
Zero Width Space Steganography (ZWSP) | CTF

Roshan Cheriyan
4 min read · Oct 11, 2020


A couple of months back, our CTF team participated in CSAW CTF Quals 2020. We were not eligible for the finals, but it was a really awesome experience: practice, learning, and fun!

This note is all about Widthless, a challenge hosted in the web category of that CTF. It was pretty easy and fun to do. Widthless is not about exploiting the server; it is a steganography-based challenge.

Recon

When the challenge loads, the website looks like a personal portfolio.

I started enumerating every possible web directory and ran the web server vulnerability scanners, but that didn't help. So I fired up Burp Suite, my favourite tool, to enumerate all the requests. While enumerating with Burp I found something on that webpage.

At the bottom of the page some characters were encoded. I immediately looked at the source code. Until then I had forgotten to look at the source code, my mistake 😢.

There was nothing else in that source code, but I found one comment in it.

“zwsp is fun!” I really didn't know what this meant, so I started searching on Google for “ZWSP”. From there I found that ZWSP means Zero-Width Space. It's a steganography method for encoding text in characters that render as nothing. One YouTube video from John Hammond helped me a lot.

When I copied the last part of that webpage and viewed it using Python, I found that some characters were encoded.

So I wanted to decode the Unicode-encoded characters to get the flag. From GitHub I got a script to decode them.

I found two scripts to decode the characters, zwsp-steg-py and zwsp-steg-js. One is Python and the other is JavaScript. I am not into JavaScript, so I went with Python. Then I tried to decode the text, and Python threw an error.

“Type Error: Cannot decode Unicode”. I didn't fix the error because we had the other option, zwsp-steg-js. I told you I am not good at JavaScript. In that README.md, the developers of the repo said there is a demo.

So I started working with the demo.

Exploitation

After decoding the encoded characters, we got one Base64-encoded string.

That can be easily decoded on my local machine.

After decoding, we got one string. I submitted the string to the input box on the CTF website.

Here I got one path. Without waiting, I started navigating to it.

In that directory I got another webpage, which looked the same. I copied all of the source code and tried decoding the ZWSP using the demo website.

From there I got another string. It looked like an MD5 hash, but it was not MD5; it was hex encoded 😂. Cool, I used another website to decode the hex.

Nice, we got another string like the previous one, and I entered it into that textbox.

Another directory, with both passwords/strings. When I navigated to the directory, I got the FLAG.
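The decoding chain from the writeup, as an added example (not code from the post, and not the zwsp-steg-py or zwsp-steg-js projects' own format): pull the zero-width characters out of page source, rebuild the hidden text, then peel the Base64 or hex layer. The bit scheme used here (U+200B = 0, U+200C = 1, eight bits per byte, UTF-8 payload) and the sample HTML are assumptions constructed for the demo. The `find_zero_width` counter is the check a defender would run over page source to spot this kind of hidden payload.

```python
import base64
import binascii
import re

# Assumed encoding (not the zwsp-steg libraries' own scheme):
# U+200B zero-width space = bit 0, U+200C zero-width non-joiner = bit 1.
ZERO, ONE = "\u200b", "\u200c"
# Any zero-width / invisible format character worth flagging in page source.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u200e\u200f\u2060\ufeff]")


def zwsp_encode(secret: str) -> str:
    """Turn a secret string into a run of characters that render as nothing."""
    bits = "".join(f"{b:08b}" for b in secret.encode("utf-8"))
    return "".join(ONE if bit == "1" else ZERO for bit in bits)


def zwsp_decode(carrier: str) -> str:
    """Keep only the two carrier characters, rebuild bytes eight bits at a time."""
    bits = "".join("1" if c == ONE else "0" for c in carrier if c in (ZERO, ONE))
    usable = len(bits) - len(bits) % 8          # drop a trailing partial byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def find_zero_width(html: str) -> int:
    """Detection check: how many zero-width characters does this source contain?"""
    return len(ZERO_WIDTH.findall(html))


def unwrap(text: str) -> str:
    """Peel the hex or Base64 layer seen in the challenge; return text unchanged otherwise."""
    try:                                         # hex first: stricter alphabet
        return bytes.fromhex(text).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        pass
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return text


# Constructed sample: a portfolio footer with a Base64 payload hidden in zero-width
# characters, followed by the same HTML comment the challenge left behind.
HIDDEN = zwsp_encode(base64.b64encode(b"s3cr3t_path").decode("ascii"))
SAMPLE_HTML = "<footer>contact me</footer>" + HIDDEN + "<!-- zwsp is fun! -->"

if __name__ == "__main__":
    print("zero-width chars in source:", find_zero_width(SAMPLE_HTML))
    print("recovered:", unwrap(zwsp_decode(SAMPLE_HTML)))
```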

Roshan Cheriyan

Security Researcher || Web Penetration Tester || Reverse Engineer || Web & Flutter Developer