Challenge – Twelve steps of Christmas
On the twelfth day of Christmas my true love sent to me…
twelve rabbits a-rebeling,
eleven ships a-sailing,
ten (twentyfourpointone) pieces a-puzzling,
and the rest is history.
You should definitely give Bread’s famous easy perfect fresh rosemary yeast black pepper bread a try this Christmas!
Todays challenge really takes us down the rabbit hole…
First, let’s look at the Hint. A recipe for a delicious bread – in case we are starving during the challenge we can make a snack. Or is there more? Of course. Chef.
So the source code was put into a Chef online compiler and the output is:
breadbread is a good egg
No idea what to do with it, but let’s keep it in mind.
Next, let’s look at the picture. Typical tools like binwalk or stegsolve are not very helpful, but at least we can quickly find out that there is HTML hidden in the image. Even very far up in a PNG text field. You can even rename the image to the .html extension and open it in the browser!
import sys i = bytearray(open(sys.argv, 'rb').read().split(sys.argv.encode('utf-8') + b"\n")[-1]) j = bytearray(b"Rabbits are small mammals in the family Leporidae of the order Lagomorpha (along with the hare and the pika). Oryctolagus cuniculus includes the European rabbit species and its descendants, the world's 305 breeds of domestic rabbit. Sylvilagus includes 13 wild rabbit species, among them the seven types of cottontail. The European rabbit, which has been introduced on every continent except Antarctica, is familiar throughout the world as a wild prey animal and as a domesticated form of livestock and pet. With its widespread effect on ecologies and cultures, the rabbit (or bunny) is, in many areas of the world, a part of daily life-as food, clothing, a companion, and a source of artistic inspiration.") open('11.7z', 'wb').write(bytearray([i[_] ^ j[_%len(j)] for _ in range(len(i))]))
The script loads a file from the path in parameter 1, splits it with parameter 2, and XORs it with what appears to be the Wikipedia entry of Leporidae.
If we look at the original image in the hex editor, we find the string “breadbread” at the end of the PNG part of the file (IEND tag). Also the Hint had said “breadbread is a good egg”.
So we start the script with the following command:
python .\11.py bfd96926-dd11-4e07-a05a-f6b807570b5a.png breadbread
and get an 11.7z output, which can be unpacked without problems. It contains some files which seem to be Docker images. Most interesting is the image containing breads home folder and a kind of docker log file containing the commands to create the image. In this file we find these commands:
cp /tmp/t/bunnies12.jpg bunnies12.jpg steghide embed -e loki97 ofb -z 9 -p \"bunnies12.jpg\\\\\\\" -ef /tmp/t/hidden.png -p \\\\\\\"SecretPassword\" -N -cf \"bunnies12.jpg\" -ef \"/tmp/t/hidden.png\" mkdir /home/bread/flimflam xxd -p bunnies12.jpg \u003e flimflam/snoot.hex \u0026\u0026 rm -rf bunnies12.jpg split -l 400 /home/bread/flimflam/snoot.hex /home/bread/flimflam/flom rm -rf /home/bread/flimflam/snoot.hex chmod 0000 /home/bread/flimflam apk del steghide xxd
Since we have the output files, we simply undo these commands in the reverse order and get the missing bunny image from the first image and the hidden.png:
Depending on which viewer the QR code is viewed with, it may or may not be legible. It seems to have been made “unreadable” by means of alpha layer. However, the default viewer displays it correctly, and the code can be scanned: