DefendTheWeb.net, previously called HackThis.co.uk, is a very famous and well-known interactive security platform where you can learn and challenge your skills.. It contains challenges from several different cybersecurity fields.
I’ve decided to have a bit of fun and try to solve every single challenge presented, from the easiest to the hardest. (although easy and hard will be different depending on your skillset and field of expertise).
As I do with any challenge website, I WILL NEVER post the flag in cleartext, as it kills the fun and thrill of finding it, however I will post my way (or ways) of getting there. This is done in respect of the website’s security and non-disclosure policy, even when it doesn’t have one ;).
Challenge Squashed Image
This challenge is also rated as Bronze difficulty, which should be easy to solve. This time all we have is a picture called “b5.jpg” followed by a Username and Password input field and “[ Log in ]” button. The challenge is obviously a Stego challenge judging by the title, so we won’t find anything usefull with our beloved Google Chrome Dev Tools.
I’ve tried downloading and inspecting the picture in “exiftool” but it showed me nothing interesting, so maybe there is something hidden in the image. Let’s try check if there is some hidden content by extracting it with binwalk.
$ binwalk -e b5.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.02
30 0x1E TIFF image data, big-endian, offset of first image directory: 8
332 0x14C JPEG image data, JFIF standard 1.02
6095 0x17CF JPEG image data, JFIF standard 1.02
15314 0x3BD2 Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
43563 0xAA2B Zip archive data, at least v1.0 to extract, compressed size: 23, uncompressed size: 23, name: secret.txt
43682 0xAAA2 End of Zip archive, footer length: 22
It looks like we have now a directory called “_b5.jpg.extracted”. Inspecting it’s contents we find this:
$ ls -lha
total 16K
drwxrwxr-x 2 kali kali 4.0K Jun 4 23:19 .
drwxrwxr-x 3 kali kali 4.0K Jun 4 23:19 ..
-rw-rw-r-- 1 kali kali 141 Jun 4 23:19 AA2B.zip
-rw-rw-r-- 1 kali kali 23 Aug 29 2010 secret.txt
And there we have the username and password inside secret.txt. I hope you liked this challenge. See you on the next one!