defcamp6 [Defcamp Quals 2023]

stego osint
writeup by: sunbather

Challenge Description

Sometimes, we must look back in time to bring all the good vibes back!

Flag format: CTF{sha256}

Intuition

The description and category (OSINT + Stego) seems to hint at using the wayback machine. We search for the photo on the wayback machine and find the “original” photo posted on the Defcamp website. We notice that the top-left corner has modified pixels, so maybe something is hidden in it with the LSB/MSB technique. We’ve tried different scripts to extract them, with different offsets and bit concatenation but we couldn’t get anything.

At some point I had the idea to compare the original pixels to the ones provided. We notice that if we substract any channel value (R, G, B) between the two pixels, we get a number that lands in printable ASCII range. Last pixel decodes to } so we’ve got our flag.

Solution

Simple script to make the substractions:

#!/usr/bin/env python3

from PIL import Image
from itertools import permutations

image_path = "flag_encoded.png"
alt_image_path = "./2015_buc_1.jpg"

image = Image.open(image_path)
alt_image = Image.open(alt_image_path)

pixels = list(image.getdata())
alt_pixels = list(alt_image.getdata())

extracted_data = ""
for i in range(69):
	pixel_values = pixels[i]
	alt_pixel_values = alt_pixels[i]
	print(chr(alt_pixel_values[0] - pixel_values[0]), end='')

Flag

CTF{fc5cbfe2cae683a39e7a8376e69a76e759e5720ec5babcb188fc2ffda316ed47}