Hello everyone, my name is John Hammond and welcome back to the YouTube video. We're looking more at the DownUnderCTF, that CTF that was on over the weekend, and I want to showcase the forensics category a little bit here, just a few small challenges. This one starts off with "On the Spectrum" for a hundred points. It says: my friend has been sending me lots of wave or WAV files. I think he's trying to communicate with me. What is the message he sent? So we have a file to download here. I'll go ahead and copy that link location and I will open up my terminal and I will hop over to my CTF directory, DUCTF, and this is in the forensics category. Let me make a directory for YouTube, "on the spectrum", hop over to that and let's wget that file down. I'm gonna save it with -O as, what is it called? message1.wav, as I don't want that whole token in the name there. So it'll pull that down and now I have message1.wav, so I can mplayer this. I'm gonna turn my sound down, so hopefully, I don't know what this is and it's not gonna... oh god, I still blared your eardrums, or at least mine. I sure hope you didn't have to deal with that, I'm sorry, turn that off. So a lot of noise, a lot of static, a lot of scrambling, a lot of nothing good to listen to. When I see that in a capture the flag challenge, it makes me wonder, okay, what does the spectrogram look like, or kind of the audio display in an image
rendition look like, and I'm assuming when they're mentioning the title here, "on the spectrum", that might be what they're referring to. Is it the spectrogram or spectrograph? There we go: a spectrogram is a visual representation of the spectrum of frequencies of a signal as it varies with time. When applied to an audio signal, spectrograms are sometimes called sonographs, voiceprints or voicegrams. So I'm running Ubuntu Linux right now and I normally view the spectrogram with Sonic Visualiser. If you don't have that downloaded you can just go check out their web page, Sonic Visualiser. I'll hop over to the downloads and I'll grab a Linux Ubuntu... it looks like, okay, there's a primary link there and it gives me a .deb file, great. I'll download it and then I'll move that from my Downloads, Sonic Visualiser, into this current directory, and it finished downloading, great. So I will sudo dpkg -i that Sonic Visualiser, and it will need my password because I'm running sudo. But that will go ahead and install that, or it'll try to. It totally failed. It relies on all of these things. Can I sudo apt install those? Let me, let me carve those out and just fire up Sublime Text. I want lib, all of these things, so, nope, I don't need that. I want lib, lib, lib, lib, lib, lib. Here I'm holding down the control key on my keyboard so I can select those and I'll replace all those newlines with a space and let me see if I can sudo apt install those. Will that work? Yes, okay. Oh, and then it also sets up Sonic Visualiser for me, nice. So all that I did there is I just took that original message, copied it and hit control, or held down control, so I could click on each of those and then I would like copy them and extract them into a new page and I would control-H to find and replace and I removed all the newline characters, or a backslash n, with the space so I could get them all on one line and quickly sudo apt install them and install those as necessary. So can I run Sonic Visualiser now?
Maybe, yes, okay. No, I've decided you can't send my personal data. So let's go ahead and open a file and this is in CTF, DUCTF, and it's forensics, on the spectrum, message1.wav. A lot of stuff. If I go into the View, or Pane, there we go, Pane, it's Add Spectrogram, that's that option there in G, so I could kind of move that up and kind of zoom in a little bit on it. You can see just barely down at the bottom, and I'll kind of try and zoom in here and drag this along: DUCTF. Oh man, that's really hard to make out, that's really hard to see. Can I zoom in on that a smidge more? Please, okay, yeah. Can I change the color on this? Let's do Sunset. Oh, that's bright. That's a, that's a red, man. Magma? I can see the DUCTF right there. The window, that doesn't specify kind of the color that I want. Can I... oh, I can adjust threshold a little bit, log, oh, it's even harder to read. Bins, peak bins, frequency, that doesn't help. Blue on black. Sorry, I don't mean to be frantically changing the colors there, but I wanted to make this a little bit easier for people to make out. I can actually see it, I can, I can read this. I see a DUCTF, a curly brace, M4Y... mate, is that a what? Okay, now I can't see it all that well. Magma, "ma be", is it a B? I think that's supposed to say "maybe", "not so hidden" in leetspeak, but this, I don't know if that's spelt wrong. M4B, Y, E, "mad be". Let me try and bring this up to the top. Can I not do that? Okay, nano flag, flag.txt, DUCTF, "may", I guess I'll just keep the weird misspelling because it looks like a Y. It "may be not so hidden" with a zero, and then "so" zero and then h1dd3n. Good, I'm gonna keep the typo in there and see if that submits. I guess I've already solved this challenge, so it probably won't tell me. Or you can switch the Y and the B there, and then that is the flag. I feel like that's a strange typo, but regardless, let's wrap up that challenge and go do the next one.
So this is called Spot the Difference. It says an employee's files have been captured by the first responders. The suspect has been accused of using images to leak confidential information. Steghide has been authorized to decrypt any images for evidence. And then we have a file to download on Google. Okay, I'll save this and then let's make a directory for YouTube. What was that called? Spot the difference, yeah, spot the difference. And let's hop over there. Let's move our Downloads, public.zip or publish, yeah, publish.zip, into this directory and I can go ahead and unzip that. There we go. Looks like we had a lot of stuff in there. "Bad files" I see in this directory here, with a lot of JPEG image files. I can check that out. Oh, and there's a .config, secret. Secret is funky. A lot of text files, okay, a lot of text files, interesting. Whatever, let's, let's hop in there and see what we got. Publish is the directory, and bad files, Desktop, Downloads, Images, Messages, etc. Let's go into bad files and see what those were. A lot of JPEGs, so I'm eog, or Eye of GNOME, all those, and I have this incredible picture of random colors and seemingly looks like static. They're all like this. Do I need to spot the difference, like the differences in each of these? Is that a thing? Let's move back and see what else we got in there. What's in the Desktop? Cybersecurity URLs, URL files, so these like links, yeah, yeah, yeah. Oh, internet shortcuts to Facebook, DownUnder and UT Cyber, okay, cool. Neat, I don't care about that too much. What's in Downloads? DownUnderCTF FAQ. Um, is that just the same thing from the webpage? Yeah, it is. Okay, so nothing extremely interesting in that. Images: what do we got in here? eog all these things. Thanks, thank you, thanks, thanks CTF, that was great. download.jfif, I like that one. Normie memes and the spider, it's gone, and that was good. Okay, thanks, thanks internet, we survived another day. Let's go into Messages. What is this, annotation?
We've recently been receiving a lot of questions about the difficulty of our CTF, especially if it's beginner friendly. Want to clarify: the CTF was designed for everyone, from challenges in the first time CTF players. The challenges that we've had to rate as insane, suppose your heads. Didn't you, don't know anything about cyber security, never played a CTF before, we recommend you play. It won't be a walk in the park, but you learn to try harder. Nice, good, good, good, good. That's in Music. Uh, another JFIF file, let me eog all those. Cool, cool, cool, cool, okay. Uh, Videos: tenor.jfif. Uh, nice, perfect, that's exactly what we wanted, guys, man. We asked, you delivered. That's a story of the century. We had a .config directory, so it's hidden, right, because it has that dot prefix. So let me hop into that .config directory and we have a reminder.png. What is that reminder.png? Fiddle, error reading PNG, not a PNG image. What is it, reminder? So I'm gonna run file on that. It's a zip archive, apparently, okay. Can I try and, uh, I guess I need like, I'll make a copy because it has to have the right suffix, so I can do like other.zip and let me unzip that other.zip, and that failed. Okay, is it genuinely a zip file? Let me hex edit that. I'll hexedit other.zip. It has a PK structure. Oh, it also has IHDRs and IDATs, so those are like markers or file structure stuff for PNG images. There's an IEND, so it looks like a PNG or a Portable Network Graphic. Can I extract that out if I do a little foremost
on, I guess, reminder.png? We got an output directory now because that's where foremost will automatically put stuff, but nothing other than audit.txt, so it didn't find anything else. Lame. Do we need to be like harder on it? I'll use like a forced binwalk. So binwalk has a neat trick, if you guys don't know, uh, if you use -M and then --dd='.*', with two hyphens there, you'll get binwalk to be a little bit more of a jerk and like force carve everything whenever it can find any structure of a file. But it still didn't find anything. Oh, sorry, lame, I meant to say ls. So it didn't extract any output with binwalk. That didn't work for me. Um, if I look at the hex edit though, maybe this PK is just wrong, maybe this is actually supposed to be a PNG file. Uh, maybe it's just like damaged, like the file header is wrong. So let's try and change the hex of this to not reflect a zip archive but rather a PNG image. So you could go ahead and research like, okay, PNG file header or like the magic numbers, etc., and you can get the PNG specification here. The first eight bytes of a PNG file image always contain the following decimal values: one three... uh, I don't want decimal, I just want hex. Can Wikipedia tell me? Yeah, yeah, okay, there we go, there's a magic number over here, 89 50 4E etc. So let's modify that. That should be 89 50 4E 47 0D 0A 1A 0A. Uh, oh sorry, 0A, okay. So I'll hit control-O to save it and control-X in hexedit. So if I file reminder.png now... oh, did I break it? eog, can I open that file now? No. Then did I mistype? 89 50 4E, not 43 for 47, 0D 0A, all right, gotcha. Now I see the problem, I had mistyped. Now if I run file it is a PNG image. Okay, great. So, let's... I should have known that guy. And it says: how am I meant to recall an encrypted password? I know it had 1cmvq in the middle. What? Am I supposed to like brute force
some password with that in the center, 1cmvq? What else is in here? Oh, this, this has the secret directory. So if I go into secret, oh no, it's a bunch of like nested file folders in here, and if I run find just to get all this output in here. I just ran the find command to tell me all the files in the current directory and onward. Just a bunch of text files, oh gosh. Okay, um, so if I, I'll run find, I'll pipe it to xargs cat just so I can cat all those files out, and are each of those literally just a base64 string? Is it just random base64 strings? What if I had a... I'll get the output of find one more time and I'll try and cat out one of those files, and it's just a base64 string. That's all this. Okay. Oh, oh, oh, oh, and that reminder thing was telling us that it just had 1cmvq in the middle of it. So if I were to run find and then do that xargs, and then I were, sorry, xargs cat to display all the contents of each of these, and if I were to grep for that 1cmvq... oh, it gets a lot of errors because some of those are directories, but this actually returns, it actually had a hit. And if this is just base64, I'm going to go ahead and echo this into base64 -d. It says "1234 is a secure password". Okay, so now we have a password, and I'm just going to follow some context clues here, because it says steghide has been authorized to decrypt any images for evidence. So we have a potential password and we know we had a lot of images in that bad files directory, so let's try and extract out maybe a potential string out of all of these files with that password. So I'm going to, let me, let me echo my PS1 to actually equal a sane prompt so you don't have to keep watching the video from the corner. Oh, sorry, and export that. So now I have a prompt over on the far left side. You don't have to not be able to see what I'm typing.
Sorry. Let's ls everything and let's ls and do a while read line so I can capture inside of a while loop the current line, or the file name that I'm working with. So if I do inside of that loop, and I'll just run like something, something, echo, just to proof of concept, so I know that the value of this bash variable line is going to equal that, that, that file name. done to denote the end of my loop. So there we go, now I can just control that out on standard output and I have access to the file name as a variable. So what I'm going to do is I'm going to run steghide. So steghide actually takes some arguments, right? If you were to try and run steghide, it'll tell you, look dude, if you want to extract something you got to use the syntax steghide extract -sf to denote the, like, stego file and then the JPEG file or the image that you want to extract from. You can also specify a password, or that -p passphrase there, to know what we're working with as our password rather than typing it in interactively. So let's use steghide extract -sf on line being the file name, and let's use -p and paste in that "1234 is a secure password". So inside of our while loop, we're just doing steghide to extract that image file, that file name there, with our password, and we still have that semicolon done to denote the structure of our while loop. So if I turn the crank on this, you might have seen that fly by, a lot of these failed. We said, oh, sorry.
We can't extract any data with that passphrase. However, one of these files did exactly, it did actually extract something. We have secret message.txt. So let's go ahead and cat that out, and there's our flag. Super cool. That one was kind of fun, a little bit of recovery, a little bit of, I don't know, navigating and looking through that file system that we had worked through and pulled out, but finding that passphrase, that password. What you could have done, and a road that I kind of went down, is once I had that .config, secrets, and I saw all of these text files in there, one thing that I did, and I actually, is it just maybe if you guys want to play with it, you could use StegCracker. StegCracker is a tool that will automate steghide by letting you use a dictionary file, or like a word list or a list of passwords, all in a text file. You can gem install StegCracker and you can work with it, but it's just going to try any passwords that you specify in a word list on a file and try and crack it with steghide, that same utility we used earlier. So what I had done is I had actually taken all of those base64 strings that we saw previously in those text files and just made a word list out of that and tried those. I didn't think to go ahead and like base64 decode some of those, because when I tried to look at some of those they would just give me nonsense and garbage and that wasn't exactly helpful. What I should have done, and what I realized you could have done, is when we ran find, when we had all of the output, xargs piped to cat, so we had all these base64 strings in here, uh, if you still base64 -d each and every one of those, you're going to get a lot of nonsense, you're going to get all the base64 output. So if you were to pipe that into strings, sure, you'd get a couple weird oddballs, but you would find that "1234 is a secure password". There's going to be a lot of output in this, so what you can do is you can pass an argument to strings, -n, to specify like the
the minimum length string that you actually care about. So let's say like anything greater than 10 characters is probably worth caring about; anything less than that I don't want to see it, don't bother showing it to me. There we go: "1234 is a secure password", and everything else just is errors. Uh, if you don't want those you can just take that xargs cat and redirect that error to /dev/null. And you could tweak and modify that -n argument and slowly find what you're looking for. But uh, if, if you wanted to kind of narrow that or filter all that output, you'd find that password. You wouldn't even have to have recovered that PNG file. So that's a thing to note and, uh, you could, you could crank on that, but great, that's that. Kind of neat, kind of fun. Uh, it was, it was enjoyable to use steghide and kind of that loop and, and crank through a bunch of stuff. Originally when I saw some of those bad file images, it looked like something that was like a one-time pad image and I was like, oh man, do I have to spot the differences in all those different images, or like blend and blow them together to find out what the pixels might spell out, and it was lots of fun thoughts. But uh, I liked uncovering the secrets and, and kind of navigating through all this, all these files here in this little data dump. So thank you so much for watching everybody. I think that's the end of this video. Very, very cool to showcase those challenges, but if you did like this video, please do press that like button, maybe leave a comment, subscribe, do the whole YouTube algorithm things if you guys like capture the flag, if you like CTFs. Uh, quick announcement: I'm hosting a capture the flag game myself, BSides Boston, bsidesbos.ctf.games. You can go online, register now. That game is this coming Saturday, September 26th. It'll run for eight hours, so it'll be a little bit of a short game, but hopefully fun, a lot of good challenges. So thanks so much for watching everybody, I hope you enjoyed this video.
I love you. I'll see you in the next one. Bye bye.
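The reminder.png repair from the walkthrough, done programmatically as an added example (not code from the video): before overwriting the first eight bytes with the PNG signature, the script checks that a well-formed IHDR chunk with a correct CRC sits at byte 8, so a real zip archive is left untouched and a mistyped byte (the 43 versus 47 slip in the video) cannot happen. The sample image is constructed inline.

```python
"""Repair a PNG whose 8-byte signature was overwritten (e.g. with a ZIP 'PK' header).

Added example, not the video's own code. The sample image below is constructed inline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A
ZIP_SIGNATURE = b"PK\x03\x04"          # what `file` saw on reminder.png


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as the known-good input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, type...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def has_valid_ihdr(data: bytes) -> bool:
    """True if bytes 8.. hold a well-formed IHDR chunk whose CRC matches.

    The signature itself is ignored on purpose: this is the check that tells us
    the body really is PNG even when the first 8 bytes claim to be a zip."""
    if len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    body = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    return (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc


def repair_signature(data: bytes):
    """Return (bytes, note). Only patches the header when IHDR checks out."""
    if data.startswith(PNG_SIGNATURE):
        return data, "signature already correct"
    if not has_valid_ihdr(data):
        return data, "no valid IHDR after byte 8; not a damaged PNG"
    return PNG_SIGNATURE + data[8:], "signature restored"


if __name__ == "__main__":
    good = build_sample_png()
    damaged = ZIP_SIGNATURE + b"\x00" * 4 + good[8:]   # mimic the corrupted reminder.png
    fixed, note = repair_signature(damaged)
    print(note, fixed == good)
```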