#Day02 of #100DaysOfSecurity
Today’s challenge is information. This is a forensics challenge (with some bonus crypto too; there’s a clue ;)).
Digital Forensics is a branch of forensic science encompassing the recovery, investigation, examination and analysis of material found in digital devices.
This challenge will be some of that on a smaller scale: trying to look at a single picture and find the flag that’s somehow hidden within.
You’re given the following ADORABLE image: cat.jpg
This image clearly has both fur and tech, but WHERE is the flag…?
Hint
EXIF (Exchangeable image file format) is a standard for storing metadata about an image. It’s commonly used to document things like the date and time of its creation, what camera settings were used, and specified copyright information about any given photo.
Walkthrough
Interestingly, if you try and view the metadata with a standard EXIF viewer tool such as exif or macOS Finder, it chokes on invalid input. I found two ways around this:
- Open the jpg in a text editor such as vi, which lets you view the “raw” EXIF data in RDF format.
- Upload the image to an online EXIF viewer such as https://exif.tools/ which can extract it regardless.
In any event, you’ll see that the “license” property is set to an interesting-looking string:
<cc:license rdf:resource='cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'/>
This is suspicious because you’d expect this to be a human-readable string; something like “Public domain” or “CC BY-NC.” This indicates the use of some kind of encoding.
A common type of encoding used on the web, especially for binary objects such as images, is Base64. It encodes binary data into text so it can more easily be sent around (for example, as an email attachment). If you’re ever doing a challenge that has a similar string of gobbledygook (alphanumeric characters, and the number of characters is divisible by 4), and especially if that gobbledygook ends in = or ==, it’s a good bet it’s Base64 encoding.
However, that which can be encoded can also be decoded. Once again, a PHP one-liner can solve this one:
<?php echo base64_decode('cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'); ?>
Or, you can use a web-based tool such as https://www.base64decode.org/
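The manual steps above (read the raw bytes, spot the odd attribute, decode it) can also be scripted. The following Python sketch is an added example, not part of the original walkthrough: it generalizes from the single license attribute to every quoted attribute in the file, and the function names and the `SAMPLE` bytes (a constructed stand-in for cat.jpg) are assumptions.

```python
import base64
import re

# name='value' / name="value" attributes as they appear in embedded RDF/XML.
ATTR_RE = re.compile(rb"""([\w:.-]+)\s*=\s*(['"])([^'"<>]{1,4096})\2""")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def decode_if_base64(value: bytes, min_len: int = 16):
    """Return the decoded text if value looks like Base64 of printable ASCII."""
    # Heuristics from the walkthrough: Base64 alphabet, length divisible by 4.
    if len(value) < min_len or len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Ordinary words can pass the alphabet test; require a readable result.
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def find_encoded_attributes(data: bytes):
    """Scan raw file bytes and return (attribute, decoded_text) pairs."""
    hits = []
    for m in ATTR_RE.finditer(data):
        decoded = decode_if_base64(m.group(3))
        if decoded is not None:
            hits.append((m.group(1).decode("ascii"), decoded))
    return hits


# Constructed sample: JPEG start/end markers around the metadata line quoted
# in the walkthrough. The xmlns attribute is added to show a non-match.
SAMPLE = (
    b"\xff\xd8\x00\x01binary-noise\x00"
    b"<rdf:Description xmlns:cc='http://creativecommons.org/ns#'>"
    b"<cc:license rdf:resource='cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9'/>"
    b"</rdf:Description>\xff\xd9"
)

if __name__ == "__main__":
    for name, text in find_encoded_attributes(SAMPLE):
        print(f"{name}: {text}")
```

To run it against a real file, pass `open("cat.jpg", "rb").read()` to `find_encoded_attributes` instead of `SAMPLE`.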