Hello everyone and welcome to a video write-up for the challenge, I Love Bees, which was a miscellaneous category challenge for ICTF 2018. And a lot of people were confused by it, so I want to showcase it in a little bit of a video here. Here's the webpage, it's still up, static.ic.tf forward slash I love flowers. And you're greeted with this thing. Looks like it has some kind of page with some black box taking it over. Don't know entirely what that is, at least at first sight. You can try some of these links here, but nothing other than the home or index page actually works. So you get this weird XML thing, which if you want to go down that route is a rabbit hole, not really anything to do with the challenge. Just an unfortunate strange error message, so don't get tripped up too much on that.
You can obviously go for low-hanging fruit, check out robots.txt, throw it at Nikto, stuff like that. Look at the webpage source, a lot of HTML and kind of just information strangely in capital letters for most of a lot of this. And there's not a whole lot here that does anything dynamic. There's nothing particularly volatile that changes or anything that we can kind of work with. Other than a strange, seeming countdown to "wide awake and physical", which again, at the time of immediately seeing this, I didn't entirely know what to do with it. Very, very strange, very, very weird.
But if I scroll all the way down, I saw, okay, it's creating JavaScript, at least a little bit of JavaScript, in that I can see that as client-side code, maybe it's doing something interesting. Sets a variable India time to some date, and then there's a countdown to India file that does something. And again, if we wanted to, we could manipulate this variable, we could head over just to the page itself and say India time set it to a date, which if we wanted to, again, we could literally just steal this code and then set it to something, but this is a rabbit hole.
Like, this isn't going to get us anything. Set it to something new, like that has already passed and looks like it's not even going to update the page for me, whatever. That's stupid. And then we'd probably have to run the function that's doing that countdown anytime, but whatever. Again, rabbit hole, not real. If you wanted to, you could kind of Google some of these words here and you'll find it is the I Love Bees, Halo, like alternate reality game. You can see these text, these webpages look very, very similar to it and they're practically identical. But I just didn't get anything out of it. The code didn't mean anything.
So I thought fine, I'll look somewhere else. I'll look at the images, I'll look at the text, I'll look at the GIF, stuff like that. So I would go to each of them and I'd try and explore them. Eventually I thought like, well, if I want to check every rock, I may as well go ahead and like mirror the entire web page or download everything. So I did that and I ran wget -m for mirror, went ahead and pulled it all and it downloaded all the files. I checked it out. And once I got in there, I looked at everything and just checked the size of it just to kind of see, okay, how big are these things that I'm actually working with? Can I throw them in steg? So I'll look at them in strings, et cetera, et cetera.
And I found something really, really strange in that the favicon, the icon there is big, like bigger than the rest of the GIFs or any other images here. So I thought that was very, very strange. So I went ahead and like took a look at it. But it doesn't look like much other than colors scrolling across in an animated section. But I thought, is this Piet? Is this PyT? I don't know if that's the proper way to pronounce that. Another esoteric programming language that works with just colors and images. That didn't seem to be it. Thought that was strange. Thought that was weird. I didn't know what I was looking at here.
So I went ahead and ran strings on it for a little bit. And there's a lot there. So I threw it in less and then explored. Solid, typical GIF header. And as I scrolled through this, I saw interesting things that just kind of stuck out to me. Like GNU, libc.so.6, or some strings that are like a shared object thing. They looked like they were just things that you'd find in a binary, just kind of scrambled. Same thing. Okay. Like a little bit of printf stuff in here that just looks like they would be segments of a binary or regular executable file on Linux. So I stared at this for a little bit and then eventually had some crazy epiphany or some weird thought that slices of the binary may be being stored in that favicon, in the GIF.
So I thought, okay, let's go ahead and convert this thing. Let's get all the frames out of it. So I just did %02d.png. And then we've got all the frames, about, what is it, 100? Oh, I should have went for three, my bad. Let's remove all these PNG files and do that again. I'm doing that because there are over 100. So I want to keep the files properly sorted. So let's go to three here. And then, okay, now we'll get 109 all the way at the end, not upfront in when we're sorting. We're trying to display the files out in quote unquote alphabetical or numeric order.
So we can, if we wanted to, go ahead and run strings on these things now. Each individual string.png. If I wanted to, we could grep for things that we know, like might be the flag format. And there we go. Able to go ahead and just see, there are segments of there that weren't properly extracted or would get messed up in the different frames. Like, had I done that on the GIF, would I be able to find it? grep tack ictf? No. Odd, odd and strange, odd and weird.
If you actually run exiftool, and this is how I solved it originally, not even realizing that I could just find the flag from the strings in each individual or some, whichever one, whichever, whichever frame or PNG file had the flag in it. We could actually take a look at the metadata for all of these, any of these PNG files. And you can see it has binary data included in there. And you can use 0B to extract it, or -b, sorry. And then you get segments of it. You could just cut up, okay, get the date out of it, get the very, very end off of it. You could cut it up and you could put a binary back together. It's not all correct. So again, I would just end up running strings on whatever file comes out of it. So if we were to jump that step, we could just run strings on any of these frames or all of these frames and try to see if we find a flag in that. And we did. So pretty neat.
I thought that was strange. I just thought, okay, let's mirror everything. Let's grab all the resources that we can from the webpage. Look at them. And the favicon just kind of stuck out because it was larger than the others. Just kind of a big file size. Nothing, not what I would expect for a little icon that would just be displayed in your browser. So cool.
Quick shout out to the people that support me on Patreon. Thank you guys so much. Can't say it enough. $1 a month or more on Patreon will give you a special shout out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that I released on YouTube before it goes live. If you did like this video, please do like, comment, and subscribe. Please do join our Discord server. Link in the description. Really cool community full of CTF players, programmers, and hackers. So if you want to hang with me or other cool people, that's the place to do it. We're going to be playing CSAW CTF together. We're going to be playing picoCTF together. Just kind of a cool community.
If you want to team people hang out with Jam on CTF, cool cyber security stuff, that's the place to do it. Thanks guys. Love you. Hope to see you on Patreon. Hope to see you in the next video. Later.