The folks at Cyber Security Challenge, the FCO, PWC and GCHQ set a series of challenges last year. This one was devised by Senad Zukic, a winner from a previous challenge, to coincide with the London Conference on Cyberspace.

The challenge was to find the hidden message in an image.

This image, to be precise. Can you spot it?

Start the clock!

Obvious cipher in the middle of the flag – binary to ASCII

01101000011101000111010001110000001110100010111100101111011001110110111101101111001011100110011101101100001011110111000001100001011011110100001101000011

Converted, this gives you the link http://goo.gl/paoCC which redirects to http://www.theglider.org/about/c1ph3r

Too easy! Message at the bottom even says so! 1st rule of forensics (mine anyway!): never view something in the manner it should be viewed! I look at the source code for the blog page and spot the commented text: BletchleyParkStationX. No idea what it is for, but it’s there for a reason, so make a note! The rest of the page looks fine – back to the image.

So what’s in the image?

A quick exifinfo -b cipher-image didn’t show anything suspicious, neither did exifinfo cipher-image. So I leave the steg toolkit alone and look for an embedded message.

It’s a .png, so there should be no loss in the colours unless they are deliberate or it has been converted. Open up GIMP and flood the colours of the flag to a different colour. They should all be solid, but they are not.

Hidden bits in image

My first approach (which consumed a few hours) was to analyse the dots in the top part of the flag, so I grouped them and got: 13,22,15,27,18,13,15. I ran them through a few ciphers and variations but came up with nothing. I even tried aligning the dots horizontally and vertically, converting to binary and making it into Morse code, but couldn’t see anything. Perhaps there is a message there, but I couldn’t see it; perhaps it was just a decoy.

So I moved on to the rest of the image and noticed that the ones and zeros at the end of the original binary URL hadn’t been caught by the flood. The URI part had changed, so it must be hiding a new URL. So I clicked on each of the surrounding pixels of the characters with a different colour and revealed that some of the 1’s and 0’s had vertical bars next to them (in blue below).

I first tried converting just the ones, but that didn’t work.

01110000 00100001 00100000 01000001 01000001

That gave me: p! AA, which isn’t a valid tiny URL. I then tried converting the zeros as well and got:

01110110 00110111 00110000 01110101 01101101

and converted that to get v70um – bingo, a valid URL www.goo.gl/v70um which redirected to http://paste2.org/p/1747336

And that produced another cipher:

  1.                                      .,'
  2.                                    .''.'
  3.                                   .' .'
  4.                        .    ' . ~,'  `.~ . `    .
  5.                   . '  .  '   .`:_. . _:'.   `  .  ` .
  6.                 .'   .'     ,     .' '.    .     `.   `.
  7.                .    .       .Z.  .     . .Z.       .    .
  8.                           .YACCP.      .GPPCB.
  9.               '    '    .OVMHXZSNI.  .DTTAGYNSL.    `    `
  10.               .    .      .      . VR  .     .      .    .
  11.                                   RDME
  12.                `    `AMQ.  `     `     '    '  .CAP'    '
  13.                  .    `QWI   TULPQ.  .YXLTY   VXB' .   .
  14.                   ` .   `KQHNKOT EMQTPH GPAKMQU' .' . '
  15.                         . EKASP   RSTX   REOLP. .
  16.                            JTNX    OV    HTHZ
  17.                             UQ     LU     FO
  18.                                         
  19.                                                         
  20.                   In order to win, you must first lose.

The comment at the bottom on line 20 then fell into place: that was the BletchleyParkStationX comment in the source code from the first URL. So I knew I had a key to a code, and because there are no numbers in the code I knew it would be a fairly simple cipher and probably a message. I stripped out all the punctuation and was left with:
ZZYAC CPGPP CBOVM HXZSN IDTTA GYNSL VRRDM EAMQC APQWI TULPQ YXLTY VXBKQ HNKOT EMQTP HGPAK MQUEK ASPRS TXREO LPJTN XOVHT HZUQL UFO

From looking at the scrambled text I could see some strange repetition (i.e. two Z’s at the start), so I knew the cipher must have used a key in rotation through the code. I made a quick visit to http://www.cryptool-online.org (a great online cipher tools site). My first try was the Vigenère, although Autokey would also have worked as I knew they could use variable-length keys. The revealed text:
YOU HAVE CRACKED THE REAL CIPHER CONGRATULATIONS PLEASE EMAIL CODEBRITANNIA TO MEDIA AT CYBERSECURITYCHALLENGE DOT ORG DOT UK
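
The two decoding steps above (binary to ASCII, then Vigenère with the key taken from the page source) can be replayed offline. This is an added example, not code from the original post; the function and constant names are illustrative, and the bit strings, key and ciphertext are copied from the write-up.

```python
import string

ALPHABET = string.ascii_uppercase

def bits_to_ascii(bits: str) -> str:
    """Decode 0/1 characters (whitespace ignored) as 8-bit ASCII."""
    bits = "".join(bits.split())
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 binary digits")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Vigenère decryption over A-Z; anything that is not a letter is dropped."""
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    letters = [c for c in ciphertext.upper() if c in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(c) - shifts[i % len(shifts)]) % 26]
        for i, c in enumerate(letters)
    )

# Values copied from the write-up (flag bits regrouped into bytes).
FLAG_BITS = """
01101000 01110100 01110100 01110000 00111010 00101111 00101111
01100111 01101111 01101111 00101110 01100111 01101100 00101111
01110000 01100001 01101111 01000011 01000011
"""
BARS_ONES_ONLY = "01110000 00100001 00100000 01000001 01000001"
BARS_ONES_AND_ZEROS = "01110110 00110111 00110000 01110101 01101101"
KEY = "BletchleyParkStationX"  # comment found in the page source
CIPHERTEXT = """
ZZYAC CPGPP CBOVM HXZSN IDTTA GYNSL VRRDM EAMQC APQWI TULPQ YXLTY
VXBKQ HNKOT EMQTP HGPAK MQUEK ASPRS TXREO LPJTN XOVHT HZUQL UFO
"""

if __name__ == "__main__":
    print(bits_to_ascii(FLAG_BITS))              # first short link
    print(repr(bits_to_ascii(BARS_ONES_ONLY)))   # the dead end
    print(bits_to_ascii(BARS_ONES_AND_ZEROS))    # second short-link suffix
    print(vigenere_decrypt(CIPHERTEXT, KEY))     # final message, no spaces
```

The decrypted output has no word breaks because the spaces were stripped along with the punctuation before decryption.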

Stop the clock!

 
