Halloween Stego!

Posted by

Hacktober’s steganography challenges were fun and intense! Here are a few of them.

Boney Boi Breakdance

This first challenge (the header image up there) can be downloaded here:

We intercepted this image from a known DEADFACE affiliate. Some kind of tool was used to hide a file in this image. Unlike some of the other easier images that used steganography, this one appears to require a passphrase. I bet it's somehow related to the image used to hide the file.

As always, I go through my stego checklist (file, strings, binwalk, steghide) and sure enough, steghide gets blocked by a required passphrase. That last sentence in the hint probably means that I need to research the picture. I quickly google “dance of death” and open up the Wikipedia page.

Fortunately, the image shows up at the top.

First I try “1493” as the passphrase but that fails. Then I try “michaelwolgemut”, no joy. I’m committed to try all the names that are in here before I need to read through the whole wikipedia page or use cewl to scrape all the words from the page and make it a wordlist to use stegcrack on. So I punch in “wolgemut” and hurray! Or almost!

silence@mayday:~/$ steghide extract -sf dance_of_death.jpg -p wolgemut
steghide: please specify a file name for the extracted data (there is no name embedded in the stego file).

First time I ever bump into this steghide error message! At first I panicked, I thought I would need to specify what the hidden file name was. But after reading the error message over and checking steghide’s options, I understand that steghide just needs me to enter the name of the file in which the results will be written.

silence@mayday:~/$ steghide extract -sf dance_of_death.jpg -p wolgemut -xf solve.txt
wrote extracted data to "solve.txt".
silence@mayday:~/$ more solve.txt 
flag{d4n53_m4c4br3_nuremberg}

Blasphemy

We intercepted this image from a user on Ghost Town. Some kind of tool was used to hide a file in this image.

Download this file here so that you can try this yourself:

Sometimes you don’t even need to look at the image to solve it 🙂 It was pretty much the case here where the secret file could be extracted with a passphrase-less steghide command:

silence@mayday:~/$ steghide extract -sf witches.jpg 
Enter passphrase: 
wrote extracted data to "secret.txt.o".
silence@mayday:~/$ more secret.txt.o 
flag{950634ccc97ca3ef03e22c759a356973}

Start Digging

Not exactly the next gen console…
There's a secret buried here, but we need help finding it. Supposedly, there's a flag hidden deep within this image. But how far down do we need to dig?

This image can be downloaded here:

For this challenge, file tells us that there are 3 components in the image, binwalk also warns us that there’s something suspicious going on:

silence@mayday:~/$ file steg06.jpg
steg06.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 481x750, components 3 

silence@mayday:~/$ binwalk steg06.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
117819        0x1CC3B         JPEG image data, EXIF standard
117831        0x1CC47         TIFF image data, big-endian, offset of first image directory: 8
118003        0x1CCF3         JPEG image data, EXIF standard
118015        0x1CCFF         TIFF image data, big-endian, offset of first image directory: 8

I think it’s time to use my secret weapon: foremost. This great tool is actually used in forensics for data recovery. Fun fact, It was written by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations.

After simply running foremost steg06.jpg, an output/jpg directory is created which contains this:

There’s our flag!

There’s our flag, flag{buried_s3cr3ts}

An alternative way of extracting it would have been with binwalk, using this command:

silence@mayday:~/$ binwalk --dd='.*' steg06.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
117819        0x1CC3B         JPEG image data, EXIF standard
117831        0x1CC47         TIFF image data, big-endian, offset of first image directory: 8
118003        0x1CCF3         JPEG image data, EXIF standard
118015        0x1CCFF         TIFF image data, big-endian, offset of first image directory: 8

So next time you get stuck with a passphrase you don’t have, try using binwalk --dd and foremost before attempting to use something like stegcrack.


That’s it for the steganography challenges I was able to solve during Hacktober CTF. Hope you learned something! If you have any better solutions to solve the above, please let me know in the comments below. Also, as a reminder, I try as much as possible to include the original material here so that you can analyse the images yourself. I need to zip them though because otherwise they will be processed by WordPress and might lose the embedded stego. Boo!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s