Problem: Figure out how they moved the flag.
File: THE_FILE
Solution:
Using wireshark check the objects TFTP files
instructions.txt picture1.bmp picture2.bmp picture3.bmp plan program.deb
instructions.txt
GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA
Decode Caesar cipher key 13. Getting: tftp doesnt encrypt our traffic so we must disguise our flag transfer figure out away to hide the flag and i will check back for the plan
reading plan
VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF
i used the program and hid it with due diligence check out the photos
Unpack the program alien -r program.deb
Looks like its steghide which I already have.
run steghide using the password given in plan. DUEDILIGENCE
with the caps and spacing back like the original.
steghide --extract -sf picture1.bmp -f -p DUEDILIGENCE
Nothing
steghide --extract -sf picture2.bmp -f -p DUEDILIGENCE
Nothing
steghide --extract -sf picture3.bmp -f -p DUEDILIGENCE
wrote extracted data to “flag.txt”.
cat flag.txt
picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}
Flag: picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}