picoCTF 2019 WhitePages Writeup

WhitePages is a forensics puzzle worth 250 points.

The description for this puzzle is:

I stopped using YellowPages and moved onto WhitePages... but the page they gave me is all blank!

This puzzle supplies a text file whitepages.txt.

Viewing the file with Emacs, it appears that whitepages.txt contains a couple of lines with spaces and tabs. This and the white in the challenge made me think that the flag is encoded in the whitespace somehow.

Lots of whitespace.

Next, I check out what this file looks like with whitespace-mode. There is definitely a discernable pattern:

Emacs whitespace-mode

Next, I use hexl-mode to view a hex dump of whitepages.txt:

Emacs hexl-mode

I noticed that the pattern e28083 and 20 repeated throughout this hex dump. Since this shows up as whitespace and not any bizarre characters in notepad, I assume that e28083 is probably a Unicode character that is some kind of whitespace.

I verify this theory using Python:

>>> with open("whitepages.txt", "rb") as fp:
...     data = fp.read()
>>> decoded = data.decode("utf-8")

This didn’t throw an error, and the decoded variable now contains spaces and escaped Unicode character \u2003 repeatedly.

From having worked on so many CTF puzzles, binary encoding comes up frequently. It is usually a safe bet to assume that a message is encoded in binary if there are only two characters in a message. Even more so if the length of the message divides cleanly by 8, because one byte is 8 bits. In this case, the decoded whitespace cleanly divides by 8:

>>> len(decoded) / 8

Next, convert the decoded text into a string of ones and zeroes:

>>> for x in decoded:
...     print("0" if x == '\u2003' else "1", end="")

Finally, I decode the binary string with CyberChef, which reveals the flag:

Decoded binary

One thought on “picoCTF 2019 WhitePages Writeup

  1. Pingback: picoCTF Writeups – DMFR SECURITY

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s