Like Finding a Needle in the Hay Stack

Steganography 500 pts Hard

Challenge Information

  • Challenge Name: Like Finding a Needle in the Hay Stack
  • Category: Steganography
  • Points: 500 pts
  • Teams Solved: 0
  • Description: "The flag is here, I believe, I can hear see it already. Note: A lot of fake flags here, you have been warned."
  • Initial File: absolutely_normal.zip
  • Real Flag: EOF{b3war3_!t$_c0m!ng_f0r_u}

Phase 1: Initial Extraction

Step 1: Extract ZIP Archive

unzip absolutely_normal.zip
# Extracted: absolutely_normal.png (2.5 MB)

Step 2: File Analysis

file absolutely_normal.png
# Output: PNG image data, 1920 x 1080, 8-bit/color RGB, non-interlaced
# Observation: 2.5 MB is plausible for a 1920 x 1080 RGB PNG, so size alone does not rule out appended data

Phase 2: Hunt for Obvious Flags (Fake Flags)

Step 3: String Search for EOF{} Patterns

strings absolutely_normal.png | grep "EOF{"

Flags Found (Both FAKE):

  1. EOF{this_is_not_a_real_flag} ❌ - Obviously fake by its own admission
  2. EOF{F00l'$_3rr@nd} ❌ - Name literally means "Fool's Errand", also appears in MP3 Comment field (double decoy)

Note: These are the "lot of fake flags" mentioned in the challenge description!

Phase 3: Deep Steganography Analysis

Step 4: PNG Structure Examination

hexdump -C absolutely_normal.png | grep -A 5 "IEND"

Critical Discovery: Data exists after the PNG IEND marker (end of PNG). This is a classic steganography technique: appending files to a PNG, which image viewers ignore because they stop parsing at IEND.

Step 5: Binwalk Analysis

binwalk absolutely_normal.png

Output:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1920 x 1080
82096         0x140B0         Zip archive data

Discoveries:

  • ZIP archive at offset 82096
  • PDF file (a.pdf) embedded
  • MP3 audio file embedded ← This is the key!
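To make the "data after IEND" check repeatable without hexdump or binwalk, here is an added example (not part of the original writeup, and not the challenge author's code) that walks the PNG chunk list, verifies each chunk CRC, stops at IEND and reports whatever bytes follow, classifying them by the magic bytes of the file types this challenge appended (ZIP, PDF, MP3). The sample PNG and the appended ZIP header it analyses are constructed inline; the real absolutely_normal.png is not included.

```python
#!/usr/bin/env python3
"""Walk PNG chunks, locate the end of IEND and report any appended bytes (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic bytes for the file types found in this challenge; extend as needed
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"ID3": "mp3 (ID3v2 tag)",
    b"\xff\xfb": "mp3 (MPEG frame)",
}


def png_iend_offset(data):
    """Return the byte offset just past the IEND chunk, walking chunks from the signature."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")


def trailing_data(data):
    """Return (offset, bytes) of anything after IEND; empty bytes if the file ends cleanly."""
    end = png_iend_offset(data)
    return end, data[end:]


def identify(blob):
    """Best-effort label for a trailing blob based on its leading magic bytes."""
    for magic, name in KNOWN_MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def make_chunk(ctype, body):
    """Build one PNG chunk with a correct CRC (used only to construct the sample)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample():
    """Constructed 1x1 RGB PNG with a fake ZIP local-file header appended after IEND."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    png = PNG_SIGNATURE + ihdr + idat + make_chunk(b"IEND", b"")
    return png + b"PK\x03\x04" + b"\x00" * 26 + b"constructed payload"


if __name__ == "__main__":
    sample = build_sample()
    off, extra = trailing_data(sample)
    print(f"IEND ends at {off}; {len(extra)} trailing bytes, looks like: {identify(extra)}")
```

On the real file, `trailing_data(open("absolutely_normal.png", "rb").read())` would give the same offset binwalk reports for the ZIP, and writing `extra` to disk replaces the `dd`/`binwalk -e` step; the CRC check also flags chunks that were edited by hand, which a plain `strings` pass would miss.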

Phase 4: Extract Hidden MP3

Step 6: Extract MP3 from PNG

dd if=absolutely_normal.png of=extracted.mp3 bs=1 skip=82096
# Alternative using binwalk:
binwalk -e absolutely_normal.png

Result:

  • extracted.mp3 successfully extracted
  • Format: MPEG-1 Layer 3
  • Bitrate: 192 kbps
  • Sample Rate: 44.1 kHz
  • Duration: ~1 minute 44 seconds

Step 7: Listen to Audio (Hint Analysis)

Observation: No obvious audio steganography (no morse code, hidden speech, etc.)

The challenge hint: "I can hear see it already" → Metadata, not audio content!

Phase 5: MP3 Metadata Analysis (The Real Flag)

Step 8: Extract All MP3 Metadata

exiftool extracted.mp3

Complete Output:

Title                           : Absolutely Normal
Year                            : 2024
Needle                          : FP.G{.c3x.bs.3_!.u$._d0.n!o.h_.g0.s_v.}
Comment                         : (Audio_Info) EOF{F00l'$_3rr@nd}

CRITICAL FINDINGS:

  1. "Comment" field: EOF{F00l'$_3rr@nd} ❌ - Another fake flag (fool's errand)
  2. "Needle" field: FP.G{.c3x.bs.3_!.u$._d0.n!o.h_.g0.s_v.} ⚠️ - This is suspiciously named "Needle" (challenge is "Finding a Needle in the Haystack"). Obfuscated format suggests encoding.
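A custom field like "Needle" is what exiftool prints for a user-defined ID3v2 text frame (TXXX), where the frame carries a free-form description followed by a value, so it never shows up under the standard tag names that most players check. The following added example (not from the original writeup or the challenge author) builds a minimal ID3v2.3 tag with the same four fields seen in the exiftool output and parses it back, surfacing TXXX frames by their description. It assumes the real file stores "Needle" as a TXXX frame with ISO-8859-1 text; the tag bytes are constructed inline, not taken from extracted.mp3.

```python
#!/usr/bin/env python3
"""Minimal ID3v2.3 tag writer/reader that surfaces user-defined TXXX fields (added example)."""
import struct

FLAG_STRING = "FP.G{.c3x.bs.3_!.u$._d0.n!o.h_.g0.s_v.}"   # value shown by exiftool in the writeup


def synchsafe(n):
    """Encode a 28-bit size as four 7-bit bytes (ID3v2 header size field)."""
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))


def unsynchsafe(b):
    size = 0
    for byte in b:
        size = (size << 7) | (byte & 0x7F)
    return size


def frame(frame_id, body):
    # v2.3 frame header: 4-byte ID, 4-byte big-endian size (not synchsafe), 2 flag bytes
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body


def text_frame(frame_id, text):
    return frame(frame_id, b"\x00" + text.encode("latin-1"))          # 0x00 = ISO-8859-1


def txxx_frame(description, value):
    return frame(b"TXXX", b"\x00" + description.encode("latin-1") + b"\x00" + value.encode("latin-1"))


def comm_frame(description, text, lang=b"eng"):
    return frame(b"COMM", b"\x00" + lang + description.encode("latin-1") + b"\x00" + text.encode("latin-1"))


def build_tag(frames):
    body = b"".join(frames)
    return b"ID3\x03\x00\x00" + synchsafe(len(body)) + body


def build_sample_tag():
    """Constructed tag mirroring the four fields the writeup's exiftool output lists."""
    return build_tag([
        text_frame(b"TIT2", "Absolutely Normal"),        # exiftool shows TIT2 as "Title"
        text_frame(b"TYER", "2024"),                     # exiftool shows TYER as "Year"
        txxx_frame("Needle", FLAG_STRING),               # assumed: custom field is a TXXX frame
        comm_frame("Audio_Info", "EOF{F00l'$_3rr@nd}"),
    ])


def read_tag(data):
    """Return every text field; TXXX frames are keyed by their description (e.g. 'Needle')."""
    if data[:3] != b"ID3" or data[3] != 3:
        raise ValueError("not an ID3v2.3 tag")
    size = unsynchsafe(data[6:10])
    fields = {}
    pos, end = 10, 10 + size
    while pos + 10 <= end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break                                        # reached padding
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 10:pos + 10 + length]
        if body[:1] != b"\x00":
            raise ValueError("only ISO-8859-1 text is handled in this example")
        payload = body[1:]
        if frame_id == b"TXXX":
            desc, _, value = payload.partition(b"\x00")
            fields[desc.decode("latin-1")] = value.decode("latin-1")
        elif frame_id == b"COMM":
            desc, _, value = payload[3:].partition(b"\x00")   # skip 3-byte language code
            fields["Comment"] = value.decode("latin-1")
        elif frame_id.startswith(b"T"):
            fields[frame_id.decode("ascii")] = payload.decode("latin-1")
        pos += 10 + length
    return fields


if __name__ == "__main__":
    for name, value in read_tag(build_sample_tag()).items():
        print(f"{name:<10}: {value}")
```

Dumping every frame, rather than only Title/Artist/Comment, is the habit that matters here: the decoy sits in the standard Comment frame while the real payload sits in a frame whose name only appears once you list the descriptions of the TXXX entries.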

Phase 6: Decode the Real Flag

Step 9: Analyze the Obfuscation

Obfuscated String:

FP.G{.c3x.bs.3_!.u$._d0.n!o.h_.g0.s_v.}

Pattern Analysis:

  • Dots (.) appear to be noise/padding
  • Letters seem shifted (FP.G → EOF?)
  • Numbers and special characters remain unchanged

Step 10: Caesar Cipher Detection

F → E (shift back by 1)
P → O (shift back by 1)
G → F (shift back by 1)

Method: Caesar cipher with +1 shift (each letter moved forward by 1)

Solution: Reverse the shift by -1
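Spotting FP.G → EOF by eye works here, but the same step can be automated: strip the noise characters, try all 26 shifts on the letters only (digits and symbols were left untouched by the obfuscation), and keep the candidates that match the EOF{...} flag format. The example below is added here and is not the writeup's own script; the flag-format regex and the assumption that only "." is noise are mine.

```python
#!/usr/bin/env python3
"""Brute-force the Caesar shift of a noisy ciphertext, keeping only flag-shaped results (added example)."""
import re

# Assumed flag format: EOF{ ... } with no braces or whitespace inside
FLAG_RE = re.compile(r"^EOF\{[^{}\s]+\}$")


def strip_noise(text, noise="."):
    """Drop the padding characters (dots in this challenge)."""
    return "".join(c for c in text if c not in noise)


def shift_letters(text, shift):
    """Shift A-Z/a-z by `shift` (negative to undo); leave digits and symbols unchanged."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def find_flag_candidates(obfuscated, noise="."):
    """Return {shift: plaintext} for every shift whose output looks like a flag."""
    cleaned = strip_noise(obfuscated, noise)
    candidates = {}
    for shift in range(26):
        plain = shift_letters(cleaned, -shift)
        if FLAG_RE.match(plain):
            candidates[shift] = plain
    return candidates


if __name__ == "__main__":
    for shift, flag in find_flag_candidates("FP.G{.c3x.bs.3_!.u$._d0.n!o.h_.g0.s_v.}").items():
        print(f"shift {shift}: {flag}")
```

Because the prefix EOF is fixed, only one shift survives the filter; on a challenge with a longer alphabetic payload the same loop would also expose shifts that happen to produce the prefix but garbage inside, which is why the human leetspeak check in Step 12 still belongs at the end.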

Step 11: Python Decryption Script

#!/usr/bin/env python3

def caesar_decrypt(text, shift=1):
    """Decrypt Caesar cipher by shifting back"""
    result = []
    for char in text:
        if char.isalpha():
            base = ord('A') if char.isupper() else ord('a')
            decrypted = chr((ord(char) - base - shift) % 26 + base)
            result.append(decrypted)
        else:
            result.append(char)
    return ''.join(result)

obfuscated = "FP.G{.c3x.bs.3_!.u$._d0.n!o.h_.g0.s_v.}"
decrypted = caesar_decrypt(obfuscated, shift=1)
cleaned = decrypted.replace('.', '').replace(' ', '')
print(f"Final: {cleaned}")

Final Output:

EOF{b3war3_!t$_c0m!ng_f0r_u}

Step 12: Verify Flag Format

Leetspeak Translation: "Beware, it's coming for you"

  • b3war3 = beware
  • !t$ = it's
  • c0m!ng = coming
  • f0r_u = for you

✅ CONFIRMED: This is the REAL flag!

Summary of All Flags

Flag                           Location                   Type     Method
EOF{this_is_not_a_real_flag}   PNG strings                ❌ Fake  Plaintext decoy
EOF{F00l'$_3rr@nd}             PNG strings + MP3 Comment  ❌ Fake  Double decoy
EOF{b3war3_!t$_c0m!ng_f0r_u}   MP3 "Needle" metadata      ✅ REAL  Caesar cipher +1 shift

Key Insights & Techniques

Why This Challenge Was Clever:

1. Multiple Layers of Deception:

  • 2 obvious fake flags in PNG strings
  • 1 fake flag in MP3 Comment field
  • Real flag hidden in obscure "Needle" metadata field

2. Hint Analysis:

  • "hear see it already" → Audio + Visual = Metadata
  • "Needle in the Haystack" → Look for "Needle" field
  • "A lot of fake flags" → Don't trust obvious findings

3. Encoding Methods:

  • Steganography: Appending MP3 to PNG
  • Obfuscation: Dots as noise
  • Cryptography: Caesar cipher (+1)

Tools Used:

  • unzip - Extract ZIP
  • binwalk - Detect embedded files
  • dd - Extract binary data
  • exiftool - Critical: Read MP3 metadata
  • strings - Find text in binaries
  • Python - Caesar cipher decryption

Final Answer

The REAL flag is: EOF{b3war3_!t$_c0m!ng_f0r_u}

  • Found in: MP3 "Needle" metadata field (exiftool)
  • Encoding: Caesar cipher (+1 shift) with dot noise
  • Translation: "Beware, it's coming for you"

This challenge perfectly demonstrates why reading the hints carefully and not trusting obvious findings is crucial in CTF steganography challenges!