CSAW'24 Quals — I like it RAW
Seems like medium rare just isn't my taste.
We're given 3 files: a raw camera image,
(the above image is actually the "Preview Image" due to file size; the actual image is 19 MB)
a file named secret.png,
and a message.txt.gpg encoded with gpg encryption.
We can stick secret.png into Aperi'Solve (an online steganography site) to find the phrase
Code:
1Wha's my numba, sixty watah?Because the given file is a raw image, we can find a lot of metadata in exiftool:
Code (bash):
1kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ exiftool DSCF3911.RAF
2ExifTool Version Number : 12.40
3File Name : DSCF3911.RAF
4Directory : .
5File Size : 19 MiB
6File Modification Date/Time : 2024:09:06 17:46:12-04:00
7File Access Date/Time : 2024:09:06 19:28:30-04:00
8File Inode Change Date/Time : 2024:09:06 17:46:21-04:00
9File Permissions : -rwxrwxrwx
10File Type : RAF
11File Type Extension : raf
12MIME Type : image/x-fujifilm-raf
13RAF Version : 0214
14Exif Byte Order : Little-endian (Intel, II)
15Make : FUJIFILM
16Camera Model Name : X-T5
17Orientation : Rotate 270 CW
18X Resolution : 72
19Y Resolution : 72
20Resolution Unit : inches
21Software : Digital Camera X-T5 Ver2.14
22Modify Date : 2024:08:07 19:07:16
23Y Cb Cr Positioning : Co-sited
24Copyright :
25Exposure Time : 1/1250
26F Number : 1.2
27Exposure Program : Aperture-priority AE
28ISO : 1600
29Sensitivity Type : Standard Output Sensitivity
30Exif Version : 0230
31Date/Time Original : 2024:08:07 19:07:16
32Create Date : 2024:08:07 19:07:16
33Components Configuration : Y, Cb, Cr, -
34Compressed Bits Per Pixel : 2.5
35Shutter Speed Value : 1/1226
36Aperture Value : 1.2
37Brightness Value : 2.4
38Exposure Compensation : 0
39Max Aperture Value : 1.2
40Metering Mode : Multi-segment
41Light Source : Unknown
42Flash : No Flash
43Focal Length : 75.0 mm
44Version : 0130
45Internal Serial Number : FFDT24456429 Y54142 2019:09:09 AA902021CAEE
46Quality : NORMAL
47White Balance : Auto
48Saturation : 0 (normal)
49White Balance Fine Tune : Red +0, Blue +0
50Noise Reduction : 0 (normal)
51Fuji Flash Mode : Manual
52Flash Exposure Comp : 0
53Focus Mode : Auto
54AF Mode : Single Point
55Focus Pixel : 961 708
56AF-S Priority : Release
57AF-C Priority : Release
58Focus Mode 2 : AF-S
59Pre AF : Off
60AF Area Mode : Single Point
61AF Area Point Size : 6
62AF Area Zone Size : n/a
63AF-C Setting : Set 2 (ignore obstacles)
64AF-C Tracking Sensitivity : 3
65AF-C Speed Tracking Sensitivity : 0
66AF-C Zone Area Switching : Center
67Slow Sync : Off
68Picture Mode : Aperture-priority AE
69Exposure Count : 1
70Shadow Tone : 0 (normal)
71Highlight Tone : 0 (normal)
72Lens Modulation Optimizer : On
73Grain Effect : Off
74Color Chrome Effect : Off
75Shutter Type : Mechanical
76Auto Bracketing : On
77Sequence Number : 1
78Drive Mode : Continuous Low
79Drive Speed : 5 fps
80Blur Warning : None
81Focus Warning : Good
82Exposure Warning : Good
83Dynamic Range : Standard
84Film Mode : Pro Neg. Hi
85Dynamic Range Setting : Manual
86Development Dynamic Range : 400
87Min Focal Length : 75
88Max Focal Length : 75
89Max Aperture At Min Focal : 1.2
90Max Aperture At Max Focal : 1.2
91Image Stabilization : Sensor-shift; On (mode 1, continuous); 0
92Rating : 0
93Image Generation : Original Image
94Image Count : 3085
95Flicker Reduction : Off (0x00f1)
96Faces Detected : 0
97Num Face Elements : 0
98User Comment :
99Flashpix Version : 0100
100Color Space : sRGB
101Exif Image Width : 1920
102Exif Image Height : 1280
103Interoperability Index : R98 - DCF basic file (sRGB)
104Interoperability Version : 0100
105Focal Plane X Resolution : 820
106Focal Plane Y Resolution : 820
107Focal Plane Resolution Unit : cm
108Sensing Method : One-chip color area
109File Source : Digital Camera
110Scene Type : Directly photographed
111Custom Rendered : Normal
112Exposure Mode : Auto
113Focal Length In 35mm Format : 113 mm
114Scene Capture Type : Standard
115Sharpness : Normal
116Subject Distance Range : Unknown
117Serial Number : 93A50950
118Lens Info : 75mm f/1.2
119Lens Make : Viltrox
120Lens Model : AF 75/1.2 XF
121Lens Serial Number : 00000500
122PrintIM Version : 0250
123Compression : JPEG (old-style)
124Artist :
125Thumbnail Offset : 3808
126Thumbnail Length : 5511
127XMP Toolkit : Image::ExifTool 12.87
128Location Shown Sublocation : 40.704384, -73.990265
129Image Width : 1920
130Image Height : 1280
131Encoding Process : Baseline DCT, Huffman coding
132Color Components : 3
133Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)
134Preview Image : (Binary data 415479 bytes, use -b option to extract)
135Raw Image Full Size : 6048x4038
136Raw Image Crop Top Left : 21 16
137Raw Image Cropped Size : 6000x4000
138Raw Image Aspect Ratio : 3:2
139Fuji Layout : 12 12 12 12
140X-Trans Layout : GRBGBR BGGRGG RGGBGG GBRGRB RGGBGG BGGRGG
141Raw Exposure Bias : -2.7
142Raw Image Width : 6032
143Raw Image Height : 4032
144Raw Image Full Width : 6048
145Raw Image Full Height : 4038
146Bits Per Sample : 14
147Strip Offsets : 439780
148Strip Byte Counts : 19844560
149Black Level : 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021 1021
150Geometric Distortion Params : 400.5555556 0.3535211268 0.5 0.6126760563 0.7070422535 0.7908450704 0.8661971831 0.9352112676 1 1.06056338 0 0 0 0 0 0 0 0 0
151WB GRB Levels Standard : 302 378 884 17 302 643 512 21
152WB GRB Levels Auto : 302 679 475
153WB GRB Levels : 302 679 475
154Chromatic Aberration Params : 400.5555556 0.3535211268 0.5 0.6126760563 0.7070422535 0.7908450704 0.8661971831 0.9352112676 1 1.06056338 0.0001831054688 0.0001831054688 0.0001831054688 0.0001525878906 0.0001525878906 0.0001525878906 0.0001525878906 0.0001220703125 0.0001220703125 -0.0001525878906 -0.0001220703125 -9.155273438e-05 -6.103515625e-05 -3.051757812e-05 0 3.051757812e-05 6.103515625e-05 6.103515625e-05 400.5555556
155Vignetting Params : 400.5555556 0.3535211268 0.5 0.6126760563 0.7070422535 0.7908450704 0.8661971831 0.9352112676 1 1.06056338 90.22021484 83.93408203 79.22607422 74.90820312 71.38330078 68.24365234 65.09814453 61.96630859 61.96630859
156Aperture : 1.2
157Blue Balance : 1.572848
158Image Size : 6000x4000
159Megapixels : 24.0
160Red Balance : 2.248344
161Scale Factor To 35 mm Equivalent: 1.5
162Shutter Speed : 1/1250
163Thumbnail Image : (Binary data 5511 bytes, use -b option to extract)
164Circle Of Confusion : 0.020 mm
165Field Of View : 18.1 deg
166Focal Length : 75.0 mm (35 mm equivalent: 113.0 mm)
167Hyperfocal Distance : 235.05 m
168Light Value : 6.8Notably, there are two chunks of binary data here:
- The "thumbnail image"
- The "preview image"
and we can extract them with
Code (bash):
1kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ exiftool DSCF3911.RAF -b -previewimage > out.jpg
2kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ exiftool DSCF3911.RAF -b -thumbnailimage > out2.jpgBesides some false positives, though, neither image has any more hidden data on Aperi'Solve.
Another item of note, however, is the geolocation of the raw image:
Code (bash):
1kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ exiftool DSCF3911.RAF | grep Location
2Location Shown Sublocation : 40.704384, -73.990265These given coordinates take us here, to a park next to Manhattan bridge:
At first glance, however, something looks off... looking at some street view photos near the patch of dirt in the middle of the park,
Manhattan bridge is in the wrong place and shape to be the bridge in the image (Brooklyn bridge, too, is too blocky to be the bridge either).
The bridge is too trapezoidal to be either the Brooklyn or Manhttan bridges.
So what are we looking at? Doing a bit of reverse image search, the bridge in question seems to be the Williamsburg bridge:
Still, none of the street views near the river had the correct angle on the bridge either. Finally, using the buildings in the background as landmarks, we can orient ourselves back to the original coordinates and get a perspective resembling something like this:
So it was correct in the first place! Oh well.
Still, what's this about "60 watah"? Halfway through reversing the photo perspective, I realized it may be an address, and indeed to the Southwest of the photo location we can find
Conveniently, there are apartments at this address with a Google Maps phone number!
Unfortunately, trying
Code:
1+16469562563(and
Code:
16469562563
2(646) 956-2563
3646-956-2563none of these are the aforementioned "numba".
Code (bash):
1kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ gpg --output message.txt --decrypt message.txt.gpg
2gpg: AES256.CFB encrypted data
3gpg: encrypted with 1 passphrase
4gpg: decryption failed: Bad session keyGoing to the apartment website,
we can find even more numbers! Still, trying all of these in various configurations and formats, none of these are the correct key either.
So what and where is this "numba" we're looking for? At this point we ran out of leads (not that there were very many to begin with) and started guessing random things: an apartment #627 is available, is that the number?
The challenge title, description, and secret.png are all puns about raw meat, so could it be related to restaurants nearby? There's plenty of restaurants across the street
but none of these restaurant numbers, reviews, addresses, or anything else proved very helpful either.
We can even find the apartment complex on Wikipedia
somehow giving us a new number:
Code:
1718.222.3300Of course, this number isn't in the right format either (not that we had anything to clue us in on that!). Finally, guessing that we needed to remove the periods from this number, we get the flag:
Code (bash):
1kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ gpg --output message.txt --decrypt message.txt.gpg
2gpg: AES256.CFB encrypted data
3gpg: encrypted with 1 passphraseCode:
1kevin@ky28059:/mnt/c/users/kevin/Downloads/RAW/RAW$ cat message.txt
2csawctf{1_kN0w_Y0U_l1k3_1T_R4W}