picoCTF 2021 Information Writeup

This is my writeup for Information, a Forensics challenge worth 10 points.

This challenge’s description is as follows:

Files can always be changed in a secret way. Can you find the flag?

A jpeg named cat.jpg is provided with a SHA256 hash of b639e3a45a4f76efe104953a77b709e441e0546ec9fb08780e57fe3644d4250

The first thing I did was look at this file’s metadata using exiftool, which provided this output:

ExifTool Version Number         : 11.88
File Name                       : cat.jpg
Directory                       : /mnt/c/Users/DanielRoberson/Downloads
File Size                       : 858 kB
File Modification Date/Time     : 2021:08:22 21:53:57-07:00
File Access Date/Time           : 2021:08:22 21:54:37-07:00
File Inode Change Date/Time     : 2021:08:22 21:53:57-07:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Current IPTC Digest             : 7a78f3d9cfb1ce42ab5a3aa30573d617
Copyright Notice                : PicoCTF
Application Record Version      : 4
XMP Toolkit                     : Image::ExifTool 10.80
License                         : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Rights                          : PicoCTF
Image Width                     : 2560
Image Height                    : 1598
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 2560x1598
Megapixels                      : 4.1

Looking at the License field, I recognized this as a base64 encoded string. I decoded it with CyberChef to reveal the flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s