
Swamp CTF 2025 - Misc Walkthrough

  • Writer: Akshay Jain
  • 20 hours ago
  • 5 min read

Swamp CTF Misc Challenge 1: Pretty Picture: Double Exposure

Description:

Hidden in the bits below, an image waits to be shown.


Walkthrough:

The picture which we are given is the following:


The challenge!

The challenge presents us with an image that, at first glance, appears simple and harmless: a basic drawing with little detail. However, the description hints that something more is hidden within this image, awaiting discovery, which suggests that the challenge involves steganography.


Revising the concept

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganós, meaning “covered or concealed”, and -graphia meaning “writing”.


In the context of digital images, steganography allows us to hide data (like messages or other images) inside an image file without altering its visible appearance. The challenge here focuses on extracting a hidden image embedded within another, which points to a well-known technique in image steganography - Least Significant Bit (LSB) Steganography.


How LSB works

To better understand how LSB steganography works, it's important to first grasp how digital images are structured.

Each pixel in an image is made up of three color channels: Red, Green, and Blue (RGB). These three channels define the color of the pixel, with each channel being represented by 8 bits (or 1 byte). Each byte can have a value between 0 and 255, which determines the intensity of the color.


Now, here's where LSB Steganography comes into play:

  1. LSB Steganography hides data by altering the least significant bit (LSB) of each color channel.

  2. The LSB is the rightmost bit of the byte, and changing this bit has minimal effect on the color of the pixel, making the alteration imperceptible to the human eye.

  3. By modifying these LSBs across many pixels, we can encode hidden messages or even entire images within the original image. 
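The bit-plane idea in the list above, as an added example that is not part of the original post: it hides a 1-bit picture in one bit of one channel and recovers it, and it generalizes from the LSB to any bit plane to show why the lowest bit is the one used. The cover pixels and the "F"-shaped bitmap are constructed sample data, and pixels are plain Python tuples rather than a decoded image file.

```python
# Added example: hide a 1-bit image in one bit plane of a cover image, then recover it.

def embed_plane(cover, secret, channel=0, bit=0):
    """Return a copy of `cover` whose `bit` of `channel` carries the 1-bit `secret`."""
    stego = []
    for row, secret_row in zip(cover, secret):
        new_row = []
        for px, s in zip(row, secret_row):
            px = list(px)
            # Clear the target bit, then set it to the secret bit.
            px[channel] = (px[channel] & ~(1 << bit) & 0xFF) | (s << bit)
            new_row.append(tuple(px))
        stego.append(new_row)
    return stego

def extract_plane(image, channel=0, bit=0):
    """Read one bit of one channel from every pixel (what a bit-plane viewer does)."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in image]

def max_channel_change(a, b):
    """Largest per-channel difference between two images of the same size."""
    return max(abs(x - y)
               for row_a, row_b in zip(a, b)
               for px_a, px_b in zip(row_a, row_b)
               for x, y in zip(px_a, px_b))

def render(plane):
    """Draw a bit plane as text so the hidden picture is visible in a terminal."""
    return "\n".join("".join("#" if v else "." for v in row) for row in plane)

# Constructed sample data: an 8x5 gradient cover and an "F"-shaped 1-bit secret.
SECRET = [[int(c == "#") for c in row]
          for row in ("#####...", "#.......", "####....", "#.......", "#.......")]
COVER = [[(40 + 20 * x + y, 90 + 10 * y, 200 - 15 * x) for x in range(8)]
         for y in range(5)]
STEGO = embed_plane(COVER, SECRET)           # red channel, least significant bit

if __name__ == "__main__":
    print(render(extract_plane(STEGO)))      # the hidden picture
    print("max change, bit 0:", max_channel_change(COVER, STEGO))
    print("max change, bit 7:",
          max_channel_change(COVER, embed_plane(COVER, SECRET, bit=7)))
```
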


Capturing the Flag

Now that we know how the image was hidden and how we can extract it, it is time to capture the flag!

There are multiple ways to do this: there are a bunch of tools online that will help you with this, and there are some amazing tools in Debian Linux to help you achieve this goal. Since time is important during a CTF competition, I decided to use an online tool to get quick results. Upon decoding the image, the result I got was:


Flag Captured!

And thus we get the flag: swampCTF{m3ss4g3s_0rc0dec4n_b3_h1dd3n_1n_1m4g3s}


Swamp CTF Misc Challenge 2: Lost In Translation

Description:

We found this program which we know has a flag somewhere, but nothing we've tried has been able to extract it. Can you figure it out?

To run the program, you can use NodeJS (recommended version 18.17.1 or higher).


Walkthrough:

In this challenge we were given a zip file containing 3 files: challenge.js, package.json and package-lock.json.


After unpacking the zip, I started by inspecting the JSON files to identify any hidden clues. Sometimes flags can be tucked away within metadata or comments in JSON files. The package.json and package-lock.json files listed the dependencies and versions, but they didn’t reveal anything that could help capture the flag.

The content of the js file is:


import fetch from 'node-fetch';			  		
	
import readlineSync from 'readline-sync';  			 			
	
async function translateText(text, targetLanguage) { 		    	
	
    const params	=	new URLSearchParams(		 	
	
     	{		    
	
     	    q:text,		
	
     	 	langpair:`en|${targetLanguage}` 	  
	
     	}   		 
	);
    try {				 		
	
     	const response=await	fetch(`https://api.mymemory.translated.net/get?${params}`); 			
	
     	const	data =	await response.json();  
	
     	return	data.responseData.translatedText; 	  	
	
    } catch(error){console.error("Translation error:", error);}			 	  
	
    return null;		
}	
 	    
	
 	   			 	 	
	
async function main() {  			 	  
	
    const text=readlineSync.question(`	 					
	
Enter the text to translate: 	 	 			
	
`);      
	
 	const targetLanguage=readlineSync.question(`  			  	 
	
Enter target language ('en'-English, 'fr'-French, etc.)		 	 		
	
`);     	 	
	
 	const translatedText=await translateText(text, targetLanguage);	 					
	
    if (translatedText)	{ 	 			
	
      
	
 	   	console.log(`Translation:	${translatedText}`); 			 
	
    } else	{	  	  
	
     	console.log('Translation	Lost!');
	}
} 	   			  	 
	
     	 	
	
 	   					 	
	
  

main();

Here are all the code files for reference.


Without finding much in the JSON files, I ran the JavaScript program to observe its behavior. The program used an API that translated user input into different languages based on user selection. My first instinct was to apply common API hacking techniques, such as endpoint enumeration and parameter injection, in search of vulnerabilities. But, after spending hours on this approach, I found nothing.


Revisiting the Code:

Frustrated and at a dead end, I decided to take a break and revisit the challenge with fresh eyes. This time, I noticed something odd - the strange spacing in the lines of code. Initially, I thought it might just be a formatting issue, but the clue in the challenge description ("We found this program which we know has a flag somewhere") started to make sense. Maybe the flag wasn’t hidden in plain text but was instead concealed in the whitespace.


The Power of Whitespace Programming:

Whitespace programming is a unique concept in which a program is written using only spaces, tabs, and newlines. Yes, you read that right: Whitespace is a full-fledged programming language composed entirely of whitespace characters.

To reveal these hidden characters, I decided to use the 'cat' command on the challenge.js file:

cat -A challenge.js

Sample Output

With the -A option, cat will display:

  • Tabs as ^I

  • End of lines as $

  • Non-printable characters explicitly


What caught my attention was the presence of these special characters, which seemed to form the core of the flag. This immediately led me to believe that the Whitespace programming language could be the key.


Now that I was focused on the whitespace characters, it was time to extract them. I quickly wrote a Python script that would read through the challenge.js file, extract only the whitespace characters (space, tab, newline), and save them to a new file. I am pretty sure there are other ways to do this as well. Put your thoughts or methodologies in the comments below!


def extract_whitespace(input_file, output_file):
    with open(input_file, 'r', encoding='utf-8') as file:
        content = file.read()

    # Extract only whitespace characters (spaces, tabs, newlines)
    whitespace_only = "".join(c for c in content if c in " \t\n")

    # Save only the extracted whitespace to the output file
    with open(output_file, 'w', encoding='utf-8') as output:
        output.write(whitespace_only)

if __name__ == "__main__":
    input_path = "challenge.js"
    output_path = "whitespace_ctf_flag.ws"
    extract_whitespace(input_path, output_path)

This code reads the challenge.js file, keeps only the space, tab and newline characters, and writes them to a new file.


Decoding the Flag:

Once I had the file containing only the whitespace characters, I uploaded it to an online Whitespace decoder, such as https://www.dcode.fr/whitespace-language

After decoding, the result was clear: swampCTF{Whit30ut_W0rk5_W0nd3r5}
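The decoding step, as an added example that is not part of the original post and not the online decoder's code: a small Python interpreter for the subset of Whitespace instructions that a print-only program needs (push, duplicate, swap, discard, add, subtract, multiply, output character, output number, end). The two-character sample program and its carrier text are constructed for illustration; heap, input and the other flow-control instructions are assumed unnecessary and raise an error.

```python
# Added example: interpreter for a subset of the Whitespace language.
# Opcode = IMP + command, written with the three significant characters.
OPS = {"  ": "push", " \n ": "dup", " \n\t": "swap", " \n\n": "drop",
       "\t   ": "add", "\t  \t": "sub", "\t  \n": "mul",
       "\t\n  ": "outchar", "\t\n \t": "outnum", "\n\n\n": "end"}

def run_whitespace(source):
    """Execute the supported subset and return everything the program printed."""
    code = "".join(c for c in source if c in " \t\n")  # all else is a comment
    pos, stack, out = 0, [], []
    while pos < len(code):
        key = next((code[pos:pos + n] for n in (2, 3, 4)
                    if code[pos:pos + n] in OPS), None)
        if key is None:
            raise ValueError(f"unsupported instruction at offset {pos}")
        pos += len(key)
        op = OPS[key]
        if op == "push":
            end = code.index("\n", pos)        # number literal runs to the next LF
            sign, digits = code[pos], code[pos + 1:end]
            value = int("".join("1" if d == "\t" else "0" for d in digits) or "0", 2)
            stack.append(-value if sign == "\t" else value)
            pos = end + 1
        elif op == "dup":
            stack.append(stack[-1])
        elif op == "swap":
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == "drop":
            stack.pop()
        elif op in ("add", "sub", "mul"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "add" else a - b if op == "sub" else a * b)
        elif op == "outchar":
            out.append(chr(stack.pop()))
        elif op == "outnum":
            out.append(str(stack.pop()))
        else:                                  # "end"
            break
    return "".join(out)

def encode_char(ch):
    """Whitespace for: push ord(ch) as a positive number; output it as a character."""
    bits = format(ord(ch), "b").replace("0", " ").replace("1", "\t")
    return "  " + " " + bits + "\n" + "\t\n  "

# Constructed sample: a two-character program hidden between visible tokens.
PROGRAM = "".join(encode_char(c) for c in "Hi") + "\n\n\n"
SAMPLE = "let" + PROGRAM[:7] + "msg=1;" + PROGRAM[7:] + "//end"

if __name__ == "__main__":
    print(run_whitespace(SAMPLE))
```
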


Flag Captured!


The Pretty Picture: Double Exposure challenge served as a perfect introduction to image steganography and LSB techniques. Using simple tools and a basic understanding of how data can be hidden in plain sight, we were able to extract a hidden image and uncover the CTF flag.

The Lost in Translation challenge was an excellent demonstration of Whitespace programming and how small, seemingly insignificant details, like whitespace characters, can hold the key to solving complex CTF puzzles. It required patience, persistence, and thinking outside the box.

If you enjoyed this walkthrough or have your own experiences to share, feel free to leave a comment below! Would you like to see more CTF challenges like this one?

Join the community forum to connect with fellow cybersecurity enthusiasts, form teams, and participate in upcoming CTF events!


-AJ

 
