Post

Official Write-Up for the Lucky Panther CTF

Lucky Panther CTF TryHackMe Room

You can also join this room by going to My Rooms page and entering Code: luckypantherctf

Task 1: Download the Image

Start by downloading the provided image file.

Task 2: Investigate the Image

Question 1: What Did You Find in the Picture?

To get started, you can try using online tools. Such as: aperisolve , stegano … . But I’ll skip this part and move on to the terminal.

Just now let’s try commands:

1
2
3
4
file
strings
exiv2 <file.name>
binwalk -e <file.name>

And now closer to the point, use the steghide tool to analyze the image:

1
steghide info luckypanther.jpg

Output:

1
2
3
4
5
"luckypanther.jpg":
format: jpeg
capacity: 28.7 KB
Try to get information about embedded data? (y/n) y
Enter passphrase:

Since a passphrase is required, we need to find it. Let’s try StegSeek with the rockyou.txt wordlist:

1
stegseek luckypanther.jpg /usr/share/wordlists/rockyou.txt -

StegSeek successfully finds the passphrase:

1
2
StegSeek 0.6 
[i] Found passphrase: "$pinkpanther"

Next, extract the hidden file using steghide:

1
steghide extract -sf luckypanther.jpg

Enter the passphrase "$pinkpanther" to extract the embedded file, which is forest.zip.

Answer: forest.zip

Question 2: What is Your Second Find?

Let’s unzip the forest.zip file:

1
unzip forest.zip

Output:

1
2
Archive:  forest.zip
forest.zip: deepforest.pdf password:

The forest.zip file is password-protected. To crack it, use fcrackzip:

1
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt forest.zip

After running the command, we find the password:

1
PASSWORD FOUND!!!!: pw == deepforest

Unzipping with the password deepforest reveals the deepforest.pdf file.

Answer: deepforest.pdf

Question 3: What is Hiding in the Deep Forest?

Opening deepforest.pdf requires a password. To crack it, first extract the hash using pdf2john:

1
/usr/share/john/pdf2john.pl deepforest.pdf > deepforesthash

Then, use John the Ripper to crack the hash:

1
john --format=PDF --wordlist=/usr/share/wordlists/rockyou.txt deepforesthash

John successfully cracks the password:

1
good-luck (deepforest.pdf)

Alternatively, you can use Hashcat. First, edit the hash file by removing deepforest.pdf: from the start, and save it as deepforesthash2.

To crack the hash with Hashcat:

1
hashcat -m 10500 deepforesthash2 -a 0 /usr/share/wordlists/rockyou.txt

Hashcat confirms the password is good-luck.

Now, open deepforest.pdf with the password good-luck to reveal the first flag.

Answer: GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_P0ate4g$!}

Task 3: What is the Flag?

Just a little more deciphering left.

Are you in the Deep Forest?

Question: What is the Flag?

We have a flag example from Task 2:

1
GUZ{U!_U4px3e!_l0h_4e3_va_4ur_Q33c_s0e3$g!_P0ate4g$!}

Using the Cipher Identifier tool at dCode, we identify it as a ROT13 cipher. image.png

click on ROT-13 Cipher and decrypt srting:

image.png

We can decode it directly using ROT13, or by using CyberChef with the ROT13 function.

image.png

Answer: THM{H!_H4ck3r!_y0u_4r3_in_4he_D33p_f0r3$t!_C0ngr4t$!}

Great! Happy Hacking!

THM Badge

This post is licensed under CC BY 4.0 by the author.