404Unfound

SpookyCTF'23: Shapeshifter

There's this figure in front of me, but I can't even figure out what it is! What is that thing??

Challenge File

This was an interesting misc challenge, mixed with a little bit of steganography in it.

The image

The image was a corrupted png file. I tried to fix the header but it didn’t work :O

I went on to check the strings of the file:

kairos@pop-os:~/Downloads$ strings distant-figure.png 
nBWT\
distant-figure/true-form.exe
tK4%dw
mn(a
m3L5sS
r9'1
{p87
yKO&
xV '(s
yZ>#
q~]t
Xg&h/
Gcg f
YvFW
jxXT
vXhE
jnRK
2_1Bx
GHaW
U,E/
g>LC#5
%86rs7jcD
PnmO
/n4R
PpJm
<'J:s
?~9s
w><K/
m5QRs
p.g&
p6<z
I:p%S
:e#}
*x";i
!Fa]
)<L"
8E!d
,j3x
A0#z
##Qy	
L8,r
(%\`K
x6	;
F@38
IQBP
U,u)6
#:BH
 D#*JdN
a+_u%
^,2 
$W*e
Gyf:
oQn,0 
;RoQ 
Hqi@,
qL~L(
kRb]
@r4S
:C4V
FQ)h
VhzKz
U-8H A
D/n(
5-T@a
eM42&
$%js
gJb+
4$B(
J?O:
i+]g
EJp )
H#ni
aiF7
LRyC
bf%eG
?:P94
26@	
rV;wRk^
Wu=w[Z
Rf0Wp
OfRTfA/
m2)M4`
`bS$
+289
Fxw+
]e/7#MJ
B']e
n;>3@
433@
Z'*w/
/Utz_
k,=i
WWb6
dOx1
IAkD5&(&
m}1)
c*sw>
h\v8h<.
ckBi
.uhn
ZIm)
`Sc	
7q86
9]4M'
I2)hS
O'mJ
}#=[Co
M(L;
Oh:8{
$yHS
_)L#k
nBWT\
distant-figure/true-form.exePK

From this, it seems like there is a hidden executable file (distant-figure/true-form.exe) within the image. To retrieve it, I used binwalk to extract the hidden files.

kairos@pop-os:~/Downloads$ binwalk -e distant-figure.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 8821, uncompressed size: 42727, name: distant-figure/true-form.exe
8953          0x22F9          End of Zip archive, footer length: 22

Analysing the Hidden Files

The extracted files contained a folder distant-figure, and within the folder was the true-form.exe.

Since I didn’t want to run a random .exe file, I used strings to take a look at some of its data. It was quite a bit of data, so I sent it to a file.

kairos@pop-os:~/Downloads$ strings binwalk/distant-figure/true-form.exe > output.txt

Looking for the flag format NICC, I got a lead :D

\hich\af31506\dbch\af31505\loch\f31506 NICC}{\rtlch\fcs1 \af0\afs16 \ltrch\fcs0 \fs16\cf20\insrsid9635513\charrsid14358698 \{\hich\af31506\dbch\af31505\loch\f31506 Y0U_F0UND_M
}{\rtlch\fcs1 \af0\afs16 \ltrch\fcs0 \fs16\cf20\insrsid1073285\charrsid14358698 \hich\af31506\dbch\af31505\loch\f31506 Y_\hich\af31506\dbch\af31505\loch\f31506 TRU\hich\af31506\dbch\af31505\loch\f31506 3_F0RM}{\rtlch\fcs1 \af0\afs16 \ltrch\fcs0

There are fragments of the flag scattered all over:

  • NICC
  • Y0U_F0UND_M
  • Y_
  • TRU
  • 3_F0RM

Getting the Flag

Piecing together all the fragments, we get the flag! NICC{Y0U_F0UND_MY_TRU3_F0RM}