BARBHACK2024 - La Taupe

The company Cravatech has been compromised, and a secret flag was exfiltrated from their system. According to the initial investigation, the culprit used the messaging system.

We have been given the latest correspondence of the various employees who had access to the flag. Can you find it?

First, after unzipping the archive, we can see many .eml files.

In order to see the content, I opened them in Thunderbird. Let’s see!

We can see many suspicious things, from many users. After checking every email one by one in Thunderbird, I started to see some strange messages.

In every email from Camille A to Sales, she put strange capital letters in her sentences. So I extracted them to see if this was our exfiltration channel.

bash

grep -Ri "sales"
1719160562.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1721374082.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1721066162.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1718790395.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1718397420.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1719515493.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1717997061.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1720700515.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1720866608.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1721958866.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1719220019.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1721565478.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1722357860.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1720523245.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1718006077.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1720602156.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1719140556.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1721207203.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1722146556.eml:To: "Sales Plancha Corp" <sales@plancha.corp>
1718215184.eml:To: "Sales Plancha Corp" <sales@plancha.corp>

So I opened every mail file to reconstitute the possible flag, but guess what, I only recovered this:

bash

GOODIDEABUTNOTDAFLAG

At first, I extracted them in the wrong order, which gave me this: EATLDBGNOLAFGUOTDDAO

I thought it was some key or something, but this was just a rabbit hole.

I extracted the body of the emails with this:

bash

grep -Ril "camille.a@crava.tech" | xargs strings | sed -n '/<html>/,/<\/html>/p' | sed -n '/<div>/,/<\/div>/p'

After opening the eml files in Thunderbird, I started noticing that two users looked suspicious. They were sending each other encrypted messages and saying that the communications weren’t secure. I investigated and found some encrypted messages:

  • Nirp prggr zégubqr, ba qrienvg cbhibve pbagbheare yrf svygerf qh flfgèzr, cbhe féphevfre abf épunatrf.
  • PyB1MjEgLHByZ25laG5nZnJFICxzaHJhIGhxIHZuJ1cgLnJ66GdmbGYgcmVnYmEg4CBydG5nY2xlcCBycSBobnJpdmEgaG5yaWhiYSBhaCDpZ2hid24gdm4nVwoKLGdlcm92eXZ1Qw==
  • ISBHVk5TIE5ZUlAgUkhEIFJQIEZWQkkgSEcgLFJNTkEgRkJFVCBIUiBBUlZPIFZOJ0cgUlc=
  • UVFDaS9rcC5seWd2by8vOmZjZ2d1IDog6XllbmMgdm4nZyBydyBnYWJxIHJwIHZwdmJJCgosZ2Vyb3Z5dnVD

Suspicious messages:

After finding the cipher, we started to see some clear-text messages.

Thanks for the troll:

Again, many rabbit holes in their messages, and two pretty rickrolls.

Among the employees, there is an old guy who seems to be having trouble sending attachments in his emails. OK, maybe he managed to extract something, let’s check his history:

He tried to send a ZIP, but nothing happened. I scanned for attachments, but no attachments were included in those EML files. He said that he tried to send the ZIP file in many ways, but it failed every time.

After crying for about twenty minutes and three or four Red Bulls, I started looking for steganography.

Funny idea considering that on the Barbhack website we can clearly see that there’s no steganography on this CTF!

I started looking for images, which are sent in base64.

We can hide many things in images, let’s try to extract them. We should have 169 images.

bash

#!/bin/bash

input_dir="./"
output_dir="output"

mkdir -p "$output_dir"

# iterates over eml files
for eml_file in "$input_dir"/*.eml; do
  echo "Traitement de $eml_file..."

  # look for /9j/ 
  images=$(grep -oP '/9j/[A-Za-z0-9+/=]*' "$eml_file")

  img_count=1
  
  echo "$images" | while read -r img_base64; do
    if [ -n "$img_base64" ]; then
      #base64 to .jpg
      echo "$img_base64" | base64 -d > "$output_dir/$(basename "$eml_file" .eml)_image_$img_count.jpg"

      if [ $? -eq 0 ]; then
        echo "Image $img_count extracted and save at $(basename "$eml_file" .eml)_image_$img_count.jpg"
      else
        echo "error while extracting $img_count in $eml_file"
      fi

      ((img_count++))
    fi
  done
done

echo "extract ok"

Make it executable and run it:

bash

chmod +x image-extract.sh
bash image-extract.sh


[...]
extract ok

yes got it!

And now what? When an image is altered using steganography, meaning that some text, metadata, or other information is embedded in it, its bytes change, so its integrity is no longer guaranteed: its hash no longer matches the original, and we can detect that someone is attempting to exfiltrate data.

Let’s try to hash all these beautiful AI pictures.

First, I took the same image from the same guy, but from two different emails:

bash

┌─[auteqia@parrot][~/CTF/brb/brb/output]
sha256sum 1718703139_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718703139_image_1.jpg

┌─[auteqia@parrot][~/CTF/brb/brb/output]
sha256sum 1718368736_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718368736_image_1.jpg

Pretty good, they are the same!

Let’s generalize this to all the images:

bash

sha256sum * | sort
172305c63589e60b1066679a3b8d654d01639c9a542d90f4e6e3ef443a54d67e  1718363527_image_1.jpg
30179e755405837e3813c9571fcf7c35db577bba37ea806f438798f5446a32ba  1718198814_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1717398942_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1717591527_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1717662611_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1718028055_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1718183703_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1718264734_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1718803819_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1718967647_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1718989247_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719218706_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719289822_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719318622_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719329422_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719331239_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719351058_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719367258_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1719997214_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1720422909_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1720616433_image_1.jpg
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25  1720776612_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1717486936_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1717664378_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1717763147_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718026461_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718177209_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718183825_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718264919_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718622230_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718803272_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1718956664_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1719318929_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1719479673_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1719842576_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1719992718_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1720175322_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1720446008_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1720599113_image_1.jpg
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc  1721122206_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1712734304_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1714659841_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1714738054_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1715677654_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1715774222_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1715780047_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1716193371_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1716559632_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1717055872_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1717081140_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1717421178_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1717423355_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1718008291_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1718368272_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1718371737_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1718613703_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1718701654_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1718960042_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1719223029_image_1.jpg
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2  1719912274_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1717402939_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1717407466_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1717502612_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1718092691_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1718199387_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1718199482_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1718696002_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1718790483_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1718979645_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1719302728_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1719561096_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1720085351_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1720438824_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1720595568_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1720961853_image_1.jpg
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b  1721118605_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1717485914_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1717665038_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1717768041_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1718022832_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1718180284_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1718287543_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1718610567_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1718709696_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1718891770_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1719220075_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1719385950_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1719491987_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1719929649_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1720081583_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1720360082_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1720518824_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1720783936_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1721114077_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1721299310_image_1.jpg
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88  1721636948_image_1.jpg
bb60f60e559eb6fc69deebe0bb4a057606f7e3dfd0041d0e2c2f8d71401f4ca2  1719405797_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1717997061_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1718006077_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1718215184_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1718397420_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1718790395_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1719140556_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1719160562_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1719220019_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1719515493_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1720523245_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1720602156_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1720700515_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1720866608_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1721066162_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1721207203_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1721374082_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1721565478_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1721958866_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1722146556_image_1.jpg
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d  1722357860_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1717400162_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1717485954_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1717573023_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1717658614_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1717746136_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718004447_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718090271_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718179297_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718262165_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718349902_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718608293_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718695921_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718782076_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718870065_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1718953964_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1719213903_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1719300861_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1719388148_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1719472710_image_1.jpg
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e  1719559666_image_1.jpg
d930b58515707f72b4cd2477712d3d08f7334f79c58e2d56a57a8f80ae946ef6  1719926159_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1717314138_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1717503165_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1717666179_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1717833191_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718019927_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718180494_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718368736_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718534849_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718703139_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1718884743_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1719044774_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1719235102_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1719387818_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1719568614_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1719837469_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1720001133_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1720164521_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1720428799_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1720610066_image_1.jpg
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030  1720776777_image_1.jpg

OK, huge output, but we can handle it. As we can see, there are some hashes that appear only once, wtf?

Hash all the images, print only the hash (not the filename), and keep each distinct hash once:

bash

sha256sum * | awk '{print $1}' | sort -u
172305c63589e60b1066679a3b8d654d01639c9a542d90f4e6e3ef443a54d67e
30179e755405837e3813c9571fcf7c35db577bba37ea806f438798f5446a32ba
906c75bb34e003ed0f41c64560cc51dd36c39efb0a848dd9647cd28d9dfbfc25
9451be9bb64b6688b338233596775b4efe2d6c7fd59318c7b9ed4fca7c90edbc
9cbcf3e044106200db28d53b07baff5a7c6799c056c838a96254fea9d3a7dee2
b40ec5559aca48e8f7f2aa5db21db02842691865574b677ffeb3b469545a5a1b
b78db02fd193c41f524db077a2ca4290cb8601eef7721700fcf6292954bcfd88
bb60f60e559eb6fc69deebe0bb4a057606f7e3dfd0041d0e2c2f8d71401f4ca2
d4b71086ab7a3784263887f3f00800796d4e30c03f66cadc9b94baaedbba779d
d5d0f6dae2b46ee8fcf0437ef6baefd544b2cddd70015e7220f6f7ad3d82ed3e
d930b58515707f72b4cd2477712d3d08f7334f79c58e2d56a57a8f80ae946ef6
fd871bc760a7aa3a159cd5ea792e7780ac333eb34657031f8cbfbef1d2aef030

OK, let’s go back: some hashes appear only once even though they share the “same picture”. Strange, innit?

Here are the unique ones that look suspicious:

bash

d930b58515707f72b4cd2477712d3d08f7334f79c58e2d56a57a8f80ae946ef6
30179e755405837e3813c9571fcf7c35db577bba37ea806f438798f5446a32ba
bb60f60e559eb6fc69deebe0bb4a057606f7e3dfd0041d0e2c2f8d71401f4ca2
172305c63589e60b1066679a3b8d654d01639c9a542d90f4e6e3ef443a54d67e

Those hashes belong to these pictures:

bash

sha256sum * | grep -E 'd930b58515707f72b4cd2477712d3d08f7334f79c58e2d56a57a8f80ae946ef6|bb60f60e559eb6fc69deebe0bb4a057606f7e3dfd0041d0e2c2f8d71401f4ca2|172305c63589e60b1066679a3b8d654d01639c9a542d90f4e6e3ef443a54d67e|30179e755405837e3813c9571fcf7c35db577bba37ea806f438798f5446a32ba'
30179e755405837e3813c9571fcf7c35db577bba37ea806f438798f5446a32ba  1718198814_image_1.jpg
172305c63589e60b1066679a3b8d654d01639c9a542d90f4e6e3ef443a54d67e  1718363527_image_1.jpg
bb60f60e559eb6fc69deebe0bb4a057606f7e3dfd0041d0e2c2f8d71401f4ca2  1719405797_image_1.jpg
d930b58515707f72b4cd2477712d3d08f7334f79c58e2d56a57a8f80ae946ef6  1719926159_image_1.jpg

OK, the filenames are: 1719926159_image_1, 1719405797_image_1, 1718198814_image_1 and 1718363527_image_1

Let’s isolate them:

bash

mkdir strange
cp 1718363527_image_1.jpg 1719405797_image_1.jpg 1718198814_image_1.jpg 1719926159_image_1.jpg strange

Here we are old guy !!!!!!!!!

Aperisolve found nothing :(

OK, let’s see what has been changed from the original picture. I took the base64 from a regular one and compared it to the strange ones.

The eml files that contain the suspicious images:

  • 1719926159.eml
  • 1719405797.eml
  • 1718198814.eml
  • 1718363527.eml

And 1717407466.eml, which contains the regular image.

bash

cp 1719926159.eml 1719405797.eml 1718363527.eml 1718198814.eml 1717407466.eml output/strange
cd output/strange
mv 1717407466.eml regular.eml

Then I edited the script in order to extract the base64 from the eml files:

bash

#!/bin/bash

input_dir="./"
output_dir="extract-base64"

mkdir -p "$output_dir"

# iterates over eml files
for eml_file in "$input_dir"/*.eml; do
  echo "Traitement de $eml_file..."

  # look for /9j/
  images=$(grep -oP '/9j/[A-Za-z0-9+/=]*' "$eml_file")

  img_count=1

  echo "$images" | while read -r img_base64; do
    if [ -n "$img_base64" ]; then
      #base64 extract
      echo "$img_base64" > "$output_dir/$(basename "$eml_file" .eml)_image_$img_count.b64"

      if [ $? -eq 0 ]; then
        echo "base64 $img_count extracted and save at $(basename "$eml_file" .eml)_image_$img_count.b64"
      else
        echo "error while extracting $img_count in $eml_file"
      fi

      ((img_count++))
    fi
  done
done
echo "extract ok"

Now I looked at the differences between the regular one and the others.

A pretty script that highlights the differences:

python

import sys
import os
import base64

def read_file(filename):
    with open(filename, 'rb') as file:
        return file.read()

def compare_base64_strings(reference_base64, file_data):
    # Decode both base64 strings to raw image bytes
    reference_bytes = base64.b64decode(reference_base64)
    file_bytes = base64.b64decode(file_data)

    # Pad the shorter one with NUL bytes so both can be compared index by index
    max_len = max(len(reference_bytes), len(file_bytes))
    reference_bytes = reference_bytes.ljust(max_len, b'\x00')
    file_bytes = file_bytes.ljust(max_len, b'\x00')

    differences = []

    # Record (offset, reference byte, file byte) for every mismatch
    for i in range(max_len):
        if reference_bytes[i] != file_bytes[i]:
            differences.append((i, reference_bytes[i], file_bytes[i]))

    return differences

def main(reference_file):
    with open(reference_file, 'r') as file:
        reference_base64 = file.read().strip()

    differences = []

    # Get the list of .b64 files and sort them alphabetically
    files = [f for f in os.listdir('.') if f.endswith('.b64')]
    files.sort()

    for filename in files:
        try:
            file_data = read_file(filename)
            file_base64 = file_data.decode('utf-8').strip()
            file_differences = compare_base64_strings(reference_base64, file_base64)
            differences.extend(file_differences)
        except (OSError, ValueError) as exc:
            # Unreadable file or invalid base64: report it and keep going
            print(f"error while processing {filename}: {exc}")

    if differences:
        print("Différences trouvées :")
        for index, ref_byte, file_byte in differences:
            print(f"diff: {file_byte:02x}")
    else:
        print("Aucune différence trouvée.")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python diff.py reference_file")
        sys.exit(1)

    reference_file = sys.argv[1]
    main(reference_file)

This gave us something like:

bash

Différences trouvées :
diff: 59
diff: 6e
diff: 4a
diff: 69
diff: 65
diff: 30
diff: 67
diff: 78
diff: 5a
diff: 47
diff: 51
diff: 7a
diff: 62
diff: 6c
diff: 38
diff: 78
diff: 62
diff: 6c
diff: 39
diff: 51
diff: 62
diff: 44
diff: 51
diff: 78
diff: 62
diff: 6c
diff: 39
diff: 54
diff: 4d
diff: 57
diff: 64
diff: 6f
diff: 56
diff: 48
diff: 30
diff: 3d

pretty format : 596e4a69653067785a47517a626c3878626c395162445178626c39544d57646f5648303d

bash

echo "596e4a69653067785a47517a626c3878626c395162445178626c39544d57646f5648303d" | xxd -r -p | base64 -d


brb{H1dd3n_1n_Pl41n_S1ghT}

kinda tricky challenge ;)
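
The whole detection workflow above (extract the images, hash them, isolate the hashes that appear only once, diff them against a regular copy) can be done in one pass. This is an added example, not code from the original write-up: it parses the MIME structure with Python's `email` module instead of grepping for `/9j/`, and the function names, addresses and the sample mailbox are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage


def jpeg_parts(raw_eml):
    """Yield decoded image/jpeg MIME parts (line-wrapped base64 is handled)."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "image/jpeg":
            yield part.get_payload(decode=True)


def group_by_hash(mailbox):
    """mailbox maps file name -> raw .eml bytes; returns sha256 -> [(name, image)]."""
    groups = defaultdict(list)
    for name in sorted(mailbox):
        for image in jpeg_parts(mailbox[name]):
            groups[hashlib.sha256(image).hexdigest()].append((name, image))
    return groups


def changed_bytes(image, baselines):
    """Diff against the closest same-length baseline; None if there is none."""
    best = None
    for base in baselines:
        if len(base) != len(image):
            continue
        diff = [(i, b) for i, (a, b) in enumerate(zip(base, image)) if a != b]
        if best is None or len(diff) < len(best):
            best = diff
    return best


def recover(mailbox):
    """Return ({outlier name: [(offset, byte)]}, changed bytes in name order)."""
    groups = group_by_hash(mailbox)
    # Images seen more than once are the trusted baselines
    baselines = [members[0][1] for members in groups.values() if len(members) > 1]
    # Images whose hash appears exactly once are the suspects
    outliers = sorted(m[0] for m in groups.values() if len(m) == 1)
    report, stream = {}, bytearray()
    for name, image in outliers:
        diff = changed_bytes(image, baselines)
        report[name] = diff
        stream += bytes(b for _, b in (diff or []))
    return report, bytes(stream)


def make_eml(sender, image):
    """Constructed message carrying one JPEG part."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "team@example.test", "weekly"
    msg.set_content("see attached picture")
    msg.add_attachment(image, maintype="image", subtype="jpeg", filename="sig.jpg")
    return msg.as_bytes()


def build_sample():
    """Constructed mailbox: two clean images sent twice, two tampered copies."""
    clean_a = b"\xff\xd8\xff\xe0" + bytes(range(200)) + b"\xff\xd9"
    clean_b = b"\xff\xd8\xff\xe0" + bytes(reversed(range(200))) + b"\xff\xd9"
    odd_1 = clean_a[:50] + b"demo" + clean_a[54:]   # 4 bytes overwritten
    odd_2 = clean_a[:50] + b"-ok" + clean_a[53:]    # 3 bytes overwritten
    images = [clean_a, clean_b, odd_1, clean_a, clean_b, odd_2]
    return {f"170000000{i}.eml": make_eml("a@example.test", img)
            for i, img in enumerate(images, 1)}


if __name__ == "__main__":
    report, stream = recover(build_sample())
    for name, diff in report.items():
        print(name, diff)
    print(stream)
```

A hidden byte that happens to equal the original byte at the same offset does not show up in the diff, so a recovered stream can have gaps; images of a different length than every baseline are reported with `None` and need a manual look.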