HACKvent 2020 - Day 20

01-01-2021 - 3 minutes, 26 seconds - CTF

Challenge - Twelve steps of Christmas

On the twelfth day of Christmas my true love sent to me...
twelve rabbits a-rebeling,
eleven ships a-sailing,
ten (twentyfourpointone) pieces a-puzzling,
and the rest is history.

An 11MB large image contains the challenge

Hints You should definitely give Bread's famous easy perfect fresh rosemary yeast black pepper bread a try this Christmas!


Todays challenge really takes us down the rabbit hole...

First, let's look at the Hint. A recipe for a delicious bread - in case we are starving during the challenge we can make a snack. Or is there more? Of course. Chef.

So the source code was put into a Chef online compiler and the output is:

breadbread is a good egg

No idea what to do with it, but let's keep it in mind.

Next, let's look at the picture. Typical tools like binwalk or stegsolve are not very helpful, but at least we can quickly find out that there is HTML hidden in the image. Even very far up in a PNG text field. You can even rename the image to the .html extension and open it in the browser!

There is not much in the html file, except an image tag that points to itself - which actually works, because the html file is actually a PNG - and some javascript code. The code seems to want to read data from the image and download it as 11.py. However, it wants a password first, which is checked against a SHA1 hash. Since the password is not used anywhere else, we extract the "real" HTML file from the PNG and remove the password check. We then load the whole thing via nginx over localhost instead of file:/// to avoid various browser security checks (for example CORS). After clicking on the image, the browser automatically downloads the 11.py Python file extracted from the image:

import sys
i = bytearray(open(sys.argv[1], 'rb').read().split(sys.argv[2].encode('utf-8') + b"\n")[-1])
j = bytearray(b"Rabbits are small mammals in the family Leporidae of the order Lagomorpha (along with the hare and the pika). Oryctolagus cuniculus includes the European rabbit species and its descendants, the world's 305 breeds[1] of domestic rabbit. Sylvilagus includes 13 wild rabbit species, among them the seven types of cottontail. The European rabbit, which has been introduced on every continent except Antarctica, is familiar throughout the world as a wild prey animal and as a domesticated form of livestock and pet. With its widespread effect on ecologies and cultures, the rabbit (or bunny) is, in many areas of the world, a part of daily life-as food, clothing, a companion, and a source of artistic inspiration.")
open('11.7z', 'wb').write(bytearray([i[_] ^ j[_%len(j)] for _ in range(len(i))])) 

The script loads a file from the path in parameter 1, splits it with parameter 2, and XORs it with what appears to be the Wikipedia entry of Leporidae.

If we look at the original image in the hex editor, we find the string "breadbread" at the end of the PNG part of the file (IEND tag). Also the Hint had said "breadbread is a good egg".

So we start the script with the following command:

python .\11.py bfd96926-dd11-4e07-a05a-f6b807570b5a.png breadbread

and get an 11.7z output, which can be unpacked without problems. It contains some files which seem to be Docker images. Most interesting is the image containing breads home folder and a kind of docker log file containing the commands to create the image. In this file we find these commands:

cp /tmp/t/bunnies12.jpg bunnies12.jpg
steghide embed -e loki97 ofb -z 9 -p \"bunnies12.jpg\\\\\\\" -ef /tmp/t/hidden.png -p \\\\\\\"SecretPassword\" -N -cf \"bunnies12.jpg\" -ef \"/tmp/t/hidden.png\"
mkdir /home/bread/flimflam
xxd -p bunnies12.jpg \u003e flimflam/snoot.hex \u0026\u0026 rm -rf bunnies12.jpg
split -l 400 /home/bread/flimflam/snoot.hex /home/bread/flimflam/flom
rm -rf /home/bread/flimflam/snoot.hex
chmod 0000 /home/bread/flimflam
apk del steghide xxd

Since we have the output files, we simply undo these commands in the reverse order and get the missing bunny image from the first image and the hidden.png:

Depending on which viewer the QR code is viewed with, it may or may not be legible. It seems to have been made "unreadable" by means of alpha layer. However, the default viewer displays it correctly, and the code can be scanned:


Next Post Previous Post