Midnight Flag 2024 - MyFace

Category

Steganography

Description

Description by memory

You will need to find my face to decode our messages

Link

Access to an instantiated website

Difficulty

• Author: TBD

Write up

MyFace

We are given a website, with few messages between two people. The first ones are in plain text, while the two lasts are in base64.

As it was said in the description, they cannot be decoded like this: they are ciphered

The first thing I noticed was the icon of the tab in the browser.

That looks like a… face? I think this is my entry point.

I browsed the default favico.ico and favicon.ico but not found. So we need to take a look at the network tab of the dev tools (F12 or Ctrl + Shift + I)

That’s our image:

¹

Two more images were loaded by the website, but full of false tracks.

The ico is minuscule, cannot hide something in plain color. If something is hidden, it must be inside the bytes at some point.

Binwalk doesn’t give acceptable files. However, I had the idea to put my file in Cyberchef, and see if any intersting result comes out:

A PNG file with a significantly different size has been found, smaller than the one found by binwalk. If we save and open it:

face

We have found a key, and the word ECB, which refers to one of the AES encryption methods.

I like to use this tool to decrypt simple AES inputs, like this:

Which give us the actual plain text:

Ne t'inquiète pas ! J'ai sécurisé la porte avec mon cadenas. Les voyageurs n'auront pas la 0 Day. Au cas où, voici le mot de passe : MCTF{L3_C@DeNas_E5t_L3g3r}