Medium Live

The Keymaker

50 points

108 Solves

Forensics

Medium

kcbowhunter ctflearn++ badge

Community Rating: 4.57 / 5

Jpeg comments can be very interesting.


  • Noxtal

    Really cool challenge! There should be a lot more like that!

  • emo94

    Any hint for what iv and K are?

    • kcbowhunter ctflearn++ badge

      You can DM me on Twitter for help, @kcbowhunter... otherwise, how far did you get reading the comment blocks? The comments explain how to decode iv and K from within the jpeg.

  • Caillou

    Protected

    [REDACTED] This comment is only shown to users who have solved this challenge.

    • kcbowhunter ctflearn++ badge

      https://wiki.openssl.org/index.php/Enc has information on using openssl enc with AES 256 CBC, I am also on twitter @kcbowhunter

      • Caillou

        Protected

        [REDACTED] This comment is only shown to users who have solved this challenge.

    • Caillou

      Where are you stuck? Did you understand the topic's "hint"?

      • Dylanwu

        I found CTFlearn{TheKeymakerIsK00l} at the comment of the picture if that's what the hint is about. But it is not the correct flag.

        • Caillou

          You should check the other jpeg comments.

    • kcbowhunter ctflearn++ badge

      how far did you get so far? Twitter @kcbowhunter

  • adhinvs

    Learned a lot.... Thanks for including this challenge @kcbowhunter.....

    For those who are trying to solve this, look at: https://www.ccoderun.ca/programming/2017-01-31_jpeg/ https://wiki.fileformat.com/image/jpeg/

  • Celebrity

    How to find the SOS marker and SOF0 length.... I'm stuck, help

    • kcbowhunter ctflearn++ badge

      Google 'jpeg file format' or 'jpeg file markers'

  • Celebrity

    It says "no such file or directory" when I tried the ssl connection... Am I going the wrong way?

      • Celebrity

        Protected

        [REDACTED] This comment is only shown to users who have solved this challenge.

        • kcbowhunter ctflearn++ badge

          Celebrity, you need to do some research on AES-256-CBC encryption. Research how long the iv and key are. Also you need to research the jpeg file format. The instructions indicate that the jpeg marker 0xff?? is not part of the iv or key. If you are getting the error that flag.enc can't be opened for reading, then you haven't found the encrypted flag yet. You have to extract flag.enc from the jpeg before you can decrypt it.

          • franix808

            How to extract flag.enc? I tried to use strings (command) and I found base64 code, there was an openssl command and this "CmmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY". I also tried to rename the file to "flag.enc", then I saw a "flag" file (it was empty, 0 bytes). What way should I go? Sorry for my bad English.

            • kcbowhunter ctflearn++ badge

              franix808 can you send me a DM on Twitter? @kcbowhunter

        • kcbowhunter ctflearn++ badge

          Celebrity, my challenges are designed to get more difficult as the number of Challenge points increase. You may want to solve some lower point challenges before this one, because the skills you learn on lower point challenges are used again for the higher point challenges.

          • Celebrity

            Thanks kcbowhunter for the help, I will work hard and solve it!!

  • SquidBoy

    Protected

    [REDACTED] This comment is only shown to users who have solved this challenge.

    • SquidBoy

      Protected

      [REDACTED] This comment is only shown to users who have solved this challenge.

  • pr0ctf

    Definitely not Medium level, much work needed.

  • ankitsumitg

    One of the best questions on forensics. Good job @kcbowhunter

    • kcbowhunter ctflearn++ badge

      Thanks! This was one of my first challenges and I just like the idea of using the data in the jpeg as the iv and key for AES encryption. VargasIsland builds on this problem and probably needs some Python if you are interested.

  • Londek

    Wouldn't be able to do it without kcbowhunter's help ;)

  • SeeTeeEff

    Protected

    [REDACTED] This comment is only shown to users who have solved this challenge.

    • kcbowhunter ctflearn++ badge

      SeeTeeEff, that happened because you used strings, and strings is not specific to the jpeg format (it can be used on any file). If you read the jpeg file format spec (google 'jpeg file markers'), the format of the comment block is 0xff 0xfe 0x00 0xnn, where 0xnn is the length of the comment when it is less than 256 bytes. Because of the 0x00 before the 0xnn, strings treats 0xnn as the first character of a new string and includes 0xnn in the comment string. See https://stackoverflow.com/questions/17447201/how-do-text-comments-in-jpg-files-work for a better writeup.

      • SeeTeeEff

        Mate, good explanation. I actually copied it out of a hex editor, incorrectly identifying the C as part of the Base64 encoding. I didn't actually think to check the actual comment marker and size of the field. This was a great challenge, my favorite so far. I thought I knew JPGs before this haha

      • SeeTeeEff

        Further comment: the reason that I enjoyed this is because of the hint. It was still hard enough to figure out, but just enough of a push in the right direction to not get frustrated not knowing where to start. Great challenge

        • kcbowhunter ctflearn++ badge

          Thanks! I put a lot of thought into making up the challenges, and it does take some thought to make it difficult / interesting but not impossible. This was one of the first challenges I created and it's one of my favorites, I like the idea of using the bytes in the jpeg as the iv and key to encrypt a message, so in a way the jpeg is the key. Thanks again for your comments. If you are interested, try my Nighthawk challenge, you might enjoy it.
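The exchange above turns on one detail of the JPEG container: a COM segment is marker 0xFF 0xFE followed by a two-byte big-endian length that counts itself, so a comment shorter than 254 bytes has a 0x00 high byte and then a low byte that `strings` happily treats as the first printable character of the run. The following Python script is an added example, not part of the CTFlearn page or of kcbowhunter's challenge; it builds a minimal JPEG from constructed bytes (no real image is used), walks the marker segments to pull out COM payloads exactly, and contrasts that with a `strings`-style printable-run scan over the same bytes to show where the stray leading character comes from. Function names and the sample comments are my own.

```python
import struct

# Markers with no length field (SOI, EOI, TEM, RST0..RST7).
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
COM, APP0, SOS, EOI = 0xFE, 0xE0, 0xDA, 0xD9


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment; the length field counts its own 2 bytes."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every segment up to and including SOS.

    Scanning stops at SOS because the entropy-coded data that follows is
    byte-stuffed (0xFF 0x00) and is not a sequence of length-prefixed segments.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos:#x}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError("invalid segment length")
        payload = data[pos + 2:pos + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment payload")
        yield marker, payload
        pos += length
        if marker == SOS:
            return


def jpeg_comments(data: bytes) -> list:
    """Return the exact payload of every COM segment (no length byte attached)."""
    return [payload for marker, payload in jpeg_segments(data) if marker == COM]


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Approximate `strings`: runs of printable ASCII at least min_len long,
    with no knowledge of the file format."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


# Constructed sample data (not from the challenge image).
# 65-byte comment -> length field 0x0043; 0x43 is ASCII 'C', which strings will
# glue onto the front of the comment text.
COMMENT_LONG = b"0123456789ABCDEF" * 4 + b"Z"
# 12-byte comment -> length field 0x000E; 0x0E is not printable, so strings
# shows this one without a stray prefix.
COMMENT_SHORT = b"hello jpeg!!"
APP0_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(APP0, APP0_PAYLOAD)
    + segment(COM, COMMENT_LONG)
    + segment(COM, COMMENT_SHORT)
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("COM segments parsed from the marker structure:")
    for c in jpeg_comments(SAMPLE_JPEG):
        print("  ", c)
    print("what a strings-style scan reports instead:")
    for r in printable_runs(SAMPLE_JPEG):
        print("  ", r)
```

Running it shows the parser returning the two comments byte-exact, while the printable-run scan reports `b"C0123...Z"` for the first one: the same off-by-one-character mistake described in the thread, reproduced on bytes you can inspect in a hex editor. Walking markers rather than grepping for text is the reliable way to recover comment segments from any JPEG.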

  • franix808

    I just solved it. The best feeling when you see the green text on the top of the screen :D

    • kcbowhunter ctflearn++ badge

      Congrats! I really like this challenge, it's one of my favorites.

  • OSSI

    Any hint for what iv and K are?

    • OSSI

      Never mind, I just found it

  • impregnable

    I do not see any flag.enc file after extracting. Help me find the iv and key (which I think are in this comment: CmmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY)..

    • kcbowhunter ctflearn++ badge

      Send me a private message please to discuss, I can see your problem already.

  • cuuuuaa123

    Protected

    [REDACTED] This comment is only shown to users who have solved this challenge.

    • kcbowhunter ctflearn++ badge

      Protected

      [REDACTED] This comment is only shown to users who have solved this challenge.

      • cuuuuaa123

        Protected

        [REDACTED] This comment is only shown to users who have solved this challenge.