Post

TAMUctf 2024 - Writeups

Posted Updated
Preview Image
By warlocksmurf 1 min read

This is a writeup for some forensics challenges from TAMUctf 2024. Since TAMUctf released with four other CTFs on the same day, I only solved a few challenges. However, I will attempt the other challenges later myself, especially the Minecraft ones.

Deleted [Forensics]

Question: We found this file and was told that it contains a flag within it. Can you find the flag?

Flag: gigem{f0und_d3l3t3d_f1l3}

We are given an E01 image to investigate. Using either FTK Imager or Autopsy, the deleted file content can be obtained.

del1

Fuzzy [Forensics]

Question: The image.jpg file has a similar image file but not the same somewhere out of many jpg images. Can you find the similar image? Images: https://tamuctf.com/5d6b407ee061e8696136d4dfd25f24b0/static/fuzzy-images.zip

Note: The flag is not the file name, nor is the flag embedded in the image using metadata or any steg technique.

Flag: gigem{P3rC3P7U41_H45H1N6_M4NY_1M4635_94721}

We are given an image of a dog in a river to investigate.

dog

Reading the description, it seems that I should be looking for any similarities between this dog image and the rest of the images in the given folder. One simple way I found out was to use hamming distance. So by creating a script, the hamming distance for every image can be compared.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

from PIL import Image
import imagehash
import os

def find_similar_image(target_image_path, folder_path, threshold=5):
    target_hash = imagehash.average_hash(Image.open(target_image_path))

    similar_images = []

    for filename in os.listdir(folder_path):
        if filename.endswith(('.png', '.jpg', '.jpeg')):
            image_path = os.path.join(folder_path, filename)
            try:
                hash_value = imagehash.average_hash(Image.open(image_path))
                hamming_distance = target_hash - hash_value
                if hamming_distance <= threshold:
                    similar_images.append((image_path, hamming_distance))
            except Exception as e:
                print(f"Error processing {filename}: {e}")

    similar_images.sort(key=lambda x: x[1])  # Sort by hamming distance
    return similar_images

target_image_path = "image.jpg"
folder_path = "flickr30k_images"
similar_images = find_similar_image(target_image_path, folder_path)

if similar_images:
    print("Similar images found:")
    for image_path, hamming_distance in similar_images:
        print(f"- {image_path} (Hamming distance: {hamming_distance})")
else:
    print("No similar images found.")

1
2
3

└─$ python3 file.py   
Similar images found:
- flickr30k_images/WicL6IMHf0xg1H3E.jpg (Hamming distance: 3)

The suspicious image can then be obtained (brightness increased for better visibility).

sus

ctf
forensics tamu
This post is licensed under CC BY 4.0 by the author.