CTF Tidbits: Part 1 — Steganography
I have been asked by a few folks what tools I use for CTF’s. What I use all depends on what the CTF is. There are all sorts of CTFs for all facets of infosec, Forensics, Steganography, Boot2Root, Reversing, Incident response, Web, Crypto, and some can have multiple components involving the things mentioned above and require numerous flags to move forward in the CTF. All of these components need different sets of tools to get the flag. This is part one of the CTF tidbits series and I will more than likely add additional stuff to this in the next few days.
You will probably see things in here and think “That’s stupid, x idea is way easier.” Good, show me and everyone else. If you have an addition that you would like to make I will gladly add it and reference that it’s your recommendation or link to your blog or post. This post is an accumulation of random things that have worked for me and that I have found through reading and tinkering.
This article is a high-level overview of maybe where to start or other things you can try if you are stuck on a challenge.
There is going to be a considerable amount of small failures on the horizon if you decide to start doing CTF’s or anything really. That’s okay. You can get a lot out of those failures. Yea “X” may not have worked on “Y”, but maybe it will work elsewhere and now that you used it you’re more proficient with it and know that it’s an option later on. As @highmeh says “fail upward” failures don’t have to be bad, and you can learn a lot from them.
Steganography is the practice of concealing messages or information within other non-secret text or data. There is a wide range of file types and methods of hiding files/data. I am briefly going to go over multiple tools that I use.
Where to start is dependant on the file type. There are a few things I will do to every file type just to be sure it isn’t super a simple solution. We are going to use generic portions of various CTFs for these examples.
There are a few steps I take with stego challenges.
- Verify the file extension is right. I have spends more time than I care to mention working on a file only to realize the file extension was intentionally changed.
- Do the basics first, go for low hanging fruit. Hit the file with ‘file’, ‘strings’, ‘exiftool’, pngcheck, and look at it in a hex editor and then move into tools geared toward the specific file type that I am dealing with.
- A lot of the tools I use are dependent on file type. Google: “filetype ctf tools”
There are a dozens of tools that I am not going to cover in this guide. If you feel I should have mentioned one, let me know. This guide should give you a pretty okay starting point for finding more tools and methods of approaching steganography.
Getting the flag is highly dependant on your persistence and your googlefoo a lot of the time.
- Strings: finds and prints text strings embedded in all files
- Hexeditor: A hex editor, also called a binary file editor or byteeditor, is a type of program that allows a user to view and edit the raw and exact contents of files, that is, at the byte level
- binwalk: Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images. Binwalk is a great tool for extracting hidden files from other files as well.
- File: The
filecommand determines the file type of a file. It reports the file type in human readable format (e.g. ‘ASCII text’) or MIME type (e.g. ‘text/plain; charset=us-ascii’). As filenames in UNIX can be entirely independent of file type
filecan be a useful command to determine how to view or work with a file.
- xxd: is a Linux command that creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form. Like uuencode(1) and uudecode(1) it allows the transmission of binary data in a “mail-safe” ASCII representation, but has the advantage of decoding to standard output.
- stegsolv: A great GUI tool that covers a wide range of analysis, some of which is covered by the other tools mentioned above and a lot more including color profiles, planes, Color maps, strings.
- Sonic visualizer: Sonic Visualizer is a great tool to find hidden messages in audio files and a great way to work with audio files in general.
The tools mentioned above are not the only tools. This is just to get a good starting point so that it will be easier for you to find resources that will help you along your way. It’s hard tofind something if you don’t know what to look for.
Tools Use Examples below.
Sonic Visualizer is a great tool to find hidden messages in audio files.
Remember that just because it’s a mp3 does not mean it’s going to have an answer in the spectrogram. Example below.
The flag for the file mentioned above was hidden between mp3 frames. Strings was the tool that was used to find the flag on this one. Image below.
I am going to show you one more Spectrogram with a flag in it.
Hex editor: Hex editors are a fantastic tool for a wide range of things. The basis of a hex editor is that they display the raw contents of the file.
Fortunately, all the data is intact for us. Copy and pasting the replacement chars into an online decoder gives us the flag. Image below.
Strings: is a great for printing the strings of printable characters in files.
# strings filename | awk 'length($0)>15' | sort -u
Setting the minimum length
for a string can help clean
out a lot of the garbage.
this will only print strings
with 15 or more chars.
# strings -a -n 15 filename
binwalk: is great for checking out if other files are embedded or appended to a file.
pngcheck: check for any corruption or anomalous sections
pngcheck -v PNGs can contain a variety of data ‘chunks’ that are optional (non-critical) as far as rendering is concerned.
The example above is a great example for an intentionally corrupted image that requires you to fix to get the flag. There is a enough information in the error for you to google how to fix the issue which requires quite a bit of work.
exiftool: Check out metadata of media files
stegsolv: A great GUI tool that covers a wide range of analysis, some of which is covered by the other tools mentioned above and a lot more including color profiles, planes, Color maps, strings.
These two tools are great fro strange unicode issues and decoding strings.
Examples From CTF’s
I said this was going to be mostly about tools but It’s hard to provide context and order of operations without providing examples.
Fake File Extensions:
My point in showing you the same things multiple times with various tools is that there are multiple ways to get the same answer.
Files in a file:
PK could be in indicator that there is a ZIP hidden in this file. Possibly the PK header of a ZIP. File Signature list.
I am going to show you two ways that I know of handling this. Easiest first and hardest second.
Method 1: binkwalk the file.
We use binwalk -e to extract any potential files. This worked and we have a password protected ZIP file. As you can see below.
Method 2: Extracting and saving hex.
As you can see in the image below I have everything highlighted from 50 4b which is the PK file header on.
I saved the file from the hex editor above as ‘test.zip’
There were no other indicators as to what the password might be so we are going to beat the file down with ‘fcrackzip’.
I spent a lot longer on this than I care to say do to setting the minimum chars to 4 with the args “-l4”. I assumed no one would use anything less than 4 chars, I was wrong. Now we have the txt file extracted from the zip.
Let’s hit the file with a few tools mentioned above.
The binary string converted to ASCII gives us the flag to move on.
Hidden in plane Sight
This one is probably as simple as it will get. I am hiding the image portion due to this still being an active CTF.
We can see a huge amount of blank space around the image. None of the normal tools I usually use with an image provided any results to get me closer to a flag.
Opening the image in Stegsolve and clicking through the planes gives us a flag. Image below.
I have seen this type of thing several times. It was annoying initially. The first time I did one of these it took me an unreasonable amount of time to finish, well beyond scoring time.
I did the same thing with this photo that I do with the other files. hit it with file, strings, and all the others. Even if you don’t find the answer sometimes the CTF creator will toss a hint somewhere.
We have the file open in GIMP. If we use the eyedropper on each of the colors we get
1: 8b8b61 2: 8b8b61 3: 8B8B70 4: 8B8B6A 5: 8B8B65 6: 8B8B73 which is a hex representation. We want the last two digits of each of the color values. this leaves us with 61 61 70 6A 65 73. converted into ascii gives us the password to move to the next flag.
- Modifying IHDR chunk to change the width or height of an image to reveal hidden portions of the photo where a flag might be hidden. https://www.w3.org/TR/PNG/#11IHDR
- File signatures
- A large set of tools specifically for Steganography
- stegosound-visualizerAudio file visualization
stegosteganabaraAnother image steganography solver
stegostegdetectSteganography detection/breaking tool
stegostegsolveImage steganography solver
stegozstegdetect stegano-hidden data in PNG & BMP.
I have 4 more CTF snippets to add to this.
I need to add more resources to the footer
A few more tools need to be added.