Published on

Impasta

Authors
  • Name
    Twitter

Challenge description

Name: Impasta
Category: Steganography

Everyone remembers this guy, right? I remember them saying something along the lines of... the impostor is sus.
Flag format: CTF{}
Hint: The keys are right here. There might be more than one though.

We are given an image of a red crewmate from Among Us.

The flavour text (the impostor is sus) and the hint about keys strongly suggest that this sentence itself will be used later as cryptographic keys.

1. Extracting data from the image

The challenge tells us to use a specific stego tool:

On the site:

  1. Go to the Decode tab.
  2. Upload the provided crewmate image.
  3. Press Decode.

Instead of human-readable text, we get a very long dash-separated hex string, starting like:

41-0b-48-44-0e-48-41-0c-48-41-0a-48-40-5a-48-41-51-48-41-0a-48-40-5e-...

So the PNG hide payload is not the flag yet, but an encoded byte sequence.

2. Interpreting the hint (“the impostor is sus”)

The hint says:

The keys are right here. There might be more than one though.

The only obvious sentence in the statement is:

the impostor is sus

If we split it into words, we get four potential keys:

  • the
  • impostor
  • is
  • sus

The data we got from the PNG looks like hex bytes, which is a common representation for XOR-encrypted data.
This suggests the following structure:

  1. Plaintext (probably the flag or something close).
  2. Base64-encoded.
  3. XORed multiple times with different keys.
  4. Hex-encoded (with dashes between bytes).

To undo this, we can use CyberChef.

3. Decrypting with multiple XOR keys in CyberChef

Open:

Paste the entire hex blob into the Input window.

Then build the following recipe, in this exact order:

  1. From Hex
  2. XOR with key the (encoding: UTF-8, scheme: Standard)
  3. From Hex
  4. XOR with key impostor
  5. From Hex
  6. XOR with key is
  7. From Hex
  8. XOR with key sus
  9. From Base64

In CyberChef it looks like a repeating pattern:

From Hex
XOR (key = "the")
From Hex
XOR (key = "impostor")
From Hex
XOR (key = "is")
From Hex
XOR (key = "sus")
From Base64

Why this works

  • The hidden message in the PNG is hex-encoded bytes.
  • After the first From Hex, we XOR with the first key (the).
  • The result of that XOR is again hex-encoded, so we convert from hex once more.
  • We repeat this pattern for each word in the sentence: impostor, is, sus.
  • After the fourth XOR, the data is no longer hex but Base64, so the final step is From Base64.

This exactly reverses the sequence of operations used to hide the flag.

4. Recovering the flag

After running the full recipe, the output in CyberChef is:

CTF{v3ry_5Us_oF_y0U_mY_fr3n_23rjt0}
Discuss on TwitterView on GitHub