NozZy
Writeups Articles Tags Categories ./aboutme
NozZy

Contents

Silent Hill 2

 included in Writeups Midnight Flag 2024
   490 words   3 minutes 

Midnight Flag 2024 - Silent Hill 2

Category

Steganography

Description

by memory

retrouve le flag lol

Files

Silent_hill_2.png

Difficulty

  • Author: kuorashi

Write up

Aperisolve

Putting the file on Aperisolve helps us find the entry point:

/posts/silent_hill_2/img.png

It really looks like there is som LSB hidden in 3 bits in the two corners. We can suppose there is the same on the bottom left, but is not easily visible.

It appears for the three colors, so there might be LSB 3-Bits RGB

Looking even closer, let us find that:

/posts/silent_hill_2/img_1.png

There is also a LSB 3-bits RGB for this corner as well, but really smaller.

Let’s cut our image in for equal images:

from PIL import Image
img = Image.open('Silent_hill_2.png')
w, h = img.size
img.crop((0, 0, w//2, h//2)).save('split1.png')
img.crop((0, h//2, w//2, h)).save('split2.png')
img.crop((w//2, 0, w, h//2)).save('split3.png')
img.crop((w//2, h//2, w, h)).save('split4.png')

/posts/silent_hill_2/img_2.png

Stegonline

It’s now time to recover data. I used Stegonline, because of its flexibility in LSB :

/posts/silent_hill_2/img_3.png

Using the split3, we can easily see the data sing the three least significant bits:

Speak. I am the Crimson One.

The lies and the mist are not they but I. You all know that I am one. Yes, and the One is I.

Believers hearken to me! Twenty score men and seven thousand beasts. Heed my words and speaketh them to all, that they shall ever be obeyed even under the light of the proud and merciless sun.

I shall bring down bitter vengeance upon thee and thou shalt suffer my eternal wrath.

The beauty of the withering flower and the last struggles of the dying man, they are my blessings.

Thou shalt ever call upon me and all that is me in the place that is silent.

Oh, proud fragrance of life which flies towards the heart. Oh Cup which brims with the whitest of wine, it is in thee that all begins.

MCTF{d1D_y

The next part is composed of split2, sing the same bits we recover some base64 data. Cyberchef helps s decode it:

/posts/silent_hill_2/img_4.png 0u_FinD_

The third part is made of split4, once again decoded from base64. But it is not plain text. The string is so big, it looks like a file. However, cyberchef is not able to detect of what kind.

Download it, and use the command file to know what it is :

$ file download.dat
download.dat: MPEG ADTS, layer III, v2,  48 kbps, 24 kHz, Monaural

MPEG file ambedded in a picture of a radio: this is sound

/posts/silent_hill_2/img_6.png

It says : All letter are lowercase : four l l underscore one t three m underscore : 4ll_1t3m_

And the last consists of split1, which also embedd a big base64 string. Cyberchef helps us find the type of data this time: MP4 video /posts/silent_hill_2/img_5.png

h1d3_h3r3_?}

recap
  • Corner top right: text -> MCTF{d1D_y
  • Corner bottom left: base64 -> text -> 0u_FinD_
  • Corner bottom right: base64 -> MPEG file -> 4ll_1t3m_
  • Corner top leftt: base64 -> MP4 file -> h1d3_h3r3_?}
Flag
🚩 MCTF{d1D_y0u_FinD_4ll_1t3m_h1d3_h3r3_?}
Updated on 30-04-2024
 SteganographyImage
Back | Home