Juniors CTF - 200 - Clone Attack - Forensics

Informations

Version

By Version Comment
noraj 1.0 Creation

CTF

Description

categories: trivial, forensics

Gravity Falls is under clones attack. Find the real Dipper and save the town

https://yadi.sk/d/ekEIo3nwy22JC, http://juniors.ucoz.net/dipper2.png

Lupanov M.Iu.

Solution

  • dipper2.jpg is useless.
  • unzip dipper.7z
  • We have 201 images:
1
2
3
4
5
6
7
8
[...]
Ab9t2MDhgeCdtIWM.jpg HjBQKJSOhcieolm4.jpg n3dQQ0ZDx3S3UsBr.jpg T1uPfBLnZwT4gnLy.jpg zaDSq7pwGh4a38xy.jpg
ABDOzIFq6epnCnhx.jpg hk0hHu8tI5DkDyiV.jpg N4M2CtJ7gr7Jzo9S.jpg t1xoHMAR0IAkwfd7.jpg Zb1RJWvpVjXFKfxq.jpg
aBHn54lpn0JuymBI.jpg HKjCtFdy5EL15cXH.jpg N5muaN8pZFaQizT6.jpg t2FNLj2HOKnT1naO.jpg ZcAZFv16zVB2Xoih.jpg
AbmIxXZ4ReLk7UYM.jpg hlB31hrzrOU5RYQg.jpg N5ZGl2k84vyFp5Br.jpg t3sXG01KznKJiN9v.jpg zCYJB6XDGlt8UB58.jpg
ABNclrsAR0By1bUx.jpg HLIqYcwvszKfJ2mh.jpg n6bfa5irSSBzz1IU.jpg t9IRCSMIJBrvArav.jpg zD3o8PsmbXmRWNON.jpg
ac9q61SRl4vlF0td.jpg hmrrHYgpxaW6V6XU.jpg n6BS4SVXzrkIRpsu.jpg TBHJwtjbcXh2GYv9.jpg zdd9UFYGdxytCbCz.jpg
[...]
  • Let's take a look at the first image:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[noraj@rawsec]––––––––––––––––––––––––[~/CTF/JuniorCTF/2016/Clone-Attack/dipper]
$ exiftool 07snLOxf2k0rRrT3.jpg
ExifTool Version Number : 10.20
File Name : 07snLOxf2k0rRrT3.jpg
Directory : .
File Size : 26 kB
File Modification Date/Time : 2016:11:03 04:56:07+01:00
File Access Date/Time : 2016:11:25 16:47:44+01:00
File Inode Change Date/Time : 2016:11:25 16:48:53+01:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Current IPTC Digest : 1f6df1813fc08f735211d55b866d1cca
Coded Character Set : UTF8
Envelope Record Version : 4
Object Name : Ксерокопия номер 086
Application Record Version : 4
Comment : Flag is MD5sum of this file. Its TRUE
Image Width : 193
Image Height : 400
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 193x400
Megapixels : 0.077
  • Comment : Flag is MD5sum of this file. Its TRUE but all images have the same comment.
  • Object Name : Ксерокопия номер 086 means n° of copie 086, let's fidn the original:
1
2
3
4
5
6
7
[noraj@rawsec]––––––––––––––––––––––––[~/CTF/JuniorCTF/2016/Clone-Attack/dipper]
$ exiftool * | grep 'Object Name'
[...]
Object Name : Ксерокопия номер 644
Object Name : Оригинальный Диппер
Object Name : Ксерокопия номер 702
[...]
  • We found it, Оригинальный Диппер means The original Dipper:
1
2
3
4
5
6
[noraj@rawsec]––––––––––––––––––––––––[~/CTF/JuniorCTF/2016/Clone-Attack/dipper]
$ grep -r 'Оригинальный Диппер' ./
Binary file ./atvF2wf1tfB2IkuV.jpg matches
[noraj@rawsec]––––––––––––––––––––––––[~/CTF/JuniorCTF/2016/Clone-Attack/dipper]
$ md5sum atvF2wf1tfB2IkuV.jpg
cd4d19b8471cecbc8ea7544de59db368 atvF2wf1tfB2IkuV.jpg
  • cd4d19b8471cecbc8ea7544de59db368 was the flag.

Feedback: it's a international CTF, so please use only english, russian content everywhere is pain for non-russian

Share