The Challenge

Visiting level 2 brings us to the page that you see below. It has a broken/unrenderable image file and some text asking us to take a look at it.

Sure enough, if you try to navigate directly to the image in your browser, it will fail to load. Some browsers, such as Chrome, will simply show a blank screen. Other browsers, such as Firefox, may present an error:

The image "http://ctf.infosecinstitute.com/img/leveltwo.jpeg" cannot be displayed because it contains errors.

I downloaded the image file to my Linux machine to start examining it closer. A quick method is to copy the URL and pass it to wget.

$ wget http://ctf.infosecinstitute.com/img/leveltwo.jpeg

I figured I would start by making sure that this really is an image file like they said it was. To do this, you can use the Linux command “file” to get a report of what kind of file it is.

$ file leveltwo.jpeg
leveltwo.jpeg: ASCII text

This says that it is an ASCII text file, which sure isn’t an image file. Seeing as it is just a text file, we should be able to open it up with a simple text editor (e.g., notepad on Windows, vi or nano on Linux). You could also just use the Linux “cat” command to display the contents directly to your terminal instead of opening up an editor.

$ cat leveltwo.jpeg
aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

It definitely doesn’t look like the flag, so what is it? In this case, we can tell that this is probably Base64-encoded data. How can you tell? The fact that we are seeing a lot of uppercase and lowercase characters mixed in with numbers is a good indication, first of all; secondly, there are no symbols except for the trailing = sign. Base64 strings are often found ending with = or == or no symbol at all. If you’re unsure, just try decoding it and see if you get back anything legible. There are plenty of websites that you can search for that will decode Base64 strings for you, but I would recommend learning the Linux way. Below are three different ways you could achieve the same goal.

$ base64 -d leveltwo.jpeg
infosec_flagis_wearejuststarting

$ cat leveltwo.jpeg | base64 -d
infosec_flagis_wearejuststarting

$ echo aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc= | base64 -d
infosec_flagis_wearejuststarting

Sure enough, there is our second flag: infosec_flagis_welcome

Lessons Learned

From a CTF challenge standpoint, the first lesson learned is that you should never trust what is provided to you. In this case, they gave you a file ending in .jpeg that was actually just a plain text file. Just because it has a certain extension doesn’t mean that’s what it really is.

You also learned how to tell what type of file something is if you weren’t sure to begin with or want some form of positive confirmation. Knowing the file type can save you a lot of time for more complex files in the future.

Lastly, you learned how to identify a Base64 string and how to decode it back into the original data. Base64 is found very commonly over the web, so this won’t be the last time that you see it. Knowing how to quickly identify it and decode it will be valuable.