DEF CON: Red Team Village Mayhem: Rabbit Hole – Stego [300pt]

Event Overview

Put on virtually by the DEF CON Red Team Village, this CTF was relatively beginner-level but had a fair number of interesting challenges. Aside from the RE sections, the stego work was, in my opinion, the most interesting. I played this with a private group I’m fairly active in (Hackers n’ Hops), and we placed reasonably well.

CTFtime: not listed, Official Site: https://redteamvillage.io/mayhem.html

Challenge Summary

Only three teams solved it, likely because few players were familiar with this style of encoding. It was a 300-point problem, which puts it roughly in the upper quarter of this CTF’s point range.

Level Author: @pwneip on Twitter

This challenge was designed to teach that data can be passed in obscure ways. When I started it we had the hint “follow the white rabbit,” and once we had the archive fully extracted we found a note in the innermost file that said, “its journey, not the final destination.” It also said there was “no stego in the file,” but statements like that are often misleading in CTFs. We also found no hidden headers or other information hidden in the file. Ultimately this, along with the fact that there were only two types of archive (bzip2 and gzip), a binary system, led me to believe that the sequence of compression types was the actual data. This was true. The only part I missed, which kept me from submitting a flag, was that the bit stream was reversed… as in 12345 was actually supposed to be 54321.

Associated Files

File: rabbithole (SHA1:1F43E42C7452BC3D2864D832C52BE464385E46CD) https://filebin.net/kbm51aqq96qyda56

Steps to Solve

1. Write a script that identifies the file type and decompresses it accordingly, printing (to STDOUT) a 1 for gzip and a 0 for bzip2. I think it was 1 and 0 respectively; if not, just flip them, or invert the bits after the run. I wrote the following for my use case.

#!/bin/bash
# unzipper: peel one compression layer off ./rabbithole and print which
# type it was (gzip -> 1, bzip2 -> 0). Run it repeatedly to read the bit stream.
result=$(file rabbithole)

if [[ $result == *"gzip"* ]]; then
  mv rabbithole rabbithole.gz
  gunzip rabbithole.gz        # writes the next layer back to ./rabbithole
  echo 1
elif [[ $result == *"bzip2"* ]]; then
  mv rabbithole rabbithole.bz2
  bzip2 -d rabbithole.bz2     # likewise writes ./rabbithole
  echo 0
else
  # Neither type: we have reached the innermost file, nothing more to peel.
  exit 1
fi

2. Run the script in a loop and tee the bits to a file so you can watch progress while it runs. A generous fixed upper bound is enough: once the innermost file is reached, the script prints nothing on further iterations. It looks something like the following.

for i in {0..1000}; do ./unzipper; done | tee bits

3. (CyberChef) Take the bits and REVERSE them. Not invert, reverse: as in 12345 -> 54321. Reverse the whole string at once, which flips both the order of the bytes and the order of the bits within each byte; reversing only the byte order still gives garbage. We then have the following:

0100011001101111011011000110110001101111011101110010000001110100011010000110010100100000011101110110100001101001011101000110010100100000011100100110000101100010011000100110100101110100001000000111010001101111001000000110011001101001011011100110010000100000011101000110100001100101001000000110011001101100011000010110011100111010001000000010001001011001011011110111010100100000011000010111001001100101001000000111010001101000011001010010000001001111011011100110010100101100001000000100111001100101011011110010111000100010

4. (CyberChef) Decode that output from binary as 8-bit ASCII.

5. Profit: “Follow the white rabbit to find the flag: ‘You are the One, Neo.’”
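As an added worked example (my own code, not the challenge author’s and not part of the original solve), here is the whole pipeline from steps 1 through 4 in Python. It first builds a constructed stand-in for `rabbithole` by wrapping a note in one gzip (1) or bzip2 (0) layer per message bit, then peels the layers by checking magic bytes instead of calling `file(1)`, reverses the whole bit string and decodes it as ASCII. The gzip=1/bzip2=0 mapping, the note text, and the assumption that the first message bit is the innermost layer are all assumptions chosen to reproduce the behaviour described above, not facts about the real challenge file.

```python
import bz2
import gzip

# Magic bytes the two formats start with; this replaces the `file rabbithole`
# check from the shell script with an in-memory test on the first bytes.
GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"

# Assumed encoding throughout: a gzip layer is a 1, a bzip2 layer is a 0.
COMPRESS_FOR_BIT = {"1": gzip.compress, "0": bz2.compress}


def text_to_bits(text: str) -> str:
    """MSB-first 8-bit ASCII, the same framing CyberChef's From Binary expects."""
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))


def bits_to_bytes(bits: str) -> bytes:
    """Regroup a bit string into bytes. A length that is not a multiple of 8
    means a layer was missed or the stream was truncated, so fail loudly."""
    if len(bits) % 8:
        raise ValueError(f"bit stream length {len(bits)} is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def build_rabbithole(note: bytes, message: str) -> bytes:
    """Constructed stand-in for the challenge file (assumption): wrap `note` in
    one compression layer per message bit, first bit innermost, so the
    outermost layer corresponds to the LAST bit of the message."""
    blob = note
    for bit in text_to_bits(message):
        blob = COMPRESS_FOR_BIT[bit](blob)
    return blob


def peel(blob: bytes):
    """Step 1/2: peel layers outermost-first, recording each layer's type as a
    bit, until the data is neither gzip nor bzip2 (the innermost plain file).
    Returns (bit string in the order it was observed, innermost payload)."""
    bits = []
    while True:
        if blob.startswith(GZIP_MAGIC):
            bits.append("1")
            blob = gzip.decompress(blob)
        elif blob.startswith(BZIP2_MAGIC):
            bits.append("0")
            blob = bz2.decompress(blob)
        else:
            return "".join(bits), blob


def solve(blob: bytes):
    """Steps 1-4: peel, REVERSE the whole bit string, decode as ASCII.
    Returns (decoded message, innermost note)."""
    seen, innermost = peel(blob)
    # Reversing the whole string flips both the byte order and the bit order
    # inside each byte. Reversing only the byte order, or inverting the bits,
    # would each decode to garbage.
    message = bits_to_bytes(seen[::-1]).decode("ascii")
    return message, innermost


if __name__ == "__main__":
    # Constructed sample input; the note text is an assumption.
    FLAG_TEXT = 'Follow the white rabbit to find the flag: "You are the One, Neo."'
    NOTE = b"its journey, not the final destination. no stego in the file\n"
    rabbithole = build_rabbithole(NOTE, FLAG_TEXT)   # 66 chars -> 528 layers
    message, note = solve(rabbithole)
    print(f"{len(rabbithole)} bytes on disk; message: {message!r}; note: {note!r}")
```

The forward (unreversed) read of the same stream is what cost me the flag during the event: `bits_to_bytes(seen)` on the peeled bits gives bytes that are both in the wrong order and bit-flipped within each byte, so nothing in the output looks like text, which is the tell that a whole-string reversal is needed.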