Hey there, YouTube. This is a video write-up for the challenge called Rabbit Hole from the steganography category of ICTF 2018. Again, the website platform infrastructure is currently down, so I can't show you the original challenge prompt, but you would download this file called rabbit hole dot jpeg. So we can take a look at what this file is, and it's a picture of a couple onions.

Didn't particularly know what to do with this. I run through the kind of checklist that I do: strings, exiftool, zsteg (but it wouldn't work because it is a JPEG file), stegsolve, jsteg, jstego, etc. But nothing came from it. So I thought I'd go check out my own, like, personal checklist or some other things, just to get an idea for what I could do. This is CTF Katana, and I occasionally send this link out to some people just to, like, kind of brainstorm and get some ideas going. But I'd check out the steganography category, just try and rack my brain to remember things that we could probably use, or some tools that might be able to help us, and I remembered steghide.

And this is kind of a strange guess, and I really don't like it, and I'm not particularly happy with it, but it is just the fact here: if you end up using steghide, keeping in mind that the picture that we're looking at here is of a couple onions, you could try using steghide to extract some steganography information from this image. You could try the passphrase as "onions", but that wouldn't work. If you try it with "onion", you do actually get a hit and some results here.

So we have this new file, address dot text. Kind of bummed it's not just the immediate flag, but we can check this out, and it looks like a random set of strings. I didn't... it was a string with a random set of letters, numbers. And again, I didn't know what to do with this. Like, okay, great. Is this a Caesar cipher? No. Is this some sort of Vigenère cipher?
No. Just didn't know what to do, even if it's steganography. So someone on the team had a great idea, referring to that this, like, associates with an onion: that this could very well be an address from the onion, and that it's a location on the Tor Browser. So if you haven't heard of Tor or whatever, you can Google Tor Browser and learn a little bit about it, but it's essentially just another network of, like, network devices and computers to essentially have a segment of the internet that... I'm doing a horrible job explaining this, but it's a pretty neat thing. Whatever; for the purpose of our CTF, you can download it and install it and work with it.

I have it downloaded for Linux, so I'm gonna go ahead and copy that over here, just in Downloads, Tor Browser. I think it's... what options do I have here? And that's it, the English version. Just put it here, and let's make this recursive so I get the entire directory. Good. I'll nautilus that Tor Browser and try and fire it up, because I do already have this installed. So if I just open that, I should be able to get Tor Browser.

So once we go ahead and connect to it, we have the address just on our clipboard, and then every address that we're trying to go to in Tor is .onion. So this will take a long time to load, and we do actually get a result though, and you can see that the title has actually kind of returned to us: it is a "Rabbit Hole". And that was enough to say, okay, maybe this isn't a complete red herring; maybe this is something that is actually what we wanted to find within the CTF challenge. Again, this is gonna take a long time to load, so I'm gonna pause the video until it finally returns to us.

Okay, the web page finally returned to us.
You can see the time change and the timestamp up top here. So we have this ginormous page, literally take a look at the scroll bar, it's humongous, of a lot of Chinese characters and other, whatever those characters are, we just don't know. I could scroll through this and maybe it'll be able to render some of it. At the beginning, in the top of the page, there is a GIF. The very top you saw error being displayed; down to the very bottom, it shows this eyes GIF. And you could view the source if you wanted to, or select all of these and copy them, and that's kind of what I did: I went ahead and copied all of this just so I could actually be able to work with it. So copy these characters; I put them in Sublime Text, and when I pasted it, it again takes a pretty long time, because it's trying to just work with all of these. And we'll put it here, just in the folder that we are working with. I'll call it, like, all text dot text or something, and then if we wanted to, we could particularly work with this.

My team and I spent way too long trying to just decipher what this could be. We downloaded these GIFs; we tried to compare them with the well-known ones that are actually found on the internet if you were to just research them. We tried to see if there was ICTF hidden in this at all, in any kind of way. We just were to translate some of these Chinese characters, and it looked like, even from the weird things that we were thinking (void update, shout out to you, man), it thought it was like a dictionary just translated into Chinese over and over again, because we would see words like fish or jump or apple or strange things.

But when we were lurking in the IRC channel or the Discord server for support for ICTF, we ended up trying to listen for hints and trying to track some things down, and the admin had said (and props to Yiggles moto for noticing this and catching on to it) the admin had said it's about Unicode encoding from, like, binary bits. And he went to Google, like, a lot, just trying to figure
out what he, what he could find, and eventually we... I think it was, like, "Unicode encode", and honestly I was the one that, I wanted to put in "GitHub" or something to get a little bit more results, because maybe there's some kind of implementation or something else that's doing this, that this is just a well-known thing or some understanding. And Yiggles is the one that had tracked down this base65536, "Unicode's answer to Base64". And again, just exploring these, we went through and read through this GitHub article, the GitHub README and page and all, and it explained that when you're working with this code, your output, when you have encoded base65536, is essentially like Chinese characters in random spaces. So we thought, oh, okay, this has to be it. This must be it. And that was awesome.

So we took a look at the installation, figured... we tried to understand how to actually use it. It's just npm install base blah blah blah, because it's a Node.js application. So, sweet. Let's take a look; let's see what we can do. npm install base65536, and we got it. Cool. So now let's set up, like, a get something... we have no idea what we're gonna... that'll be JS, so let's JavaScript.

So they gave us some code here that we can take a look at and try and understand. We're gonna end up using the module, so require, just like this. We would essentially create a Uint32 or Uint8Array of the data that we're working with, but we'll have to be able to read it from the file system, because we saved it in all text dot text. Oh boy, I clicked that tab. Oh, but it didn't have a Sublime Text break. So that is fs in JavaScript and Node.js, so fs for file system, and we can read it with X or something or whatever. Data can equal fs.readFileSync, and I think we just give it the file name here, so all text dot text. And let me make sure this will actually work for us. Let's nodejs get something JS. Okay, cool. So now let's go ahead and try and convert that into this Uint8Array.
Let's say bytes can equal data, or new Uint8Array, yep, and I forgot a T here. And if we wanted to, we could just make sure this is what we think it is. Let's go ahead and run console.log on bytes here. And we've got some of these numbers, so that should hopefully work okay for us. Now let's go ahead and decode it. Let's do decoded equals this base number here, dot decode, and the bytes. Now can we console.log the decoded form? Oh, looks like we got it wrong here. Hmm. Oh, it may help if we put this to UTF-8, so we know it is Unicode that we're reading in. Okay, and then let's try this one more time. Uint8Array. Oh, that requires new. Okay, so that's a new object, and now nothing. Weirdness. Let's try to decode the specific data that we're doing, rather than creating the Uint8Array before it. Let's just do that all in one piece, so we're not duplicating that Uint8Array here. console.log decoded. Okay, we're getting stuff. Perfect.

So now let's go ahead and make that a new file. Let's do fs.readFileSync, but instead of read we will write, and we'll call it decoded, or like new data, whatever this may be. And then, no errors. Cool. We can check out... we do have the file new data. Let's see what that is, and it's a zip archive. So let's go ahead and move that to have the zip extension, let's unzip it, and we've got stuff here. Let's take a look. We've got smash words, whatever these things are. So at this point I went ahead and just kind of ran for strings. Can I track down ICTF? Can I find the flag format? I don't know one.
I didn't want to use... are there strings ICTF? Or strings on everything, and then let's grep for ICTF. I don't know where my brain was going in that one. And we get the flag. Awesome. So we can cut this up with spaces: one, two, three. Let's rev this and then cut with the delimiter of spaces, get the third field, and then rev it back, so we get just the flag. And that will be our get flag script in just a second. Let's grab that directory so we can just pretty do it pretty simple in one get flag dot sh. Then bash. Let's do strings everything in that directory. Mark that as executable, and we get our flag. Redirect that to flag dot text, and we can mark that challenge as complete.

Really weird challenge, and a lot of struggling. Took us way too long, because we just couldn't piece together... okay, for one thing, that's the iconography leap of onion being the password, then the leap of faith to "this is a Tor Browser web address", and then tracking down that base65536 thing. That's just stuff I'd never seen before, so a lot of research, a lot of learning, and a lot of banging our head against the wall, but finally got it. So hope you guys enjoyed this.

Quick shout out to the people that support me on Patreon. Thank you guys so much, I can't say it enough. One dollar a month on Patreon will give you a special shout out, just like this, at the end of every video. Five dollars a month will give you early access to everything before they're released on YouTube, so it's put in a little Google share drive, and pretty neat and nice for you. You don't have to wait until YouTube schedules and releases all these videos; you just have them all at once, once I'm done recording them.

So if you did like this video, please do like, comment, subscribe. If you're willing to hang out with me and some other cool people, other CTF players, programmers and hackers, join our Discord server, link in the description. It is an awesome community, and we'll probably tag team for, like, picoCTF 2018 that'll come out very soon, CSAW, CSAW RED, a lot of the really cool upcoming games. So if you want to hang out, that's the place to do it. Thank you guys so much. Hope to see you on Patreon. Hope to see you in the next video. Have a great time.