# Aww Cuter Cat

| Difficulty | Points | Solves |
| ---------- | ------ | ------ |
| Easy       | 150    | 1      |

## Description

> This cat is cuter than the rest \
> With fur so soft and eyes so bright \
> She loves to play and loves to cuddle \
> And brings joy to every single night
>
> Her purrs are soothing to the soul \
> And her meows are music to the ear \
> With each and every playful leap \
> She brings laughter and good cheer
>
> This cat is cuter than the rest \
> A true treasure and a dear friend \
> She brings us joy with every breath \
> And we are blessed to have her till the end.\
> \
> Poem by ChatGPT

## Solve

Downloading the files and running the `file` command shows that it's a zip file.

<figure><img src="/files/6MXvAermns6vSygbcmqi" alt=""><figcaption></figcaption></figure>

Attempting to unzip it shows that it is password protected.

<figure><img src="/files/AuN5Xz4cAzxqBcyiIgfk" alt=""><figcaption></figcaption></figure>

Using `zip2john`, we can convert the password-protected zip file into a hash and crack it with `john`:

```bash
zip2john evidence.zip > forjohn
john --wordlist=/usr/share/wordlists/rockyou.txt forjohn
```

<figure><img src="/files/X4U9pyJ3mVUGhR0war2I" alt=""><figcaption></figcaption></figure>

Now we can extract the `evidence.img` file. Running `file` on `evidence.img` shows that it is a Linux filesystem image.

<figure><img src="/files/bIb9xMc95b3x8SNAdLoe" alt=""><figcaption></figcaption></figure>

After mounting the evidence, we saw only a `cat.jpg` file and no other files.

`cat.jpg` shows a photo of a cute cat; however, the file size is very big, which might be suspicious.

<figure><img src="/files/FgklEz6BNYP0HlG8V4YX" alt=""><figcaption></figcaption></figure>

Using [TinEye](https://tineye.com/search/5721bcde4ff15b69385a589895fbecd76207c6ee?sort=score&order=desc&page=1), I performed a reverse image search and compared the file size.

Based on the similar challenge `Aww Cute Cat`, we can guess that this is image steganography with steghide.

Using `FTK Imager`, I mounted `evidence.img`, and it shows a wordlist in the `unallocated space`.

{% hint style="info" %}
When you delete a file, the operating system marks the space on the hard drive that the file occupied as available for use, but it does not actually erase the file's data from the hard drive.<br>

Instead, it simply removes the reference to the file from the file system, which is a database that the operating system uses to keep track of all the files on the computer.<br>

As a result, the data that made up the file is still present on the hard drive, but it is no longer accessible through the file system.
{% endhint %}

Therefore, we are able to extract the wordlist using a forensics investigation tool like `FTK Imager`.

Running `strings` on `evidence.img` also shows the wordlist.
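Why a raw scan finds what the mounted file system hides, as an added example that is not part of the original writeup: the Python sketch below scans a constructed stand-in for `evidence.img` the way `strings` does, then carves out blocks that look like one word per line. The image bytes, the sample words and the function names are assumptions made for illustration.

```python
import re

MIN_LEN = 4  # default minimum run length used by strings(1)

# Constructed sample standing in for evidence.img; the words are made up
# and are not the challenge's real wordlist.
DELETED_WORDLIST = b"whiskers\ntabby\npurrfect\nmeowmix\ncatnip2022\n"
IMAGE = (
    b"\x00" * 1024                         # empty leading blocks
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # header of the one allocated file (a JPEG)
    + b"\x01" * 1013                       # stand-in for compressed image data
    + b"\x00" * 2048                       # free blocks that were never written
    + DELETED_WORDLIST                     # residue of a deleted file: no directory
                                           # entry points here, but the bytes remain
    + b"\x00" * 512
)


def printable_runs(data, min_len=MIN_LEN):
    """Return (offset, text) for every printable-ASCII run, like `strings -t d`."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def carve_wordlists(data, min_words=5):
    """Return (offset, words) for each block of at least min_words
    consecutive lines that each hold a single token of 1-32 characters."""
    pattern = re.compile(rb"(?:[\x21-\x7e]{1,32}\n){%d,}" % min_words)
    return [(m.start(), m.group().decode("ascii").split())
            for m in pattern.finditer(data)]


if __name__ == "__main__":
    # The scan ignores file-system metadata entirely, so allocated and
    # unallocated regions are treated the same.
    for offset, text in printable_runs(IMAGE):
        print(f"{offset:>6} {text}")
    for offset, words in carve_wordlists(IMAGE):
        print(f"wordlist candidate at byte {offset}: {len(words)} words")
```

To try it on a real image, replace `IMAGE` with the bytes read from the image file and write the carved words out one per line.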

Now, with the wordlist, we can use the tool [`stegseek`](https://github.com/RickdeJager/stegseek) to perform a password attack on `cat.jpg` to extract the flag.

```bash
stegseek -sf cat.jpg -wl wordlist.txt
```

<figure><img src="/files/fLKbAoskXKOPAlMtKES5" alt=""><figcaption></figcaption></figure>


