So, extract the appended RAR file from the JPG, use something like the Linux command "tr -d [SNOW]" to remove the characters from the exif data, which reveals the password to extract the RAR file.
Here's where I kind of made it a bit harder, the PNG file inside the RAR is XOR encoded with the key "FireWorks".
In an attempt to make this somewhat obvious, or to provide some sort of clue, I appended a bunch of NULL bytes to the end of the PNG prior to encoding the whole file.
As you can see from the image above, this is what the end of the file looked like in the HEX editor.
Obviously you could use "strings" and other static property analysis techniques to see similar data.
There were a few people who solved the challenge, and some admitted that it took them a while to find a tool to decode multi-byte XOR. They said they had issues in CyberChef as well.
I actually didn't think much of it, since I always just used Bless Hex Editor to XOR decode with a known key.
In Bless Hex Editor go to Tools > Bitwise Operations
From there you can "Select All"
Choose XOR AS Text enter in the key "FireWorks" and execute.
I was asked about other tools for this type of decoding, I know of many single byte XOR tools, but was not too familiar with multi-byte tools that are available. I did find a couple, but they didn't seem as easy to use as I would like, so I built my own. Forgive the sloppy, ugly scripting, it's not what I do, I just usually pound away at a script to make it do what I want and that's it.
Anyway, I the script I made is available for download on my site http://www.lukeacha.com/downloads/xorkey.zip
Below is a screenshot of the Before and After XOR decoding with the known key:
I hope this tool is found to be useful by other analysts or CTF enthusiasts.
Comments
Post a Comment