TCS Hackquest Season 6 -Forensics Writeup

5 min readMar 23, 2022

Let’s Take a look at some forensic and steganography #5 challenges from TCS Hackquest season 6 ( 26/02/2022)

1.Metaverse

Given:Metaverse.zip

[p4ul@j0ker Metaverse]$ lsElephant.jpg  getMeToReachTheHeight.zip

So Here We have zip file and JPEG , when unzipping zip file it contains 300+ directorys and JPEG may contains some stegy information

Elephant.jpg

At The End of The Pic You can Notice The line `rot 18` something

[p4ul@j0ker Metaverse]$ exiftool Elephant.jpg |grep CommentComment                         : The Elephant stuffed the 'banana' into its mouth as if he was hiding from us

Banana ,The password for steghide coz its jpg

[p4ul@j0ker Metaverse]$ steghide --extract -sf Elephant.jpg Enter passphrase: (banana)
wrote extracted data to "elephant_key.txt".[p4ul@j0ker Metaverse]$ cat elephant_key.txt 
6ryrcunagfgrcngngvzr

if You Don’t Know The password , try Stegseek!

2. getMeToReachTheHeight.zip

$ unzip getMeToReachTheHeight

Are We going to the final directory Manually? no

[p4ul@j0ker Metaverse]$ seq 400|while read line;do cd  getMeToReachTheHeight;done  (Even With huge Output)[p4ul@j0ker Metaverse]$ cp Tusks.docx /tmp/Metaverse

Output:

Rot18 vs docx

$ file Tusks.docx                                                                                                          
Tusks.docx: CDFV2 EncryptedAll We need is,Just a password to Open This file

6ryrcunagfgrcngngvzr = rot18

ROT18 Encrypter / Decrypter, Encoder / Decoder, Solver, Translator Online - DenCode

ROT18 is one of the single transliteration ciphers that encrypts by replacing the characters in the text with other…

dencode.com

"1elephantstepatatime" , Give this  string as password for docx

Give This Flag as Input and retrieve The original Flag

That’s all!

2. Secure Shell

Here’s the Filesystem Archive Zip , they wanted the RSA of the administrator!

Navigate

cd Datacenter-Prodserver/home/sysadmin/.ssh

2. Convert openssh into Rsa Pem :

[p4ul@j0ker .ssh]$ ssh-keygen -p -N "" -m pem -f id_rsaYour identification has been saved with the new passphrase.[p4ul@j0ker .ssh]$ cat id_rsa|head-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEA5Qwf/+XGmVtO9OtjCyzE6/xtnywMFUY/MLZDCbItp06dtkXr
aRD3CYAj0vSsuNHlJwh6JK97ZaueTKqWy6MjZNHM1mAwsOjAOli/zGYqvfRJYN7+
mjeeZ7QAV7L0Tar3HX54KBLKH553rsPWhktF3hBdJsrtVhD+qgXETPP4yi1iJ/bt
QzccPBkd6IJF/T5xVrKozcUkWicT/Pq0+xY+w+6P3U7DJ7HAdKn5R8Dm9PY8c4tP
4bMt1h9GrgkGzWtlWiR3lxKcSE4q4D5x5lXiOc5wOnkM5A1RL1Fs41H9xEnZ0++9
/C11bpUM4TE/1Nuola5YZ9T4ZINkWXvv4sLaLzEWJOMazRDKvWSZRh/EfITho98z
2SSQhIIlKlGgajs/xhmq9bEQjxtbMb7LdmL67AWOC+RhFsT7l2A+jlWrAE/CDViv
Sxa5Zlw9ONraQCYiQbn3GbL0rhyGnfDloc9f2ySolfXV9hL9mjxnoJd5CIRX1LrY
u2t+uLHzgHzA4MODAgMBAAECggGAR65ZvV4NnyTiOugHoRGrtybSr8O7LFVFpVsE

3.Copy the Whole id_rsa file and paste it in a Challenge Site .

That’s All.

3. Into The abyss

Given File:

[p4ul@j0ker tmp]$ file iamasimplefile.mp3 iamasimplefile.mp3: MPEG ADTS, layer III, v1, 64 kbps, 44.1 kHz, Monaur

Analyzing the Morse code was waste of time! , just get into extract some deep hidden information

unzip, foremost, deepsound, binwalk : Use Any one of these tools to extract the hidden file :)

[p4ul@j0ker tmp]$ unzip iamasimplefile.mp3 Archive:  iamasimplefile.mp3warning [iamasimplefile.mp3]:  971963 extra bytes at beginning or within zipfile
inflating: millionmiles.txt        [p4ul@j0ker tmp]$ cat millionmiles.txt HQ6{Hidden_in_the_hex_million_miles_away}

Copy and Paste it in a site and retrieve The flag !

That’s all

4.office Magic

Given:

[p4ul@j0ker office-magic]$ file *TakeThatDreamTrip!.pst: Microsoft Outlook email folder (>=2003)
TastyTreats.mdb:        Microsoft Access Database

Just Extract the mails and files from pst file using libpst ( Lazy of Using Online tools! )
To Install

Arch = sudo pacman -Sy libpst libpst-docs
[p4ul@j0ker office-magic]$ readpst -S TakeThatDreamTrip\!.pst  
                                                                   
Opening PST file and indexes...
Processing Folder "Inbox"
"Inbox" - 2 items done, 0 items skipped. [p4ul@j0ker office-magic]$ ls Outlook\ Data\ File    
                                                                             
 Inbox

Check out the files in the Directory, file no 2 contains a flag or Do grep in the Directory

[p4ul@j0ker Inbox]$ grep -r HQ6 2:Visit Our Site to choose from a wide array of options. Hurry to get the coupon HQ6{Its_Couponing_Time} and avail additional benefits

That’s all!

5. Satellite Imagery

Given :

[p4ul@j0ker Satellite]$ file challenge challenge: data

Nice , Lets Correct some Magic Bytes!

[p4ul@j0ker Satellite]$ xxd challenge |head00000000: 5229 4646 2400 0000 5740 5633 666d 7420  R)FF$...W@V3fmt 
00000010: 1000 0000 0100 0200 80bb 0000 00ee 0200  ................
00000020: 0400 1000 6461 7461 c0a1 5a01 b007 0000  ....data..Z.....
00000030: e60e 0000 3315 0000 321a 0000 951d 0000  ....3...2.......

Changes to Made : R)FF$…W@V3fmt => RIFF$…WAVEfmt

Listen , Guess a bit
They were mentioned some words like satellite , Image , Audio obviously Its sqqtv Time! .

Qsstv is a utility for dealing with slow scan television signals.

deb = apt install qsstvarch = sudo pacman -Sy qsstv

Open qsstv => Menu=> Options => Go to Configurtion

Do Tick on “from File” , so that every time when we open qsstv ,it will ask for a file to open

Now Close and Reopen The qsstv .
Give That wave file as input and get the result

That’s all For Now .

Thanks for reading :)