To start we unzip the file and see that we get two new files:
BAND.zip and m3ss@g#_f0r_pAul
once we cat the message we can see that John has used a cipher.
We can use a handy site called https://www.dcode.fr/caesar-cipher
After running the Brute force, it looks like it’s ROT13.
Once we select shift 13, we get the message.
As per instructions, we use Fcrackzip with the common word list ‘rockyou.txt’.
We can now extract the file from BAND.zip. Once we have done that, we get a nice JPG. Now personally I was stuck on this for at least 20 minutes thinking what it could be. TYCN, or the name of a song, the stances mean something….
After giving up, I generated a custom word list and brute forced the thing using stegcracker: apt-get install Stegcracker
How to generate a custom wordlist:
We now have an .out file. Here we can cat the file and see whats inside
We can see there is a clear text message with an encoded message.
Looks to be Base64. We could use the native tools but I simply go to: https://www.base64decode.org/
Once decoded, we get the flag.