Google CTF - A Cute Stegosaurus (Steg)

This was one of the interesting and definitely the most time-consuming CTF challenges that I have played. We are given a pcap file named stego.pcap. We opened the pcap file in the Wireshark packet analyser.

In packet number four we can find that there is an HTTP object called message.png.

Hence this image could be obtained by exporting the HTTP objects from Wireshark.

After exporting the objects we will get a PNG image of a stegosaurus.

Since our challenge is a steganographic challenge, and also this image is that of a stegosaurus, we believed that this image surely contained the flag. Our belief was again strengthened by a timely clue by the admin saying that the clue is inside the image name itself: “A cute stegosaurus”. We tried for many hours to get any kind of flag from the image, but all our efforts were in vain. Finally we understood that the image does not contain anything, hence we resumed staring at the pcap file.

When we asked this query to the admin, they again responded by saying “The clue is in the image”. We now understood that the clue was not stegosaurus, hence this will be “A cute”, but we did not know how to find anything based on cute in Wireshark. After some time we came up with the answer that it was not “A-cute” but Acute. So Acute had something to do with the plan. We tried searching Wireshark for any fields relating to acute, but there were no fields in Wireshark that had the name acute.

After some time the admins released another clue saying to look on TCP flags. That’s when everything changed.

On looking at the TCP flags we can find various bit fields (Reserved, Congestion Window Reduced and other bits), but still there was nothing related to acute. Actually there was: if one looks closely, we can find that “urgent” is actually a synonym of acute, so the flag was related to the urgent bit. So we checked the values in the corresponding urgent pointer. If we parse through the pcap file we can find that for the packets of length we find that the value of the urgent pointer is not zero. Hence we started from the first, looking at the ASCII values of the urgent pointer, and fortunately while parsing through the first few packets we got the flag:

CTF{And_You_Thought_It_was_In_ The_Picture}

Yes, for hours we thought it was in the picture :)

All our teammates enjoyed playing the CTF a lot. A good CTF, and thank you to all the admins for providing good hints; without them we would not have been able to solve the problem.
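
The urgent-pointer read described above can be scripted instead of clicked through in Wireshark. The following is an added example, not code from the original post: it parses a classic pcap file with the standard library only, pulls the 16-bit urgent pointer out of every IPv4/TCP header, and joins the non-zero values as ASCII. The function names and the in-memory sample capture are constructed for illustration; the extra report of packets whose URG flag is clear is an addition based on the TCP rule that the pointer is only meaningful when URG is set, and the post does not say how that flag was set in the challenge capture.

```python
import struct

def build_pcap(urg_values):
    """Constructed sample capture: one Ethernet/IPv4/TCP packet per value."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    for i, urg in enumerate(urg_values):
        eth = b"\x00" * 12 + b"\x08\x00"                    # EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, i, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        # flags 0x10 = ACK only: URG stays clear although the pointer is set
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, i, 0, 0x50, 0x10, 8192, 0, urg)
        frame = eth + ip + tcp
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def urgent_pointers(pcap):
    """Yield (packet_no, urgent_pointer, urg_flag_set) per IPv4/TCP packet."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off, no = 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        no += 1                                             # 1-based, like Wireshark
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4                   # skip IP options
        if len(frame) < tcp + 20:
            continue                                        # truncated TCP header
        urg = struct.unpack_from("!H", frame, tcp + 18)[0]
        yield no, urg, bool(frame[tcp + 13] & 0x20)

def decode_channel(pcap):
    """Return (ASCII text from non-zero pointers, packets with URG clear)."""
    rows = [r for r in urgent_pointers(pcap) if r[1] != 0]
    text = "".join(chr(u) for _, u, _ in rows if u < 128)
    return text, [no for no, _, flag in rows if not flag]

if __name__ == "__main__":
    sample = build_pcap([0, ord("d"), 0, ord("e"), ord("m"), ord("o")])
    print(decode_channel(sample))
```

To run it on a real capture, pass the file's bytes to `decode_channel`; pcapng files need converting to classic pcap first.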
