The Audacity of Some CTFs

2021 Update: This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up.

I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post.

Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram.

According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals.

I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago.

Equation by Aphex Twin


Many years later, I applied this knowledge to the SANS 2015 Shmoo Challenge.

During this event, I extracted shmooster.mp3 from svn_2015.dump and noticed some interesting beeps and boops at the end of the audio. At this point I installed sonic-visualiser, opened the file and adjusted the settings to zoom in and stretch the spectrogram until I was able to clearly obtain the flag by scanning the QR code.

Redacted QR Code Found in shmooster.mp3


More recently, EverSec CTF hosted an event at CarolinaCon14 where I was able to obtain files artifact.wav and artifact.mp4.

Let's get into a little more depth on how to use Audacity to view spectrograms and capture some flags.

Starting with the wav file, when I played it, I heard 32 seconds of silence. When I opened artifact.wav with audacity, I noticed that their was no sound at all according to the waveform.

 Flat Waveform


After zooming all the way in, I saw dots in the waveform but I couldn't do much with them.

Dots in the Waveform


I then thought the spectrogram might reveal something more interesting about these dots.

To view the spectrogram using Audacity, select the down arrow in the left hand side control panel that also has the L/R balancer, Mute, and Solo buttons; and select spectrogram.

Once in this view, I zoomed out a bit and could see something that looked a lot like morse code.

Interesting Spectrogram


At this point, I browsed to cyberchef and entered all of the dots and dashes which cyberchef was kind enough to translate for me in realtime and it revealed the flag when I was all done.

Cyberchef Reveals the Flag


Huzzah!

Now let's look at the mp4 file.
This file had a lot more flags associated it with, but let's stick to the topic of spectrograms.

After I loaded the mp4 in Audacity, I saw that the waveform was not very interesting and immediately switched to the spectrogram view.

Artifact.mp4 Spectrogram

I noticed that the spectrogram was cut off at 8k Hz so, using the Spectrogram Settings menu, I increased Maximum Frequency to 20000 Hz which I believe is the top end of what the human ear can perceive. 

After doing so, something much more interesting presented itself.

Interesting Spikes between 15k Hz and 20k Hz


After zooming in, I could tell there was something written there but I could not quite make it out. Using the Spectrogram Settings menu, I tightened up the frequencies to only display the spectrum that contained the characters (17k and 18k) and the flag became a little more clear. 

n0t3v3ryth1ng1$wh4tiTs33ms


Nice, two EverSec flags from spectrograms!

There are many other examples of files and songs with interesting spectrograms, Defcon XX track 14 comes to mind, but these are just a few of the examples that I still had evidence for from past CTFs. 

I hope you all enjoyed this quick post, it is the first of many more to come.

-strupo_

Popular posts from this blog

Code Name: Treehouse of Horror CTF

DEF CON 26 - IoT Village - SOHOpelessly Broken CTF