
The White Boxes

  • Writer: Cyber Catamounts
  • Oct 16, 2020
  • 3 min read

Briefing: Over the weekend one of our agents was trying to sell some used items on a site. On this site, in order to sell an item, you must upload a picture of the item(s). When the agent went to upload the individual pictures of the two items they were trying to sell the picture upload boxes were different. Find out why the picture upload boxes were different and use it to figure out if anything suspicious is going on with the website. Hint: The difference in the picture upload boxes is the key to solving this mystery.


How to solve it:


We are given two blank images. We might be tempted to try out the bucket fill tool, but this time we’ll have to look into the hexdump.


The strings command reveals nothing interesting, except this:

The third string seems slightly strange. There might be something fishy going on in the hexdump.


We’ll dump the file into an online hex editor, which gives us an unreasonably long hexdump. We can only show parts of it here:

We see repetitive patterns, because the image contains only white pixels, or rgb(255, 255, 255), but wait... is that a “flag:”? That’s right, there’s a flag scattered around the hexdump! No wonder the strings command didn’t work. (Unless you use the -n argument...)


We can scroll through the ASCII texts and put the pieces together manually, but that would take forever. That’s when the diff command comes in. You can find a detailed explanation of the diff trick here.


To compare the two images, first we have to get the hexdump. Instead of doing it with an online hex editor, we’ll use the terminal.



  1. Open your terminal.

  2. Move to the folder containing the images with the cd command.

  3. Type xxd image2.jpg and press enter.


The xxd command should work on both macOS and Linux; this GGCS virtual portal and this online terminal should also work.


The xxd command gives us the same unreasonably long hexdump:

First, we’ll take the nonsensically long hexdump of image1, and export it into a text file called image1.txt:

xxd image1.jpg > image1.txt

(Be careful: if the image1.txt already exists, this command will overwrite everything in it!)


Now image1.txt contains the outrageously long hexdump. We can confirm the contents of the text file with the cat command:

Next, we’ll do the same for image2.jpg:

xxd image2.jpg > image2.txt


Now we have two text files, image1.txt and image2.txt, containing the hexdumps of image1.jpg and image2.jpg respectively.


Finally, let’s compare the text files with the diff command:

diff image1.txt image2.txt


This gives us a text which, as you might notice, is only reasonably long. It compares the two text files and prints out only the parts that differ, which saves our precious, fleeting time. A header like 697c697 means that line 697 of the first file was changed into line 697 of the second; the lines marked < come from image1.txt and the lines marked > come from image2.txt:


697c697
< 00002b80: 4924 9249 2492 4924 9249 2492 4924 9249 I$.I$.I$.I$.I$.I
---
> 00002b80: 4924 9294 666c 6194 9249 2492 4924 9249 I$..fla..I$.I$.I
708c708
< 00002c30: 9249 2492 4924 9249 2492 4924 9249 2492 .I$.I$.I$.I$.I$.
---
> 00002c30: 9249 2492 673a 2094 2492 4924 9249 2492 .I$.g: .$.I$.I$.
719c719
< 00002ce0: 2492 4924 9249 2492 4924 9249 2492 4924 $.I$.I$.I$.I$.I$
---
> 00002ce0: 9248 6964 9299 2492 4924 9249 2492 4924 .Hid..$.I$.I$.I$
820c820
< 00003330: 4924 9249 2492 4924 9249 2492 4924 9249 I$.I$.I$.I$.I$.I
---
> 00003330: 4924 9249 9264 656e 9249 2492 4924 9249 I$.I.den.I$.I$.I
887c887
< 00003760: 2492 4924 9249 2492 4924 9249 2492 4924 $.I$.I$.I$.I$.I$
---
> 00003760: 2492 4992 5f69 6e92 4924 9249 2492 4924 $.I._in.I$.I$.I$
968c968
< 00003c70: 2492 4924 9249 2492 4924 9249 2492 4924 $.I$.I$.I$.I$.I$
---
> 00003c70: 2492 925f 7468 6599 4924 9249 2492 4924 $.._the.I$.I$.I$
1020c1020
< 00003fb0: 9249 2492 4924 9249 2492 4924 9249 2492 .I$.I$.I$.I$.I$.
---
> 00003fb0: 9249 2492 925f 6865 9292 4924 9249 2492 .I$.._he..I$.I$.
1032c1032
< 00004070: 9249 2492 4924 9249 2492 4924 9249 2492 .I$.I$.I$.I$.I$.
---
> 00004070: 9249 2492 4924 9249 8278 6492 9249 2492 .I$.I$.I.xd..I$.
1037c1037
< 000040c0: 2492 4924 9249 2492 4924 9249 2492 4924 $.I$.I$.I$.I$.I$
---
> 000040c0: 2492 4924 9299 9275 6d70 9292 2492 4924 $.I$...ump..$.I$



Putting the pieces together, we’ll get:

flag: Hidden_in_the_hexdump




Alternative solution:


Remember when we talked about the -n argument? We can modify it to print shorter strings:


strings image2.jpg -n 3

JFIF
Created with GIMP
?!\
fla
g:
Hid
den
_in
_the
_he
ump


Now it prints out all strings with 3 or more characters, but one thing is off: we get “hexump” instead of “hexdump”. Because the “xd” piece only has two characters, it’s not printed out.


How do we also print out strings with 2 characters? That’s right, we can simply change the argument to 2. However, there’s another issue...

Now it also prints out all the gibberish with two characters. Luckily, it is repetitive, so we can simply filter it out with grep:

strings -n 2 image2.jpg | grep -v "I"

The | symbol (the pipe) connects the output of one command to the input of the next. This command takes the output of the strings command and prints out only the lines that don’t contain the character “I”. After all, there’s no “I” in “flag”:

Recap / TL;DR:


Solution 1:

xxd image1.jpg > image1.txt

xxd image2.jpg > image2.txt

diff image1.txt image2.txt


Solution 2:

strings -n 2 image2.jpg | grep -v "I"


These are by no means the only solutions. There are no “wrong” ways to do it, as long as you get the flag yourself. If you have other creative solutions, feel free to let us know!
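To show both recaps working end to end without needing xxd, diff or strings installed, here is an added example that is not part of the original write-up. It constructs two byte buffers that stand in for the blank images (the repeating 49 24 92 background from the hexdump above, with the flag fragments and a non-printable guard byte written into the second one at constructed offsets), then recovers the flag first the diff way (bytes that differ, read through the ASCII column) and second the strings way (printable runs of at least 2 bytes, dropping anything containing “I”). The flag text is the one from the write-up; the fragment offsets, the guard byte 0x94 and the 4096-byte size are assumptions.

```python
"""Added example (not from the original write-up): reproduces the diff trick
and the strings trick on two constructed byte buffers that stand in for the
two 'blank' images, so it runs offline without xxd, diff or strings."""

# Background of a 'white' image as seen in the write-up's hexdump: the bytes
# 49 24 92 ("I$.") repeat through the whole pixel area. Constructed here.
BASE_PATTERN = bytes([0x49, 0x24, 0x92])
GUARD = 0x94  # assumed non-printable byte placed around each fragment, like the dump above

# The flag fragments in the order they appear in the write-up.
FRAGMENTS = [b"fla", b"g: ", b"Hid", b"den", b"_in", b"_the", b"_he", b"xd", b"ump"]
# Scatter positions (constructed; any non-overlapping offsets work).
OFFSETS = [100, 400, 700, 1000, 1300, 1600, 1900, 2200, 2500]


def is_printable(byte):
    """Printable ASCII, the same range xxd shows in its ASCII column."""
    return 0x20 <= byte <= 0x7E


def make_blank(size):
    """image1: nothing but the repeating white-pixel pattern."""
    return (BASE_PATTERN * (size // len(BASE_PATTERN) + 1))[:size]


def embed_fragments(blank, fragments, offsets):
    """image2: the same background with each fragment (plus guard bytes) written in."""
    buf = bytearray(blank)
    for frag, off in zip(fragments, offsets):
        buf[off - 1] = GUARD
        buf[off:off + len(frag)] = frag
        buf[off + len(frag)] = GUARD
    return bytes(buf)


def diff_bytes(a, b):
    """Byte-level analogue of 'diff image1.txt image2.txt': every offset where the
    two files disagree, paired with the byte found in the second file."""
    return [(i, b[i]) for i in range(min(len(a), len(b))) if a[i] != b[i]]


def recover_from_diff(a, b):
    """Read the '>' side of the diff and keep only printable bytes, which is what
    the ASCII column shows and what the write-up pieces together by hand."""
    return bytes(v for _, v in diff_bytes(a, b) if is_printable(v))


def extract_strings(data, min_len):
    """Minimal model of 'strings -n <min_len>': printable runs of at least min_len bytes."""
    out, run = [], bytearray()
    for byte in data + b"\x00":  # trailing sentinel flushes the final run
        if is_printable(byte):
            run.append(byte)
        else:
            if len(run) >= min_len:
                out.append(bytes(run))
            run = bytearray()
    return out


def recover_from_strings(data, min_len=2, drop=b"I"):
    """'strings -n 2 image2.jpg | grep -v "I"': keep only runs without the letter I."""
    return b"".join(s for s in extract_strings(data, min_len) if drop not in s)


def xxd_line(data, offset):
    """Format one 16-byte row the way xxd does, for eyeballing the result."""
    chunk = data[offset:offset + 16]
    hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
    asc = "".join(chr(c) if is_printable(c) else "." for c in chunk)
    return f"{offset:08x}: {hexpart:<39}  {asc}"


if __name__ == "__main__":
    image1 = make_blank(4096)
    image2 = embed_fragments(image1, FRAGMENTS, OFFSETS)
    # Print only the rows that differ, like the diff output in the write-up.
    for row in sorted({i - i % 16 for i, _ in diff_bytes(image1, image2)}):
        print("<", xxd_line(image1, row))
        print(">", xxd_line(image2, row))
    print("diff recovery:   ", recover_from_diff(image1, image2).decode())
    print("strings recovery:", recover_from_strings(image2).decode())
```

Both recoveries give the same flag. The strings path also shows the write-up's -n pitfall: with a minimum length of 3 the two-byte piece “xd” is missing from the output, and only lowering it to 2 together with the grep filter returns the whole flag.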



©2020 by CyberCatamounts. Proudly created with Wix.com
