Challenge - Week 5
https://minside.bouvet.no/bouvet-alle/nyheter/ukas-sikkerhetspost-2
Can you find the hidden message here? The code word follows the same format as last time: BVT{
}
Comment the correct answer in #bouvet-informerer and join the draw for a 🎁
Solution
Everyone was given a hint here: the image of the barcode was located at https://dont-scan-me.bouvet.no/img/qr.jpg.
Upon visiting the website, one was presented with a custom HTTP Error 406 - Not Acceptable page telling you to not scan random QR codes you find.

Anyway, the flag was hidden in the Exif metadata of the image itself.
Many people forget, or don't realize, that if you upload or post a photo to a service that doesn't scrub the Exif metadata, a lot of information about the photo (location, camera type, ...) is stored in the actual image, and it is visible to anyone who wants to see it.
As an example, Imgur is an image host that does remove Exif data, keeping your images (somewhat) anonymous.
Writing, removing or altering Exif Metadata can be done using ExifTool for example.
We can read the Exif data of an image using exiftool <filename>.
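To show where that metadata lives in the file and what scrubbing it means, here is an added example (not part of the original post or of ExifTool) that walks the segments of a JPEG and drops the Exif APP1 segment. The sample bytes and the function names are constructed for the illustration.

```python
import struct

EXIF_ID = b"Exif\x00\x00"  # identifier that opens an Exif APP1 payload

def jpeg_segments(data):
    """Yield (marker, payload, raw) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("corrupt or truncated segment")
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end
        if marker == 0xDA:  # SOS: compressed image data follows, stop walking
            return

def has_exif(data):
    return any(m == 0xE1 and p.startswith(EXIF_ID) for m, p, _ in jpeg_segments(data))

def strip_exif(data):
    """Return the JPEG with every Exif APP1 segment dropped, all else unchanged."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, payload, raw in jpeg_segments(data):
        pos += len(raw)
        if not (marker == 0xE1 and payload.startswith(EXIF_ID)):
            out += raw
    return bytes(out + data[pos:])  # scan data and EOI copied as-is

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG segment structure only, not a decodable picture.
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, EXIF_ID + b"constructed metadata: GPS position, camera model")
          + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\x56\xff\xd9")

if __name__ == "__main__":
    clean = strip_exif(SAMPLE)
    print(has_exif(SAMPLE), has_exif(clean), len(SAMPLE) - len(clean))
```

This removes only the Exif APP1 segment; other metadata containers such as XMP, IPTC (APP13) and JPEG comment segments are left in place and need the same treatment before an image is published.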

As another fun little easter egg that some people found, we had spoofed the coordinates of the image to the Bouvet Oslo office address, Sørkedalsveien 8.

The flag?
BVT{The devil is in the details}
