CTFlearn-Writeups/Forensics/Snowboard/README.md

2020-07-31 18:48:25 +05:30
## Snowboard
The main idea is to find the flag by combining several forensics techniques.
#### Step-1:
After downloading `Snowboard.jpg`, we open it and look for a flag in the image itself.
<img src="Snowboard.jpg">
#### Step-2:
I tried the simplest technique first and quickly found a candidate with the command:
`strings Snowboard.jpg | grep {`
We get a false flag, `CTFlearn{CTFIsEasy!!!}`, which is not the correct one.
So we try harder.
#### Step-3:
We use the following command to extract every file embedded in the image:
`binwalk -D='.*' Snowboard.jpg`
This creates a new directory, `_Snowboard.jpg.extracted`.
In that directory we find files named `0`, `3A4`, `5A`, `393B` and `395B` (binwalk names each carved file after its hex offset in the original).
#### Step-4:
We try `strings <file_name> | grep {` on each of them.
After a few attempts, `strings -n 8 0` (printable runs of at least 8 characters in the file carved at offset 0) gives this output:
```
CTFlearn{CTFIsEasy!!!}
Q1RGbGVhcm57U2tpQmFuZmZ9Cg==
Canon EOS 6D Mark II
GIMP 2.10.6
2019:05:07 14:37:21
2018:08:23 12:52:08
2018:08:23 12:52:08
082051002328
EF24-105mm f/4L IS USM
0000502af2
$.' ",#
(7),01444
'9=82<.342
!22222222222222222222222222222222222222222222222222
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
Jps]7"rT
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2"> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:iptcExt="http://iptc.org/std/Iptc4xmpExt/2008-02-29/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:plus="http://ns.useplus.org/ldf/xmp/1.0/" xmlns:GIMP="http://www.gimp.org/xmp/" xmlns:aux="http://ns.adobe.com/exif/1.0/aux/" xmlns:crs="http://ns.adobe.com/camera-raw-settings/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:5745BC0FB0ABE811B17E9DE2D509CE38" xmpMM:InstanceID="xmp.iid:2a75c26f-74d2-4550-bdf1-6260a95890e8" xmpMM:OriginalDocumentID="EE719D915149C0C012BA4285EC4D4875" GIMP:API="2.0" GIMP:Platform="Windows" GIMP:TimeStamp="1557232658413988" GIMP:Version="2.10.6" aux:ApproximateFocusDistance="119/10" aux:Firmware="1.0.3" aux:FlashCompensation="0/1" aux:ImageNumber="0" aux:Lens="EF24-105mm f/4L IS USM" aux:LensID="237" aux:LensInfo="24/1 105/1 0/0 0/0" aux:LensSerialNumber="0000502af2" aux:SerialNumber="082051002328" crs:AlreadyApplied="True" crs:AutoLateralCA="0" crs:Blacks2012="-10" crs:BlueHue="0" crs:BlueSaturation="0" crs:Brightness="0" crs:CameraProfile="Embedded" crs:Clarity="0" crs:Clarity2012="+21" crs:ColorNoiseReduction="0" crs:Contrast="0" crs:Contrast2012="+5" crs:ConvertToGrayscale="False" crs:CropAngle="0" crs:CropBottom="1" crs:CropConstrainToWarp="0" crs:CropHeight="3872" crs:CropLeft="0.069159" crs:CropRight="1" crs:CropTop="0.069159" crs:CropUnit="0" crs:CropWidth="5808" crs:Defringe="0" crs:Exposure="0.00" crs:Exposure2012="+0.10" crs:FillLight="0" crs:GrainAmount="0" crs:GreenHue="0" crs:GreenSaturation="0" crs:HasCrop="True" crs:HasSettings="True" crs:HighlightRecovery="0" 
crs:Highlights2012="-21" crs:HueAdjustmentAqua="0" crs:HueAdjustmentBlue="0" crs:HueAdjustmentGreen="0" crs:HueAdjustmentMagenta="0" crs:HueAdjustmentOrange="0" crs:HueAdjustmentPurple="0" crs:HueAdjustmentRed="0" crs:HueAdjustmentYellow="0" crs:IncrementalTemperature="0" crs:IncrementalTint="0" crs:LensManualDistortionAmount="0" crs:LensProfileEnable="0" crs:LensProfileSetup="LensDefaults" crs:LuminanceAdjustmentAqua="0" crs:LuminanceAdjustmentBlue="0" crs:LuminanceAdjustmentGreen="0" crs:LuminanceAdjustmentMagenta="0" crs:LuminanceAdjustmentOrange="0" crs:LuminanceAdjustmentPurple="0" crs:LuminanceAdjustmentRed="0" crs:LuminanceAdjustmentYellow="0" crs:LuminanceSmoothing="0" crs:ParametricDarks="0" crs:ParametricHighlightSplit="75" crs:ParametricHighlights="0" crs:ParametricLights="0" crs:ParametricMidtoneSplit="50" crs:ParametricShadowSplit="25" crs:ParametricShadows="0" crs:PerspectiveHorizontal="0" crs:PerspectiveRotate="0.0" crs:PerspectiveScale="100" crs:PerspectiveVertical="0" crs:PostCropVignetteAmount="0" crs:ProcessVersion="6.7" crs:RedHue="0" crs:RedSaturation="0" crs:Saturation="+5" crs:SaturationAdjustmentAqua="0" crs:SaturationAdjustmentBlue="0" crs:SaturationAdjustmentGreen="0" crs:SaturationAdjustmentMagenta="0" crs:SaturationAdjustmentOrange="0" crs:SaturationAdjustmentPurple="0" crs:SaturationAdjustmentRed="0" crs:SaturationAdjustmentYellow="0" crs:ShadowTint="0" crs:Shadows="0" crs:Shadows2012="+66" crs:SharpenDetail="25" crs:SharpenEdgeMasking="0" crs:SharpenRadius="+1.0" crs:Sharpness="0" crs:SplitToningBalance="0" crs:SplitToningHighlightHue="0" crs:SplitToningHighlightSaturation="0" crs:SplitToningShadowHue="0" crs:SplitToningShadowSaturation="0" crs:ToneCurve="0, 0, 255, 255" crs:ToneCurveBlue="0, 0, 255, 255" crs:ToneCurveGreen="0, 0, 255, 255" crs:ToneCurveName="Linear" crs:ToneCurveName2012="Linear" crs:ToneCurvePV2012="0, 0, 255, 255" crs:ToneCurvePV2012Blue="0, 0, 255, 255" crs:ToneCurvePV2012Green="0, 0, 255, 255" 
crs:ToneCurvePV2012Red="0, 0, 255, 255" crs:ToneCurveRed="0, 0, 255, 255" crs:Version="7.0" crs:Vibrance="+15" crs:VignetteAmount="0"
fPhotoshop 3.0
20190507
20180823
125208+0000
143721-1437
)$+*($''-2@7-0=0''8L9=CEHIH+6OUNFT@GHE
!E.'.EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
xj.kPDm^d
w~0@ +
)$R-RV-]
&6364-XE
05.jlhI$
"02A#3@P`
A<@n]K&.M
rJ50)'J+
AQ"pa#3q
qS]=aEA(
k7f6I]G.
MS&No!F)
.ED'e8c\
CLRz?0NIQ
+4YVY6D*
'>aWL'lN
CvtB;'Ef8'q
K# 1Ok +KN
!?[?M?U
!01@APQ`apq
! 10AQa@Pq`p
"""""""5
.&.qP8|Q0
R@m+O1ut
cN`VBPjTO
*1>Iors-ls
E3\@f_i^
}*T:,%t#
GHwW^YB\
```
#### Step-5:
Directly below the false flag we find a short Base64-encoded string:
`Q1RGbGVhcm57U2tpQmFuZmZ9Cg==`
Decoding it gives the flag.
#### Step-6:
Finally, the flag is:
`CTFlearn{SkiBanff}`
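The whole chain above (strings, grep for `{`, binwalk-style carving at JPEG markers, Base64 decode) reimplemented as an added Python example; this is not code from the writeup, and it runs on a constructed sample blob rather than the real `Snowboard.jpg`.

```python
import base64
import re

# Constructed sample (not the real Snowboard.jpg): a JPEG-like blob carrying a
# false flag, a Base64 token and a second embedded JPEG after the first EOI.
SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" b"\x00\x03binary junk\x01\x02"
          b"CTFlearn{CTFIsEasy!!!}\x00" b"Q1RGbGVhcm57U2tpQmFuZmZ9Cg==\x00"
          b"\x07\x08Canon EOS 6D Mark II\x00" b"\xff\xd9"
          b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" b"\xff\xd9")

def strings(data: bytes, min_len: int = 8):
    """Mimic `strings -n N`: runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def brace_candidates(found):
    """Mimic `strings ... | grep {`: keep only strings containing a brace."""
    return [s for s in found if "{" in s]

def base64_candidates(found):
    """Strict-decode every Base64-looking token and keep the ones that yield
    printable text; the real flag here hides behind exactly such a token."""
    out = []
    for s in found:
        for tok in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", s):
            if len(tok) % 4:          # Base64 length is always a multiple of 4
                continue
            try:
                dec = base64.b64decode(tok, validate=True)
            except ValueError:
                continue
            if dec and all(32 <= b < 127 or b in b"\r\n\t" for b in dec):
                out.append((tok, dec.decode().strip()))
    return out

def jpeg_offsets(data: bytes):
    """Like binwalk's signature scan: offset of every JPEG SOI marker."""
    return [m.start() for m in re.finditer(rb"\xff\xd8\xff", data)]

def carve(data: bytes):
    """Mimic `binwalk -D='.*'`: slice the blob at each SOI marker and name
    each chunk by its hex offset, as binwalk does (`0`, `5A`, `3A4`, ...)."""
    offs = jpeg_offsets(data)
    ends = offs[1:] + [len(data)]
    return {f"{o:X}": data[o:e] for o, e in zip(offs, ends)}

if __name__ == "__main__":
    found = strings(SAMPLE)
    print("grep {:", brace_candidates(found))
    print("base64:", base64_candidates(found))
    print("carved:", list(carve(SAMPLE)))
```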