Write-up on CTFlearn’s challenge 888 - MountainMan. Don’t be fooled by two 0xffd9 markers… Challenge author: kcbowhunter.


Forensics, 60 points

Don’t be fooled by two 0xffd9 markers. xor is your friend.

Attached file: MountainMan.JPEG


For this challenge, we are given a JPEG file. By searching a bit in it with a hex editor (I am using HxD Hex Editor), we can’t really find any interesting string. So this must be specific to JPEG.

Let’s dive into the JPEG file structure.

“Don’t be fooled by two 0xffd9 markers.”

Here is an absolutely awesome resource about that. Shout out to the creator of this webpage, I use it all the time in that type of challenge!

For this challenge, we are going to research about only one thing of the whole JPEG file structure: the 0xffd9 marker. This marker is mentioned in the challenge description, so it is probably a lead to the solution.

Let’s look at the resource suggested earlier to find the meaning of this hexadecimal value inside a JPEG image. It is important to know that every marker in a JPEG file starts by a 0xff, meaning we are searching for 0xd9.

0xffd9 meaning

As you can see, the 0xffd9 marker represents the end of the image. The challenge description states that there are maybe two, which seems illogical a file usually has only one end marker… Let’s see what this is about in a hex editor.

By looking at the end of the file, we can validate there are actually two EOI (End of Image) markers.

End of the File

The actual true end of the JPEG file is the first one. The second one is only there to fool us into thinking that this one is the actual end, which it isn’t. Notice there is data between those markers, let’s extract it and pass into the second part of this challenge.

“xor is your friend.”

We have found data that doesn’t seem to decode in any readable way. It is stated in the challenge description that “xor is our friend”. Let’s trust that call to and try to brute-force the XOR key used. For this part, I’m going to do exactly what is mentioned as the second method part of my BruXOR writeup. Go read that part if you want to understand more about brute-forcing XOR using CyberChef’s Magic operation.

The CyberChef recipe I am using for this challenge looks like that. (link to it right here)

CyberChef Solution

This has worked, we have now got the flag!

That’s all we got to do to solve this challenge. If you have any questions, feel free to contact me via Twitter or using any of the methods listed here.