Ghost - Forensics
Points: 420 | Flag: 0xfun{l4y3r_pr0t3c710n_k3y} | Solved by: Smothy @ 0xN1umb

what we got
one file: wallpaper.png - a 320x256 linux meme image with "1n73rc3p7_cOnf1rm3d" and "LINUX ME" text. challenge says something about intercepting a transmission and recovering a network capture... but we got a png? sus
the solve
ran exiftool on it first thing and immediately caught this:
Warning: [minor] Trailer data after PNG IEND chunk
classic move lol. there's data hiding after the PNG ends. extracted everything after the IEND chunk:
data = open('wallpaper.png', 'rb').read()
iend = data.find(b'IEND')
end_of_png = iend + 4 + 4 # IEND + CRC
trailer = data[end_of_png:]
# 235 bytes, starts with 37 7a bc af = 7z magic bytes!
open('trailer.bin', 'wb').write(trailer) # saved for the 7z commands below
so the "ghost" was a 7z archive chilling after the PNG data. sneaky
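The trailer split above, redone by walking the PNG chunk list and checking each CRC instead of searching for the bytes IEND, which can also turn up inside compressed image data. This is an added example, not code from the original writeup; split_png, identify, chunk and build_sample are names made up here, and the sample input is constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# A few container magics worth flagging at the start of a trailer.
MAGICS = {b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip",
          b"Rar!\x1a\x07": "rar", b"\x1f\x8b": "gzip"}

def split_png(data):
    """Walk the chunk list and return (png_bytes, trailer_bytes)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        # Chunk layout: 4-byte length, 4-byte type, body, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:  # CRC covers type + body
            raise ValueError(f"bad CRC in {ctype!r} at offset {pos}")
        if ctype == b"IEND":
            return data[:end], data[end:]
        pos = end
    raise ValueError("no IEND chunk")

def identify(trailer):
    """Name the trailer's container format, 'unknown', or None if empty."""
    if not trailer:
        return None
    for magic, name in MAGICS.items():
        if trailer.startswith(magic):
            return name
    return "unknown"

def chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample():
    # Constructed input: structurally valid chunks (pixel data is junk), an
    # IDAT body that happens to contain b"IEND", then a fake 7z header.
    png = PNG_SIG + chunk(b"IHDR", bytes(13)) + chunk(b"IDAT", b"xxIENDxx") + chunk(b"IEND")
    return png + b"7z\xbc\xaf\x27\x1c" + bytes(8)

if __name__ == "__main__":
    sample = build_sample()
    png, trailer = split_png(sample)
    naive = sample.find(b"IEND") + 8  # the search-based offset
    print(len(png), len(trailer), identify(trailer), naive == len(png))
```

On the constructed sample the byte search lands inside the IDAT chunk, while the chunk walk stops at the real IEND and reports a 7z trailer.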
$ 7z l trailer.bin
Method = LZMA2:12 7zAES <-- password protected
fishwithwater/nothing.txt (27 bytes)
password protected with 7zAES encryption. tried a bunch of obvious stuff - "ghost", "fishwithwater", etc. nope
then i looked at the image text again: 1n73rc3p7_cOnf1rm3d. the password was almost that but with a zero instead of the capital O: 1n73rc3p7_c0nf1rm3d
ngl that lowercase O vs 0 swap had me stuck for a sec
$ 7z x trailer.bin -p"1n73rc3p7_c0nf1rm3d"
Everything is Ok
$ cat fishwithwater/nothing.txt
0xfun{l4y3r_pr0t3c710n_k3y}
flag
0xfun{l4y3r_pr0t3c710n_k3y}
the "ghost" = hidden 7z archive appended after PNG IEND. layer protection key fr fr - data hiding in layers. easy once you check exiftool but that password O vs 0 was lowkey annoying lmao
smothy out ✌️