NDH 2015 Cooper Writeup
Point = 300
Category = Stegano
“I am not crazy, my mother had me tested.” (Sheldon)
What did Sheldon … huh sorry, Dr. Cooper really mean? (http://quals.nuitduhack.com/challenges/view/14)
The tar zip contains a Windows executable, so the first thing I did was opening it in CFF Explorer.
Doing so I found a picture of Sheldon … or better say
"Dr. Cooper" in resources and a section called .hidden containing a ZIP file.
Within the zip file there was a C++ code project with encrypt and decrypt functions.
> dir Stegano-BMP-master ... 2013-06-21 05:24 PM 533 decrypt.cpp 2015-04-04 12:10 PM <DIR> easybmp 2013-06-21 05:24 PM 768 encrypt.cpp 2013-06-21 05:24 PM 28 main.cpp 2013-06-21 05:24 PM 564 Makefile 2013-06-21 05:24 PM 238 README.md 2013-06-21 05:24 PM 2,705 stegano.cpp 2013-06-21 05:24 PM 196 stegano.h 7 File(s) 5,032 bytes
First thing that strikes the mind is to compile the project and decrypt (extract) the flag from it, and I did, and I FAILED :(
>decrypt cooper.bmp 3
3 cannot be the flag! (but I did submit it and the server did reject it :))
So I insepected the files more, and I found a PDF file in the EXE’s hex dump.
I fixed and opened it and finally found “my precious”!
BTW: The PDF is password protected which the reader has to guess :D
Written by MMS