WARNING - CTF SPOILERS AHEAD

It all started with a tweet by @jms_dot_py...

Well this looks pretty interesting: https://www.reddit.com/r/Information_Security/comments/68qsko/help/ #osint ;)

Justin posted the above tweet back on May 2nd, and I checked it out for a second, not knowing it was the first stage of a CTF put together by @beast_fighter. It wasn't until this week that @beast-fighter plugged the post again, letting everyone know this was his CTF he'd been working on.

After realizing that, I decided to check it out and see what it was all about. First, let's look at this Reddit post and see what's going on.

So, we see that this user is asking for help for a "weird" file they received. They give us a link to VirusTotal, and that's basically it. Luckily for us, someone asked to have the file uploaded, and "charlie_books" @beast_fighter uploads it to https://ufile.io/g6hdb

So, let's go ahead and grab that file. Also to note real quick, while I don't think T3CHSTR00DL3 is @beast_fighter, they commented about "static analysis", which may come into play later...

Anyways, I grabbed the file, and it's a zip file called follow.zip. We unzip it and get a directory called follow, along with two new files in that directory, delivery.zip and foxy.jpg.

First, let's check out foxy.jpg. Remembering what the one commenter said about static analysis, the first thing I tried was running strings on the file:

JFIF  
Exif  
pyExifToolGui 0.5  
Follow the hash  
nothing is as it seems  

So, we see a little hint here, "Follow the hash", along with "nothing is as it seems", with the latter potentially indicating steganography coming into play.

With the previous hint, let's generate some hashes...

MD5 (foxy.jpg) = 84f75a6044e3d4550882a699bc7d5877  

Doing a Google search for the hash, we get one result, https://malwr.com/analysis/YmY4YTUxMTAzMzBhNGUzYTk5ZjQxOTg0Zjc0ZmM2NDY/ which takes us to the analysis of foxy.jpg. Looking around, not seeing much, however, I notice the comment section has some activity...

A user by the name of raigenjohnston left a comment for &&02!grown!PLANE!brought!HERS!05&& on April, 29th, 2017 which is around the same day/time as the Reddit thread was started.

So, this looks to be some sort of flag/secret/password, wonder what it goes to...

Moving on to the delivery.zip file, we need to enter a password, which sure enough, the password we just discovered works.

Inside the zip was a file, sneaky.png, (MD5 - 9aa007e5c6987a2241e9a6b84fd8ad1b)

The file is about 3.6MB, which is quite large for a png, so, something else is going on here. At this point, I spent about an hour looking all around for Steganography related tools, or looking at the file headers to see if this was something more than a png, and came up empty. I've never messed with stego before, so, this was all new to me. I reached out to @beast_fighter to confirm that stego was at play, and he provided me with the name, openstego, which is a common steganography tool for linux, and some further googling on my part may have yielded that result.

When trying to open the file in OpenStego, we realize we need a password for it. Remembering that the previous MD5 hash gave us a link to the previous password, we used the MD5 hash of sneaky.png and got a link to Pastebin (https://pastebin.com/fiG5b4q9). Going to Pastebin, we are left with a new password to use later on, ::14&dance&STAR&lead&PLANTS&52::

* Side note, we could have easily found the above password from the VirusTotal comments in the initial Reddit thread. User raigenjohnston posted two comments, "fiG5b4q9" and "I hear people put stuff on Pastebin a lot". So, putting those together would give us the same Pastebin link as we found earlier.

After putting that password in, we get a new file, nearlythere.jpg (MD5 - bce1e1665d1598a346379960fae131ce). First, we check out what the file type is:

nearlythere.jpg: ASCII text  
[email protected]:/home# head nearlythere.jpg  
find me on twitter: @raigenjohnston  

Alright, so, let's look at @raigenjohnston on Twitter...https://twitter.com/raigenjohnston and viola.

Conclusions

Overall, I had a fun time with this CTF. I think these OSINT-styled CTF's are a great idea, and look forward to more levels by @beast_fighter.

All but the steganography part I was familiar with, and felt like a good level 1 challenge, however, to someone with no experience with steganography, I felt lost when trying to find out what was behind the picture. It seems like there are multiple tools for hiding things in pictures, with each one having their own ways to decrypt the hidden content. When chatting with @beast_fighter about it, he said the thought process would be, linux > steganography > openstego or kali based stego tools. Thinking back, that seems like what I should have googled for, but, again, to someone with no stego experience, I was just throwing terms out and messing with whatever tools I could find, to no avail.

Besides that, this was super fun and allows people to put on their internet detective hats for a bit. Bravo @beast_fighter! Looking forward to the next level.