Lucas Santoni

Deloitte CTF Quals 2019: Halloween Town

Published June 11, 2019 • 2 minutes read

Halloween Town 🎃 was a task labelled cryptography and worth 135 points. It was actually mostly steganography/guessing. The task remained unsolved for the most part of the competition, until the staff decided to release hints.

Task Description

Let's begin with an nmap scan:

$ nmap
Starting Nmap 7.80 ( ) at 2019-11-06 16:05 GMT
Nmap scan report for (
Host is up (0.0038s latency).
Not shown: 990 closed ports
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
2000/tcp open     cisco-sccp
5060/tcp open     sip
8008/tcp open     http

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

So we have access to this front:

The front

There really is nothing here... Then I downloaded the background image and found out that the timestamp is weird:

root@3853909ffedf:/macOS/halloween# exiftool background.jpg
Modify Date                     : 1993:10:31 08:02:04
Y Cb Cr Positioning             : Centered
Exif Version                    : 0231
Date/Time Original              : 1993:10:31 08:02:04
Create Date                     : 1993:10:31 08:02:04

I got stuck here and stoped working on this challenge. A few hours later, the staff recommended to use StegCracker. This is mostly a wrapper around steghide, with the ability to perform dictionnary attacks.

Let's try with rockyou.txt:

root@3853909ffedf:/macOS/halloween# stegcracker background.jpg ../rockyou.txt
StegCracker 2.0.7 - (
Copyright (c) 2019 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'background.jpg' with wordlist '../rockyou.txt'..
Successfully cracked file with password: halloween
Tried 3099 passwords
Your file has been written to: background.jpg.out
root@3853909ffedf:/macOS/halloween# cat background.jpg.out

Note: steghide really is a pain to install on macOS because of its dependencies. An Ubuntu docker is a nice alternative.

We now have a string. It looks like it's hexadecimal but the output is not readable. I suspected that the string was xored but xortool could not find anything so I got stuck again.

A few minutes before the end of the CTF, the staff released another hint: the timestamp of the image is the key. One of my teammates had the idea to convert the date into a UNIX timestamp. Because of the AM/PM thing, there are two possible keys: 752097724 and 752054524. The second is the right one.

We convert it to hexadecimal and xor it with the text we extracted using steghide. The output decodes as:

535646564e014502045c4c6d055600474b6b025e015c0603055c014a ^ 373532303534353234

Final flag: dctf{5p00ky_5c4ry_5k3l370n5}.