Lily FLAC Writeup (Boston Key Party CTF)

Challenge

Category: Misc Points: 2

Description: Its more than just a few bleebs 😉

This challenge gave us a Free Lossless Audio Codec (FLAC) file.

Solution

I played the file in an audio player and could hear a lot of static bursts at the beginning and middle of the track. These static bleeps would generally refer to data. So I thought it could be audio steganography using LSB encoding. In order to retrieve the data chunks, first I converted the FLAC file into .wav format.

Then I wrote a Ruby script to decode the LSB encoding:

require 'rubygems'
require 'wav-file'

wav = open("Converted_file_658ef39d.wav")
format = WavFile::readFormat(wav)
chunk = WavFile::readDataChunk(wav)

# Format is 16-bit, so use s* to unpack signed 16-bit samples
wavs = chunk.data.unpack('s*')

# Read the lowest bit of each sample (index 0 is the least significant bit) and put them all together
lsb = wavs.map { |sample| sample[0] }.join

# Find the first 1 in the LSB output and pack it back for output
flag = lsb[(lsb.index('1'))..-1]
puts [flag].pack('b*')

wav.close

The output was quite unexpected: it essentially gave me a bunch of random data and mostly just zeroes. So it's not LSB encoding. My next hunch was to visualize the waveform and spectrogram for the FLAC and see if there was any data there.

[Figure: waveform]

[Figure: spectrogram]

As can be seen from the images above, there wasn't any sign of visible data, and so it was another fruitless attempt. I went back to listening to the audio and, since the static was irregularly spaced in time, opened it up in a hex editor to have a look.

[Figure: hex editor view]

Taking a closer look at the start of the hex file, we see the letters "E. L. F", hinting that it's an Executable and Linkable Format (ELF) file. I immediately converted the FLAC to its raw format file (should have been the first thing to do, but better late than never) using the command:

sox 87582357ff1a7c3e8d11c749ac12ad819f8f7d4b.flac output.raw
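
The ELF signature spotted by eye in the hex editor can also be checked programmatically. The Ruby sketch below is an added example, not part of the original writeup: it scans a byte string for the ELF magic and validates the identification fields that follow, so a stray "ELF" in noise is not mistaken for a header. The function name and the sample bytes are constructed for illustration, and the machine table is a small subset of known values.

```ruby
# Added example: find and sanity-check ELF headers inside arbitrary bytes.
ELF_MAGIC   = "\x7FELF".b
ELF_CLASS   = { 1 => "ELF32", 2 => "ELF64" }.freeze
ELF_DATA    = { 1 => "little-endian", 2 => "big-endian" }.freeze
ELF_TYPE    = { 1 => "REL", 2 => "EXEC", 3 => "DYN", 4 => "CORE" }.freeze
ELF_MACHINE = { 3 => "x86", 40 => "ARM", 62 => "x86-64", 183 => "AArch64" }.freeze

# Returns one hash per plausible ELF header found in +bytes+.
def find_elf_headers(bytes)
  bytes = bytes.b
  hits = []
  offset = 0
  while (offset = bytes.index(ELF_MAGIC, offset))
    # 16-byte e_ident plus 2-byte e_type and 2-byte e_machine
    head = bytes.byteslice(offset, 20)
    if head && head.bytesize == 20
      ei_class, ei_data, ei_version = head.unpack("x4CCC")
      # The byte order of the fields after e_ident is set by EI_DATA
      e_type, e_machine = head.unpack(ei_data == 2 ? "x16nn" : "x16vv")
      if ELF_CLASS.key?(ei_class) && ELF_DATA.key?(ei_data) && ei_version == 1
        hits << {
          offset:  offset,
          class:   ELF_CLASS[ei_class],
          data:    ELF_DATA[ei_data],
          type:    ELF_TYPE.fetch(e_type, "unknown(#{e_type})"),
          machine: ELF_MACHINE.fetch(e_machine, "unknown(#{e_machine})")
        }
      end
    end
    offset += 1
  end
  hits
end

# Constructed sample: 16 bytes of noise, a bare magic with an invalid class
# byte (a false positive), then a valid ELF64 little-endian x86-64 EXEC header.
NOISE  = [0, 1, 255, 254].pack("C*") * 4
DECOY  = ELF_MAGIC + ("\x00".b * 20)
HEADER = [0x7F, 0x45, 0x4C, 0x46, 2, 1, 1, 0].pack("C*") + ("\x00".b * 8) + [2, 62].pack("vv")
SAMPLE = NOISE + DECOY + HEADER

puts find_elf_headers(SAMPLE).inspect if __FILE__ == $0
```

To apply it to the converted file from the command above, pass `File.binread("output.raw")` to `find_elf_headers`.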

Once I had the raw file I got an object dump for it and analyzed it using the command:

objdump -S output.raw

Looking at the assembly code, it was apparent that the program runs and gathers bits of data from various parts within itself and displays a string as output. So I just ran the executable as follows:

chmod +x output.raw

./output.raw

And voilà! The result was the flag:

BKPCTF{hype for a Merzbow/FSF collab album??}
