Fashing Victim

This challenge brings us to another page that shows an old Macintosh computer with a GIF displayed on its monitor.

If we look at the page source, the only interesting thing is the image.

		<div class="tv">
			<img src="/images/tv.gif" class="screen" />
		</div>

We’ll download the GIF and open it in GIMP to look at the individual frames. The GIF has 31 frames, but a couple of them seem to be empty. While switching between frames, I noticed that there was something in the differences between two frames.

Gif in gimp

From there, we’ll extract all frames from the gif.

convert tv.gif frame.png

 ls -lha
total 708K
drwxrwxr-x  2 p0pp3t p0pp3t 4.0K Oct 28 09:17 .
drwxrwxr-x 31 p0pp3t p0pp3t 4.0K Oct 28 09:17 ..
-rw-rw-r--  1 p0pp3t p0pp3t  15K Oct 28 09:03 frame-0.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-10.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-11.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-12.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-13.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-14.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-15.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-16.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-17.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-18.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-19.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-1.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-20.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-21.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-22.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-23.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-24.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-25.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-26.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-27.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-28.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-29.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-2.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-30.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-3.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-4.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-5.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-6.png
-rw-rw-r--  1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-7.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-8.png
-rw-rw-r--  1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-9.png
-rw-rw-r--  1 p0pp3t p0pp3t 332K Oct 28 09:02 tv.gif

We get multiple frames that are “empty” (the ones that are 280 bytes). We’ll find all the unique frames in the GIF by looking at their MD5 checksums.

 md5sum * | cut -d " " -f1 | sort | uniq | wc -l
11

md5sum * | sort
0180319472acbdf806000884605389ec  frame-15.png
0180319472acbdf806000884605389ec  frame-1.png
09e338566cc7aea27d8b8f991d04d585  frame-17.png
3a97fa66e8e3c7b03e3975981fa9aed9  tv.gif
4f94f06bd79c72559f6ce93ff8abc8ff  frame-13.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-14.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-16.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-19.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-22.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-24.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-27.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-29.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-4.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-6.png
4f94f06bd79c72559f6ce93ff8abc8ff  frame-7.png
5dd9363383256a592df3394814bc1fe5  frame-26.png
5dd9363383256a592df3394814bc1fe5  frame-2.png
8e30cc78b4384086b5cc134b2ccf9771  frame-0.png
90c3c984001409540738fc61bda39706  frame-11.png
90c3c984001409540738fc61bda39706  frame-20.png
90c3c984001409540738fc61bda39706  frame-30.png
b6f584e6bfb22cb3ace0e6a334121dab  frame-10.png
b6f584e6bfb22cb3ace0e6a334121dab  frame-23.png
b6f584e6bfb22cb3ace0e6a334121dab  frame-28.png
b6f584e6bfb22cb3ace0e6a334121dab  frame-8.png
c360c23e19e69a3628b0d4b350de1699  frame-12.png
c360c23e19e69a3628b0d4b350de1699  frame-21.png
c360c23e19e69a3628b0d4b350de1699  frame-5.png
c360c23e19e69a3628b0d4b350de1699  frame-9.png
f36088bda099d71e023c2e2357fa9e04  frame-18.png
f36088bda099d71e023c2e2357fa9e04  frame-3.png
f55ce527989f48e612682825fdeedb7c  frame-25.png

Excluding tv.gif, there are 10 different frames. We’ll put them in a separate folder and compare them all with each other.

We’ll take the first file for each MD5 sum, which leaves us with the following images.

 ls -lha
total 156K
drwxrwxr-x 2 p0pp3t p0pp3t 4.0K Oct 28 09:38 .
drwxrwxr-x 3 p0pp3t p0pp3t 4.0K Oct 28 09:38 ..
-rw-rw-r-- 1 p0pp3t p0pp3t  15K Oct 28 09:03 frame-0.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-10.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-11.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-12.png
-rw-rw-r-- 1 p0pp3t p0pp3t  280 Oct 28 09:03 frame-13.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-15.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-17.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-18.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-25.png
-rw-rw-r-- 1 p0pp3t p0pp3t  14K Oct 28 09:03 frame-26.png

We’ll delete frame-13.png because there’s nothing on it. That leaves us with 9 frames. The only thing left is to compare them and look for the differences between them.

This time a bash script does the job for us. We’ll use ImageMagick’s compare command to produce the difference between two frames.

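#!/bin/bash

# Collect the frames with a glob instead of parsing the output of ls
files=(*.png)
n=${#files[@]}

# Compare every unordered pair (i, j) with i < j exactly once,
# so no index ever runs past the end of the array
for ((i = 0; i < n - 1; i++))
do
    for ((j = i + 1; j < n; j++))
    do
        echo "${files[i]} vs ${files[j]}"
        compare "${files[i]}" "${files[j]}" -compose src "diff-${files[i]}_${files[j]}.png"
    done
done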

The output is pretty big: we end up with 36 images. If we look at them, we’ll find the flag and a couple of other interesting images.

The flag can be found when comparing frames 17 and 25.

The flag is FLAG-AcsW3fK9NxJMn2
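
The same procedure (keep one frame per MD5 digest, drop the blank frame, diff every pair once) as an added Python example; it is not code from the original write-up. The function names are hypothetical, the sample frames are constructed, and `load_frames` assumes the third-party Pillow library and hashes decoded pixels rather than exported PNG files.

```python
import hashlib
from itertools import combinations

def load_frames(path):
    """Decode each GIF frame to raw RGB bytes. Needs Pillow (third-party)."""
    from PIL import Image, ImageSequence
    with Image.open(path) as im:
        return [f.convert("RGB").tobytes() for f in ImageSequence.Iterator(im)]

def unique_frames(frames):
    """Map frame index -> pixel bytes, keeping the first frame per MD5 digest."""
    seen, uniq = set(), {}
    for idx, data in enumerate(frames):
        digest = hashlib.md5(data).hexdigest()
        if digest not in seen:
            seen.add(digest)
            uniq[idx] = data
    return uniq

def drop_blank(uniq):
    """Remove frames whose bytes are all identical (nothing drawn on them)."""
    return {i: d for i, d in uniq.items() if len(set(d)) > 1}

def pairwise_diffs(uniq):
    """Diff every unordered pair once; return (i, j, changed, mask) tuples."""
    results = []
    for (i, a), (j, b) in combinations(sorted(uniq.items()), 2):
        if len(a) != len(b):
            raise ValueError(f"frames {i} and {j} have different sizes")
        mask = bytes(0xFF if x != y else 0x00 for x, y in zip(a, b))
        results.append((i, j, mask.count(0xFF), mask))
    # Smallest changes first: a few altered pixels are easy to miss by eye.
    return sorted(results, key=lambda r: r[2])

# Constructed 4x4 single-channel frames, not data from tv.gif.
BASE = bytes(range(10, 26))
BLANK = bytes(16)
HIDDEN = BASE[:5] + bytes([0, 0]) + BASE[7:]   # two pixels changed
OTHER = bytes(range(100, 116))
SAMPLE = [BASE, BLANK, HIDDEN, BASE, BLANK, OTHER]

if __name__ == "__main__":
    for i, j, changed, _ in pairwise_diffs(drop_blank(unique_frames(SAMPLE))):
        print(f"frame {i} vs frame {j}: {changed} differing bytes")
```

On a real file, pass `load_frames("tv.gif")` in place of `SAMPLE`; each `mask` can be written out as an image to view the difference.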