Very Very Hidden is a forensics puzzle worth 300 points. You are presented with a packet capture try_me.pcap and the following clue:
Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure.
I started by opening this packet capture with Wireshark. It contained nearly 10,000 packets, and is 9.3 megabytes, so it wasn’t exactly small. A cursory scan of the packet capture showed some http, https, and QUIC traffic, some MDNS and LLMNR traffic, and of course DNS.
Next, I looked at DNS requests to get a general idea of what might be going on, using the dns filter within Wireshark:
This showed lookups for google.com, a host named powershell, GitHub, some Microsoft sites, and powershell.org, among other things.
Since HTTP traffic was observed, I thought it might be a good idea to extract any downloaded files within this packet capture. This is easy with Wireshark; File -> Export Objects -> HTTP, then click Save All.
Next, I checked to see what kind of files these were. An empty file, a text file, two PNGs, and some HTML:
```
% file *
%5c:           empty
NothingSus:    ASCII text
duck.png:      PNG image data, 1223 x 812, 8-bit/color RGB, non-interlaced
evil_duck.png: PNG image data, 1223 x 812, 8-bit/color RGB, non-interlaced
favicon.ico:   HTML document, ASCII text
```
duck.png and evil_duck.png have the same dimensions, but evil_duck.png is over twice as large as duck.png. Looking at the pictures themselves, evil_duck.png looks to be of poorer quality than duck.png, despite being larger. This indicated that there may be data hidden inside evil_duck.png by means of steganography.
This difference in quality is especially noticeable when comparing the clouds in each image:
Next, I tried all of the usual CTF steganography decoding tools hoping for a quick win, but nothing worked. Reviewing what I had discovered already, there were a strange number of PowerShell references within the packet capture. On a hunch, I googled PowerShell steganography and found an interesting blog post and a tool on GitHub:
I tried to find a decoder for images created with Invoke-PSImage but did not find anything useful on the first page of Google search results, so I decided to try writing a decoder.
Invoke-PSImage outputs a one-liner that extracts and runs the payload contained within an image, and the encoding looked straightforward enough to reverse.
After a few minutes, I ended up with the following Python script:
```python
#!/usr/bin/env python3
# Decoder for images produced by Invoke-PSImage: each payload byte is split
# into two nibbles, the high one stored in the low 4 bits of Blue and the
# low one in the low 4 bits of Green, one byte per pixel, left to right,
# top to bottom.
import sys
from PIL import Image

with Image.open("evil_duck.png") as im:
    width, height = im.size
    for y in range(height):          # rows first, matching the one-liner
        for x in range(width):
            # PIL's getpixel takes (x, y): column first, then row
            r, g, b = im.getpixel((x, y))
            sys.stdout.write(chr(((b & 15) * 16) | (g & 15)))
```
Running this decoder yielded a PowerShell script:
This script XOR encrypts a string using $string2 as the key, and writes the output to flag.txt. I opted to use CyberChef to decode it instead: