Voices in the Head — STACK The Flags 2020 Writeup
We found a voice recording in one of the forensic images but we have no clue what’s the voice recording about. Are you able to help?
Please view this Document for download instructions.
This challenge:
- Unlocks other challenge(s)
- Is eligible for Awesome Write-ups Award
- Prerequisite for Mastery Award — ForensicatorHint:
Xiao wants to help. Will you let him help you?
Tools used:
- Audacity
- Tutorialspoint Brainfuck IDE
- Hexed.it
- Xiao
- WinRAR
The Solution, in Short
Use a password encoded in the spectrographic info of the .wav file to extract a .zip file using Xiao. Use stegsolve to extract a different password from said .zip file to access the document inside which contains the flag.
The Solution, in Long
Opening the spectrogram of the given file forensics-challenge-2.wav gives us the following:
Decoding the base64 in the file using an online decoder gives us a pastebin link, showing some Brainfuck code.
However, running said code greets us with this message:
Well shoot. A dead end. Time to try something else.
From viewing the file in a hex editor, we can note several sections of the file that contain the bytes 0x00 and 0x01, implying that information has been encoded in the least significant bit (LSB) of each byte in the file:
Running an LSB analysis on the file (using a modified version of the code from this medium post) reveals the text “This is it”. We’re on the right track.
Using Xiao, an image steganography program, we try to extract the encoded file from the .wav, but this only yields gibberish and a non-functional .zip file. We can confirm this by viewing the output in a hex editor, showing that the first two bytes of the .zip file have been scrambled.
However, it is possible that this is because we have not given Xiao the appropriate password required to properly extract this file. This much is implied in the free hint given in the challenge description, made public partway through the competition.
We don’t really have much to go off of for a password. The only plaintext string the challenge has given us so far would be “thisisnottheflag” from the spectrograph, which luckily, works in giving us an openable .zip file.
However, access to the document is prohibited by another, different password.
Trying “thisisnottheflag” doesn’t unlock the document, and neither do other strings related to the challenge (e.g. the name of the user who posted the pastebin, “starrystarsisme”). It isn’t likely that the original .wav file contains this password along with the others either, considering two separate modes of steganography were already applied to it. So either the password’s probably hidden in this new .zip file, or we’re not supposed to access this document at all.
Putting this new .zip into a hex editor confirms our hunch:
Since the STACK the Flags website refuses to accept this string as our flag, we can assume it’s probably the password to retrieving the document, which it turns out, it is!
