Steganography challenges are often data which is hidden in images or audio files. However, this challenge is the most creative challenge I have ever seen. I had difficulty doing this as there are no available writeups for this challenge. However, after completing it, I can conclude that this is an easy challenge.
We are first presented with a README file which gives us a Vimeo link and the password to the video, @pUb0HZ0I9.
Entering that password presents us with a Vimeo video (duh), with the title “no the flag is not in the title”, which tells us the flag is hidden somewhere around this video.
Looking at the description shows us the title, the uploader, the upload date and the tags of the video. However, the tag shows that the flag is not in the description.
The last place to look is the subtitles of the video, which revealed some kind of text! It is a kind of data format. However, at the time I didn’t know what the data type was.
At this point I was stuck, but a redditor helped by revealing that this resembles timestamps according to Oracle’s documentation.
With that in mind, I scraped through the entire video and took down the timestamp formats into a file, and I also found another Vimeo link which is guarded by a password.
My guess at the time was that the two timestamps represent how long the subtitle appears. However, I didn’t know how to extract the subtitles from a Vimeo video. Eventually I found a tool called yt-dlp, which is able to extract subtitles from a video.
As we can see, there are big x’s and small x’s. The big x’s could represent something. So I took down the numbers that have big x’s under them.
But this doesn’t look like any representation of ASCII numbers or hex. However, knowing that the “|” between the timestamps may represent something, I split the numbers accordingly.
This looks more like ASCII numbers. With that in mind, let’s decode the message.
Decoding it reveals the password for the next video.
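The decoding steps above (keep the digits above a big X, split at "|", read each group as an ASCII code), as an added Python example that is not the author's own script. The subtitle layout (two timestamps joined by "|" with a line of x/X markers underneath) and the WebVTT sample are constructed assumptions, since the page does not reproduce the real subtitles.

```python
import re

# Constructed WebVTT sample, NOT the challenge's real subtitles. Assumed layout:
# each cue shows two timestamps joined by "|" with a marker line underneath.
SAMPLE_VTT = """WEBVTT

00:00:01.000 --> 00:00:04.000
2019-01-10 08:00:00 | 2019-11-01 10:10:00
xxXx Xx xX xx xx xx   xxXx xx XX xx xx xx

00:00:05.000 --> 00:00:08.000
2019-02-09 11:30:00 | 2019-11-21 07:15:00
xxXx Xx xX xx xx xx   xxXx XX xx xx xx xx
"""

def cue_payloads(vtt):
    """Yield the text lines of each cue, skipping the header and timing lines."""
    for block in re.split(r"\n\s*\n", vtt.strip()):
        lines = block.splitlines()
        timing = next((i for i, l in enumerate(lines) if "-->" in l), None)
        if timing is not None:
            yield lines[timing + 1:]

def marked_groups(text, markers):
    """Keep digits that sit above a capital X; '|' separates the groups."""
    picked = "".join(
        ch if ch == "|" or (m == "X" and ch.isdigit()) else ""
        for ch, m in zip(text, markers.ljust(len(text))))
    return [g for g in picked.split("|") if g]

def decode(vtt):
    """Decode every marked group as a decimal ASCII code."""
    out = []
    for payload in cue_payloads(vtt):
        if len(payload) < 2:
            continue  # a cue without a marker line carries no data
        for group in marked_groups(payload[0], payload[1]):
            code = int(group)
            if not 32 <= code < 127:
                raise ValueError(f"group {group!r} is not printable ASCII")
            out.append(chr(code))
    return "".join(out)

if __name__ == "__main__":
    print(decode(SAMPLE_VTT))
```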
Going into the next video, we run through the same steps as with the first video.
Going into the description reveals the flag.
apuboh2019{wH0_n33D5_5uBT1Tl3s}