CTF After Dark - OSINT - Where is my Supersuit?


Where is my Supersuit?

task

Where is my supersuit? (Hints for submission: Enter as flag{street_address}, all lowercase. Separate words with underscores. Use standard street abbreviations (i.e. blvd, ln, dr).)

Author: Laura

Tags: osint

writeup

Let’s download the image file first:

wget https://acmcyber.com/static/files/2b88871584d66cff/secretsuit.png

--2022-11-19 01:35:06--  https://acmcyber.com/static/files/2b88871584d66cff/secretsuit.png
Resolving acmcyber.com (acmcyber.com)... 54.215.8.184
Connecting to acmcyber.com (acmcyber.com)|54.215.8.184|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 844279 (824K) [image/png]
Saving to: ‘secretsuit.png’

secretsuit.png           100%[==================================>] 824.49K   473KB/s    in 1.7s    

2022-11-19 01:35:08 (473 KB/s) - ‘secretsuit.png’ saved [844279/844279]

Here is the image:

[image: secretsuit.png]

First, I like to run some common checks using file and exiftool:

file secretsuit.png 

secretsuit.png: PNG image data, 1080 x 686, 8-bit/color RGB, non-interlaced

exiftool secretsuit.png 

ExifTool Version Number         : 12.44
File Name                       : secretsuit.png
Directory                       : .
File Size                       : 844 kB
File Modification Date/Time     : 2022:11:17 08:13:57+01:00
File Access Date/Time           : 2022:11:19 01:35:15+01:00
File Inode Change Date/Time     : 2022:11:19 01:35:08+01:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1080
Image Height                    : 686
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Warning                         : [minor] Trailer data after PNG IEND chunk
Image Size                      : 1080x686
Megapixels                      : 0.741

exiftool tells us that there is some data appended after the PNG end chunk (IEND):

Warning : [minor] Trailer data after PNG IEND chunk

When I am looking for any kind of PNG steganography, I first run zsteg against the file.

So let’s do that:

zsteg secretsuit.png 

[?] 135 bytes of extra data after image end (IEND), offset = 0xce170
extradata:0         .. file: Zip archive data, at least v2.0 to extract, compression method=store
    00000000: 50 4b 03 04 14 00 00 00  00 00 da 6b 6e 55 12 84  |PK.........knU..|
    00000010: 0b 9a 15 00 00 00 15 00  00 00 08 00 00 00 6e 75  |..............nu|
    00000020: 6d 73 2e 74 78 74 33 37  2e 38 33 32 30 31 35 2c  |ms.txt37.832015,|
    00000030: 2d 31 32 32 2e 32 38 33  36 36 31 50 4b 01 02 14  |-122.283661PK...|
    00000040: 00 14 00 00 00 00 00 da  6b 6e 55 12 84 0b 9a 15  |........knU.....|
    00000050: 00 00 00 15 00 00 00 08  00 00 00 00 00 00 00 01  |................|
    00000060: 00 20 00 00 00 00 00 00  00 6e 75 6d 73 2e 74 78  |. .......nums.tx|
    00000070: 74 50 4b 05 06 00 00 00  00 01 00 01 00 36 00 00  |tPK..........6..|
    00000080: 00 3b 00 00 00 00 00                              |.;.....         |
imagedata           .. text: "\t\n\n\n\t\t\n\n"
b1,g,msb,xy         .. file: 370 XA sysV pure executable
b1,rgb,lsb,xy       .. text: "74NSCp?0"
b2,b,msb,xy         .. text: "Va\u9,HVUU+"
b4,r,lsb,xy         .. text: "VVwvefgvww"
b4,g,lsb,xy         .. text: "uwgvUU4DC\"$DC32\""
b4,b,msb,xy         .. text: "5=3333333="
b4,rgb,lsb,xy       .. text: "sw7sdE5Qe"

zsteg also tells us that there are 135 bytes of extra data appended after the end of the image (IEND).

But we do not get any data from it yet.

In most cases we can use binwalk to carve out any piece of data from image files.

So let’s try that:

binwalk -e secretsuit.png         

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1080 x 686, 8-bit/color RGB, non-interlaced
41            0x29            Zlib compressed data, best compression
844144        0xCE170         Zip archive data, at least v2.0 to extract, compressed size: 21, uncompressed size: 21, name: nums.txt
844257        0xCE1E1         End of Zip archive, footer length: 22

cd _secretsuit.png.extracted

ls

29  29.zlib  CE170.zip  nums.txt

binwalk was able to extract a file called nums.txt.

That should be interesting!

Let’s see what’s in there:

cat nums.txt       
         
37.832015,-122.283661

That looks very much like a pair of coordinates.

We can use Google Maps to find the location of these coordinates!

https://goo.gl/maps/eSSNBLWgapxCP7Gc9

The address we found is: 1200 Park Ave, Emeryville, CA 94608, USA

Because the flag format for this challenge is flag{street_address}, this is the correct flag:

flag{1200_park_ave}