Archenemy
by INXS_JOY
John likes Arch Linux. What is he hiding?
Files
Solution
Its always a good practice to check the file format of all files while doing Forensics.
I used the command file arched.png to check the file type. As suspected, I got this,
arched.png: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1920x1080, components 3
So arched.png is a JPEG file. Let’s change the extension to .jpeg
Next, I ran the image file through Stego-Toolkit and noticed that steghide found a embedded flag.zip file in the image.
Trying to unzip the flag.zip asks for a password, but we weren’t provided with any passwords. So I tried to brute force the password using fcrackzip.
Fcrackzip tries all the passwords from any word-list we provide. In this case I used rockyou word-list which is a list of common passwords.
Using the command, fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt flag.zip, we get the following output,
found file 'meme.jpg', (size cp/uc 27553/ 27752, flags 9, chk 9ed1)
PASSWORD FOUND!!!!: pw == kathmandu
So, the password for the flag.zip is kathmandu. Extracting the contents, we get a file meme.jpg. Opening it, we find the flag at the bottom of the image.
Flag
csictf{1_h0pe_y0u_don't_s33_m3_here}