Skip to content

Intigriti 1337UP CTF 2024: In Plain Sight

TL;DR

  • JPEG contains an embedded encrypted ZIP archive.
  • Binwalk or foremost extracts the hidden ZIP payload.
  • ZIP password is recoverable via strings on the original image.
  • Extracted image hides the flag using a single-color overlay.

Challenge Description

Barely hidden tbh..

Solution

Players download an image of a cute cat (his name is Yang 💜).

original challenge image of a cat containing embedded data

Running a tool like foremost or binwalk will reveal an embedded file.

binwalk -e meow.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2144878       0x20BA6E        Zip archive data, encrypted at least v2.0 to extract, compressed size: 1938, uncompressed size: 3446, name: flag.png
2146976       0x20C2A0        End of Zip archive, footer length: 22

If we try to unzip the archive, we'll see it's encrypted.

unzip 20BA6E.zip
Archive:  20BA6E.zip
[20BA6E.zip] flag.png password:

Returning to the original JPG, check the strings.

strings -n 10 meow.jpg

)D8^FricdRr
Y'~>vfc]*.
YoullNeverGetThis719482
flag.pngUT

Try YoullNeverGetThis719482 as a password.

unzip 20BA6E.zip
Archive:  20BA6E.zip
[20BA6E.zip] flag.png password:
replace flag.png? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: flag.png

Opening the image, it appears to be pure white.

extracted flag image appearing completely white after unzip

However, if we open with MS paint (or alternative) and use the paint bucket (fill) tool, the flag will be revealed.

flag revealed after using a fill tool to expose hidden content

Flag: INTIGRITI{w4rmup_fl46z}