What's going on everybody? My name is John Hammond. We're looking at the hidden flag challenge in the miscellaneous category of HSCTF. It says, this image seems wrong. Did Keith lose the key again? And we have a challenge.png to go ahead and download. I'll go ahead and save this. Looks like I already have it downloaded. That's fine. We'll go ahead and overwrite it. I am in that HS directory I've been using to keep track of some of these challenges and work with them. I should organize this better, but hey, that's alright. Just for the video's sake, we're rolling through it.

So we have a chall.png. I want to make sure it is in fact a PNG with the file command, except it tells us that it's not. If I actually were to view this thing, eog, Eye of GNOME, for chall.png. Fatal error. It's not a PNG file. Gotcha. Okay, so what do we have to work with, right? We can do our other low-hanging fruit reconnaissance techniques. I'll just go ahead and run strings on chall.png. And there's a lot of nonsense it seems like. Down at the very bottom, I see this string, key is invisible. So I thought maybe, okay, maybe if it has, normally steghide, right, you could extract stuff given a key or a password with the source file chall.png. And I know the description says, did Keith lose the key again? Again is in bold. So I tried, let's try again. And it says, okay, the file format of that is not supported. So I guess because it's not a PNG, right, not doesn't have that header at all, it's not supported.

I stared at this for a while. And normally, I jumped to the conclusion because I've been trained that way and been exposed to way too many Capture the Flags where this is the case. I wonder if I can find that security meme. I'll track that down. If you don't have a whole lot of guidance in a CTF challenge, try XOR, the exclusive or operation. So because this is labeled a PNG and is not, maybe it's supposed to be. What we can do, wow, I just zoomed way out of my terminal. Okay, zoom it back in. 
Let's, sorry, I'm bad at this apparently. Let's use Python. And let's import pwn so we can XOR stuff. And let's go ahead and open up that chall.png just as a value, right? And let's go ahead and read it so we get that content. So A is now the inside of all that crap. I imported pwn, didn't I? Yeah. Wow, I told you I'm getting bad. This is not good. pwn will allow us to use the XOR function really, really easily. So you can pretty much note any information and strings and data, whatever data type you want, merged with it, whatever the other kind of data type you want. And it would allow you to please subscribe just fine, except it'll allow you to XOR it just fine. Except if it's out of order and not in the rotated spot. And not able to use a cyclic pattern the right way. That's better. Sorry, my number must have been a little bit too big. So I was using a bad example.

But if we were to go ahead and try and XOR the contents of that file, A that we have read, right, that's that's everything that we just read out of that chall.png file, we can go ahead and XOR that with some that we can presume is the key. Again, I noted that again word is in bold. So we can go ahead and XOR that but that didn't give us anything worthwhile. And then I remembered, looking at the strings, the contents of this file, it says key is invisible, just kind of trailing at the end. And I thought maybe that means it's literally, that's what the key is, right, the key is invisible. So let's go ahead and use the word invisible as our key, right. And when we crank that out, I see a couple more worthwhile things, that IEND, I note as the file structure for a PNG file, that means the end of a PNG chunk. So maybe we do have, in fact, a PNG file now. If I keep scrolling through this, I know this is horrible and terrible to read with all these raw bytes in here. I thought I saw an IHDR, a header for a PNG chunk, I can't scroll to the top of this. 
Okay, but regardless, let's go ahead and try and just save this as a file and see if the file command will be able to work with it. So let's just open like new.png, open it in write mode, and we'll go ahead and write these values here. So now we should have, if I were to check my directory, a new.png file. And if we open that up with file, we can see, okay, this is in fact a PNG image. Let's view it. And there is our flag. HSCTF not invisible anymore. I don't know how five becomes a Y, but whatever. So that's that. That's what it was. Maybe that was a guessing challenge. Maybe that was a little, that was intuitive, right? It's got the key is invisible. And it means the word literally invisible. So that's the flag. That's how we solve that challenge. And that is some XOR stuff.

Let me track down that meme. It's got it. There's got to be somewhere randomly XORing data. CTF meme. This is dangerous. Because I'm straight up going to Google Images at the end of a YouTube video. O'Reilly. It was an O'Reilly book meme. Okay, I'm getting pictures of strange people. Security memes for theater people. The theater memes for security people. That's a page on Facebook that you can open some of the stuff up. Let me go get this. And I'll let me pause the recording and I'll go track it down so I can show you. Okay, this is it. This is the, is it a standard flag format, randomly XORing data, for the definitive capture the flag guide. I like that one a lot. This is another good one. Hoping this works with the hiding his face. Solutions that might fix the problem without breaking anything. I love, I love these. The O'Reilly and O'Reilly jokes. These are the best. Please share these. Please jump in the Discord server and spread these memes around. I'd love these. All right. Thank you guys for watching. I hope you enjoyed this video. If you did, please do like, comment and subscribe. Love to see you in the Discord server. There is a link in the description. 
I just bumped the microphone. I'm sorry. That probably sounded horrendous. I'm gonna end the video. Love to see you on Patreon. Love to see you on PayPal. I'll see you.
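
Added example, not part of the video: the repeating-key XOR decode described above, written with only the Python standard library instead of the pwntools `xor` helper used on screen. It goes one step beyond the video by recovering the key from the 16 bytes every PNG is known to start with rather than guessing it, then confirms the result by checking chunk CRCs; the function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib
from itertools import cycle

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Every PNG opens with the signature, then IHDR's length (13) and type:
# 16 predictable bytes that serve as known plaintext.
KNOWN_HEADER = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR"

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key cyclically."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes) -> bytes:
    """ciphertext XOR expected header = keystream; return its shortest period.
    Only keys shorter than the 16 known bytes can be recovered this way."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, KNOWN_HEADER))
    for n in range(1, len(stream)):
        if xor_repeat(bytes(len(stream)), stream[:n]) == stream:
            return stream[:n]
    return stream

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def is_valid_png(data: bytes) -> bool:
    """Check the signature, then verify every chunk CRC up to IEND."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 8 + length
        ctype, body, crc = data[pos + 4:pos + 8], data[pos + 8:end], data[end:end + 4]
        if len(crc) != 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            return False
        if ctype == b"IEND":
            return True
        pos = end + 4
    return False

# Constructed sample: a 1x1 grayscale PNG XORed with the key from the video.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE_PNG = (PNG_MAGIC + chunk(b"IHDR", IHDR)
              + chunk(b"IDAT", zlib.compress(b"\x00\xff")) + chunk(b"IEND", b""))
SAMPLE_ENC = xor_repeat(SAMPLE_PNG, b"invisible")

if __name__ == "__main__":
    key = recover_key(SAMPLE_ENC)
    print(key, is_valid_png(xor_repeat(SAMPLE_ENC, key)))
```

The CRC walk is a stronger check than the `file` command, which only inspects the leading bytes: a wrong key that happens to fix the signature still fails on the first chunk checksum.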