Friday, February 15, 2019

Image Steganography and Cryptography - Cal Poly FAST CTF Challenge 3

File: file3.png https://raw.githubusercontent.com/mfput/CTF-Questions/master/file3.png
Question: Nothing unusual about a FAST logo right! Format: "FASTCTF{FLAG}"
Hint: Ave, True to Ceaser. There also appears to be some low level genin jutsu at play…
Answer: FASTCTF{HIDDEN FLAG}

Challenge 3 sees the FAST logo being used unusually. Similar to the first challenge, this challenge has some traces of steganography, but they can be detected easily. Running strings shows nothing out of the ordinary. The Linux tool binwalk, which finds files hidden within other files, reveals that there is an archive inside this image.

binwalk file3.png


Binwalk finds that there is an archive and another PNG image inside the image. In Windows you can even extract the file out of the image by using 7-Zip.



With binwalk you can then extract the files with the -e flag.

binwalk file3.png -e

This creates a “_file3.png.extracted” directory. The most important file is the second FAST logo that was hidden inside the first one.



Running strings on this image gives an interesting result: the end of the file appears to be the encoded flag.




This is where the hint comes in. “Ave, true to Caesar” is a popular quote from the video game Fallout: New Vegas. Caesar also famously used a shift cipher now known as the Caesar cipher; its rot13 variant shifts the alphabet by 13 characters. We can paste this encoded text into a rot13 decoder (www.rot13.com) and see the result.



The result is still a jumbled mess. If you kept shifting the cipher to rot14, rot15 and so on, you would have gone down the wrong path: the rot13 output is the correct intermediate result. Now the second part of the hint makes more sense - “There appears to be some genin level jutsu at play”. For anyone who watched Naruto, genin are the lowest ranked ninja and only know a couple of jutsus. If you guessed shadow clone jutsu you were wrong; it is a reference to substitution jutsu. A substitution cipher substitutes one character for another, like rot13. The rot13 output has been further encoded with a mixed-alphabet substitution cipher, so we will have to manually swap out each character for the correct one. There is an easy to use substitution cipher decoder at http://substitution.webmasters.sk/simplesubstitution-cipher.php. Using this, we can find the flag.



First let’s look at our encoded message “BCY KYF IQ RIGCB ZOQBVBZ{CIDDYN ZTOG}”. As stated by the challenge, the flag should be in the format “FASTCTF{FLAG}”. Given this, we should try substituting “ZOQBVBZ” for “FASTCTF”.



Once decoded, the flag is becoming more legible. All we have to do now is keep swapping characters until we have a correct sentence. This decoder also does a frequency analysis of the letters used. “Y” is the most frequent letter in the sentence. In English text, “E” is the most commonly used letter, so we should try swapping “Y” for “E”.

Eventually, you would have discovered all of the substitutions.

B = T
C = H
F = Y
O = A
Q = S
T = L
V = C
Y = E
Z = F



Now we can see our decoded text, and see that FASTCTF{HIDDEN FLAG} was the flag.
No steganography tools were used to create this challenge. Originally, a text document containing the cipher text was appended to a PNG image of the FAST logo from the command prompt. Then the PNG was zipped into a .zip archive, and this archive was combined with another FAST PNG, again from the command prompt. You can perform this action with the Windows command prompt with the following command:

copy /B picture.png + Archive.zip picture_with_Archive_inside.png

The same process was done to combine the text document with the picture.
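Because a binary copy like this simply appends the archive after the PNG's IEND chunk, the trailer can be spotted without binwalk. The following Python script is an added example (not from the original post): it walks the PNG chunk structure, reports whatever follows IEND, and lists the archive members if that trailer is a ZIP. The sample PNG and archive are constructed inside the script.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk the PNG chunks and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_data(data):
    """Bytes appended after IEND, i.e. what 'copy /B a.png + b.zip' leaves behind."""
    return data[png_end_offset(data):]


def carve_zip(data):
    """If a ZIP archive follows IEND, return its member names, otherwise None."""
    tail = trailing_data(data)
    if not tail.startswith(b"PK\x03\x04"):  # ZIP local file header signature
        return None
    with zipfile.ZipFile(io.BytesIO(tail)) as zf:
        return zf.namelist()


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample():
    """Constructed sample: a minimal 1x1 greyscale PNG, clean and with a ZIP appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logo.png", b"placeholder, not a real image")
    return png, png + buf.getvalue()


if __name__ == "__main__":
    clean, stuffed = build_sample()
    print("trailer bytes in clean file:", len(trailing_data(clean)))
    print("archive members hidden in stuffed file:", carve_zip(stuffed))
```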

Sunday, February 10, 2019

Viewing Exif Data - Cal Poly FAST CTF Challenge 2


Question: This is a generic picture. What is the exposure time of this photograph?
Hint: Exiftool may be of some use.
Answer: 1/200



To someone who knows nothing about Exif data, trying to infer an exposure time from a photograph sounds ridiculous. However, this very information is stored in Exif data. Exif data is metadata that digital cameras, smartphones, and scanners write into JPG, TIFF, or WAV files when creating them. This metadata can even sometimes include GPS coordinates. As the hint explains, Exiftool can be used to view this metadata (https://sno.phy.queensu.ca/~phil/exiftool/). Run Exiftool with no options, passing only the path to the file.





Among so much more information that was cut off from this screenshot, we can see the exposure time was 1/200.