CTF Tidbits: Part 1 — Steganography

Steganography

Tools

# file <filename>
File with misleading extension revealed by the file command
Another gif extension that is not a gif.
Example of a spectrogram with something neat in it.
CTF example without any cool spectrogram stuffs
I blurred out the filename and base64 string, which was the flag for this; this is still an active CTF.
Flag hidden due to being a live CTF
This is the text file in a text editor. The weird chars “� � � � ��” you see are called replacement characters; they replace the undecipherable data. A lot of the time, data is lost when you copy and paste these replacement chars into one of the hundreds of available online text decoders.
This is the same file in a hex editor. As you can see there is more than met the eye initially.
# strings filename | awk 'length($0)>=15' | sort -u
Setting the minimum length for a string can help clean out a lot of the garbage. This will only print strings with 15 or more chars.
# strings -a -n 15 filename
“strings -a” scans the whole file instead of only the data section.
“binwalk -e” automatically extracts all files. For this specific file, this did not do us any good.
A corrupted PNG
Example of what the two tools above do.

Examples From CTFs

This specific file had the GIF file extension but running the ‘file’ command shows us that this is not a gif.
This is what an actual GIF looks like
After seeing that the file was not a gif and was a text file, I catted it.
The same file in a hex editor
The same file with strings.
The file in a text editor
We can see that this is an ICO file.
Interesting strings for an ICO file
The same file in a hex editor
Pasting and saving the RAW hex from the PK header onward into a GUI hex editor.
The Zip file is password protected
We can see in this image that the two methods of extracting the file provide the same results.
THE PASSWORD WAS a
The text file from the password protected zip.
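The carving step above (saving everything from the PK header on as its own file) can also be scripted. This is an added example, not part of the original write-up: it checks magic bytes the way `file` does, carves from the first `PK\x03\x04` signature, and reports each entry's encryption flag. The sample input is constructed inside the script and is not password protected, since Python's zipfile cannot write encrypted archives; `flag.txt` and its contents are made up.

```python
import io
import struct
import zipfile

# Leading magic bytes for the formats that appear in this write-up.
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\x00\x00\x01\x00": "ico",
    b"PK\x03\x04": "zip",
}

def sniff(data: bytes) -> str:
    """Return the type implied by the header bytes, ignoring any extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def carve_zip(data: bytes):
    """Return (offset, bytes) from the first PK local-file header to EOF."""
    offset = data.find(b"PK\x03\x04")
    if offset == -1:
        return None
    return offset, data[offset:]

def list_entries(zip_bytes: bytes):
    """List (name, encrypted?) per entry; bit 0 of the flags marks encryption."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]

def build_sample() -> bytes:
    """Constructed input: a minimal ICO header with a ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed-sample-flag")
    # ICONDIR (reserved=0, type=1, count=1) plus one empty 16-byte entry
    ico_header = struct.pack("<HHH", 0, 1, 1) + b"\x00" * 16
    return ico_header + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("header says:", sniff(sample))
    offset, carved = carve_zip(sample)
    print("PK header at offset", offset, "->", list_entries(carved))
```

An entry reported as encrypted is the scripted equivalent of the password prompt shown above.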
Image provided
The file is actually a JPEG file.
We can see a binary string that was dumped from the image
Same results as above but in a hex editor
Opening the file in notepad also reveals the same thing.
Image in StegSolve which reveals the flag.
This is the image they provide
The file opened in GIMP

Random Resources.
