Saturday, August 12, 2017

CTF challenge - Qream writeup

This is again a continuation of the writeups for the CTF competition held within the company I work for. This was in the MISC category and worth 300 points.

Questions/Challenge:


There was one file attached to this challenge.

Step 1. Download the file.
Use the Google Drive link within the challenge to download the file.
The file details are:
 Name: qream.7z-6e530127545031e65f8d66a408fe72fc98c7297f3b161fe3c6397e513e06eada  
 Size: 819 bytes  
 SHA256: 6e530127545031e65f8d66a408fe72fc98c7297f3b161fe3c6397e513e06eada  

Step 2. Extract contents.
Inside the .7z file we have one folder:


And inside that folder, one file:


Step 3. Assess the png file:

 Name: qream.png  
 Size: 638 bytes  
 SHA256: fd170f31c761404634420c0a903d097723ec13d8110c0f7ada0fea48031d6d4b  

Let's see if there is anything odd with this file. We will start with the file command to see if it is indeed a PNG.
 file qream.png  


We see that it does indeed have a .png magic number at the start of the file.

Now let us see if there are magic numbers for any other files hidden in it:
 binwalk qream.png  


We see that Zlib compressed data was found, but according to the PNG specification this is normal, because this is how PNGs store image data: https://www.w3.org/TR/PNG-Compression.html

Well, with no leads now, let us just open the image and see what we see.


The image is a QR code.
Scanning it with my phone reveals that it is a URL to an imgur.com link:


Opening this link (https://i.imgur.com/NPwU4xM.png) takes us to another QR code. As the challenge states, this seems like it will be quite a rabbit hole to dig into, with the flag at the end of it.

Step 4. Automate the solution.
Since we do not know how deep this rabbit hole goes, this is a perfect opportunity to automate this task! Off to Python we go!

Below is the code I wrote to first decode a QR code PNG, then fetch the decoded data on the assumption that it is a URL.
The script uses the qrtools library to decode PNG images and extract the data value.

The results of the script are below:

Yes, the script is not perfect and I could have spent more time catching the exception, but when you are trying to solve the problem as fast as possible the means do not matter as long as you reach the goal. You can see in the exception that it could not reach the URL, because it isn't a URL: it is the flag.

flag{QR_Rules_Everything_Around_Me_QREAM}
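
The decode-and-fetch loop from Step 4, as an added example (not the script from the original post): it stops cleanly when the decoded text is not a URL instead of relying on an exception, only follows allow-listed hosts, and caps the chain length. It assumes pyzbar and Pillow in place of qrtools; the hop limit, size limit and host allow-list are assumptions.

```python
import io
import urllib.request
from urllib.parse import urlparse

ALLOWED_HOSTS = {"i.imgur.com"}   # host seen in the writeup; extend as needed
MAX_HOPS = 500                    # assumption: upper bound on chain depth
MAX_BYTES = 1 << 20               # assumption: no QR PNG exceeds 1 MiB

def decode_qr(png_bytes):
    """Decode the first QR code in a PNG (pyzbar + Pillow, an assumption)."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    results = decode(Image.open(io.BytesIO(png_bytes)))
    if not results:
        raise ValueError("no QR code found in image")
    return results[0].data.decode("utf-8", errors="replace")

def fetch(url):
    """Download at most MAX_BYTES from url."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read(MAX_BYTES)

def is_followable(text):
    """True only for http(s) URLs on an allow-listed host."""
    try:
        parts = urlparse(text.strip())
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS

def follow_chain(png_bytes, decode=decode_qr, get=fetch):
    """Decode, fetch, repeat; return (final_payload, urls_visited)."""
    visited = []
    for _ in range(MAX_HOPS):
        payload = decode(png_bytes).strip()
        if not is_followable(payload):
            return payload, visited      # not a URL we follow: end of chain
        if payload in visited:
            raise RuntimeError("loop detected at " + payload)
        visited.append(payload)
        png_bytes = get(payload)
    raise RuntimeError("gave up after %d hops" % MAX_HOPS)

if __name__ == "__main__":
    # Constructed two-hop chain with stub decoder/fetcher so this runs offline.
    qr = {b"A": "https://i.imgur.com/one.png", b"B": "flag{constructed}"}
    web = {"https://i.imgur.com/one.png": b"B"}
    print(follow_chain(b"A", decode=qr.__getitem__, get=web.__getitem__))
```

To run it against the real challenge file, call `follow_chain(open("qream.png", "rb").read())` with the default decoder and fetcher.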