RTCP - Chugalug's Footpads
Posted on sam. 25 janvier 2020 in CTF
solves : 174
Point : 150
Chugalug makes footpads that he can chug and lug. However, his left one is different from his right... I wonder why?
We have two images and need to find the flag from this two files without any other hint.
Let's begging with some checks:
$ file right.jpg
right.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1366x855, components 3
$ binwalk right.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
No other data embeded in the file. Now, check what is different between this two files:
diff right.jpg left.jpg
Binary files right.jpg and left.jpg differ
Ok, diff sees something different but not showing it. The concertion to hexadecimal format can help to show it:
$ xxd right.jpg > right.hex
$ xxd left.jpg > left.hex
$ diff right.hex left.hex
108c108
< 000006b0: a531 5505 7e28 a552 4d1c e080 c5f8 7e6a .1U.~(.RM.....~j
---
> 000006b0: a531 5505 7e28 a572 741c e080 c5f8 7e6a .1U.~(.rt.....~j
128c128
< 000007f0: e0e8 00f4 1920 74fe 4551 1771 e1f4 503a ..... t.EQ.q..P:
---
> 000007f0: e0e8 00f4 1920 74fe 6370 1771 e1f4 503a ..... t.cp.q..P:
146c146
< 00000910: 9202 8c10 3230 c070 7542 4006 cbe2 a029 ....20.puB@....)
---
> 00000910: 9202 8c10 3230 c07b 5468 4006 cbe2 a029 ....20.{Th@....)
179c179
< 00000b20: 931c 501c 79a0 336c 9014 cfc9 00f8 3040 ..P.y.3l......0@
---
> 00000b20: 931c 501c 7933 7a65 9014 cfc9 00f8 3040 ..P.y3ze......0@
189c189
< 00000bc0: 0220 9a64 81bf 9b64 8139 1428 1b06 0fc7 . .d...d.9.(....
---
> 00000bc0: 0220 9a64 81bf 9b5f 5e39 7228 1b06 0fc7 . .d..._^9r(....
195c195
< 00000c20: 0cb8 2065 c071 8668 165c 1022 dfc5 02c4 .. e.q.h.\."....
---
> 00000c20: 0cb8 2065 c033 8668 165c 1022 dfc5 02c4 .. e.3.h.\."....
209c209
< 00000d00: 75a1 540c 7234 409c b57c 9037 380a 200b u.T.r4@..|.78. .
---
> 00000d00: 75a1 545f 7234 409c b57c 9037 380a 200b u.T_r4@..|.78. .
227c227
< 00000e20: 7541 8170 73c5 0314 8f11 9a04 5c54 2031 uA.ps.......\T 1
---
> 00000e20: 7541 8170 73c5 0314 8f6e 3004 5c54 2031 uA.ps....n0.\T 1
264c264
< 00001070: 0004 0542 0301 4a7d 1030 4140 f03f 4010 ...B..J}.0A@.?@.
---
> 00001070: 0004 0542 0301 547d 1030 4140 f03f 4010 ...B..T}.0A@.?@.
276c276
< 00001130: 0ba0 0b79 200e 7c38 206e 7f8a 028c c500 ...y .|8 n......
---
> 00001130: 0ba0 0b79 630e 7c38 206e 7f8a 488c c500 ...yc.|8 n..H...
299c299
< 000012a0: f18a 047e 1920 32e7 9203 d4d8 5103 0e63 ...~. 2.....Q..c
---
> 000012a0: f18a 047e 1920 346e 9203 d4d8 5103 0e63 ...~. 4n....Q..c
321,322c321,322
< 00001400: dcd4 a0f0 2fe2 a844 97aa 07ea c8a0 0bb8 ..../..D........
< 00001410: e250 1973 e281 b9c0 d020 010f 4c4a 04f5 .P.s..... ..LJ..
---
> 00001400: dcd4 a0f0 43e2 a844 97aa 07ea c8a0 0bb8 ....C..D........
> 00001410: e250 1973 e281 b9c0 d020 010f 3161 04f5 .P.s..... ..1a..
338c338
< 00001510: 110f 135c 3240 aaf4 f240 176f aa00 3e54 ...\2@...@.o..>T
---
> 00001510: 110f 135c 3240 aa35 7d40 176f aa00 3e54 ...\2@.5}@.o..>T
OH! If we keep only the differences, we got with the two first lines rtcp. Let's doing for all the lines!
And finally, we got the entire falg: rtcp{Th3ze_^r3_n0TcH4nC1a5}.