TCS Hackquest Season 6 -Forensics Writeup

P4ul Jeremi4h
5 min readMar 23, 2022
Lets Start

Let’s Take a look at some forensic and steganography #5 challenges from TCS Hackquest season 6 ( 26/02/2022)


[p4ul@j0ker Metaverse]$ lsElephant.jpg

So Here We have zip file and JPEG , when unzipping zip file it contains 300+ directorys and JPEG may contains some stegy information

  1. Elephant.jpg
At The End of The Pic You can Notice The line `rot 18` something
[p4ul@j0ker Metaverse]$ exiftool Elephant.jpg |grep CommentComment                         : The Elephant stuffed the 'banana' into its mouth as if he was hiding from us

Banana ,The password for steghide coz its jpg

[p4ul@j0ker Metaverse]$ steghide --extract -sf Elephant.jpg Enter passphrase: (banana)
wrote extracted data to "elephant_key.txt".
[p4ul@j0ker Metaverse]$ cat elephant_key.txt

if You Don’t Know The password , try Stegseek!


$ unzip getMeToReachTheHeight

Are We going to the final directory Manually? no

[p4ul@j0ker Metaverse]$ seq 400|while read line;do cd  getMeToReachTheHeight;done  (Even With huge Output)[p4ul@j0ker Metaverse]$ cp Tusks.docx /tmp/Metaverse


  • Rot18 vs docx
$ file Tusks.docx                                                                                                          
Tusks.docx: CDFV2 Encrypted
All We need is,Just a password to Open This file

6ryrcunagfgrcngngvzr = rot18

"1elephantstepatatime" , Give this  string as password for docx
Give This Flag as Input and retrieve The original Flag

That’s all!

2. Secure Shell

Here’s the Filesystem Archive Zip , they wanted the RSA of the administrator!

  1. Navigate
cd Datacenter-Prodserver/home/sysadmin/.ssh

2. Convert openssh into Rsa Pem :

[p4ul@j0ker .ssh]$ ssh-keygen -p -N "" -m pem -f id_rsaYour identification has been saved with the new passphrase.[p4ul@j0ker .ssh]$ cat id_rsa|head-----BEGIN RSA PRIVATE KEY-----

3.Copy the Whole id_rsa file and paste it in a Challenge Site .

That’s All.

3. Into The abyss

Given File:

[p4ul@j0ker tmp]$ file iamasimplefile.mp3 iamasimplefile.mp3: MPEG ADTS, layer III, v1, 64 kbps, 44.1 kHz, Monaur

Analyzing the Morse code was waste of time! , just get into extract some deep hidden information

  1. unzip, foremost, deepsound, binwalk : Use Any one of these tools to extract the hidden file :)
[p4ul@j0ker tmp]$ unzip iamasimplefile.mp3 Archive:  iamasimplefile.mp3warning [iamasimplefile.mp3]:  971963 extra bytes at beginning or within zipfile
inflating: millionmiles.txt
[p4ul@j0ker tmp]$ cat millionmiles.txt HQ6{Hidden_in_the_hex_million_miles_away}

Copy and Paste it in a site and retrieve The flag !

That’s all Magic


[p4ul@j0ker office-magic]$ file *TakeThatDreamTrip!.pst: Microsoft Outlook email folder (>=2003)
TastyTreats.mdb: Microsoft Access Database
  1. Just Extract the mails and files from pst file using libpst ( Lazy of Using Online tools! )
  2. To Install
Arch = sudo pacman -Sy libpst libpst-docs
[p4ul@j0ker office-magic]$ readpst -S TakeThatDreamTrip\!.pst

Opening PST file and indexes...
Processing Folder "Inbox"
"Inbox" - 2 items done, 0 items skipped.
[p4ul@j0ker office-magic]$ ls Outlook\ Data\ File


Check out the files in the Directory, file no 2 contains a flag or Do grep in the Directory

[p4ul@j0ker Inbox]$ grep -r HQ6 2:Visit Our Site to choose from a wide array of options. Hurry to get the coupon HQ6{Its_Couponing_Time} and avail additional benefits

That’s all!

5. Satellite Imagery

Given :

[p4ul@j0ker Satellite]$ file challenge challenge: data
  • Nice , Lets Correct some Magic Bytes!
[p4ul@j0ker Satellite]$ xxd challenge |head00000000: 5229 4646 2400 0000 5740 5633 666d 7420  R)FF$...W@V3fmt 
00000010: 1000 0000 0100 0200 80bb 0000 00ee 0200 ................
00000020: 0400 1000 6461 7461 c0a1 5a01 b007 0000
00000030: e60e 0000 3315 0000 321a 0000 951d 0000 ....3...2.......
  • Changes to Made : R)FF$…W@V3fmt => RIFF$…WAVEfmt
Let The Game begins
  1. Listen , Guess a bit
  2. They were mentioned some words like satellite , Image , Audio obviously Its sqqtv Time! .

Qsstv is a utility for dealing with slow scan television signals.

deb = apt install qsstvarch = sudo pacman -Sy qsstv
  1. Open qsstv => Menu=> Options => Go to Configurtion

Do Tick on “from File” , so that every time when we open qsstv ,it will ask for a file to open

  • Now Close and Reopen The qsstv .
  • Give That wave file as input and get the result
Here We Go

That’s all For Now .

Thanks for reading :)