CTFlearn-Writeups/Forensics/The Keymaker/README.md

## The Keymaker
The main idea finding the flag using some forensics and Crypto concepts.


#### Step-1:
After we download `The-Keymaker.jpg`, we try to open and see the flag and check if we find any.

<img src="The-Keymaker.jpg">

#### Step-2:
I tried simple techniques and easily found answer when we send the command:

`strings PikesPeak.jpg`

I and got this as output:

```
JFIF
CTFlearn{TheKeymakerIsK00l}
b3BlbnNzbCBlbmMgLWQgLWFlcy0yNTYtY2JjIC1pdiBTT0YwIC1LIFNPUyAtaW4gZmxhZy5lbmMg
LW91dCBmbGFnIC1iYXNlNjQKCml2IGRvZXMgbm90IGluY2x1ZGUgdGhlIG1hcmtlciBvciBsZW5n
dGggb2YgU09GMAoKa2V5IGRvZXMgbm90IGluY2x1ZGUgdGhlIFMwUyBtYXJrZXIKCg==
CmmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY
 , #&')*)
-0-(0%()(
((((((((((((((((((((((((((((((((((((((((((((((((((
RR=,Q
)n}}
ZY&H
1(m{iR
!AE3
J/>E	
]m4us
/fuY
*0W[
YDkR&
-(ah!
X*EY#
}up07%
FPvV
[T);
uZD 
[vK4
O>a\U
L.dY[
KK$h
Xn6<|
_@[O
+$KIQ;
A7~B.A]B
l-nvQ
i+2n
+K0x
{b:W
h4Yf7s;
1RTI
ZR^C
[Yf#r
U]+U4
{5}n
%SAL
IJ4\7
>_@M=<b
F*%J
X\lp
f=+kn9
e+^@
S`=+
JZ$D
W,C;
Se=I
!I7$/
?\UIn
Jjm.
Kn/ql>#'o
F\z>y
npU7
{D[i
-:*C
-;5r
%Ciw
V],Is
,I ~
hE#Q
2jz/(
itO,
	er.](
sj9d
biF:
o~19F.-
m.uX,rzB.
PI8xc
MR,(_T`
|;jOoS$
jJ7e
'Y$]
znRK
C$+8
,!~th}
7nS*
~pE=
dMh&
KsHw
QTHZ
S-~u=
:RB9uFr
ER	#
A-.kx%
/qm_,FZN
j#2*
@,T[{
Ksri
6kYB
1u23
e%I/Q
%fJm
tM:v
M+I<M
)!U5
@e%H
tHrw
U_G_
^m4B
ue:E
gR/.
6b	!v
*-40E-S
;`)FN
MU.KN
JN%F
+%MD3E*M*K
`W)'
Q$04
:IpKI^2
5ev$o
CRb4
fS|<`S
iMD1RT
`bX>
yU^[K
NAP_r
WFZN
iU_=B
 jwX
R=:F
2g4m
Vu=9
&jHj
Q,h6>
$j`7
xTGP
Y]MZ
KQ--
CH:T
8hGt{
%)tG
'*Z`
BQZ1
aQY&^
pl}(N
K[_MBFZ
IM!Q
TZiQ
<h5!I
NNAwM
`JQ%$ut
"Uid1
U59m8S
4;Lup
PD4GO
r*TU
po~7
o},}
yQe!_
&3:E
!+E,
#9g |
E=_e*h
9A"O
:4P_2
(:k,
9id$I
05An
YfqT
IW]CQOB
RW^&
$)<0
8QoQ[
-l/|
l,nB
~xx)(
@Art
h+s\
d9>aUQqU
M9S\
3eA,
S\q0
A6;x
bU4u
LoIR
%)5&
w#X 
5B7Q
AEO*UH
~IN{
P56c]B:
&PdR
Uw[s}
&&#{
{q|,t
_[WV%
(Bm,
/jDh
U$t.
%aUX
8}WSSf
TRg4b
bUbs
-9J1Q
2*et
GSJL&	
nHym
JQ9mE
SWQ+
T}6_
U)SB|K
*j`i+
YuFqS
]GMm
T#>_C
M$4u'
qwWK
OVnF
.HBm~
SFw$
pRrT
	$iY@0
 T%X
Hg%!`
HUtz
 ^Pw'
Qtm2U
9_LW
&WHh
^?l_
DUPv
e-%Q
T$NA
#3Lf
LqV-
|uY%j
\Xsl
Wmz}B
P0se
:^u.
-[-,3
 iceW
IuvC
A`.	
K$YlO
plqx
!hAq
;[H$
VIA$
uacp
K?/ht
Qi%@\
C"V4OK
[QY#
gRKCRY
/b6+
7$JI
M^eQ
9k"c"@
`} l
-Q42
F6ui*E
#Tj(
%%Na
;Q9\
1@_},C
+=E=B
6zzy"
h{!"
olNj
Wc$TY}fT
STjfD
/#gNC
uV_C[)
n,Bj
?dy[
LT}T
jcHB
T7QV
*(N\
GVi9NV
)i"U
DZ_H
-;'Q
P,ZA
m~|b5r@
()*^
,B^7
u'wI
M=k"
1OQv6
iNSJ
M9c&
_QM]
WGlll-r
s4	4
\o|w
WSM)e
Pwhj
jzw.
u4tU9
&YL	K1S
?BlF:c
Qmt@*
iY]9
#m#"6
PEP@
mrpV
```

#### Step-4:
Try the flag and it is incorrect. Now the following part looks like Base64 encryption:
```
b3BlbnNzbCBlbmMgLWQgLWFlcy0yNTYtY2JjIC1pdiBTT0YwIC1LIFNPUyAtaW4gZmxhZy5lbmMg
LW91dCBmbGFnIC1iYXNlNjQKCml2IGRvZXMgbm90IGluY2x1ZGUgdGhlIG1hcmtlciBvciBsZW5n
dGggb2YgU09GMAoKa2V5IGRvZXMgbm90IGluY2x1ZGUgdGhlIFMwUyBtYXJrZXIKCg==
```

When we decode it online, we get the following:
```
openssl enc -d -aes-256-cbc -iv SOF0 -K SOS -in flag.enc -out flag -base64

iv does not include the marker or length of SOF0

key does not include the S0S marker
```


#### Step-5:

This is a hint, the flag is encoded with AES-256-CBC, then we need to find 128 bits of _iv_ and 256 bits of _key_ to decode and find the flag.

#### Step-6:

Open the image with hex editor, we find SOF0 with `0xff` `0xc0`, the length of SOF0 is `0x00` `0x11`.

If you don't have idea of mark identifiers of an image, refer below:

http://vip.sugovica.hu/Sardi/kepnezo/JPEG%20File%20Layout%20and%20Format.htm

Then, the _iv_ is: `0800be00c803011100021101031101ff`

#### Step-7:

We find S0S with `0xff` `0xda`, the _key_ is:

`000c03010002110311003f00f9766bfc44beda8f3f5c031b92cb0e92d6bdc952`

#### Step-8:

We have a comment left, this is the encoded flag:

`mmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`

#### Step-9:

According to the command, input we need to create a `flag.enc` which includes the above comment.

So, finally the contents of flag.enc become : `mmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`

#### Step-10:
According to previous given Base64 decryption, we have put the following command:

`openssl enc -d -aes-256-cbc -iv 0800be00c803011100021101031101ff -K 000c03010002110311003f00f9766bfc44beda8f3f5c031b92cb0e92d6bdc952 -in flag.enc -out flag -base64`

#### Step-11:

This will create a file `flag` in the same directory and then we can read the contents by just `cat flag`

#### Step-12:
Finally the flag becomes:
`CTFlearn{Ne0.TheMatrix}`
Added CTFlearn writeups 2020-07-31 18:48:25 +05:30			`## The Keymaker`
			`The main idea finding the flag using some forensics and Crypto concepts.`


			`#### Step-1:`
			After we download `The-Keymaker.jpg`, we try to open and see the flag and check if we find any.

			`<img src="The-Keymaker.jpg">`

			`#### Step-2:`
			`I tried simple techniques and easily found answer when we send the command:`

			`strings PikesPeak.jpg`

			`I and got this as output:`

			```
			`JFIF`
			`CTFlearn{TheKeymakerIsK00l}`
			`b3BlbnNzbCBlbmMgLWQgLWFlcy0yNTYtY2JjIC1pdiBTT0YwIC1LIFNPUyAtaW4gZmxhZy5lbmMg`
			`LW91dCBmbGFnIC1iYXNlNjQKCml2IGRvZXMgbm90IGluY2x1ZGUgdGhlIG1hcmtlciBvciBsZW5n`
			`dGggb2YgU09GMAoKa2V5IGRvZXMgbm90IGluY2x1ZGUgdGhlIFMwUyBtYXJrZXIKCg==`
			`CmmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`
			`, #&')*)`
			`-0-(0%()(`
			`((((((((((((((((((((((((((((((((((((((((((((((((((`
			`RR=,Q`
			`)n}}`
			`ZY&H`
			`1(m{iR`
			`!AE3`
			`J/>E`
			`]m4us`
			`/fuY`
			`*0W[`
			`YDkR&`
			`-(ah!`
			`X*EY#`
			`}up07%`
			`FPvV`
			`[T);`
			`uZD`
			`[vK4`
			`O>a\U`
			`L.dY[`
			`KK$h`
			`Xn6<\|`
			`_@[O`
			`+$KIQ;`
			`A7~B.A]B`
			`l-nvQ`
			`i+2n`
			`+K0x`
			`{b:W`
			`h4Yf7s;`
			`1RTI`
			`ZR^C`
			`[Yf#r`
			`U]+U4`
			`{5}n`
			`%SAL`
			`IJ4\7`
			`>_@M=<b`
			`F*%J`
			`X\lp`
			`f=+kn9`
			`e+^@`
			S`=+
			`JZ$D`
			`W,C;`
			`Se=I`
			`!I7$/`
			`?\UIn`
			`Jjm.`
			`Kn/ql>#'o`
			`F\z>y`
			`npU7`
			`{D[i`
			`-:*C`
			`-;5r`
			`%Ciw`
			`V],Is`
			`,I ~`
			`hE#Q`
			`2jz/(`
			`itO,`
			`er.](`
			`sj9d`
			`biF:`
			`o~19F.-`
			`m.uX,rzB.`
			`PI8xc`
			MR,(_T`
			`\|;jOoS$`
			`jJ7e`
			`'Y$]`
			`znRK`
			`C$+8`
			`,!~th}`
			`7nS*`
			`~pE=`
			`dMh&`
			`KsHw`
			`QTHZ`
			`S-~u=`
			`:RB9uFr`
			`ER #`
			`A-.kx%`
			`/qm_,FZN`
			`j#2*`
			`@,T[{`
			`Ksri`
			`6kYB`
			`1u23`
			`e%I/Q`
			`%fJm`
			`tM:v`
			`M+I<M`
			`)!U5`
			`@e%H`
			`tHrw`
			`U_G_`
			`^m4B`
			`ue:E`
			`gR/.`
			`6b !v`
			`*-40E-S`
			;`)FN
			`MU.KN`
			`JN%F`
			`+%MD3EMK`
			`W)'
			`Q$04`
			`:IpKI^2`
			`5ev$o`
			`CRb4`
			fS\|<`S
			`iMD1RT`
			`bX>
			`yU^[K`
			`NAP_r`
			`WFZN`
			`iU_=B`
			`jwX`
			`R=:F`
			`2g4m`
			`Vu=9`
			`&jHj`
			`Q,h6>`
			$j`7
			`xTGP`
			`Y]MZ`
			`KQ--`
			`CH:T`
			`8hGt{`
			`%)tG`
			'*Z`
			`BQZ1`
			`aQY&^`
			`pl}(N`
			`K[_MBFZ`
			`IM!Q`
			`TZiQ`
			`<h5!I`
			`NNAwM`
			`JQ%$ut
			`"Uid1`
			`U59m8S`
			`4;Lup`
			`PD4GO`
			`r*TU`
			`po~7`
			`o},}`
			`yQe!_`
			`&3:E`
			`!+E,`
			`#9g \|`
			`E=_e*h`
			`9A"O`
			`:4P_2`
			`(:k,`
			`9id$I`
			`05An`
			`YfqT`
			`IW]CQOB`
			`RW^&`
			`$)<0`
			`8QoQ[`
			`-l/\|`
			`l,nB`
			`~xx)(`
			`@Art`
			`h+s\`
			`d9>aUQqU`
			`M9S\`
			`3eA,`
			`S\q0`
			`A6;x`
			`bU4u`
			`LoIR`
			`%)5&`
			`w#X`
			`5B7Q`
			`AEO*UH`
			`~IN{`
			`P56c]B:`
			`&PdR`
			`Uw[s}`
			`&&#{`
			`{q\|,t`
			`_[WV%`
			`(Bm,`
			`/jDh`
			`U$t.`
			`%aUX`
			`8}WSSf`
			`TRg4b`
			`bUbs`
			`-9J1Q`
			`2*et`
			`GSJL&`
			`nHym`
			`JQ9mE`
			`SWQ+`
			`T}6_`
			`U)SB\|K`
			*j`i+
			`YuFqS`
			`]GMm`
			`T#>_C`
			`M$4u'`
			`qwWK`
			`OVnF`
			`.HBm~`
			`SFw$`
			`pRrT`
			`$iY@0`
			`T%X`
			Hg%!`
			`HUtz`
			`^Pw'`
			`Qtm2U`
			`9_LW`
			`&WHh`
			`^?l_`
			`DUPv`
			`e-%Q`
			`T$NA`
			`#3Lf`
			`LqV-`
			`\|uY%j`
			`\Xsl`
			`Wmz}B`
			`P0se`
			`:^u.`
			`-[-,3`
			`iceW`
			`IuvC`
			A`.
			`K$YlO`
			`plqx`
			`!hAq`
			`;[H$`
			`VIA$`
			`uacp`
			`K?/ht`
			`Qi%@\`
			`C"V4OK`
			`[QY#`
			`gRKCRY`
			`/b6+`
			`7$JI`
			`M^eQ`
			`9k"c"@`
			`} l
			`-Q42`
			`F6ui*E`
			`#Tj(`
			`%%Na`
			`;Q9\`
			`1@_},C`
			`+=E=B`
			`6zzy"`
			`h{!"`
			`olNj`
			`Wc$TY}fT`
			`STjfD`
			`/#gNC`
			`uV_C[)`
			`n,Bj`
			`?dy[`
			`LT}T`
			`jcHB`
			`T7QV`
			`*(N\`
			`GVi9NV`
			`)i"U`
			`DZ_H`
			`-;'Q`
			`P,ZA`
			`m~\|b5r@`
			`()*^`
			`,B^7`
			`u'wI`
			`M=k"`
			`1OQv6`
			`iNSJ`
			`M9c&`
			`_QM]`
			`WGlll-r`
			`s4 4`
			`\o\|w`
			`WSM)e`
			`Pwhj`
			`jzw.`
			`u4tU9`
			`&YL K1S`
			`?BlF:c`
			`Qmt@*`
			`iY]9`
			`#m#"6`
			`PEP@`
			`mrpV`
			```

			`#### Step-4:`
			`Try the flag and it is incorrect. Now the following part looks like Base64 encryption:`
			```
			`b3BlbnNzbCBlbmMgLWQgLWFlcy0yNTYtY2JjIC1pdiBTT0YwIC1LIFNPUyAtaW4gZmxhZy5lbmMg`
			`LW91dCBmbGFnIC1iYXNlNjQKCml2IGRvZXMgbm90IGluY2x1ZGUgdGhlIG1hcmtlciBvciBsZW5n`
			`dGggb2YgU09GMAoKa2V5IGRvZXMgbm90IGluY2x1ZGUgdGhlIFMwUyBtYXJrZXIKCg==`
			```

			`When we decode it online, we get the following:`
			```
			`openssl enc -d -aes-256-cbc -iv SOF0 -K SOS -in flag.enc -out flag -base64`

			`iv does not include the marker or length of SOF0`

			`key does not include the S0S marker`
			```


			`#### Step-5:`

			`This is a hint, the flag is encoded with AES-256-CBC, then we need to find 128 bits of _iv_ and 256 bits of _key_ to decode and find the flag.`

			`#### Step-6:`

			Open the image with hex editor, we find SOF0 with `0xff` `0xc0`, the length of SOF0 is `0x00` `0x11`.

			`If you don't have idea of mark identifiers of an image, refer below:`

			`http://vip.sugovica.hu/Sardi/kepnezo/JPEG%20File%20Layout%20and%20Format.htm`

			Then, the _iv_ is: `0800be00c803011100021101031101ff`

			`#### Step-7:`

			We find S0S with `0xff` `0xda`, the _key_ is:

			`000c03010002110311003f00f9766bfc44beda8f3f5c031b92cb0e92d6bdc952`

			`#### Step-8:`

			`We have a comment left, this is the encoded flag:`

			`mmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`

			`#### Step-9:`

			According to the command, input we need to create a `flag.enc` which includes the above comment.

			So, finally the contents of flag.enc become : `mmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`

			`#### Step-10:`
			`According to previous given Base64 decryption, we have put the following command:`

			`openssl enc -d -aes-256-cbc -iv 0800be00c803011100021101031101ff -K 000c03010002110311003f00f9766bfc44beda8f3f5c031b92cb0e92d6bdc952 -in flag.enc -out flag -base64`

			`#### Step-11:`

			This will create a file `flag` in the same directory and then we can read the contents by just `cat flag`

			`#### Step-12:`
			`Finally the flag becomes:`
			`CTFlearn{Ne0.TheMatrix}`