Prompt: There’s nothing I love more than oreos, lions, and winning. https://mega.nz/#!DC5F2KgR!P8UotyST_6n2iW5BS1yYnum8KnU0-2Amw2nq3UoMq0Y Have Fun 🙂
All we are provided in this challenge is a single jpg. There are no obvious clues in the title or prompt (at least not that I noticed).
To start, I ran down some common commands to look for clues, starting with strings.
strings ./oreo.jpg
Contained in plain text we see, “This is not the flag you are looking for.” To me this strongly implied that data is hidden somewhere in the file. After some trial and error, I got my first breakthrough using foremost. From the man page: “foremost – Recover files using their headers, footers and data structures.”
foremost -v oreo.jpg
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Wed Sep 28 17:00:39 2022
Invocation: foremost -v oreo.jpg
Output directory: /home/ctf/Downloads/output
Configuration file: /etc/foremost.conf
Processing: oreo.jpg
|------------------------------------------------------------------
File: oreo.jpg
Start: Wed Sep 28 17:00:39 2022
Length: 15 KB (16327 bytes)
Num Name (bs=512) Size File Offset Comment
0: 00000000.jpg 9 KB 0
1: 00000018.rar 6 KB 9515
*|
Finish: Wed Sep 28 17:00:39 2022
2 FILES EXTRACTED
jpg:= 1
rar:= 1
------------------------------------------------------------------
Foremost finished at Wed Sep 28 17:00:39 2022
This exposed a hidden rar file inside the jpg file. From there I used binwalk to extract the files.
binwalk -e ./oreo.jpg
Within the extracted archive was another image file named b.jpg. Running strings on that file reveals the flag.
strings b.jpg
Flag: flag{eat_more_oreos}
Key Takeaway: Strings is very good at finding text in files that are not text files. Foremost can be used to identify files inside of files.
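The kind of check that surfaces data appended to a JPEG, as an added example (not from the original write-up, and not how foremost or binwalk are implemented): it walks the JPEG segments to the real end-of-image marker, then looks for archive signatures in whatever follows. The function names and the sample bytes are constructed for illustration.

```python
import re
import struct

# Well-known archive magic numbers (file signatures).
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar 1.5-4.x",
    b"Rar!\x1a\x07\x01\x00": "rar 5",
    b"PK\x03\x04": "zip",
}
# After 0xFF inside scan data: 0x00 is byte stuffing, 0xD0-0xD7 are restarts.
IN_SCAN = {0x00, *range(0xD0, 0xD8)}

def jpeg_end(data: bytes) -> int:
    """Walk JPEG segments and return the offset just past the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: end of image
            return pos + 2
        if pos + 4 > len(data):
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len            # length counts itself, not the marker
        if marker == 0xDA:            # SOS: skip entropy-coded scan data
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    raise ValueError("no EOI marker found")

def find_appended(data: bytes):
    """Return (jpeg_end, [(offset, kind), ...]) for signatures after EOI."""
    end = jpeg_end(data)
    hits = [(end + m.start(), kind) for magic, kind in SIGNATURES.items()
            for m in re.finditer(re.escape(magic), data[end:])]
    return end, sorted(hits)

# Constructed sample: decoy FF D9 inside APP0, RAR header after the real EOI.
_app0 = b"JFIF\x00\xff\xd9\x00\x00\x00\x00"
SAMPLE = (b"\xff\xd8\xff\xe0" + struct.pack(">H", len(_app0) + 2) + _app0
          + b"\xff\xda\x00\x03\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9" + b"Rar!\x1a\x07\x00" + b"\x00" * 8)
```

Searching for the first FF D9 in the sample stops inside the APP0 segment; walking the segments finds the real end of the image, so anything after that offset is appended data worth carving.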