 00 00  00 00 00 00 fa ba 6a 17  |....).........j.|
    00000020: b8 ed d8 f3 ae c5 65 fb  41 d6 95 7c bc 81 2e c3  |......e.A..|....|
    00000030: c7 92 5c bc 92 db 8b 57  5f 05 00 65 29 e6 ce 8f  |..\....W_..e)...|
    00000040: 6b b0 32 0d fc aa d6 b1  bb 7b f5 59 4f 7c 20 78  |k.2......{.YO| x|
    00000050: de 96 5a fe 71 8b 7b 7d  51 30 cf c3 37 d7 0d 89  |..Z.q.{}Q0..7...|
    00000060: 7b 00 a1 16 17 f2 6d 1a  4d 8b ce fd 78 00 90 c1  |{.....m.M...x...|
    00000070: d4 1a 49 03 8a 34 66 2e  2c 66 ab e2 b5 9f bc 1c  |..I..4f.,f......|
    00000080: b1 7f e1 89 21 6f c1 e1  c2 9a a2 69 02 1e 4a a6  |....!o.....i..J.|
    00000090: 0d 20 84 87 8d b8 98 18  3e 43 81 40 b2 aa 8d 56  |. ......>[email protected]|
    000000a0: db ff 68 5a fb d7 14 e9  0c e8 40 43 f7 69 30 52  |[email protected]|
    000000b0: 57 46 1d 5e af 2b e2 ed  97 4e 0f fb e6 f9 84 ee  |WF.^.+...N......|
    000000c0: 41 58 fe cd c7 c8 0c 0d  27 c5 dc 3d 68 fb 08 f4  |AX......'..=h...|
    000000d0: 53 bf fc 1e 0d 6b f8 b5  77 04 29 ef f1 ad 24 68  |S....k..w.)...$h|
    000000e0: 1c f9 c7 ce 02 45 d5 57  14 f6 1a 32 55 d2 fe 76  |.....E.W...2U..v|
    000000f0: aa 1d 89 83 a5 6d c3 ec  42 0d 72 21 3e 9f dd ee  |.....m..B.r!>...|
imagedata           .. text: "\n\n\t\r\r\r\r\r"
b1,b,lsb,xy         .. text: "SuperS3cur3P4ssw0rdTh4tY0uW1llN3v3rEv3rGu3s5OrBr00tf0rceMuahahahaha"
b1,bgr,lsb,xy       .. text: "n{cW~Brb"
b2,g,lsb,xy         .. text: "(<|)r\"oW"
b3,bgr,msb,xy       .. text: "dlU1H/W^"
b4,r,lsb,xy         .. text: "DVv2S%e4%ffQBF"
b4,g,lsb,xy         .. text: "/)Th#0G`"
b4,b,lsb,xy         .. text: "gge1B5dE"

That’s interesting, there’s trailing data (starting with 8z) and a password: SuperS3cur3P4ssw0rdTh4tY0uW1llN3v3rEv3rGu3s5OrBr00tf0rceMuahahahaha. So let’s try to extract the trailing data:

$ # +1335206 = 0x145fa5 + 1
$ tail -c +1335206 lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png > trailing_data
$ file trailing_data
trailing_data: data

Substituting the first byte of the data with a 7 gives us a valid 7zip archive:

$ xxd trailing_data | head -n1
00000000: 377a bcaf 271c 0004 6afe f5c8 c08e 6c02  7z..'...j.....l.
$ file trailing_data
trailing_data: 7-zip archive data, version 0.4
$ 7z x foo.7z

7-Zip [64] 15.09 beta : Copyright (c) 1999-2015 Igor Pavlov : 2015-10-16
p7zip Version 15.09 beta (locale=utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)

Scanning the drive for archives:
1 file, 41628806 bytes (40 MiB)

Extracting archive: foo.7z

Enter password (will not be echoed): SuperS3cur3P4ssw0rdTh4tY0uW1llN3v3rEv3rGu3s5OrBr00tf0r

WARNINGS:
There are data after the end of archive

--
Path = trailing_data
Type = 7z
WARNINGS:
There are data after the end of archive
Physical Size = 40668937
Tail Size = 959869
Headers Size = 185
Method = LZMA2:24 7zAES
Solid = -
Blocks = 1

Everything is Ok

Archives with Warnings: 1

Warnings: 1
Size:       40758153
Compressed: 41628806

This gives us a rather large MP4-File, S3CR3T:

$ file S3CR3T
S3CR3T: ISO Media, MPEG v4 system, version 1

Also, interesting: “There are data after the end of archive“: Let’s check that out:

$ binwalk trailing_data

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             7-zip archive data, version 0.4
40668937      0x26C8F09       PNG image, 970 x 450, 8-bit/color RGB, non-interlaced
40669056      0x26C8F80       Zlib compressed data, best compression

Huh, another png? let’s extract it:

$ tail -c +40668938 trailing_data > foo.png
$ file foo.png
foo.png: PNG image data, 970 x 450, 8-bit/color RGB, non-interlaced

keys.png

However, it seems like that image didn’t have anything further to hide…. So maybe the MP4 File? After some searching, I found this blog Post about using MP4 files as TrueCrypt containers. In this context, the image of keys hints that it is used as a key file for the truecrypt container. Unfortunately, I spent a few minutes trying to set up TrueCrypt and failing, until:

2016-11-06 23:57:28     @plonk  nurfed: can you check if it is truecrypt? I can't install it rn
2016-11-06 23:57:43     @plonk  I have the feeling the mp4 is some container and the keys image is the key
2016-11-06 23:58:06     &nurfed plonk: do you have a pass.
2016-11-06 23:58:17     @plonk  nurfed can't you use a file as a key?
2016-11-06 23:59:39     &nurfed The volume "/home/nurfed/ctf/pwnvote/for/5/S3CR3T" is already mounted.
2016-11-06 23:59:40     &nurfed eh
2016-11-06 23:59:42     &nurfed wtf
2016-11-07 00:00:06     nsr     it's over
2016-11-07 00:00:40     @plonk  nurfed, can you get me a flag?
2016-11-07 00:00:50     &nurfed plonk: idk where it is mounted
2016-11-07 00:00:57     @plonk  it is truecrypt
2016-11-07 00:01:03     @plonk  admin confirmed
2016-11-07 00:01:03     TiHebTak        game over it seems
2016-11-07 00:01:04     &nurfed idk truecrypt...
2016-11-07 00:01:27     TiHebTak        gg guys
2016-11-07 00:01:37     @immerse        gg, it was fun to have everyone playing :)
2016-11-07 00:01:39     nsr     pretty close to #1 :/
2016-11-07 00:01:46     nsr     ccm was missing, due to broken box :<
2016-11-07 00:01:54     @plonk  yeah, and really fucking close to solving last forensics
2016-11-07 00:02:06     nsr     and also that web
2016-11-07 00:02:13     nsr     1h more time would've been nice :P
2016-11-07 00:02:36     TiHebTak        we collaborated better this time, that makes it much more fun
2016-11-07 00:02:58     &nurfed flag{p4dl0ck5_us3_A3S_n0w4d4ys_wh0_kn3w}µ
2016-11-07 00:03:29     nsr     welp, damn
2016-11-07 00:03:29     @plonk  shit
2016-11-07 00:03:37     TiHebTak        aww
2016-11-07 00:03:59     &nurfed it auto mounts to /mnt/ ...
2016-11-07 00:04:07     &nurfed how the shit should I know where it mounts
2016-11-07 00:04:15     &nurfed my usb's dont mount in /mnt ><
2016-11-07 00:04:17     @plonk  nurfed: don't worry
2016-11-07 00:04:49     &nurfed plonk: if you said truecrypt a bit earlier
2016-11-07 00:04:52     &nurfed daamn
2016-11-07 00:05:20     &nurfed LOL
2016-11-07 00:05:22     nsr     funneh
2016-11-07 00:06:15     @plonk  sorry
2016-11-07 00:06:43     &nurfed I submitted the flag
2016-11-07 00:06:56     &nurfed but it didnt give points anymore :P
2016-11-07 00:07:32     @plonk  ah well, #2
2016-11-07 00:07:43     nsr     with that fflag it would've been #1
2016-11-07 00:07:44     nsr     so classic
2016-11-07 00:07:45     nsr     :D
2016-11-07 00:07:47     @plonk  sorry, I should have communicated more
2016-11-07 00:07:51     @plonk  I was setting up tc
2016-11-07 00:07:54     @plonk  and didn't work
2016-11-07 00:07:55     &nurfed plonk: damn
2016-11-07 00:08:00     @plonk  then panicked and asked you
2016-11-07 00:08:00     &nurfed I have like everything
2016-11-07 00:08:05     @plonk  should have asked you first
2016-11-07 00:08:14     @plonk  I'm sorry
2016-11-07 00:08:25     &nurfed I panicked because I didnt know where it mounted
2016-11-07 00:08:32     @plonk  lol

For me the main takeaway here is that especially when timing is tight, communication is trivial and it’s definitely worth dumping knowldedge for others to see earlier rather than later. But all in all, shits and giggles and cograts to DragonSector!

nurfed & plonk