Intigriti 1337UP CTF 2024: No Comment
TL;DR
- JPEG contains an EXIF Comment field with an Imgur album ID.
- Imgur album comment is base64-encoded text.
- Decoded text links to a password-protected Pastebin.
- Pastebin password is hinted in the decoded message.
- Paste reveals hex data which is XOR-encrypted.
- XOR with the same password recovers the flag.
Video Walkthrough
Challenge Description
Or is there? 🤔
Solution
Players download this cool image 😎

We could check for embedded files or steganography, or perhaps do a reverse image lookup on Google or TinEye.
In fact, the title and description are the hint! If we check the image metadata (EXIF) with exiftool, we'll see a comment.
exiftool ripple.jpg
ExifTool Version Number : 12.57
File Name : ripple.jpg
Directory : .
File Size : 6.5 MB
File Modification Date/Time : 2024:09:21 15:51:46+01:00
File Access Date/Time : 2024:11:10 11:24:06+00:00
File Inode Change Date/Time : 2024:11:12 11:10:15+00:00
File Permissions : -rwxrw-rw-
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Comment : /a/pq6TgwS
Image Width : 4032
Image Height : 3024
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 4032x3024
Megapixels : 12.2
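The Comment that exiftool reports for a JPEG is the payload of a COM (0xFFFE) segment in the file's marker stream, which sits before the entropy-coded image data. The following is an added example (not part of the original writeup) that walks the JPEG marker segments and pulls out every COM payload, then checks whether it looks like an Imgur album path. The JPEG bytes it parses are constructed in the script (a minimal SOI/APP0/COM/EOI file carrying the comment value from the challenge), not the real ripple.jpg.

```python
import re
import struct

# JPEG marker byte values (second byte after 0xFF)
MARKER_APP0 = 0xE0
MARKER_COM = 0xFE
MARKER_SOS = 0xDA
MARKER_EOI = 0xD9


def jpeg_comments(data: bytes) -> list:
    """Return the text of every COM segment that precedes the scan data.

    Walks the marker stream: each non-standalone segment is
    0xFF <marker> <2-byte big-endian length including itself> <payload>.
    Stops at SOS (entropy-coded data follows, no more fixed segments)
    or EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes are allowed between markers
            pos += 1
            continue
        if marker == MARKER_EOI:
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if marker == MARKER_COM:
            # COM text has no declared encoding; latin-1 never fails
            comments.append(payload.decode("latin-1"))
        if marker == MARKER_SOS:
            break
        pos += 2 + length
    return comments


def imgur_album_id(comment: str):
    """Return the album ID if the comment has the imgur.com/a/{id} shape."""
    m = re.fullmatch(r"/a/([A-Za-z0-9]+)", comment.strip())
    return m.group(1) if m else None


def build_sample_jpeg(comment: str) -> bytes:
    """Constructed minimal JPEG: SOI, a JFIF APP0 segment, a COM segment, EOI.
    There is no image data; it only exercises the marker parser."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = comment.encode("latin-1")
    return (b"\xff\xd8"
            + bytes([0xFF, MARKER_APP0]) + struct.pack(">H", len(app0) + 2) + app0
            + bytes([0xFF, MARKER_COM]) + struct.pack(">H", len(com) + 2) + com
            + bytes([0xFF, MARKER_EOI]))


if __name__ == "__main__":
    sample = build_sample_jpeg("/a/pq6TgwS")   # comment value from the challenge
    for c in jpeg_comments(sample):
        print("COM:", c, "-> imgur album:", imgur_album_id(c))
```

Run it on a real file by replacing the constructed sample with `open("ripple.jpg", "rb").read()`; anything the parser raises points at a malformed or truncated marker segment, which is itself worth a look when triaging an image.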
Recognise the comment format? It's from Imgur, where URLs are formatted like imgur.com/a/{alphanumeric} (albums) and imgur.com/g/{alphanumeric} (galleries).
Let's visit the imgur link and see the same image, along with a comment.
V2hhdCBhICJsb25nX3N0cmFuZ2VfdHJpcCIgaXQncyBiZWVuIQoKaHR0cHM6Ly9wYXN0ZWJpbi5jb20vRmRjTFRxWWc=
What a "long_strange_trip" it's been!
https://pastebin.com/FdcLTqYg
Visit the Pastebin link and find a password-protected note. Enter long_strange_trip to uncover a hex string.
Converting from hex doesn't give readable text, so we check the user's public pastes and find this one:
I've been learning all about cryptography recently, it's cool you can just XOR data with a password and nobody can recover it!!
I think I've learnt enough about that now, hopefully I'll learn something new in next week's topic: https://specopssoft.com/blog/password-reuse-hidden-danger
Quite a hint, but at the last minute I worried this part was too guessy. We XOR the data with the same password and get the flag 🙂
Flag: INTIGRITI{instagram.com/reel/C7xYShjMcV0}
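The last three steps (decode the Imgur comment, pull the password and link out of it, XOR the hex blob with the reused password) are scripted below as an added example; this is not code from the original writeup. The base64 comment and the password are taken from the page. The hex ciphertext is constructed inside the script by XORing the final flag with the password, since the real paste contents are not reproduced here; it stands in for the blob the paste revealed. The candidate list handed to the key-trial function is likewise made up for illustration.

```python
import base64
import re

# Imgur comment exactly as posted under the album (from the writeup)
IMGUR_COMMENT_B64 = (
    "V2hhdCBhICJsb25nX3N0cmFuZ2VfdHJpcCIgaXQncyBiZWVuIQoKaHR0cHM6Ly9wYXN0ZWJpbi5jb20vRmRjTFRxWWc="
)
FLAG_RE = re.compile(r"INTIGRITI\{[^}]+\}")


def decode_comment(b64: str) -> str:
    """Step 1: the album comment is plain base64 of UTF-8 text."""
    return base64.b64decode(b64).decode("utf-8")


def find_quoted_password(text: str):
    """Step 2: the password is the token the message puts in double quotes."""
    m = re.search(r'"([^"]+)"', text)
    return m.group(1) if m else None


def find_urls(text: str) -> list:
    return re.findall(r"https?://\S+", text)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_printable(b: bytes) -> bool:
    return all(32 <= c < 127 or c in b"\r\n\t" for c in b)


def try_keys(hex_blob: bytes, candidates: list):
    """Step 3: XOR the hex-decoded blob with each candidate password and
    return (key, plaintext) for the first one that yields a flag."""
    raw = bytes.fromhex(hex_blob.decode() if isinstance(hex_blob, bytes) else hex_blob)
    for key in candidates:
        pt = xor_bytes(raw, key.encode()).decode("utf-8", errors="replace")
        if is_printable(pt.encode("utf-8", errors="replace")) and FLAG_RE.search(pt):
            return key, FLAG_RE.search(pt).group(0)
    return None


# Constructed ciphertext: the writeup's flag XORed with the reused password.
# This is NOT the actual paste; it only has the same shape (hex of XORed text).
FLAG = b"INTIGRITI{instagram.com/reel/C7xYShjMcV0}"
SAMPLE_HEX = xor_bytes(FLAG, b"long_strange_trip").hex()


if __name__ == "__main__":
    msg = decode_comment(IMGUR_COMMENT_B64)
    pw = find_quoted_password(msg)
    print("decoded comment:", msg.splitlines()[0])
    print("pastebin link:", find_urls(msg)[0], "| password:", pw)
    # hex alone is not the answer: the bytes are not clean text
    print("raw hex printable?", is_printable(bytes.fromhex(SAMPLE_HEX)))
    # hypothetical wrong guesses first, then the reused Pastebin password
    print(try_keys(SAMPLE_HEX, ["hunter2", "ripple", pw]))
```

The point the paste is making, reuse of the Pastebin password as the XOR key, is what `try_keys` leans on: it does not brute-force anything, it just tries the credential you already hold, which is exactly the check a defender runs when auditing whether one leaked secret unlocks a second asset.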
Fun fact: the insta reel is from a concert I saw in the Las Vegas sphere and I will never stop talking about it 😂
