DEV Community

maz4l
maz4l

Posted on • Edited on

Official Write-Up for the Lucky Panther CTF TryHackMe Private Room

Task 1: Download the Image

Room link

Users can also join this room by going to their My Rooms page and entering luckypantherctf

Start by downloading the provided image file.

Task 2: Investigate the Image

Question 1: What Did You Find in the Picture?

To get started, you can try using online tools. Such as:aperisolve, stegano ... . But I'll skip this part and move on to the terminal.

Just now let's try commands:

file
strings
exiv2 <file.name>
binwalk -e <file.name>
Enter fullscreen mode Exit fullscreen mode

And now closer to the point, use the steghide tool to analyze the image:

steghide info luckypanther.jpg
Enter fullscreen mode Exit fullscreen mode

Output:

"luckypanther.jpg":
format: jpeg
capacity: 28.7 KB
Try to get information about embedded data? (y/n) y
Enter passphrase:
Enter fullscreen mode Exit fullscreen mode

Since a passphrase is required, we need to find it. Let’s try StegSeek with the rockyou.txt wordlist:

stegseek luckypanther.jpg /usr/share/wordlists/rockyou.txt -
Enter fullscreen mode Exit fullscreen mode

StegSeek successfully finds the passphrase:

StegSeek 0.6 
[i] Found passphrase: "$pxxxxxxxxxx"
Enter fullscreen mode Exit fullscreen mode

Next, extract the hidden file using steghide:

steghide extract -sf luckypanther.jpg
Enter fullscreen mode Exit fullscreen mode

Enter the passphrase "$pxxxxxxxxxx" to extract the embedded file, which is forest.zip.

Answer: forest.zip

Question 2: What is Your Second Find?

Let’s unzip the forest.zip file:

unzip forest.zip
Enter fullscreen mode Exit fullscreen mode

Output:

Archive:  forest.zip
forest.zip: deepforest.pdf password:
Enter fullscreen mode Exit fullscreen mode

The forest.zip file is password-protected. To crack it, use fcrackzip:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt forest.zip
Enter fullscreen mode Exit fullscreen mode

After running the command, we find the password:

PASSWORD FOUND!!!!: pw == dexxxxxxxx
Enter fullscreen mode Exit fullscreen mode

Unzipping with the password dexxxxxxxx reveals the deepforest.pdf file.

Answer: deepforest.pdf

Question 3: What is Hiding in the Deep Forest?

Opening deepforest.pdf requires a password. To crack it, first extract the hash using pdf2john:

/usr/share/john/pdf2john.pl deepforest.pdf > deepforesthash
Enter fullscreen mode Exit fullscreen mode

Then, use John the Ripper to crack the hash:

john --format=PDF --wordlist=/usr/share/wordlists/rockyou.txt deepforesthash
Enter fullscreen mode Exit fullscreen mode

John successfully cracks the password:

good-luck (deepforest.pdf)
Enter fullscreen mode Exit fullscreen mode

Alternatively, you can use Hashcat. First, edit the hash file by removing deepforest.pdf: from the start, and save it as deepforesthash2.

To crack the hash with Hashcat:

hashcat -m 10500 deepforesthash2 -a 0 /usr/share/wordlists/rockyou.txt
Enter fullscreen mode Exit fullscreen mode

Hashcat confirms the password is good-luck.

Now, open deepforest.pdf with the password good-luck to reveal the first flag.

Answer: GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_xxxxxxxxx}

Task 3: What is the Flag?

Just a little more deciphering left.

Are you in the Deep Forest?

Question: What is the Flag?

We have a flag example from Task 2:

GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_xxxxxxxxx}
Enter fullscreen mode Exit fullscreen mode

Using the Cipher Identifier tool at dCode, we identify it as a ROT13 cipher.

click on ROT-13 Cipher and decrypt srting:

We can decode it directly using ROT13, or by using CyberChef with the ROT13 function.

Answer: THM{H!_H4ck3r!_xxx_xxx_xx_xxx_xxxx_xxxxxxx_C0ngr4t$!}

Great! Happy Hacking!

Top comments (0)