Bad kitty

SANS National CTF Tournament 2021 - File Medium #2

November 13, 2021

This CTF is introduced with the following description:

"Something has gone wrong with the police department's modern new photo ID system. Here we’ve got a photo ID of our latest suspect but the ID appears to have vanished, can you find it?"

The file can be downloaded here.

This CTF was not hard, but I loved the picture and the idea behind it.
I will propose two different solutions for this CTF.

First, it's always a good idea to start with a quick review of the EXIF data using exiftool.

					
user@kali:~/Documents/SANS CTF/FM02$ exiftool cat-photo-id.jpg
ExifTool Version Number         : 12.32
File Name                       : cat-photo-id.jpg
Directory                       : .
File Size                       : 281 KiB
File Modification Date/Time     : 2020:09:02 18:00:03+02:00
File Access Date/Time           : 2021:11:13 21:22:58+01:00
File Inode Change Date/Time     : 2021:10:28 12:24:16+02:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 240
Y Resolution                    : 240
Image Width                     : 800
Image Height                    : 751
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 800x751
Megapixels                      : 0.601
					

Well, the information we want is not in the EXIF data. It is always worth a try, though.
It's time to bring out the big guns of steganography:

I will start with the lesser-known Stegsolve, since using foremost is like using a cheat code ;)

Solution using Stegsolve:

More information on Stegsolve.

					
user@kali:~/Documents/SANS CTF/FM02$ java -jar Stegsolve.jar 

					

Stegsolve

Click on the arrow to show the second frame.

Stegsolve

Solution using Foremost:

More information on Foremost.
Here it's easy-peasy: run foremost, specifying the file type to carve (-t jpg) and the input file itself (-i).

					
user@kali:~/Documents/SANS CTF/FM02$ foremost -t jpg -i cat-photo-id.jpg -v
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Mon Nov 15 20:29:46 2021
Invocation: foremost -t jpg -i cat-photo-id.jpg -v 
Output directory: /home/user/Documents/SANS CTF/FM02/output
Configuration file: /etc/foremost.conf
Processing: cat-photo-id.jpg
|------------------------------------------------------------------
File: cat-photo-id.jpg
Start: Mon Nov 15 20:29:46 2021
Length: 281 KB (287750 bytes)
 
Num      Name (bs=512)         Size      File Offset     Comment 

0:      00000000.jpg         135 KB               0      
1:      00000270.jpg         145 KB          138335      
*|
Finish: Mon Nov 15 20:29:46 2021

2 FILES EXTRACTED

jpg:= 2
------------------------------------------------------------------

Foremost finished
user@kali:~/Documents/SANS CTF/FM02$ ls
cat-photo-id.jpg  output
user@kali:~/Documents/SANS CTF/FM02$ cd output/jpg
user@kali:~/Documents/SANS CTF/FM02/output/jpg$ ls
00000000.jpg  00000270.jpg
					

Stegsolve
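
Foremost finds two JPEGs here because a second image was simply appended after the end of the first one. The following added example (not part of the original write-up, and not foremost's own code) shows how to detect that layout by walking the JPEG marker structure instead of searching for the first FF D9, which can also occur inside a metadata segment. The function names and the sample bytes are assumptions made for this illustration; the sample is constructed and is not the challenge file.

```python
import struct

def jpeg_end(data, start=0):
    """Return the offset just past the EOI marker of the JPEG at `start`."""
    if data[start:start + 2] != b"\xff\xd8":
        raise ValueError(f"no SOI marker at offset {start}")
    pos = start + 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the image ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                            # markers without a length field
        if pos + 2 > len(data):
            break
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # skip the segment
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF00 is a stuffed data byte, FFD0-FFD7 are restart markers
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def split_images(data):
    """Return (offset, size, kind) for every blob in a file of stacked images."""
    parts, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 2] != b"\xff\xd8":
            parts.append((pos, len(data) - pos, "unknown"))
            break
        end = jpeg_end(data, pos)
        parts.append((pos, end - pos, "jpeg"))
        pos = end
    return parts

def fake_jpeg(scan):
    """Constructed, marker-valid (not decodable) JPEG; APP0 holds a decoy FFD9."""
    app0 = b"\xff\xe0" + struct.pack(">H", 8) + b"JF\xff\xd9IF"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

SAMPLE = fake_jpeg(b"\x12\xff\x00\x34") + fake_jpeg(b"\x56\xff\xd0\x78")

if __name__ == "__main__":
    for offset, size, kind in split_images(SAMPLE):
        print(f"{kind:8} offset={offset:<4} size={size}")
```

To check a real file, pass the bytes from open(path, "rb").read() to split_images; more than one entry means something follows the first image's EOI marker.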

That wasn't hard work, but it was fun!

Anyway, whoever created this picture: Beautiful work!