Hacktober’s steganography challenges were fun and intense! Here are a few of them.
Boney Boi Breakdance
This first challenge (the header image up there) can be downloaded here:
We intercepted this image from a known DEADFACE affiliate. Some kind of tool was used to hide a file in this image. Unlike some of the other easier images that used steganography, this one appears to require a passphrase. I bet it's somehow related to the image used to hide the file.
As always, I go through my stego checklist (file, strings, binwalk, steghide) and sure enough, steghide gets blocked by a required passphrase. That last sentence in the hint probably means that I need to research the picture. I quickly google “dance of death” and open up the Wikipedia page.
Fortunately, the image shows up at the top.
First I try “1493” as the passphrase but that fails. Then I try “michaelwolgemut”, no joy. I’m committed to try all the names that are in here before I need to read through the whole wikipedia page or use cewl to scrape all the words from the page and make it a wordlist to use stegcrack on. So I punch in “wolgemut” and hurray! Or almost!
silence@mayday:~/$ steghide extract -sf dance_of_death.jpg -p wolgemut
steghide: please specify a file name for the extracted data (there is no name embedded in the stego file).
First time I ever bump into this steghide error message! At first I panicked, I thought I would need to specify what the hidden file name was. But after reading the error message over and checking steghide’s options, I understand that steghide just needs me to enter the name of the file in which the results will be written.
silence@mayday:~/$ steghide extract -sf dance_of_death.jpg -p wolgemut -xf solve.txt
wrote extracted data to "solve.txt".
silence@mayday:~/$ more solve.txt
flag{d4n53_m4c4br3_nuremberg}
Blasphemy
We intercepted this image from a user on Ghost Town. Some kind of tool was used to hide a file in this image.
Download this file here so that you can try this yourself:
Sometimes you don’t even need to look at the image to solve it 🙂 It was pretty much the case here where the secret file could be extracted with a passphrase-less steghide command:
silence@mayday:~/$ steghide extract -sf witches.jpg
Enter passphrase:
wrote extracted data to "secret.txt.o".
silence@mayday:~/$ more secret.txt.o
flag{950634ccc97ca3ef03e22c759a356973}
Start Digging
There's a secret buried here, but we need help finding it. Supposedly, there's a flag hidden deep within this image. But how far down do we need to dig?
This image can be downloaded here:
For this challenge, file tells us that there are 3 components in the image, binwalk also warns us that there’s something suspicious going on:
silence@mayday:~/$ file steg06.jpg
steg06.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 481x750, components 3
silence@mayday:~/$ binwalk steg06.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
117819 0x1CC3B JPEG image data, EXIF standard
117831 0x1CC47 TIFF image data, big-endian, offset of first image directory: 8
118003 0x1CCF3 JPEG image data, EXIF standard
118015 0x1CCFF TIFF image data, big-endian, offset of first image directory: 8
I think it’s time to use my secret weapon: foremost. This great tool is actually used in forensics for data recovery. Fun fact, It was written by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations.
After simply running foremost steg06.jpg, an output/jpg directory is created which contains this:
There’s our flag, flag{buried_s3cr3ts}
An alternative way of extracting it would have been with binwalk, using this command:
silence@mayday:~/$ binwalk --dd='.*' steg06.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
117819 0x1CC3B JPEG image data, EXIF standard
117831 0x1CC47 TIFF image data, big-endian, offset of first image directory: 8
118003 0x1CCF3 JPEG image data, EXIF standard
118015 0x1CCFF TIFF image data, big-endian, offset of first image directory: 8
So next time you get stuck with a passphrase you don’t have, try using binwalk --dd and foremost before attempting to use something like stegcrack.
That’s it for the steganography challenges I was able to solve during Hacktober CTF. Hope you learned something! If you have any better solutions to solve the above, please let me know in the comments below. Also, as a reminder, I try as much as possible to include the original material here so that you can analyse the images yourself. I need to zip them though because otherwise they will be processed by WordPress and might lose the embedded stego. Boo!
Silence Mayday 
