Halloween Masks Are Overrated

SpookyCTF2023 Oct 29, 2023

📜Scenario

🔎Solve

Let's get started with this picture.

First I tried to analyse the EXIF metadata:

$ exiftool mask.jpg
ExifTool Version Number         : 12.67
File Name                       : mask.jpg
Directory                       : .
File Size                       : 615 kB
File Modification Date/Time     : 2023:10:28 02:29:27+02:00
File Access Date/Time           : 2023:10:28 02:30:12+02:00
File Inode Change Date/Time     : 2023:10:28 02:30:05+02:00
File Permissions                : -rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Little-endian (Intel, II)
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : GIMP 2.10.32
Modify Date                     : 2023:10:09 01:27:59
Exif Version                    : 0210
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 95553024
Exif Image Height               : 127404032
Subfile Type                    : Reduced-resolution image
Compression                     : JPEG (old-style)
Photometric Interpretation      : YCbCr
Samples Per Pixel               : 3
Thumbnail Offset                : 364
Thumbnail Length                : 6941
XMP Toolkit                     : XMP Core 4.4.0-Exiv2
Document ID                     : gimp:docid:gimp:d02b606b-73cf-4a58-a695-22ff579fbaf2
Instance ID                     : xmp.iid:5f14b079-25eb-4e89-ba92-4d2a43df3783
Original Document ID            : xmp.did:3fd03f9c-5e59-444c-b384-f466c183f6f1
Format                          : image/jpeg
Api                             : 2.0
Platform                        : Windows
Time Stamp                      : 1696829281052252
Version                         : 2.10.32
Creator Tool                    : GIMP 2.10
Metadata Date                   : 2023:10:09T01:27:59:04:00
History Action                  : saved
History Changed                 : /
History Instance ID             : xmp.iid:a652b8e9-fb47-4d42-af52-4b25cd5a9165
History Software Agent          : Gimp 2.10 (Windows)
History When                    : 2023:10:09 01:28:01
Profile CMM Type                : Little CMS
Profile Version                 : 4.3.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 2023:10:09 05:15:41
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             :
Device Model                    :
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Little CMS
Profile ID                      : 0
Profile Description             : GIMP built-in sRGB
Profile Copyright               : Public Domain
Media White Point               : 0.9642 1 0.82491
Chromatic Adaptation            : 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168
Red Matrix Column               : 0.43604 0.22249 0.01392
Blue Matrix Column              : 0.14305 0.06061 0.71393
Green Matrix Column             : 0.38512 0.7169 0.09706
Red Tone Reproduction Curve     : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 32 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 32 bytes, use -b option to extract)
Chromaticity Channels           : 3
Chromaticity Colorant           : Unknown
Chromaticity Channel 1          : 0.64 0.33002
Chromaticity Channel 2          : 0.3 0.60001
Chromaticity Channel 3          : 0.15001 0.06
Device Mfg Desc                 : GIMP
Device Model Desc               : sRGB
Image Width                     : 1458
Image Height                    : 1944
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1458x1944
Megapixels                      : 2.8
Thumbnail Image                 : (Binary data 6941 bytes, use -b option to extract)

Nothing seems to be amazing yet

$ binwalk mask.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
364           0x16C           JPEG image data, JFIF standard 1.01
300430        0x4958E         Zip archive data, at least v2.0 to extract, compressed size: 314753, uncompressed size: 320472, name: flag.mp3
615275        0x9636B         End of Zip archive, footer length: 22

I find this file interesting, and I hasten to extract it with the -e option of binwalk.
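What binwalk reports above can be reproduced by hand: a ZIP is located from its End of Central Directory record at the tail of the file, so it stays readable when appended to a JPEG. The following is an added example, not part of the original write-up; it runs on a constructed stub image rather than mask.jpg, and the function names are hypothetical.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record (22 bytes without comment)
LFH_SIG = b"PK\x03\x04"   # local file header, first bytes of a ZIP archive


def build_sample() -> bytes:
    """Constructed sample: a stub JPEG (SOI ... EOI) with a ZIP appended."""
    stub_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.mp3", b"ID3 constructed audio bytes")
    return stub_jpeg + buf.getvalue()


def find_appended_zip(data: bytes):
    """Return (start offset, member names) of a ZIP appended to other data, or None."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the start of the archive, so the real
    # position of the central directory minus cd_offset gives that start.
    start = eocd - cd_size - cd_offset
    if start < 0 or data[start:start + 4] != LFH_SIG:
        return None
    with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
        return start, zf.namelist()


if __name__ == "__main__":
    print(find_appended_zip(build_sample()))
```

For triage, any image whose bytes continue past the end of the picture data with a valid archive behind them deserves the same inspection binwalk gave this one.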

[Audio: Flag]

We therefore open Audacity to analyze this file; with Daeras, we flipped the audio every which way to make it more understandable. After reversing it and slowing it down, the flag became a little more audible.

[Audio: Flag2]

Which gives us: qlff{e4fnp4vnlqj_lv_frrro}
This is a Caesar cipher, which can be deciphered with decode.
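The Caesar step can also be done offline by trying all 26 shifts and keeping the one that produces recognisable words. This is an added example, not part of the original write-up; the small word list used for scoring is an assumption, and digits, braces and underscores are left untouched.

```python
import re
import string

CIPHERTEXT = "qlff{e4fnp4vnlqj_lv_frrro}"  # string heard in the audio, from the write-up
# Assumption: a tiny list of common English words is enough to rank candidates.
COMMON_WORDS = {"is", "the", "of", "to", "in", "it", "and", "flag"}


def caesar_shift(text: str, shift: int) -> str:
    """Move every letter back by `shift`; leave digits and punctuation as they are."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 - shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 - shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score(candidate: str) -> int:
    """Count tokens (split on braces, underscores, etc.) that are common words."""
    tokens = re.split(r"[^a-z0-9]+", candidate.lower())
    return sum(tok in COMMON_WORDS for tok in tokens)


def crack(text: str):
    """Return (shift, plaintext) for the best-scoring of the 26 candidates."""
    best = max(range(26), key=lambda s: score(caesar_shift(text, s)))
    return best, caesar_shift(text, best)


if __name__ == "__main__":
    print(crack(CIPHERTEXT))
```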

WriteUp made by Shaym
