[TUCTF 2017] Misc – Gr8 Pictures (50 points)

Gr8 Pictures

Files: flag.png flag50As.png gr8pic.py


To decrypt the hidden message from the flag.png picture we will need to find out how the service running on gr8pics.tuctf.com:4444 encrypts the provided text message within the picture. By messing around with the service we find out out that we need to provide exactly 50 bytes to receive back a base64 string which contains the picture with our message encrypted. So let’s try to provide 50 A’s for a message and see how it goes :-

$ python -c "print 'A'*50" | nc gr8pics.tuctf.com 4444 | base64 -d > flag50As.png

The flag50As.png received picture has the same size and looks the same as the flag.png. So let’s run a binary diff to these images :-

The results from the binary diff are clear enough. We can see that from the offset 0×335371 with step 8 bytes for 50 bytes we have all the differences. But how can we decrypt the hidden message? This requires some guessing… So we provided 50 A’s (0×41) and at the first position we got 0×08, what if the XOR operation of those give us the key to decrypt all the encrypted messages for any picture? By trying this chr( (0×41 ^ 0×08) ^ (0x1d) ) give us the letter ‘T’ -the first letter for the flag- so let’s write some python code to get the flag!



for i in range(0x335371,0x335371+(8*50),8):
	flag += chr(ord(f1[i:i+1]) ^ ord(f2[i:i+1]) ^ ord('A'))

print flag

# TUCTF{st3g@n0gr@phy's_so_c00l,No0ne_steals_my_msg}

Leave a Reply



November 29th



© 2018 SuRGeoNix | Security Blog