CTF Tidbits: Part 1 — Steganography

I have been asked by a few folks what tools I use for CTF’s. What I use all depends on what the CTF is. There are all sorts of CTFs for all facets of infosec, Forensics, Steganography, Boot2Root, Reversing, Incident response, Web, Crypto, and some can have multiple components involving the things mentioned above and require numerous flags to move forward in the CTF. All of these components need different sets of tools to get the flag. This is part one of the CTF tidbits series and I will more than likely add additional stuff to this in the next few days.

You will probably see things in here and think “That’s stupid, x idea is way easier.” Good, show me and everyone else. If you have an addition that you would like to make I will gladly add it and reference that it’s your recommendation or link to your blog or post. This post is an accumulation of random things that have worked for me and that I have found through reading and tinkering.
This article is a high-level overview of maybe where to start or other things you can try if you are stuck on a challenge.

There is going to be a considerable amount of small failures on the horizon if you decide to start doing CTF’s or anything really. That’s okay. You can get a lot out of those failures. Yea “X” may not have worked on “Y”, but maybe it will work elsewhere and now that you used it you’re more proficient with it and know that it’s an option later on. As @highmeh says “fail upward” failures don’t have to be bad, and you can learn a lot from them.

Steganography

Steganography is the practice of concealing messages or information within other non-secret text or data. There is a wide range of file types and methods of hiding files/data. I am briefly going to go over multiple tools that I use.
Where to start is dependant on the file type. There are a few things I will do to every file type just to be sure it isn’t super a simple solution. We are going to use generic portions of various CTFs for these examples.

There are a few steps I take with stego challenges.
- Verify the file extension is right. I have spends more time than I care to mention working on a file only to realize the file extension was intentionally changed.
- Do the basics first, go for low hanging fruit. Hit the file with ‘file’, ‘strings’, ‘exiftool’, pngcheck, and look at it in a hex editor and then move into tools geared toward the specific file type that I am dealing with.
- A lot of the tools I use are dependent on file type. Google: “filetype ctf tools”

There are a dozens of tools that I am not going to cover in this guide. If you feel I should have mentioned one, let me know. This guide should give you a pretty okay starting point for finding more tools and methods of approaching steganography.

Getting the flag is highly dependant on your persistence and your googlefoo a lot of the time.

Tools

• Strings: finds and prints text strings embedded in all files strings filename
  - Hexeditor: A hex editor, also called a binary file editor or byteeditor, is a type of program that allows a user to view and edit the raw and exact contents of files, that is, at the byte level
  - binwalk: Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images. Binwalk is a great tool for extracting hidden files from other files as well.
  - File: The file command determines the file type of a file. It reports the file type in human readable format (e.g. ‘ASCII text’) or MIME type (e.g. ‘text/plain; charset=us-ascii’). As filenames in UNIX can be entirely independent of file type file can be a useful command to determine how to view or work with a file.
  - xxd: is a Linux command that creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form. Like uuencode(1) and uudecode(1) it allows the transmission of binary data in a “mail-safe” ASCII representation, but has the advantage of decoding to standard output.
  - stegsolv: A great GUI tool that covers a wide range of analysis, some of which is covered by the other tools mentioned above and a lot more including color profiles, planes, Color maps, strings.
  - Sonic visualizer: Sonic Visualizer is a great tool to find hidden messages in audio files and a great way to work with audio files in general.

The tools mentioned above are not the only tools. This is just to get a good starting point so that it will be easier for you to find resources that will help you along your way. It’s hard tofind something if you don’t know what to look for.

Tools Use Examples below.

File:

#file <filename> 

File with misleading extension revealed by the file command

Another gif extension that is not a gif.

Sonic visualizer:
Sonic Visualizer is a great tool to find hidden messages in audio files.

Example of a spectrogram with something neat in it.

Remember that just because it’s a mp3 does not mean it’s going to have an answer in the spectrogram. Example below.

CTF example without any cool spectrogram stuffs

The flag for the file mentioned above was hidden between mp3 frames. Strings was the tool that was used to find the flag on this one. Image below.

I blurred out the filename and base64 string which was the flag for this this is still an active CTF

I am going to show you one more Spectrogram with a flag in it.

Flag hid due to being a live CTF

Hex editor: Hex editors are a fantastic tool for a wide range of things. The basis of a hex editor is that they display the raw contents of the file.

This is the text file in a text editor. The weird chars” � � � � ��” you see are called replacement characters they are replacing the undecipherable data. A lot of the time data is lost when you copy and paste these replacement chars into one of the hundreds of available online text decoders.

This is the same file in a hex editor. As you can see there is more than met the eye initially.

Fortunately, all the data is intact for us. Copy and pasting the replacement chars into an online decoder gives us the flag. Image below.

Strings: is a great for printing the strings of printable characters in files.

# strings filename | awk 'length($0)>15' | sort -u
                                     /\
                      Setting the minimum length
                      for a string can help clean
                      out a lot of the garbage.
                      this will only print strings
                      with 15 or more chars.
# strings -a -n 15 filename

“String -a” scans the whole file instead of the data section.

binwalk: is great for checking out if other files are embedded or appended to a file.

“binwalk -e” Automatically extracts all files. For this specific file this did not do us any good.

pngcheck: check for any corruption or anomalous sections pngcheck -v PNGs can contain a variety of data ‘chunks’ that are optional (non-critical) as far as rendering is concerned.

A corrupted PNG

The example above is a great example for an intentionally corrupted image that requires you to fix to get the flag. There is a enough information in the error for you to google how to fix the issue which requires quite a bit of work.

exiftool: Check out metadata of media files

stegsolv: A great GUI tool that covers a wide range of analysis, some of which is covered by the other tools mentioned above and a lot more including color profiles, planes, Color maps, strings.

Online Tools:
Universal decoders
https://2cyr.com/decode/
https://ftfy.now.sh/

These two tools are great fro strange unicode issues and decoding strings.

Example of what the two tools above do.

Examples From CTF’s

I said this was going to be mostly about tools but It’s hard to provide context and order of operations without providing examples.

Fake File Extensions:

This specific file had the GIF file extension but running the ‘file’ command shows us that this is not a gif.

This is what an actual GIF looks like

After seeing that the file was not a gif and was a text file I catted it

The same file in a hex editor

The same file with strings.

The file in a text editor

My point in showing you the same things multiple times with various tools is that there are multiple ways to get the same answer.

Files in a file:

We can see that this an ICO file.

Interesting strings for an ICO file

The same file in a hexeditor

PK could be in indicator that there is a ZIP hidden in this file. Possibly the PK header of a ZIP. File Signature list.

I am going to show you two ways that I know of handling this. Easiest first and hardest second.

Method 1: binkwalk the file.

We use binwalk -e to extract any potential files. This worked and we have a password protected ZIP file. As you can see below.

Method 2: Extracting and saving hex.

As you can see in the image below I have everything highlighted from 50 4b which is the PK file header on.

Pasting and saving the RAW hex from the PK header on into a GUI hexeditor.

I saved the file from the hex editor above as ‘test.zip’

The Zip file is password protected

We can see in this image that the two methods of extracting the file provide the same results.

There were no other indicators as to what the password might be so we are going to beat the file down with ‘fcrackzip’.

THE PASSWORD WAS a

I spent a lot longer on this than I care to say do to setting the minimum chars to 4 with the args “-l4”. I assumed no one would use anything less than 4 chars, I was wrong. Now we have the txt file extracted from the zip.

The text file from the password protected zip.

Simply hidden

Image provided

Let’s hit the file with a few tools mentioned above.

The file is actually a JPEG file.

We can see a Binary string that was dumped from the image

Same as the results as above but in a Hexeditor

Opening the file in notepad also reveals the same thing.

The binary string converted to ASCII gives us the flag to move on.

Hidden in plane Sight

This one is probably as simple as it will get. I am hiding the image portion due to this still being an active CTF.

We can see a huge amount of blank space around the image. None of the normal tools I usually use with an image provided any results to get me closer to a flag.

Opening the image in Stegsolve and clicking through the planes gives us a flag. Image below.

Image in StegSolve which reveals the flag.

Nice Colors

I have seen this type of thing several times. It was annoying initially. The first time I did one of these it took me an unreasonable amount of time to finish, well beyond scoring time.

I did the same thing with this photo that I do with the other files. hit it with file, strings, and all the others. Even if you don’t find the answer sometimes the CTF creator will toss a hint somewhere.

This is the image they provide

The file opened in GIMP

We have the file open in GIMP. If we use the eyedropper on each of the colors we get
1: 8b8b61 2: 8b8b61 3: 8B8B70 4: 8B8B6A 5: 8B8B65 6: 8B8B73 which is a hex representation. We want the last two digits of each of the color values. this leaves us with 61 61 70 6A 65 73. converted into ascii gives us the password to move to the next flag.

Random Resources.

• Modifying IHDR chunk to change the width or height of an image to reveal hidden portions of the photo where a flag might be hidden. https://www.w3.org/TR/PNG/#11IHDR
• File signatures
• A large set of tools specifically for Steganography
  https://github.com/DominicBreuker/stego-toolkit
• stegosound-visualizerAudio file visualization
  stegosteganabaraAnother image steganography solver
  stegostegdetectSteganography detection/breaking tool
  stegostegsolveImage steganography solver
  stegozstegdetect stegano-hidden data in PNG & BMP.
• OpenStego
• Gimp
• ffmpeg

TODO:
I have 4 more CTF snippets to add to this.
I need to add more resources to the footer
A few more tools need to be added.