@adricnet
Last active March 22, 2018 01:30
Proof of obtaining flag? Metasploitable 3's Joker card

The live demo attempt method (FileInsight):

  1. Use the browser's web developer tools or Burp to capture the source of the index page (Ctrl-A, Ctrl-C).

  2. Paste that HTML into a new buffer in FileInsight.

  3. Trim away everything but the suspicious bitstream.

  4. Select the bitstream (Ctrl-A) and use the Decode tools in the left pane to convert Hex to ASCII (no key).

  5. Switch the view from Text to Hex to see the file clearly, including the PNG header bytes:
89 50 4E 47 0D ... ... .PNG.

  6. Save to a file with a .png extension. Open the image to see the flag.

  7. Hash that file, and get this result:

PS C:\malware> sigcheck64 -h .\poof-haha.png

Sigcheck v2.55 - File version and signature viewer
Copyright (C) 2004-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\malware\poof-haha.png:
        Verified:       Unsigned
        File date:      9:05 PM 3/21/2018
        Publisher:      n/a
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a
        MD5:    242CEEE0E37CA4215A579FC66B700082
        SHA1:   52C8765687547EFE46C62CF41DD31894E39DF7B7
        PESHA1: 52C8765687547EFE46C62CF41DD31894E39DF7B7
        PE256:  8061672BD343518FB8C2CFB0D8ABCE2D774CFB051DDE0EBAB08C029D8F201D24
        SHA256: 8061672BD343518FB8C2CFB0D8ABCE2D774CFB051DDE0EBAB08C029D8F201D24
        IMP:    n/a

This should all work fine with Burp's Decoder, but Java was lagging in the workshop so we switched over to FileInsight. Reasonably clever hackers and cryptopals survivors should be able to script this out quickly in Python, etc.
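The scripted version of the same carve, as an added example that is not part of the original gist: it pulls the longest hex run out of captured page source, decodes it, checks for the PNG signature before trusting it, and prints the same MD5/SHA1/SHA256 that sigcheck reported. The sample HTML and the 1x1 PNG embedded in it are constructed here so the script runs offline; they are not the Metasploitable 3 page or image.

```python
import hashlib
import re
import struct
import zlib

# PNG signature: the 89 50 4E 47 0D 0A 1A 0A bytes seen at the top of the hex view.
PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")


def extract_hex_stream(html: str, min_len: int = 32) -> str:
    """Return the longest run of hex byte pairs in the page source, whitespace stripped."""
    pattern = r"(?:[0-9A-Fa-f]{2}\s*){%d,}" % (min_len // 2)
    candidates = re.findall(pattern, html)
    if not candidates:
        raise ValueError("no hex bitstream found in page source")
    return re.sub(r"\s+", "", max(candidates, key=len))


def decode_hex(stream: str) -> bytes:
    return bytes.fromhex(stream)


def is_png(data: bytes) -> bool:
    return data[:8] == PNG_MAGIC


def hashes(data: bytes) -> dict:
    """Same three digests sigcheck prints, upper-cased to match its output."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def make_tiny_png() -> bytes:
    """Constructed 1x1 red PNG used only as sample input (not the flag image)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)     # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


SAMPLE_PNG = make_tiny_png()
# Constructed stand-in for the captured index page, with the bitstream inside a tag.
SAMPLE_HTML = '<html><body><div id="j">' + SAMPLE_PNG.hex() + "</div></body></html>"


def carve(html: str, out_path: str = "") -> dict:
    """Decode the embedded stream, refuse anything that is not a PNG, optionally write it."""
    data = decode_hex(extract_hex_stream(html))
    if not is_png(data):
        raise ValueError("decoded stream does not start with the PNG header")
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return {"size": len(data), **hashes(data)}


if __name__ == "__main__":
    print(carve(SAMPLE_HTML, "poof-haha.png"))
```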
