CSAW CTF Quals 2015: Forensics 200 – writeup

I participated in the CSAW quals 2015 CTF with the team PolyHack in september.

The challenge Forensics 200 didn’t provide any description. We were only handed a zip file named airport_26321e6eac7a7490e527cbe27ceb68c1.zip. It was a standard zip file that did not contain anything other than the challenge. After unzipping it, we have two directories named for_release and __MACOSX. The former directory contains images files and the latter directory is a hidden folder created by Mac OS when a zip file is created.


Before looking at those images, I already had webpages open about Apple Airport wireless products because of the __MACOSX directory, and the name of the challenge. Wrong direction, obviously, I should have taken my time by looking at every given file before going for a research.

The hidden directory is not uninteresting since we rarely have files that are not useful in such challenges, but we will look at the images directory first.

1.png1.png 2.png2.png
3.png3.png 4.png4.png

With the content of those files, we have a good idea what the challenge is: we have pictures of airports (the challenge name) and a hint about steghide, a popular steganography tool use to hide data in images. I started using steghide to uncover the hidden flag on every file and I discovered that it did not worked on png files. When I ran it on the steghide.jpg file, I got prompted for a passphrase. This was good start, but I didn’t have anything to input, so I changed a bit my focus on the four images. Obviously, those were involved in the challenge so they could not be anything else than related to the passphrase.

Someone on my team had already reverse image search on Google the four files to find the name of the airports on the picture. We found that they were the airpots in respectively, Havana, Hong Kong, Los Angeles and Toronto. Given those, I thought about airports IATA code which are unique and most important non-ambiguous way to name airports. We also had the order of those codes for the concatenation with each file names so we got the passphrase “HAVNKGLAXYYZ” with each three letter representing an airport.

CSAW2015 Misc

Here we go, 200 points! A great small challenge typical of CTF.

Posted in