mini-cicada

This challenge threw me off until the author gave out a hint. The challenge gives us a short description and a .ps1 file which, despite the extension, previews and opens like an image.

Acest fisier nu e ceea ce pare. Ce Puzzle Se ascunde 1n spatele fisierului?

This file is not what it seems. What Puzzle Is Hiding Behind The File?

For this challenge we got two hints:

tool folosit pentru a ascunde fisiere ps1 in imagini

tool used to hide ps1 files in images

Extract-PSImage

Searching for Extract-PSImage turns up a GitHub project of that name: a decoder for images produced by Invoke-PSImage, the tool that hides a PowerShell script in the low bits of an image's pixels. Running it against the file extracts the embedded data:

PS C:\Users\Cshark\Desktop\Extract-PSImage-master\Extract-PSImage-master> Extract-Invoke-PSImage -Image .\cicada.ps1 -out da.ps1
[Oneliner to extract embedded payload]
sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g=a System.Drawing.Bitmap("C:\Users\Cshark\Desktop\Extract-PSImage-master\Extract-PSImage-master\cicada.ps1");$o=a Byte[] 1382400;(0..719)|%{foreach($x in(0..1279)){$p=$g.GetPixel($x,$_);$o[$_*1280+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();[System.Text.Encoding]::ASCII.GetString($o[0..1382399])|Out-File $Out
[First 50 characters of extracted payload]
[Byte[]] $encrypted = 0x46,0x11,0x40,0xc,0x5f,0x47
PS C:\Users\Cshark\Desktop\Extract-PSImage-master\Extract-PSImage-master>
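To make the one-liner's arithmetic concrete, here is an added example (my code, not the Extract-PSImage project's) that models the same pixel encoding in pure Python. It does not read a real image: the cover image is a constructed, row-major list of (R, G, B) tuples from a seeded random generator, and the payload is a hypothetical two-byte PowerShell snippet standing in for the challenge's script. Each payload byte lands in the low nibbles of one pixel's Blue and Green channels, exactly what `[math]::Floor(($p.B -band 15) * 16) -bor ($p.G -band 15)` reads back, and pixels past the end of the payload are left alone.

```python
import random
from typing import List, Tuple

# Added example (not the author's or the project's code): a pure-Python model
# of the pixel encoding that the Extract-PSImage one-liner reverses.
# A pixel is a constructed (R, G, B) tuple; an image is a row-major list of
# pixels, matching the one-liner's $o[$_*1280+$x] indexing.
Pixel = Tuple[int, int, int]


def embed(cover: List[Pixel], payload: bytes) -> List[Pixel]:
    """Hide one payload byte per pixel: the high nibble replaces the low
    4 bits of Blue, the low nibble replaces the low 4 bits of Green.
    Pixels past the end of the payload are untouched, which is why the
    extracted file ends in a tail of "random" bytes from the cover image."""
    if len(payload) > len(cover):
        raise ValueError("payload does not fit in the cover image")
    stego = list(cover)
    for i, byte in enumerate(payload):
        r, g, b = cover[i]
        stego[i] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return stego


def extract(pixels: List[Pixel]) -> bytes:
    """Same arithmetic as the one-liner:
    [math]::Floor(($p.B -band 15) * 16) -bor ($p.G -band 15)"""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for (_, g, b) in pixels)


def high_nibbles_unchanged(cover: List[Pixel], stego: List[Pixel]) -> bool:
    """Sanity check: embedding only touches the low nibble of G and B, so the
    picture still looks the same when the .ps1 is opened as an image."""
    return all(
        r1 == r2 and (g1 & 0xF0) == (g2 & 0xF0) and (b1 & 0xF0) == (b2 & 0xF0)
        for (r1, g1, b1), (r2, g2, b2) in zip(cover, stego)
    )


# Constructed sample input: a 16x4 cover image of pseudo-random pixels and a
# tiny hypothetical payload standing in for the challenge's script.
SAMPLE_PAYLOAD = b"[Byte[]] $x = 0x41,0x42;\n"


def make_cover(width: int = 16, height: int = 4, seed: int = 1) -> List[Pixel]:
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


def roundtrip(payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Embed then extract; returns the full buffer (payload + cover tail)."""
    cover = make_cover()
    return extract(embed(cover, payload))


if __name__ == "__main__":
    out = roundtrip()
    print(out[:len(SAMPLE_PAYLOAD)])   # the embedded script
    print(out[len(SAMPLE_PAYLOAD):])   # leftovers from the cover image
```

Run it and the first bytes of `roundtrip()` are the payload verbatim, while the rest is whatever the cover's low nibbles happened to be, the same shape as the 1,382,400-byte file the real tool writes for a 1280x720 image.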

Opening the resulting file we see a PowerShell script followed by a lot of random-looking data. That tail is not part of the script: the one-liner pulls one byte out of every pixel of the 1280x720 image (1,382,400 bytes in total), so everything after the embedded script is just the low bits of the cover image, as the project's GitHub page also explains. The script itself is the following:

[Byte[]] $encrypted = 0x46,0x11,0x40,0xc,0x5f,0x47,0x11,0x10,0x5b,0x18,0x16,0x3,0x1a,0x7,0x6c,0x50,0x4,0x0,0x1a,0x2c,0x47,0x11,0xb,0x6c,0x0,0x43,0x6c,0xb,0x43,0x57,0x11,0x5e,0x2,0x17,0x6,0x4e;
[Byte[]] $key = 0x27,0x73,0x33,0x63,0x72,0x33,0x74,0x73,0x33,0x63,0x72,0x33,0x74,0x73,0x33,0x63,0x72,0x33,0x74,0x73,0x33,0x63,0x72,0x33,0x74,0x73,0x33,0x63,0x72,0x33,0x74,0x73,0x33,0x63,0x72,0x33,0x74,0x27;

for($i=0;$i -lt $encrypted.count;$i++){
    $encrypted[$i] = $encrypted[$i] -bxor $key[$i];
}
[Byte[]] $decrypted = $encrypted;

Running the script and writing $decrypted to the console prints one decimal value per line, which is PowerShell's default output for a Byte[].

Converting those decimals to ASCII in CyberChef (or directly in PowerShell with [System.Text.Encoding]::ASCII.GetString($decrypted)) gives the flag: abso-tech{d0nt_3v3n_try_t0_h1de-1tt}. Worth noticing: $key is plain ASCII too, the literal 's3cr3t' repeated six times with the surrounding single quotes included, so the flag was XORed with the quoted string rather than with the string's contents, which is why the first key byte is 0x27.
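The same XOR decryption as an added Python example (mine, not the challenge author's script), with the two byte arrays copied from $encrypted and $key above. The script indexes $key[$i] directly because its key is longer than the ciphertext; the version below cycles the key so it also works for keys shorter than the data, and returns the plaintext as text instead of a column of decimals.

```python
from itertools import cycle

# Added example (not the author's or the challenge's code): XOR decryption
# of the extracted script's data, with the arrays copied verbatim from the
# $encrypted and $key lines above.
ENCRYPTED = bytes([
    0x46, 0x11, 0x40, 0x0c, 0x5f, 0x47, 0x11, 0x10, 0x5b, 0x18, 0x16, 0x03,
    0x1a, 0x07, 0x6c, 0x50, 0x04, 0x00, 0x1a, 0x2c, 0x47, 0x11, 0x0b, 0x6c,
    0x00, 0x43, 0x6c, 0x0b, 0x43, 0x57, 0x11, 0x5e, 0x02, 0x17, 0x06, 0x4e,
])
# 0x27 is a single quote; 0x73,0x33,0x63,0x72,0x33,0x74 is "s3cr3t", six times.
KEY = bytes([0x27] + [0x73, 0x33, 0x63, 0x72, 0x33, 0x74] * 6 + [0x27])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The script uses $key[$i] without wrap-around
    because its key is longer than the ciphertext; cycling the key
    generalizes that to any key length. XOR is its own inverse, so the same
    function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def decrypt_flag() -> str:
    """Decrypt $encrypted with $key and return it as text."""
    return xor_with_key(ENCRYPTED, KEY).decode("ascii")


def key_as_text() -> str:
    """The key is ordinary ASCII: 's3cr3t' repeated, quotes included."""
    return KEY.decode("ascii")


if __name__ == "__main__":
    print(decrypt_flag())
    print(key_as_text())
```

`decrypt_flag()` returns the flag in one step, and `key_as_text()` shows where the 0x27 bytes at both ends of $key come from.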
