Hey, what's up guys? John Hammond here, bringing you another YouTube video for the Junior CTF. In this case, I want to show off the Clone Attack challenge, which was supposedly the trivial, like, easy beginner-level one for forensics. So we're 300 points now because they're fluctuating, and: "Since Gravity Falls under clones attack, find the real Dipper and save the town." And there's a bunch of stuff here. So this is, believe it or not, a link. This image is a link. I don't know if you would have seen, but regardless, it's a 7-Zip archive. You can go ahead and download that, and I'll open it with Archive Manager, and there's a bunch of images here, which are a bunch of base64 stuff. So I want to go ahead and extract this stuff. I'll put it in juniors and I'll create a new folder for it, clone attack. So extract them all there. Show the files.

Okay. So now we have a bunch of images of Dipper, who I guess is the character in Gravity Falls. The CTF is based off of that. So let's get back to it. Let's check out the Clone Attack challenge, and there is all of our stuff. So these are all JPEG files. They all are actual JPEG files; they're all clones though, so, like, you can see the file name changing, but they're literally just duplicates of themselves. However, yet all of them are the same. Like, if you select one of them and try to diff it with some other things. What I did was, I actually, I think I did like ls, I did like while read line. I guess I could, yeah, all the JPEGs are fine. while read line, diff this, like, a random one with another one. I shouldn't put a do here. It does tell me that every single one of them differs in some way. So okay, what is the real? What is the actual original image? Whatever.

Some other thing I was interested in was the base64 stuff. So what I did was I again read through everything. I would base64... Okay, so I'd echo the line. So I get the file name for everything and I do some bash string substitution. So I removed the JPEG extension with nothing, and then I displayed that and I piped it into the base64 decode, but it is garbage. There's nothing really there. So that didn't help me.

Next, because I'm curious what all these things are, I actually ran through with exiftool on one of them and I get this information. Here's a file name, JPEG image, obviously. I didn't know what this Current IPTC Digest is. It looked like a hash, so I googled that for a little bit, and the comment here was interesting. It said "the flag is the MD5 sum of this file". It's true. I thought, okay, immediately, sweet, I got the flag, and then I just take the MD5 sum of, like, that file and I submitted that and, you know, whatever the case, that didn't work. That is incorrect.

So what I do is, I actually try to run exiftool on all of the JPEG images, and you'll notice that it has the exact same comment for every single file. So, interesting. Whatever. exiftool on... the old one though, I'm sorry. Another thing that I should have noticed, or was looking at, is this Object Name, because this Object Name is another thing that changes with everything. 230 currently, but this is Russian text, right? So I don't know what this actually is. What I did is I googled it initially. Google Translate, I think. I just... whatever, just get me to a translator. "No photocopies", I don't know what that means. I know it should be Russian. Yeah, "photocopy room" or whatever.

Regardless, I thought, I was very curious, because that also changed with everything. I tried to see if exiftool wasn't giving me all the information that I needed. So I actually ran, like, identify -verbose on all these files, and that would fluctuate really quick. This must be, like, seizure-inducing, but I notice again the comment changes and the "photocopy room" changes with every single file. It still says though, and I'm still caught up on the fact that the signature is the same. I thought that was interesting for every single file. I'm still caught up on the fact that exiftool says the file name is the MD... the flag is the MD5 of this file.

So what I did for one thing is I tried to see, oh, is the MD5 sum equivalent to this Current IPTC Digest, because I had googled that, and apparently in exiftool, if you do a little bit of research on it, it says, oh sure, it's just the MD5 digest of existing IPTC data. I, like, googled, like, okay, what is IPTC data, etc., etc. So I thought, MD5, it must be MD5. So I compared, I literally took the MD5 sum of every single one of these files and then compared it with this, their IPTC digest, to see maybe one of those matches up. Again, it was just like a gross, disgusting, like, bash while loop, but that wasn't right.

So what I ended up doing was grepping through more of them, and because I used identify I saw that this "photocopy room" changes. So because it changes, I was wondering, like, I wonder if any of these have an odd thing to them. So I looked through all the JPEGs again, all the images, and I grep for, in exiftool it's called Object Name. So Object Name, and I got, whoa, I don't know if you saw it breeze by, but one of them looked different than all the others. You can see it real quick. It just, like, flies by. I was too quick. I was too quick that time. Oh, you can see it, this guy right here. Again, Russian text. So I'm not Russian. I don't know what this says or what it does, so just to, like, display more easily, I can grep out all the other stuff and there's this guy. So I'm curious, what is this? Again, Russian text. So I go to my Google translator, translate to English. It says, oh, "the original Dipper". Okay, so I know it must be this one. I know this must be it.

So what I ended up doing, just to, like, track it down, I again took all this, like, the exiftool, and I put this in, like, an all log thing and I tried to, like, search for... I opened it up in Sublime and searched for that string, so I know, okay, it's this guy. It must be this file. It looks the same as all the other ones because it's just a duplicate, it's a clone. But when I take out exiftool on that guy, the original Dipper, and that is what I want to take, the actual interpretation: the flag is the MD5 sum of this file, the original Dipper. So I ended up taking the MD5 sum of that guy, and that is the flag. So you submit that, doing the MD5 sum of the original Dipper, and you get points.

So I struggled with this one for a while because, like, I don't know how to, how do I determine what all these are different, because they all look different, which is the original one? Like, I tried googling, is there a real picture, an already established JPEG image of this character in Gravity Falls that's the exact same size and everything, that they didn't tamper with? But eventually I saw this Object Name and how it was differing and how there's a unique one. So that, again, the Russian translation led me to find this is the original Dipper, take the MD5 sum of the file, and this is the flag. So crazy, crazy challenge, and again a lot of guessing, but whatever, that's okay. I still got a flag, so a flag is a flag.

Thanks for watching, guys. Hope you enjoyed this one. We'll check out some of the other challenges, Dirty Repo and some other ones, coming in a future video. So see y'all soon.
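
The outlier hunt narrated above, as an added shell example that is not part of the original video or the challenge: it groups files by their IPTC Object Name after masking digits, so a per-file counter does not hide the one value that differs in wording. The function name, file names and sample values are hypothetical, and the assumption that the clone names differ only by a number is inferred from the narration.

```shell
#!/usr/bin/env bash
# Added example: find the file whose IPTC Object Name is the odd one out.

# Reads tab-separated "FileName<TAB>ObjectName" rows on stdin, the layout
# printed by `exiftool -T -FileName -ObjectName ./*.jpg`.
# Digits in the Object Name are masked first (assumption: clones differ only
# by a counter), then names whose masked form occurs exactly once are printed.
unique_object_name() {
  awk -F'\t' '
    NF >= 2 {
      key = $2
      gsub(/[0-9]+/, "N", key)   # mask the per-file counter
      count[key]++
      file[key] = $1             # only meaningful when count stays at 1
    }
    END {
      for (k in count)
        if (count[k] == 1) print file[k]
    }
  ' | sort
}

# Constructed sample rows standing in for real exiftool output.
# The English placeholders replace the Russian strings shown in the video.
sample_rows() {
  printf 'a1.jpg\tphotocopy 229\n'
  printf 'b2.jpg\tphotocopy 230\n'
  printf 'c3.jpg\tthe original\n'
  printf 'd4.jpg\tphotocopy 231\n'
}

# On a real directory (assumes exiftool and md5sum are installed):
#   exiftool -T -FileName -ObjectName ./*.jpg | unique_object_name \
#     | while IFS= read -r f; do md5sum -- "$f"; done
```

The same grouping works for any metadata field that repeats across near-identical files; swap `-ObjectName` for the tag of interest.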