picoCTF 2021 Very Very Hidden Writeup

Very Very Hidden is a forensics puzzle worth 300 points. You are presented with a packet capture try_me.pcap and the following clue:

Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure.

I started by opening this packet capture with Wireshark. It contained nearly 10,000 packets and is 9.3 megabytes, so it wasn't exactly small. A cursory scan of the packet capture showed some HTTP, HTTPS and QUIC traffic, some mDNS and LLMNR traffic, and of course DNS.

Next, I looked at DNS requests to get a general idea of what might be going on using the dns filter within Wireshark:

Filtering DNS traffic within Wireshark.

This showed lookups for google.com, a host named powershell, GitHub, some Microsoft sites, and powershell.org, among other things.

Since HTTP traffic was observed, I thought it might be a good idea to extract any downloaded files within this packet capture. This is easy with Wireshark; File -> Export Objects -> HTTP, then click Save All.

Extract files from HTTP streams using Wireshark.

Next, I checked to see what kind of files these were. An empty file, a text file, two PNGs, and some HTML:

% file *
%5c:           empty
NothingSus:    ASCII text
duck.png:      PNG image data, 1223 x 812, 8-bit/color RGB, non-interlaced
evil_duck.png: PNG image data, 1223 x 812, 8-bit/color RGB, non-interlaced
favicon.ico:   HTML document, ASCII text

Interestingly, duck.png and evil_duck.png have the same dimensions, but evil_duck.png is over twice the size of duck.png. Looking at the pictures themselves, evil_duck.png appears to be of poorer quality than duck.png despite being larger. This suggested that data might be hidden inside evil_duck.png by means of steganography.

This difference in quality is especially noticeable when comparing the clouds in each image:

Pixelated clouds and ducks.

Next, I tried all of the usual CTF steganography decoding tools hoping for a quick win, but nothing worked. Reviewing what I had already discovered, there were a surprising number of PowerShell references in the packet capture. On a hunch, I googled "PowerShell steganography" and found an interesting blog post and a tool on GitHub, Invoke-PSImage.

I looked for a decoder for images created with Invoke-PSImage but found nothing useful on the first page of Google results, so I decided to write one. Invoke-PSImage emits PowerShell one-liners that read the payload back out of the image, and the encoding looked straightforward enough to reverse.

After a few minutes, I ended up with the following Python script:

#!/usr/bin/env python3

import sys
from PIL import Image

# Invoke-PSImage stores one payload byte per pixel: the low nibble of the blue
# channel is the high half of the byte and the low nibble of the green channel
# is the low half. Its loader walks rows top to bottom and pixels left to
# right, so the decoder does the same. Note that PIL's getpixel() takes (x, y).
with Image.open("evil_duck.png") as im:
    rgb = im.convert("RGB")   # always yield 3-tuples, even if the PNG has alpha
    width, height = rgb.size

    for y in range(height):
        for x in range(width):
            r, g, b = rgb.getpixel((x, y))
            sys.stdout.write(chr(((b & 15) * 16) | (g & 15)))

Running this decoder yielded a PowerShell script:

Extracted payload from evil_duck.png

This script XOR-encrypts $string1 using $string2 as the key and writes the output to flag.txt. I opted to use CyberChef to decode it instead:

Decoded the flag with CyberChef
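To make the two stages above concrete, here is an added illustration in pure Python (not the writeup's script and not Invoke-PSImage's own code): it models the per-pixel nibble scheme and the repeating-key XOR on a constructed pixel grid, and runs without Pillow. The cover values, the secret text and the key are all made up for the demonstration.

```python
"""Pure-Python model of the Invoke-PSImage nibble scheme plus the XOR stage.
A pixel grid is a list of rows, each row a list of (r, g, b) tuples, which is
the layout PIL returns for an RGB image."""

def embed_payload(rows, payload):
    """Place payload bytes in the low nibbles of B (high half of the byte)
    and G (low half), row-major; all other bits are left untouched.
    Used here only to build a constructed test image."""
    out = [list(row) for row in rows]
    i = 0
    for row in out:
        for x, (r, g, b) in enumerate(row):
            if i == len(payload):
                return out
            row[x] = (r, (g & 0xF0) | (payload[i] & 0x0F), (b & 0xF0) | (payload[i] >> 4))
            i += 1
    if i < len(payload):
        raise ValueError("payload does not fit in the image")
    return out

def extract_payload(rows, length):
    """Mirror of the PowerShell loader: byte = ((B & 15) * 16) | (G & 15),
    walking rows top to bottom and pixels left to right for `length` bytes."""
    out = bytearray()
    for row in rows:
        for _r, g, b in row:
            if len(out) == length:
                return bytes(out)
            out.append(((b & 0x0F) << 4) | (g & 0x0F))
    return bytes(out)

def xor_with_key(data, key):
    """Repeating-key XOR, the second stage the recovered script performed."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

# Constructed 8x4 cover "image" with non-zero high nibbles in every channel.
COVER = [[(0x20 + 3 * x + y, 0x9A + x, 0xC7 - y) for x in range(8)] for y in range(4)]
SECRET = b"picoCTF{constructed_example}"   # 28 bytes, fits in 32 pixels (made up)
KEY = b"duck"                              # stands in for the script's $string2

def round_trip():
    """Hide SECRET xor KEY in COVER, then recover it the way the writeup does."""
    stego = embed_payload(COVER, xor_with_key(SECRET, KEY))
    ciphertext = extract_payload(stego, len(SECRET))
    return xor_with_key(ciphertext, KEY)

if __name__ == "__main__":
    print(round_trip().decode())   # prints picoCTF{constructed_example}
```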
