Category: Forensics

After downloading the image, I ran strings on it. We see some suspicious data at the beginning.

The first strings seems like a base64 encoded message. So, we try to base64 decode it. The result it quite interesting.

This seems like a flag. So we submit it, but that does not seem to be the case. It’s not the flag. But we get a hint here. In the problem description it was written that you may need to write a quick script and here it tells us about xor. So, we get a idea that we may need to write a python code two do XOR. We see there are two more strings when we ran strings on the iamge. We also observe that these two strings are of the same length. So, we may need to xor these two strings. So we write a quick python script.

import base64

str1 = "xD6kfO2UrE5SnLQ6WgESK4kvD/Y/rDJPXNU45k/p"
str2 = "h2riEIj13iAp29VUPmB+TadtZppdw3AuO7JRiDyU"

assert (len(str1) == len(str2))

str1 = base64.b64decode(str1)
str2 = base64.b64decode(str2)

flag = ""
for i in range(0, len(str1)):
    xored = str1[i] ^ str2[i]
    flag += chr(xored)

print(flag)

At first we tried only xor-ing these two strings. But that gave us some garbage characters. Then we got the idea that the first string was base64 encoded. So, maybe these two are also base64 encoded. So, we need to base64 decode them first and then xor them. After doing that, we get the result below and that is the flag.