
Solving Retro Flag 4 the Wrong Way

ollvirt2 · 2021-12-15 · 7 min read

Retro is a series of challenges centered on a misleading Windows XP virtual machine made for VMware. I'll be addressing flag 4 in particular (which sits close to flag 3). For this portion of the challenge, I used the kernel-level nbd driver together with qemu-nbd to access the virtual disk without having to boot the machine. I'll cover the steganography approach to the problem as well as my actual approach. To solve flag 4 my way, you'll need the popular TestDisk data recovery program. I also recommend the utility ripgrep, since it makes recursive regex search over a directory tree extremely simple (and fast). Let's get started!

Opening the Virtual Disk without VMWare

Since we won't need to power on the VM, we need a way to mount the virtual disk directly. You'll need qemu installed first. With the nbd kernel module loaded (run sudo modprobe nbd), qemu-nbd can expose the virtual disk to us as a block device.

$ sudo qemu-nbd -c /dev/nbd0 /path/to/Ubuntu-20.04-x86_64.vmdk

There should now be a partition /dev/nbd0p1 available to mount. You will need an NTFS driver for this. Mount that partition at a location of your choice (sudo mount /dev/nbd0p1 /path/to/mount/point). If all goes according to plan, there should be a bunch of Windows files on the partition, from which you may extract the particular image we need.

The Steganography Approach

The only thing you'll need for this part of the challenge is this picture of the German flag, located at "/Program Files/Apache Group/Apache/htdocs/flag.PNG", where the root is your chosen mount point. If you instead booted the machine, this file is hidden. Starting Apache and navigating to the German translation of the index page will allow you to access it, or you can simply unhide the file.

German flag containing CTF flags 3 and 4

Flag 3 is obvious; it's written at the bottom of the image. Flag 4, however, is hidden with steganography. Load the image into StegOnline and click "Browse Bit Planes". You should notice that the Red 0 bit plane contains a bunch of seemingly random pixels strewn about. Note the cluster at the very top. The Green 0 and Blue 0 bit planes are similar, though the Green 0 bit plane does not have the same cluster. So, by navigating to "Extract Files / Data", checking both Red 0 and Blue 0, and pressing "Go", we get the flag.
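As an added example (not code from the writeup or from StegOnline), here is the bit-plane embed/extract step in Python on a constructed striped image standing in for flag.PNG. It assumes StegOnline's usual read order (pixel by pixel, selected channels in R, G, B order, MSB first within each byte) and adds a per-row density check that shows why the cluster at the top of the Red 0 plane stands out from the flat stripes around it.

```python
# Added example: LSB steganography on a constructed RGB image (lists of [r, g, b]).
CHANNEL = {"r": 0, "g": 1, "b": 2}

def make_flag_image(width, height):
    """Constructed stand-in for flag.PNG: black, red and gold horizontal stripes."""
    stripes = [(0, 0, 0), (221, 0, 0), (255, 206, 0)]
    return [list(stripes[(y * 3) // height]) for y in range(height) for _ in range(width)]

def embed_lsb(pixels, data, channels="rb", bit=0):
    """Write `data` into bit plane `bit` of the chosen channels, row-major, MSB first.
    Read order is assumed to match StegOnline: pixel by pixel, channels in R,G,B order."""
    idx = [CHANNEL[c] for c in channels]
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    slots = [(p, ch) for p in range(len(pixels)) for ch in idx]
    if len(bits) > len(slots):
        raise ValueError("message does not fit in the selected bit planes")
    for (p, ch), b in zip(slots, bits):
        pixels[p][ch] = (pixels[p][ch] & ~(1 << bit)) | (b << bit)
    return pixels

def extract_lsb(pixels, channels="rb", bit=0):
    """Read bit plane `bit` of the chosen channels back into bytes, in the same
    order as embed_lsb (what 'Extract Files / Data' does with Red 0 and Blue 0 ticked)."""
    idx = [CHANNEL[c] for c in channels]
    bits = [(pixels[p][ch] >> bit) & 1 for p in range(len(pixels)) for ch in idx]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))

def row_density(pixels, width, row, channel="r", bit=0):
    """Fraction of set bits in one row of a bit plane. Rows of a flat-coloured image
    come out as exactly 0.0 or 1.0; rows carrying embedded data land in between,
    which is the 'cluster at the very top' visible in the Red 0 plane."""
    ch = CHANNEL[channel]
    start = row * width
    return sum((pixels[p][ch] >> bit) & 1 for p in range(start, start + width)) / width

if __name__ == "__main__":
    img = embed_lsb(make_flag_image(64, 30), b"ctf{constructed sample}\x00")
    print(extract_lsb(img).split(b"\x00")[0])
    for r in range(4):
        print(r, row_density(img, 64, r, "r"), row_density(img, 64, r, "g"))
```

The first rows of the Red 0 plane read as a mix of ones and zeros while the untouched Green 0 plane stays flat, which is exactly the asymmetry that tells you which planes to tick.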

The Wrong Way

That's not how I solved it during the competition, however. Unmount the partition but keep /dev/nbd0 available, because we're about to do some data recovery.

First things first, let's open TestDisk, a popular data recovery tool, on our first (and only) partition.

$ sudo testdisk /dev/nbd0p1

Select "Proceed", then "None" regarding the partition table, and finally "Undelete". This should present a ton of deleted files. Press "a" to select all files, shift+"c" ("C") to copy all selected files, and then choose a (preferably empty) directory by navigating with Enter and pressing "C" once again. TestDisk will get to work immediately. Once finished, exit TestDisk, navigate to the directory containing the files, and search for "ctf" in all of them. I used ripgrep as below.

$ sudo rg ctf
818e58.rbf
1:AwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","principalToInherit_base64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","triggeringPrincipal_base64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","docIdentifier":110,"structuredCloneState":"AgAAAAAA8f8AAAAACAD//wwAAIAEAP//bmF2aWdhdGlvbklkAAAAAAEAAAADAP//AAAAABMA//8=","structuredCloneVersion":8,"persist":true},{"url":"https://stegonline.georgeom.net/image","title":"StegOnline","charset":"UTF-8","ID":104,"docshellID":103,"triggeringPrincipal_b64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","principalToInherit_base64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","triggeringPrincipal_base64":"ZT4OTT7kRfqycpfCC
8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","docIdentifier":110,"structuredCloneState":"AgAAAAAA8f8AAAAACAD//wwAAIAEAP//bmF2aWdhdGlvbklkAAAAAAIAAAADAP//AAAAABMA//8=","structuredCloneVersion":8,"persist":true},{"url":"https://stegonline.georgeom.net/embed","title":"StegOnline","charset":"UTF-8","ID":105,"docshellID":103,"triggeringPrincipal_b64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","principalToInherit_base64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","triggeringPrincipal_base64":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAIGh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAABAAAAHwAAAAEAAAAfAAAAAQAAACAAAAAAAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA==","docIdentifier":110,"structuredCloneState":"AgAAAAAA8f8AAAAACAD//wwAAIAEAP//bmF2aWdhdGlvbklkAAAAAAMAAAADAP//AAAAABMA//8=","structuredCloneVersion":8,"persist":true}],"lastAccessed":1637384562834,"hidden":false,"attributes":{},"userContextId":0,"index":7,"scroll":{"scroll":"0,90"},"formdata":{"id":{"r0":true,"b0":true},"xpath":{"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-roo
t']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:*[local-name()='lsb-settings']/xhtml:div/xhtml:div/xhtml:select":{"selectedIndex":0,"value":"Row"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:*[local-name()='lsb-settings']/xhtml:div/xhtml:div[2]/xhtml:select":{"selectedIndex":0,"value":"MSB"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:*[local-name()='lsb-settings']/xhtml:div/xhtml:div[3]/xhtml:select":{"selectedIndex":0,"value":"r"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:*[local-name()='lsb-settings']/xhtml:div/xhtml:div[3]/xhtml:select[2]":{"selectedIndex":1,"value":"g"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:*[local-name()='lsb-settings']/xhtml:div/xhtml:div[3]/xhtml:select[3]":{"selectedIndex":2,"value":"b"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:*[local-name()='lsb-settings']/xhtml:div/xhtml:div[4]/xhtml:select":{"selectedIndex":1,"value":"No"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:div/xhtml:select":{"selectedIndex":0,"value":"Text"},"/xhtml:html/xhtml:body/xhtml:*[local-name()='app-root']/xhtml:div/xhtml:*[local-name()='app-embed-menu']/xhtml:div[2]/xhtml:div/xhtml:textarea":"ctf{ich bin auch die 
flagge!}"},"url":"https://stegonline.georgeom.net/embed"},"image":"https://stegonline.georgeom.net/favicon.ico","iconLoadingPrincipal":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYB3pRy0IA0EdOTmQAQS6D9QJIHOlRteE8wkTq4cYEyCMYAAAAC/////wAAAbsBAAAAJmh0dHBzOi8vc3RlZ29ubGluZS5nZW9yZ2VvbS5uZXQvdXBsb2FkAAAAAAAAAAUAAAAIAAAAFwAAAAj/////AAAACP////8AAAAIAAAAFwAAAB8AAAAHAAAAHwAAAAcAAAAfAAAAAQAAACAAAAAGAAAAIP////8AAAAA/////wAAAB//////AAAAH/////8BAAAAAAAAAAAAAQAAAAAAAA=="}],"selected":2,"_closedTabs":[],"width":1280,"height":945,"screenX":273,"screenY":45,"sizemode":"normal","cookies":[{"host":".youtube.com","value":"vUY7GL_YyWA","path":"/","name":"YSC","secure":true,"httponly":true,"originAttributes":{"addonId":"","appId":0,"firstPartyDomain":"","inIsolatedMozBrowser":false,"privateBrowsingId":0,"userContextId":0}}],"title":"StegOnline","closedAt":1637384562838,"closedId":6},{"tabs":[{"entries":[{"url":"about:home","title":"Mozilla Firefox Start Page","charset":"","ID":94,"docshellID":100,"triggeringPrincipal_base64":"SmIS26zLEdO3ZQBgsLbOywAAAAAAAAAAwAAAAAAAAEY=","docIdentifier":100,"persist":true}],"lastAccessed":1637382954206,"hidden":false,"attributes":{},"userContextId":0,"index":1,"image":"chrome://branding/content/icon32.png","iconLoadingPrincipal":"ZT4OTT7kRfqycpfCC8AeuAAAAAAAAAAAwAAAAAAAAEYBLyd8AA6vTdu5NkEya6SKrpIHOlRteE8wkTq4cYEyCMYAAAAABWFib3V0AAAABGhvbWUAAODaHXAvexHTjNAAYLD8FKOSBzpUbXhPMJE6uHGBMgjGAAAAAA5tb3otc2FmZS1hYm91dAAAAARob21lAAAAAAAAAAAA"}],"selected":1,"_closedTabs":[],"width":1280,"height":945,"screenX":516,"screenY":46,"sizemode":"normal","title":"Mozilla Firefox Start Page","closedAt":1637382954208,"closedId":5}],"session":{"lastUpdate":1637388880190,"startTime":1637381431468,"recentCrashes":0},"global":{},"lastSessionState":{"version":["sessionrestore",1],"windows":[{"tabs":[{"entries":[{"url":"https://www.mozilla.org/en-US/firefox/52.9.0/firstrun/","title":"Welcome to 
Firefox","charset":"UTF-8","ID":4,"docshellID":8,"originalURI":"https://www.mozilla.org/en-US/firefox/52.9.0/firstrun/","triggeringPrincipal_base64":"SmIS26zLEdO3ZQBgsLbOywAAAAAAAAAAwAAAAAAAAEY=","docIdentifier":4,"persist":true}],"lastAccessed":1637380725924,"hidden":false,"attributes":{},"userContextId":0,"index":1,"image":"https://www.mozilla.org/media/img/favicons/firefox/browser/favicon.f093404c0135.ico","iconLoadingPrincipal":"

There it is, in the middle of this browser cache file. The creator of the challenge used Firefox within the VM to perform the steganography, and deleted the cache later. Since it wasn't written over, we have the flag in the data stored by Firefox.
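As an added example (not from the writeup), here is a binary-safe Python equivalent of the rg step, run over a constructed stand-in for TestDisk's output directory. It goes beyond what the writeup did by also decoding base64 runs, since much of the recovered session data is stored that way; the file names and contents below are constructed, with one name borrowed from the rg output above.

```python
# Added example: scan recovered files for flag-shaped strings, raw and base64-decoded.
import base64
import os
import re
import tempfile

FLAG_RE = re.compile(rb"ctf\{[^}]{1,200}\}", re.IGNORECASE)   # [^}] also spans newlines
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")               # candidate base64 runs

def find_flags(root):
    """Walk `root` and return sorted (relative path, where, flag) for every match."""
    hits = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:        # bytes: recovered files are often binary
                data = fh.read()
            for m in FLAG_RE.finditer(data):
                hits.add((rel, "raw", m.group(0).decode("latin-1")))
            for blob in B64_RE.findall(data):
                try:
                    decoded = base64.b64decode(blob, validate=True)
                except ValueError:              # wrong length or padding: not base64
                    continue
                for m in FLAG_RE.finditer(decoded):
                    hits.add((rel, "base64", m.group(0).decode("latin-1")))
    return sorted(hits)

def build_sample_dir(root):
    """Constructed stand-in for TestDisk's output directory (not real recovered data)."""
    session = (b'{"formdata":{"id":{"r0":true,"b0":true},"xpath":{"/xhtml:html/textarea":'
               b'"ctf{constructed flag}"},"url":"https://stegonline.georgeom.net/embed"}')
    encoded = b'"payload":"' + base64.b64encode(b"note: ctf{constructed base64 flag}") + b'"'
    with open(os.path.join(root, "818e58.rbf"), "wb") as fh:   # name borrowed from the writeup
        fh.write(b"\x00\xff" + session + b"\x00" * 16)
    with open(os.path.join(root, "f00d.rbf"), "wb") as fh:
        fh.write(encoded)
    with open(os.path.join(root, "noise.bin"), "wb") as fh:    # no flag, plus a fake base64 run
        fh.write(bytes(range(256)))

def demo():
    """Build the constructed directory in a temporary location and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        return find_flags(root)

if __name__ == "__main__":
    for rel, where, flag in demo():
        print(f"{rel}\t{where}\t{flag}")
```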

Real-world Application

Steganography is a useful skill for exchanging information privately without drawing suspicion in the ways that cryptography does. By hiding in plain sight, such data avoids the more obvious appearance of encrypted information. More realistically, however, data recovery is often an essential skill. Drives fail at inopportune times, and a mistyped dd or rm command can be devastating. In fact, I learned how to use TestDisk following an accidental rm -rf /home, and it was thankfully able to salvage some of my personal data. Recovery tools are critical, especially if you run out of backups.

Thanks for reading!

2021 © ollvirt2 | Built on Zola