Hacktober 2020 CTF Write-Up (Steganography)

sumb0dy
Oct 22, 2020

The Cyber Hacktics group, in support of NCSAM (National Cyber Security Awareness Month), hosted a CTF on October 16–17. The event's challenges covered many topics, such as traffic analysis, forensics, steganography and so on.

This post is focused on some of the steganography challenges.

Ghost Hunter

“We intercepted this image from a user on Ghost Town. Some kind of tool was used to hide information in this image.”

The first thing I do when dealing with a steganography challenge is to run some basic commands to check for simple stuff, like strings, steghide (to see if anything is embedded), binwalk, exiftool, and so on…

There wasn’t really any info from them, so next I used specific tools for specific types of files. This challenge was a .png file, so we have some tools for it.

My first choice was to use zsteg to see if any information was hidden in the data of the image.

Nothing really interesting here. So my next step (because I am lazy) is to run it with the -a flag, which will try every known method through every bit in the image and see if any data is there:

Sure enough, while running I saw the flag:

flag{8862a805a3140996343da91bdcbda79e}
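What an exhaustive bit-plane scan does, as an added example that is not part of the original write-up and not zsteg's own code. It assumes the PNG has already been decoded to raw RGB bytes, uses a constructed flat grey cover with a constructed message, and only tries MSB-first packing in row order, where zsteg tries many more orderings.

```python
import string

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

def extract_bits(pixels, channel, bit, nchan=3):
    """Collect one bit plane of one channel and pack it MSB-first into bytes."""
    bits = [(pixels[i] >> bit) & 1 for i in range(channel, len(pixels), nchan)]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def embed_lsb(pixels, message, channel, nchan=3):
    """Build the constructed test image: write message bits into a channel's LSB."""
    px = bytearray(pixels)
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    for n, b in enumerate(bits):
        idx = channel + n * nchan
        px[idx] = (px[idx] & 0xFE) | b
    return bytes(px)

def leading_text(data, min_len=8):
    """Return the printable ASCII prefix if it is at least min_len long."""
    n = 0
    while n < len(data) and data[n] in PRINTABLE:
        n += 1
    return data[:n].decode("ascii") if n >= min_len else None

def scan_planes(pixels, nchan=3):
    """Try every channel/bit combination and keep the planes that start with text."""
    found = {}
    for channel in range(nchan):
        for bit in range(8):
            text = leading_text(extract_bits(pixels, channel, bit, nchan))
            if text:
                found[("RGB"[channel], bit)] = text
    return found

# Constructed 16x16 RGB cover (flat grey) carrying a constructed message in blue bit 0.
MESSAGE = b"flag{constructed_example}"
STEGO = embed_lsb(bytes([0x80]) * (16 * 16 * 3), MESSAGE, channel=2)

if __name__ == "__main__":
    print(scan_planes(STEGO))
```
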

Do You Believe In Ghosts?

“Check out this image Donnell Aulner posted on Ghost Town. There’s probably something hidden in this image. Can you find it?”

Sure enough, another .png file. I tried all the steps from above and nothing came back. zsteg didn’t return anything, as expected. They wouldn’t put the same “procedure” in two challenges.

One thing that caught my attention is the title itself: “You believe in ghosts?” I have to see it with my own eyes (classic). What better tool to see if we can “see” ghosts than stegsolve?

Simply enough, you can open the file in stegsolve and go through the different channels:

There you go, you found the ghosts alongside the flag. This was actually a funny challenge.

flag{ghosts_everywhere}

Blasphemy

“We intercepted this image from a user on Ghost Town. Some kind of tool was used to hide a file in this image.”

This one was surprisingly easy. I just did my routine checks, as I do when starting any steganography challenge, when I stepped into this:

Oh hello there! We got our secret:

There is the flag. Pretty straightforward. I always tell people who are starting on CTFs: “Have a procedure, try everything basic first before you start ‘overthinking’ about everything else.”

flag{950634ccc97ca3ef03e22c759a356973}

Start Digging

“There’s a secret buried here, but we need help finding it. Supposedly, there’s a flag hidden deep within this image. But how far down do we need to dig?”

I solved this one fast based on the challenge title itself. As soon as I read “start digging,” I only thought about one thing: “BINWALK!” A couple of years ago, during my Pentesting class, my professor ALWAYS used binwalk for some parts of the challenge, and he always left a little hint saying “keep digging all the files you get.”

Sure enough:

We got new files to work with! A little trick that always works, a “better” way to extract files with binwalk, is the following command:

binwalk --dd=".*" <file>

Sometimes binwalk -e will fail for whatever reason, so --dd=".*" is an alternative to extract every file from it.

We see that in the extracted directory there are other pictures, files and so on. The best way to check them at this point is to simply open them and see what they are:

There is our flag!

flag{buried_s3cr3ts}
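Why a signature scan finds files "buried" in an image, as an added example that is not from the original write-up and is not binwalk's code. The sample is constructed (a 1x1 PNG with a ZIP appended after the IEND chunk), the layout of the real challenge file is not known from the page, and the four signatures are a tiny subset of what binwalk checks.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Well-known file signatures; a real scanner ships a far larger database.
SIGNATURES = {PNG_MAGIC: "png", b"\xff\xd8\xff": "jpeg",
              b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip"}

def scan(data):
    """Return sorted (offset, kind) pairs for every signature found in data."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def png_end(data):
    """Walk the PNG chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length          # length field + type + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

def build_sample():
    """Constructed input: a 1x1 grayscale PNG with a ZIP appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("note.txt", (2020, 10, 16, 0, 0, 0)), "constructed sample payload")
    return png + buf.getvalue()

def extract_trailing_zip(data):
    """Carve everything after IEND and read it as a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data[png_end(data):])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}
```

Any bytes after `png_end()` are ignored by image viewers, which is why appended archives survive unnoticed until something scans the whole file.
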

Boney Boi Breakdance

“We intercepted this image from a known DEADFACE affiliate. Some kind of tool was used to hide a file in this image. Unlike some of the other, easier images that used steganography, this one appears to require a passphrase. I bet it’s somehow related to the image used to hide the file.”

This challenge was especially frustrating for my team and me, and it was simpler than we thought. This will be a short write-up, but I will explain the struggle and hopefully you can learn not to make the same mistakes.

We quickly learned that this file contains a secret with steghide:

Now, how in the world would we find this password? The hint in the description of the challenge says it must have something to do with the picture.

Now, here is our mistake: OVERTHINKING!

I lost a couple of hours on this challenge because I was overthinking it. The first step was to find who created the picture. Easy enough: search “Dance of Death” (name of the file), and you will find that Michael Wolgemut is the painter of that image. There you have it! However, we decided to scrape the WHOLE Wikipedia page about Michael Wolgemut and use every word to brute force the steghide, which in theory would have worked, but it didn’t for one reason: lowercase.

The brute force failed, and we thought the challenge was broken or we were just going in the wrong direction. I talked to another player who had solved it, and he said that we were going in the right direction, but we were overthinking it too much.

Simple enough, I tried his first and last name, and his last name was the password. Now I thought: how in the hell did the brute force fail if his name was in the wordlist? IT WASN’T LOWERCASE.

Interestingly enough, even with the password, we still cannot extract the secret file because it does not have a name. So, we can just extract with an output name and retrieve the flag:

flag{d4n53_m4c4b3_nuremberg}
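The lowercase gap described above, as an added example that is not the team's actual script. The scraped text is a constructed one-line stand-in for the real page, and the function names are hypothetical.

```python
import re

# Constructed stand-in for the scraped page text (not the real Wikipedia article).
SCRAPED = "Michael Wolgemut painted the Dance of Death."

def tokens(text):
    """Unique words in first-seen order, exactly as they appear in the text."""
    return list(dict.fromkeys(re.findall(r"[^\W\d_]+", text)))

def case_variants(word):
    """The word as scraped plus lower, upper and capitalised forms, de-duplicated."""
    return list(dict.fromkeys([word, word.lower(), word.upper(), word.capitalize()]))

def build_wordlist(text, min_len=4):
    """Expand every scraped word of at least min_len letters into its case variants."""
    seen = {}
    for word in tokens(text):
        if len(word) >= min_len:
            seen.update(dict.fromkeys(case_variants(word)))
    return list(seen)

def missed_by_raw_scrape(text, min_len=4):
    """Lowercase candidates that a wordlist of raw tokens would never try."""
    raw = set(tokens(text))
    return [w.lower() for w in tokens(text) if len(w) >= min_len and w.lower() not in raw]

if __name__ == "__main__":
    print(missed_by_raw_scrape(SCRAPED))
    print("\n".join(build_wordlist(SCRAPED)))
```
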

Cheers and Happy Hacking :)
