ch1se
  • Home
  • CERTIFICATES AND PARTICIPATIONS
    • HackTheBox - Cyber Apocalypse CTF 2025: Tales from Eldoria
    • The SecOps Group
  • bitsctf-2025-writeups
    • HotPause
  • BRONCOCTF-2025-WRITEUPS
    • theflagishere!
  • ACECTF-2025-WRITEUPS
    • The Mysterious Building
    • Social Circles
    • Broken Secrets
    • Cryptic Pixels
    • Tabs&Spaces
  • PEARLCTF-2025-WRITEUPS
    • Hidden Marker
    • SentMail
    • Van Gogh's GARBAGE hunt
  • 1753CTF-2025-WRITEUPS
    • Dude where is my car
    • Happy New Year!
    • Somewhere in Space
  • CITCTF-2025-WRITEUPS
    • Timesink
    • Throwback to the Future
    • No Country for Old Keys
  • BYUCTF-2025
    • Universal-ty
  • OSINT-WRITEUPS
    • gralhix
Powered by GitBook
On this page
  • Introduction
  • Steps
  • Step 1: Extracting and Inspecting the ZIP File
  • Step 2: Identifying an Anomalous File
  • Step 3: Initial Steganography Checks
  • Step 4: Analyzing whitespace_flag.txt
  • Step 5: Converting Whitespace to Binary
  • Step 6: Converting Binary to Text
  • FLAG
  1. ACECTF-2025-WRITEUPS

Tabs&Spaces

CATEGORY - STEGANOGRAPHY

PreviousCryptic PixelsNextHidden Marker

Last updated 3 months ago

Introduction

This challenge provides a ZIP file containing multiple files. Our goal is to analyze them and extract a hidden flag, which appears to involve whitespace-based steganography.

Steps

Step 1: Extracting and Inspecting the ZIP File

The challenge provides a ZIP archive. After extracting it, we see the following files inside:

A Python script is present, which appears to be for checking file integrity and isn't immediately useful.

Step 2: Identifying an Anomalous File

Navigating into the files/ directory, I checked the contents of all files. One file stood out due to its different color and unusual file extension.

To make it easier to work with, I renamed the file to remove the extra . in its name.

Step 3: Initial Steganography Checks

Since the file was a JPG image, I performed basic steganography checks:

  • Exiftool → No interesting metadata found.

  • Steghide (without passphrase) → Extracted a hidden text file named whitespace_flag.txt.

steghide extract -sf 87.jpg

Step 4: Analyzing whitespace_flag.txt

Opening whitespace_flag.txt in Sublime Text, I noticed that the content wasn't regular text. Instead, it appeared to contain whitespace-based encoding.

Searching online for whitespace steganography, I found tools like stegsnow. However, stegsnow didn't reveal any meaningful text, suggesting that another encoding method was used.

Upon closer inspection, I saw patterns of tabs (^I) and spaces (␣), which indicated binary encoding, where:

  • Tab (^I) = 1

  • Space (␣) = 0

Step 5: Converting Whitespace to Binary

To decode the message, I used the following command:

cat whitespace_flag.txt | tr ' ' '0' | tr '\t' '1' | tr -d '\n'

This converted the hidden text into a binary string:

0100000101000011010001010100001101010100010001100111101101101110001100000101111100110011011110000111000000110001001100000011000100110111010111110110111000110000010111110110011100110100001100010110111001111101

Step 6: Converting Binary to Text

For the final step, I converted the binary data to readable text using Perl:

echo "0100000101000011010001010100001101010100010001100111101101101110001100000101111100110011011110000111000000110001001100000011000100110111010111110110111000110000010111110110011100110100001100010110111001111101" | perl -lpe '$_=pack"B*",$_'

FLAG

ACECTF{n0_3xp1017_n0_g41n}