This task is by Vlad Roskov (vos) and called Gemorroy (i. e. Hemorrhoid).
We are given a png image:
I've written simple Python script to get all IDAT blocks from png image and decompress them.
At the end of decoded data we've got the next part - a link: http://ctf.su/EggNog :)
The link is with a high frequency video with a sequence of QR-codes. So, we need to go deeper...
Using ffmpeg I've extracted all the frames from this video.
And then using zbar I've decoded all QR codes. After concatenation I've got the next data string:
"\x52\x61\x72\x21\x1a\x07\x01\x00\x20\xb6\xfa\x11\x0a\x01\x05\x06\x04\x05\x01\x01\x80\x80\x00\x4f\x0b\x4a\x57\x24\x02\x03\x0b\xb0\x00\x04\xa4\x00\x20\x0c\x11\xcf\x47\x80\x1d\x00\x08\x66\x6c\x61\x67\x2e\x74\x78\x74\x0a\x03\x02\xb8\x9e\x9d\x22\x65\x29\xd2\x01\xc7\xb0\x2d\x24\x04\x42\xf8\x40\x33\xa5\x5a\x13\xb4\x7c\x83\x40\x32\x34\x2e\x88\x28\xb0\x2f\x44\x83\x7f\xcf\xd4\xd6\x47\x97\x4d\x79\x7d\x51\xd1\x9b\xe5\x0b\x21\xf8\xf6\xc2\x96\xc3\xa7\x08\xb9\x1d\x77\x56\x51\x03\x05\x04\x00"
We are given a png image:
I've written simple Python script to get all IDAT blocks from png image and decompress them.
import struct import zlib with open('steg300_where_8c7f6f7.png', 'rb') as f: data = f.read() # get all IDAT blocks idats = [] while True: idat_pos = data.find('IDAT') if idat_pos < 0: break size = struct.unpack('>I', data[idat_pos - 4:idat_pos])[0] idats.append(data[idat_pos + 4:idat_pos + 4 + size]) data = data[idat_pos + 4:] # concat all blocks idats_str = ''.join(idats) # decompress IDAT blocks d = zlib.decompressobj() print(d.decompress(idats_str))
At the end of decoded data we've got the next part - a link: http://ctf.su/EggNog :)
The link is with a high frequency video with a sequence of QR-codes. So, we need to go deeper...
And then using zbar I've decoded all QR codes. After concatenation I've got the next data string:
"\x52\x61\x72\x21\x1a\x07\x01\x00\x20\xb6\xfa\x11\x0a\x01\x05\x06\x04\x05\x01\x01\x80\x80\x00\x4f\x0b\x4a\x57\x24\x02\x03\x0b\xb0\x00\x04\xa4\x00\x20\x0c\x11\xcf\x47\x80\x1d\x00\x08\x66\x6c\x61\x67\x2e\x74\x78\x74\x0a\x03\x02\xb8\x9e\x9d\x22\x65\x29\xd2\x01\xc7\xb0\x2d\x24\x04\x42\xf8\x40\x33\xa5\x5a\x13\xb4\x7c\x83\x40\x32\x34\x2e\x88\x28\xb0\x2f\x44\x83\x7f\xcf\xd4\xd6\x47\x97\x4d\x79\x7d\x51\xd1\x9b\xe5\x0b\x21\xf8\xf6\xc2\x96\xc3\xa7\x08\xb9\x1d\x77\x56\x51\x03\x05\x04\x00"
First four bytes are "Rar!", i.e. it is a RAR archive with flag.txt inside.
After extracting I got a flag:
Flag: 57364N0_w1th1n_57364N0_1m_d0ne
hi, could you help me from : using ffmpeg and extracted all the frames from this video. Thanks you
ReplyDeleteI've used the next command to get all frames:
Deleteffmpeg -i steg300_video_375bee2.mp4 -vsync vfr frame-%%05d.png
and I've noticed that each frame with QR code repeats 4 times.
Therefore I've decoded frames 1, 5, 9, and so on.