Using CyberChef as a forensics tool

Denton. O
5 min read, Sep 6, 2021

Cywar_BirdWatch CTF Writeup

In this digital forensics CTF, we were tasked with breaking the art of steganography 💔. Steganography is the practice of hiding a secret message in something that is not so secret. So, can we safely assume that digital steganography is the method of hiding “something” in something? Although many great tools have been published over the years, they aren’t flawless and can come with a learning curve. In the realm of digital forensics, tools like Binwalk, Steghide, Stegcracker, and Concealment are indispensable when it comes to revealing the unseen. However, after using and learning those tools, I wanted to see how a more user-friendly tool would stack up against them.

In comes CyberChef. Let’s fire up the oven! 🔥

Mission:

Based on our mission overview, we can see that we’ll have to search for hidden/embedded files within Branko’s thumb drive.

Hint:

* Our mission hint tells us to search for .jpg magic numbers. Magic numbers are the first few bytes of a file that uniquely identify its type.

Magic-numbers:

You can extract a JPEG file embedded within another file by opening the file in your favorite hex editor and searching for its magic number: JPEG files start with the hex digits “ffd8 ffe0”. By finding the proper offsets you can dump out the JPEG file and view its contents.
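The manual magic-number search described above, automated: an added example (not from the original post or from CyberChef) that scans a container for JPEG start markers and carves each image to its end marker. It goes one step past the hint by walking the JPEG marker segments, so a nested Exif thumbnail (which has its own ff d8 / ff d9 pair) does not cut the carve short. All sample bytes below are constructed for the example, not the CTF’s real files.

```python
import re

# Constructed sample data for this example (not the CTF's real files):
# JPEG-shaped byte strings, one carrying an Exif-style nested thumbnail.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
STUFFED = {0x00, *range(0xD0, 0xD8)}   # bytes after 0xFF that are not real markers

def find_jpeg_offsets(data: bytes) -> list:
    """Offsets of every JPEG start (ff d8 ff): covers JFIF (ff d8 ff e0) and Exif (ff d8 ff e1)."""
    return [m.start() for m in re.finditer(b"\xff\xd8\xff", data)]

def jpeg_end(data: bytes, start: int):
    """Offset just past the EOI of the JPEG at `start`, or None if truncated.
    Walks marker segments, so a thumbnail nested inside an APP1 segment is
    skipped instead of ending the carve at the thumbnail's own ff d9."""
    pos, n = start + 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                       # lost sync: corrupt or not a JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                    # EOI: this image is complete
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment
        if marker == 0xDA:                    # SOS: scan entropy-coded data
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] not in STUFFED):
                pos += 1
    return None

def carve_jpegs(data: bytes) -> list:
    """(offset, bytes) for each embedded JPEG, like an extract-files report.
    Starts that fall inside an already carved image (thumbnails) are skipped."""
    out, last_end = [], 0
    for off in find_jpeg_offsets(data):
        if off < last_end:
            continue
        end = jpeg_end(data, off)
        if end is not None:
            out.append((off, data[off:end]))
            last_end = end
    return out

def fake_jpeg(body: bytes, app1: bytes = b"") -> bytes:
    """Constructed JPEG-shaped data: SOI, APP0, optional APP1, SOS, body, EOI (not a real image)."""
    seg = lambda m, payload: m + (2 + len(payload)).to_bytes(2, "big") + payload
    return (SOI + seg(b"\xff\xe0", b"JFIF") + (seg(b"\xff\xe1", app1) if app1 else b"")
            + seg(b"\xff\xda", b"\x01") + body + EOI)

INNER = fake_jpeg(b"\x11\x22\xff\x00\x33")                                  # thumbnail
OUTER = fake_jpeg(b"\xaa\xff\xd0\xbb\xff\x00\xcc", b"Exif\x00\x00" + INNER)  # image with thumbnail
CONTAINER = b"BIRDWATCH filler " + OUTER + b" more filler " + fake_jpeg(b"\x01\x02")
```

`carve_jpegs(CONTAINER)` returns two images at offsets 17 and 86; the thumbnail at offset 37 is reported by a plain marker scan but correctly folded into its parent.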

Extract Files:

After extracting the original archive we get a .001 file. A quick Google search tells us that a .001 file is the first part of a split archive.

Google Research for .001 file:

Microsoft Answers gives a 7-Zip solution.

A post on the Microsoft Answers community forum, “How to Open and Extract .001 Files”, points us to the 7-Zip application for extracting the split archive.

Let’s extract the .001 file using 7-Zip.

Command: “7z e BirdWacher.001”

The extracted archive gives us a bunch of .jpg files. The contents of those files are photos of birds. One thing that stood out to me was that one particular JPEG file was significantly larger than the others.

Use Binwalk to inspect the larger JPEG file.

Binwalk reports a total of 16 .jpg files embedded within the original file.

* While taking a break from the CTF 💤

* A new tool pops up on my YouTube feed from “BHIS”

CyberChef

CyberChef’s About page:

* “A simple, intuitive web app for analyzing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption, and compression.”

* Why not give CyberChef a try? Especially after watching BB King give a talk and a demonstration of its capabilities in “Uncovering Secrets and Simplifying your Life with CyberChef”.

* With its ability to search for embedded files, CyberChef reports 16 .jpg file types and their corresponding offsets.

* Note: CyberChef is developed by GCHQ. theguardian.com describes it this way: “The UK equivalent of the NSA (National Security Agency) would be GCHQ”.

CyberChef:

* We also have the ability to extract files. Here we will select images only, since we have done our research.

CyberChef! What a nifty little tool.

Extracted all 16 .jpg files for viewing.

Browsing through the extracted JPEG files, we see more photos. Mmm, but this time not just pics of birds. Are we getting warmer?

Flag:

Nice! The very last image in the batch contains our flag.

Mission Accomplished:

Synopsis:

There’s more than one way to skin a cat

A deeper understanding of what’s going on under the “hood” is essential to being successful in digital forensics. Nonetheless, for every cyberSEC professional, having access to great tools can make life that much easier. CyberChef allows “cyber” operations within a web browser. A powerful tool that is completely written in JavaScript and is entirely client-side, I can definitely see CyberChef being implemented as a lite DLP solution.