Juniors CTF 2016 :: Clone Attack
Key Takeaways
Tackles a clone attack challenge in Juniors CTF 2016
Full Transcript
Hey, what's up guys, John here, bringing you another YouTube video for the Juniors CTF. In this case I want to show off the Clone Attack challenge, which was supposedly the trivial, like, easy beginner-level one for forensics. So we're 300 points now because of the fluctuation, and since Gravity Falls is under clones attack, find the real Dipper and save the town. And there's a bunch of stuff here. So this is, believe it or not, a link; this image is a link, I don't know if you would have seen. But regardless, um, it's a seventh mark up; you can go ahead and download that, and I'll open it with Archive Manager, and there's a bunch of images here, which are a bunch of base64 stuff. So I want to go ahead and extract this stuff. I'll put it to juniors and I'll create a new folder for it, clone attack. So extract them all there, show the files.

Okay, so now we have a bunch of images of Dipper, who I guess is the character in Gravity Falls; the CTF is based off of that. So let's get back to it, let's check out the Clone Attack challenge, and there is all of our stuff. So these are all JPEG files, they all are actual JPEG files. They're all clones though, so, like, you can see the file name changing, but they're literally just duplicates of themselves. However, yet all of them are the same, like, if you select one of them and try to diff it with some other things. What I did was, I actually, I think I did like ls, I did like while read line, I guess I could, yeah, ls, while read line, diff this, like, one random one with another one. I shouldn't put in do here. It does tell me that every single one of them differs in some way.

So okay, what is the real, what is the actual original image, whatever. Some other thing I was interested in was the base64 stuff. So what I did was I again read through everything, I would base64, actually, okay, so what, echo the line, so I get the filename for everything, and I do some bash string substitution, so I removed a jpg extension with nothing, and then I displayed that and I piped it into the base64 decode, but it is garbage, there's nothing really there. So that didn't help me.

Next, because I'm curious what all these things are, I actually ran through with exiftool on one of them, and I get this information. Here's a file name, JPEG image obviously. I don't know what this Current IPTC Digest is; it looked like a hash, so I googled that for a little bit. And the comment here was interesting: it's "the flag is the md5 sum of this file". It's true. I don't, I thought, okay, immediately, sweet, I got the flag. Then I just take the md5 sum of, like, that file and I submitted that and, you know, whatever the case, that didn't work; that is incorrect.

So, um, when I do this, I actually try to run exiftool on all of the JPEG images, and you'll notice that it has the exact same comment for every single file. So, interesting. When I ran exiftool on the old one, though, I'm sorry, another thing that I should have noticed or was looking at is this Object Name, because this Object Name is another thing that changes with everything 2:30 currently, but this is Russian text, right, so I don't know what this actually is. What I did is I googled it initially, like Google Translate, I think, I just, whatever, just get me to a translator. "No photocopies"? I don't know what that means. I know it should be Russian. Yeah, "photocopy room" or whatever. Regardless, I thought it was very curious, because that also changed with everything.

I tried to see if exiftool wasn't giving me all the information that I needed, so I actually ran, like, identify -verbose on all these files, and that would fluctuate really quick; this must be, like, seizure-inducing. But I notice again the comment changes and the "photocopy room" changes with every single file. It still says, though, and I'm still caught up on the fact that the signature is the same, I thought that was interesting, for every single file. I'm still caught up on the fact that exiftool says the file name is the, and the, the flag is the md5 of this file.

So what I did, for one thing, is I tried to see, oh, is the md5 sum equivalent to this Current IPTC Digest? Because I had googled that IPTC digest, and apparently in exiftool, if you do a little bit of research on it, it says, oh sure, it's just the MD5 digest of existing IPTC data. Like, Google, like, okay, what is IPTC data, et cetera, et cetera. So md5, it must be md5. So I compared, I really took the md5 sum of every single one of these files and then compared it with their IPTC digest to see, what, maybe one of those matches up. Again, it was just, like, a gross, disgusting, like, bash while loop, but that wasn't right.

So what I ended up doing was grepping through more of them, and because I used identify, I saw that this "photocopy room" changes. So I took, because it changes, I was wondering, like, I wonder if any of these have an odd thing to them. So I looked through all the JPEGs again, all the images, and I grepped for an exiftool field called object names, Object Name, and I got, whoa, I don't know if you saw it breeze by, but one of them looked different than all the others. You can see it real quick, it just, like, flies by. I was too quick, I was too quick that time. Oh, you can see it, this guy right here. Again, Russian text. So I'm not Russian, I don't know what this says or what it does. So just to, like, display more easily, I can grep out all the other stuff, and there's this guy.

So I'm curious, what is this? Again, Russian text, so I go to my Google translator, translate to English, it says, oh, "the original Dipper". Okay, so I know it must be this one, I know this must be it. So what I ended up doing, just to, like, track it down, I again took all this, like, the exiftool, and I put this in, like, an all log thing, and I tried to, like, search for, I just can open it up in Sublime and search for that string. So I know, okay, it's this guy, it must be this file. It looks the same as all the other ones, because it's just a duplicate, it's a clone, but when I take exiftool on that guy: "the original Dipper". And that is what I want to take, the actual interpretation: the flag is the md5 sum of this file, the original Dipper. So I ended up taking the md5 sum of that guy, and that is the flag. So you submit that, being the md5 sum of the original Dipper, and you get points.

So I struggled with this one for a while, because, like, I don't know, how do I determine what, all of these are different, because they all look different, and which is the original one? How do, is there, like, I tried googling, is there a real picture, an already-established JPEG image of this character in Gravity Falls that's the exact same size and everything that they can tamper with? But eventually I saw this Object Name and how it was differing and how there's a unique one. So that, again, the Russian translation let me define this is the original Dipper; take the md5 sum of the file and this is the flag. So crazy, crazy challenge, and again, a lot of guessing, but whatever, that's okay, I still got a flag, so a flag is the flag. Thanks for watching, guys, hope you enjoyed this one. We'll check out some of the other challenges, Dirty Repo and some other ones, coming in a future video. So see y'all soon.
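
The procedure the transcript walks through (read each clone's IPTC Object Name, spot the one that does not fit the pattern, hash that file), as an added example that is not from the video or the challenge. It reads the field straight from the JPEG's APP13 segment instead of calling exiftool; the sample files, their names and the assumption that the clones' names differ only by a number are constructed for illustration.

```python
import hashlib
import re
import struct
from collections import Counter

OBJECT_NAME_TAG = b"\x1c\x02\x05"  # IPTC IIM marker, record 2, dataset 5 (Object Name)

def app13_payloads(jpeg):
    """Yield the payload of each APP13 (0xFFED) segment, where IPTC data is stored."""
    pos = 2  # skip the SOI marker (FFD8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:
            return  # malformed segment length, stop walking
        if jpeg[pos + 1] == 0xED:
            yield jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def object_name(jpeg):
    """Return the IPTC Object Name or None. Simplified: searches for the tag bytes."""
    for payload in app13_payloads(jpeg):
        i = payload.find(OBJECT_NAME_TAG)
        if i != -1 and i + 5 <= len(payload):
            (n,) = struct.unpack(">H", payload[i + 3:i + 5])
            return payload[i + 5:i + 5 + n].decode("utf-8", "replace")
    return None

def odd_ones_out(files):
    """Return [(filename, object_name, md5)] for names whose digit-free shape is unique."""
    names = {fn: object_name(data) or "" for fn, data in files.items()}
    shape = {fn: re.sub(r"\d+", "#", name) for fn, name in names.items()}
    counts = Counter(shape.values())
    return [(fn, names[fn], hashlib.md5(files[fn]).hexdigest())
            for fn in sorted(files) if counts[shape[fn]] == 1]

def make_jpeg(name, filler):
    """Build a minimal constructed JPEG: one APP13 with an Object Name, one COM segment."""
    value = name.encode("utf-8")
    iim = OBJECT_NAME_TAG + struct.pack(">H", len(value)) + value
    block = (b"Photoshop 3.0\x00" b"8BIM\x04\x04\x00\x00" + struct.pack(">I", len(iim))
             + iim + b"\x00" * (len(iim) % 2))
    return (b"\xff\xd8\xff\xed" + struct.pack(">H", len(block) + 2) + block
            + b"\xff\xfe" + struct.pack(">H", len(filler) + 2) + filler + b"\xff\xd9")

# Constructed sample set: three "clones" plus one file with a differently shaped name.
SAMPLES = {f"clone{i}.jpg": make_jpeg(f"photocopy {i}", bytes([i])) for i in (1, 2, 3)}
SAMPLES["clone4.jpg"] = make_jpeg("the original", b"\x04")

if __name__ == "__main__":
    print(odd_ones_out(SAMPLES))
```

Grouping by the shape of the value rather than the exact string matters here because every clone carries a different Object Name, so exact-match counting would flag all of them.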
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond