
Are_ya_winning_son

Challenge

Imported from local notes.md.

Solution

Original Notes

Are_ya_winning_son

Challenge Summary

  • Given: a single JPEG file named challenge.jpg and a prompt hinting that the solve is "breaking the fourth wall", plus the SHA1 hash of the attachment.
  • Goal: recover the hidden flag in the format CIT{...}.
  • Constraints: normal image triage does not reveal metadata or appended files, and the image intentionally lies about its dimensions to hide the bottom portion of the render.

Initial Recon / Triage

  • Observations: file and exiftool report a normal baseline JFIF image at 800x800, but steghide and jpegtran both warn Corrupt JPEG data: 8462 extraneous bytes before marker 0xd9.
  • File identification: baseline JPEG, no useful EXIF/comments, no trailing bytes after the final FFD9, and no passphrase hit from targeted steghide guesses or stegseek against rockyou.
  • Entry points: inspect the JPEG structure directly, identify where decoding stops, and test whether the SOF0 dimension fields are intentionally undersized.

Hypotheses & Approach

  • Hypothesis 1: the file contains a conventional steghide payload guarded by a passphrase derived from the visible meme text.
  • Hypothesis 2: the file is malformed on purpose, and the 800x800 SOF0 dimensions cause decoders to stop early while valid image data remains in the scan.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/cit2026CTF/Are_ya_winning_son
sha1sum starting_files/challenge.jpg
file starting_files/challenge.jpg
exiftool starting_files/challenge.jpg
steghide info starting_files/challenge.jpg
python3 - <<'PY'
# Locate the final EOI marker (FFD9) and compute where the 8462 bytes libjpeg
# reports as "extraneous" begin, so that range can be carved and inspected.
from pathlib import Path

p = Path('starting_files/challenge.jpg').read_bytes()
pos = p.rfind(b'\xff\xd9')          # offset of the last FFD9 (end of image)
print('len', len(p), 'eoi', pos)
print('extra_start', pos - 8462)    # first scan byte the declared 800x800 frame did not consume
PY

Results:

  • The SHA1 matched the prompt exactly: 1a9accb2f56d4cf2594128aa55875dc7bde5774b.
  • Metadata triage found no embedded comments, metadata, or trailing file appended after FFD9.
  • The stable clue was the JPEG decoder warning about 8462 extraneous bytes before marker 0xd9, which means the scan data continues beyond what the declared image dimensions consume.

Stage 2

Commands:

cd /root/cit2026CTF/Are_ya_winning_son
python3 artifacts/solve_are_ya_winning_son.py

Results:

  • The helper script patches the SOF0 height field and tests candidate heights in 16-pixel steps with djpeg.
  • 1008 is the first height that decodes cleanly, so the script writes artifacts/patched_h_1008.jpg and renders artifacts/patched_h_1008.png.
  • The recovered bottom portion of the image contains the hidden flag: CIT{pls_d0nt_b3_l1k3_th1s_guy}.
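The marker walk from Stage 1 and the height-patching loop from Stage 2 are shown below as an added, self-contained example; this is not the page's artifacts/solve_are_ya_winning_son.py, and the function names, the constructed marker-only stub JPEG (a valid segment skeleton, not a decodable picture) and the djpeg acceptance test (exit 0 and no corrupt-data or premature-end warning on stderr) are all assumptions of this example. It parses the SOF0 frame header, rewrites only the two height bytes, and generates the 16-pixel candidate heights the writeup describes.

```python
"""Walk JPEG marker segments, read the SOF0 frame header, and patch its height field."""
import struct
import subprocess
from pathlib import Path

SOF0, SOS, EOI = 0xC0, 0xDA, 0xD9


def iter_segments(data: bytes):
    """Yield (marker, offset, length) for each segment up to and including SOS.

    offset is the position of the 0xFF byte; length is the segment's own
    two-byte length field (0 for standalone markers such as RSTn/SOI/EOI).
    Entropy-coded scan data after SOS is not walked.
    """
    if data[:2] != b'\xff\xd8':
        raise ValueError('missing SOI marker')
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f'expected a marker at offset {pos}')
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, keep scanning
            pos += 1
            continue
        if marker in (0x01, 0xD8, EOI) or 0xD0 <= marker <= 0xD7:
            yield marker, pos, 0                # standalone marker, no length field
            pos += 2
            continue
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        yield marker, pos, length
        if marker == SOS:
            return
        pos += 2 + length


def read_sof0(data: bytes) -> dict:
    """Return precision, height, width, component count and the height field's offset."""
    for marker, off, _ in iter_segments(data):
        if marker == SOF0:
            # layout after the length field: P(1) Y(2) X(2) Nf(1) then Nf*3 bytes
            precision, height, width, ncomp = struct.unpack('>BHHB', data[off + 4:off + 10])
            return {'precision': precision, 'height': height, 'width': width,
                    'components': ncomp, 'height_offset': off + 5}
    raise ValueError('no SOF0 segment found (not a baseline JPEG)')


def patch_height(data: bytes, new_height: int) -> bytes:
    """Return a copy of data with only the SOF0 height (Y) field rewritten."""
    h = read_sof0(data)['height_offset']
    return data[:h] + struct.pack('>H', new_height) + data[h + 2:]


def candidate_heights(declared: int, limit: int, step: int = 16) -> list:
    """Heights to try above the declared one, in 16-pixel (MCU-row) steps as on the page."""
    return list(range(declared + step, limit + 1, step))


def djpeg_decodes_cleanly(jpeg_path: Path, out_path: Path) -> bool:
    """Assumed acceptance test: djpeg exits 0 and prints no libjpeg corruption warning."""
    r = subprocess.run(['djpeg', '-pnm', '-outfile', str(out_path), str(jpeg_path)],
                       capture_output=True, text=True)
    return (r.returncode == 0 and 'Corrupt JPEG data' not in r.stderr
            and 'Premature end' not in r.stderr)


def first_clean_height(data: bytes, limit: int, workdir: Path):
    """Patch, render and keep the first candidate height djpeg accepts without warnings."""
    declared = read_sof0(data)['height']
    for h in candidate_heights(declared, limit):
        jpg = workdir / f'patched_h_{h}.jpg'
        jpg.write_bytes(patch_height(data, h))
        if djpeg_decodes_cleanly(jpg, workdir / f'patched_h_{h}.pnm'):
            return h
    return None


def build_stub_jpeg(width: int, height: int) -> bytes:
    """Constructed marker skeleton (SOI, APP0, SOF0, SOS, dummy scan, EOI); not a real picture."""
    app0 = b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
    app0_seg = b'\xff\xe0' + struct.pack('>H', len(app0) + 2) + app0
    sof = struct.pack('>BHHB', 8, height, width, 3) + bytes([1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1])
    sof_seg = b'\xff\xc0' + struct.pack('>H', len(sof) + 2) + sof
    sos = bytes([3, 1, 0x00, 2, 0x11, 3, 0x11, 0, 63, 0])
    sos_seg = b'\xff\xda' + struct.pack('>H', len(sos) + 2) + sos
    return b'\xff\xd8' + app0_seg + sof_seg + sos_seg + b'\x12\x34' * 32 + b'\xff\xd9'


if __name__ == '__main__':
    stub = build_stub_jpeg(800, 800)
    print('declared', read_sof0(stub))
    print('patched ', read_sof0(patch_height(stub, 1008)))
    print('candidates', candidate_heights(800, 1024))
```

Against a real file, read the bytes with Path(...).read_bytes() and call first_clean_height with a limit somewhat above the declared height; on the challenge file the writeup reports 1008 as the first height that decodes without the extraneous-bytes warning.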

Artifacts Produced

  • artifacts/solve_are_ya_winning_son.py: reproducible solver that patches the declared JPEG height and renders the recovered full image.
  • artifacts/patched_h_1008.jpg: the corrected JPEG header variant that exposes the hidden content.
  • artifacts/patched_h_1008.png: rendered output showing the recovered flag.
  • artifacts/extraneous.bin: carved byte range corresponding to the data libjpeg described as extraneous before FFD9.

Flag

CIT{pls_d0nt_b3_l1k3_th1s_guy}