HACKvent 2020 - Day 11

01-01-2021 - 2 minutes, 22 seconds - CTF

Challenge - Chris'mas carol

Since yesterday’s challenge seems to have been a bit on the hard side, we’re adding a small musical innuendo to relax.

My friend Chris from Florida sent me this score. Enjoy! Is this what you call postmodern?

Image of a music sheet

Hints: He also sent this image, but that doesn’t look like Miami’s skyline to me.


The first thing we did was follow up on the hint (the “Miami” picture). With the help of TinEye's reverse image search we found this page, which uses the exact same picture (the checksum is identical). Since the picture is only listed under hints, we assumed its only purpose was to lead us to the tool on that website.

After the hint led us to the steganography tool, we tried using the score sheet there, but had no password. It took us a little time, some trial and error and a hint to figure out that the password for the image was blank. Oops. With an empty password, the website spits out a flag.zip. Inside this zip file was an encrypted flag.txt.

To get the password for the zip file, you obviously have to solve the puzzle on the sheet of music. For this we first wrote down the notes of the treble and bass clef.

Treble clef
e h f e d e d a h d a e a e a

Bass clef
h e d d a d a c e e d d d d d

Since everything on the sheet of music is supposed to be hexadecimal numbers (the “0x” hint on the sheet), the “h” in the notes makes no sense. But wait! The sheet of music comes from Miami, and in America the note “h” is called “b”. That's better.

Furthermore, 15 notes (or hexadecimal letters) cannot be converted to bytes without working with assumptions. Since the jumps of the notes are so large, we used octave+note notation. That yielded much nicer and nearly printable numbers.

Treble clef
e3 b4 f4 e3 d3 e2 d3 a5 b5 d5 a2 e5 a5 e3 a3

Bass clef
b3 e3 d5 d3 a3 d1 a1 c4 e3 e4 d1 d4 d1 d3 d1

If you look very closely, you will see a character between the two clefs that conveniently symbolizes an XOR operator (⊻). So we XOR’ed the bytes of the two lines with the following code and got the password for the zip file.

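using System;
using System.Linq;

// Note+octave bytes read from the treble (violin) and bass staves.
var bViolin = Convert.FromHexString("e3b4f4e3d3e2d3a5b5d5a2e5a5e3a3");
var bBass = Convert.FromHexString("b3e3d5d3a3d1a1c4e3e4d1d4d1d3d1");

// Pair the bytes of both staves position by position.
var noteSheet = bViolin.Zip(bBass);

// XOR each pair and interpret the result as ASCII characters.
var password = new string(noteSheet.Select(n => (char)(n.First ^ n.Second)).ToArray());
Console.WriteLine(password);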
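
The whole chain from transcribed notes to password, as an added Python example that is not part of the original write-up: it renames the German “h” to “b”, packs each note and octave into one hex byte, and XORs the two staves. The octave digits are read off the hex strings in the C# snippet above, and the function names are illustrative.

```python
# Added example: decode the score as described in the write-up.
# Note letters are as transcribed in the post (German naming, "h" = English "b").
# Octave digits are an assumption read off the hex strings in the post's C# snippet.

GERMAN_TO_ENGLISH = {"h": "b"}  # the only rename the write-up relies on
HEX_NOTES = set("abcdef")       # note names that are also hex digits

TREBLE_NOTES = "e h f e d e d a h d a e a e a".split()
TREBLE_OCTAVES = "3 4 4 3 3 2 3 5 5 5 2 5 5 3 3".split()
BASS_NOTES = "h e d d a d a c e e d d d d d".split()
BASS_OCTAVES = "3 3 5 3 3 1 1 4 3 4 1 4 1 3 1".split()


def staff_to_bytes(notes, octaves):
    """Turn (note, octave) pairs into bytes: note = high nibble, octave = low nibble."""
    if len(notes) != len(octaves):
        raise ValueError("every note needs exactly one octave digit")
    out = bytearray()
    for note, octave in zip(notes, octaves):
        note = GERMAN_TO_ENGLISH.get(note.lower(), note.lower())
        if note not in HEX_NOTES:
            raise ValueError(f"note {note!r} is not a hex digit (g has no hex value)")
        if len(octave) != 1 or octave not in "0123456789":
            raise ValueError(f"octave {octave!r} is not a single digit")
        out.append(int(note + octave, 16))
    return bytes(out)


def xor_staves(upper, lower):
    """XOR two equally long byte strings, as the symbol between the clefs suggests."""
    if len(upper) != len(lower):
        raise ValueError("staves must have the same number of notes")
    return bytes(a ^ b for a, b in zip(upper, lower))


def decode_score():
    """Return (treble bytes, bass bytes, password) for the transcription above."""
    treble = staff_to_bytes(TREBLE_NOTES, TREBLE_OCTAVES)
    bass = staff_to_bytes(BASS_NOTES, BASS_OCTAVES)
    password = xor_staves(treble, bass)
    # Sanity check: a ZIP password typed by a human should be printable ASCII.
    if not all(0x20 <= b < 0x7F for b in password):
        raise ValueError("XOR result is not printable; check the transcription")
    return treble, bass, password.decode("ascii")


if __name__ == "__main__":
    treble, bass, password = decode_score()
    print(treble.hex(), bass.hex(), password)
```

The printable-ASCII check is a quick way to catch a misread note or octave before trying the result against the archive.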

Unzipping the encrypted flag.zip with this as password reveals the flag:


Dead Ends

We tried extracting and decoding the payload in the music sheet ourselves without using the online tool. Extraction was easy enough as it was regular LSB steganography, but we failed on decoding.

While deciphering the password for the encrypted .zip file we also ran “john”, but never expected to get a result anyway.
