A mysterious ZIP archive has slipped down the chimney, straight from Santa’s computer. You would like to take a glimpse at the files inside, in case they look... _elf-incriminating_.
Can you crack the archive and uncover the secret Santa hoped to keep under wraps?
A password-protected ZIP archive containing 7 JPG images. The challenge hints at "elf-incriminating" content that Santa wants to keep secret.
The ZIP contains 7 encrypted JPG files:
portrait.jpg is stored (uncompressed).
Stored files are easier to exploit with known plaintext attacks.
Since portrait.jpg is stored and uncompressed, we can use a known plaintext attack. All JPEG files start with the magic bytes FF D8 FF.
Command:
bkcrack -C santa-secret-memes.zip -c portrait.jpg -p portrait_plaintext.bin
Where portrait_plaintext.bin contains the JPEG header: FF D8 FF E0 00 10 4A 46 49 46 00 01
bkcrack successfully recovered the encryption keys: 4c0a34dd 9f68579b 9fd87f2f
Using the recovered keys we create an unlocked ZIP:
bkcrack -C santa-secret-memes.zip -k 4c0a34dd 9f68579b 9fd87f2f -U santa-unlocked.zip password
unzip -P password santa-unlocked.zip
All 7 images are now extracted.
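Added example, not part of the original write-up: the weakness used above (legacy ZipCrypto on a stored entry with a predictable header) can be checked for before an archive is shared. This Python sketch classifies entries from the ZIP central directory, which is readable without the password. The risk labels, the header table and the sample entries other than portrait.jpg are assumptions made for the illustration.

```python
import os
import zipfile

# Predictable leading bytes for a few common formats (illustrative subset).
KNOWN_HEADERS = {".jpg": "FF D8 FF", ".jpeg": "FF D8 FF",
                 ".png": "89 50 4E 47 0D 0A 1A 0A", ".pdf": "25 50 44 46 2D"}
FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
FLAG_STRONG = 0x0040      # flag bit 6: PKWARE strong encryption
METHOD_WINZIP_AES = 99    # WinZip AES marks entries with compression method 99


def classify(info):
    """Return (risk, reason) for one zipfile.ZipInfo entry."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none", "not encrypted"
    if info.compress_type == METHOD_WINZIP_AES or info.flag_bits & FLAG_STRONG:
        return "low", "AES/strong encryption, not legacy ZipCrypto"
    header = KNOWN_HEADERS.get(os.path.splitext(info.filename)[1].lower())
    if info.compress_type == zipfile.ZIP_STORED:
        if header:
            return "high", f"ZipCrypto + stored; file starts with {header}"
        return "high", "ZipCrypto + stored; any known file content is plaintext"
    return "medium", "ZipCrypto + compressed; plaintext must match compressed stream"


def audit(path):
    """Classify every entry of a ZIP file; listing entries needs no password."""
    with zipfile.ZipFile(path) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}


def sample_entry(name, flags, method):
    # Constructed sample entry; not read from the challenge archive.
    info = zipfile.ZipInfo(name)
    info.flag_bits, info.compress_type = flags, method
    return info


SAMPLES = [
    sample_entry("portrait.jpg", FLAG_ENCRYPTED, zipfile.ZIP_STORED),
    sample_entry("holiday.jpg", FLAG_ENCRYPTED, zipfile.ZIP_DEFLATED),
    sample_entry("notes.txt", FLAG_ENCRYPTED, METHOD_WINZIP_AES),
    sample_entry("readme.txt", 0, zipfile.ZIP_DEFLATED),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.filename, *classify(s))
```

Entries reported as high or medium should be re-packed with AES encryption instead of ZipCrypto.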
Examining the EXIF metadata of just_a_dream.jpg reveals:
ImageDescription: b64(passphrase)=bWFnaWNfa2V5
UserComment: Well you find a tool and a key, time to find the good image 🥸
Comment: tool: steghide | passphrase=magic_key
Decoding the base64 bWFnaWNfa2V5 gives magic_key.
The clue indicates we need to use steghide with passphrase magic_key on one of the images:
steghide extract -sf green_bench.jpg -p magic_key
This extracts a flag.txt file, which is actually a 7z archive.
The extracted flag.txt 7z archive contains the flag in its header/metadata. The flag can be read directly without full decompression:
RM{s4nt4_l0v3s_st3g4n0}