ShellCon – October 2020
Below are 3 steganography challenges involving images and a pdf.
Challenge 1/3
Welcome to stego! We'll start easy

Download the file so that you can try this challenge too:
When provided with an image that’s part of a challenge, here’s my first-minute checklist before I look for anything more complicated:
- Run `file` on the image. The result of this command can be obfuscated by operators, but it’s always worth a try to understand what we’re dealing with.
- Run `strings` on the image, with an optional grep on something related to the flag syntax (`flag{` for instance).
- Run `binwalk` on the image. This will give you precious information on how the file is structured, whether it includes compressed data, other images, etc.
- Run `steghide` on the image. If there is an embedded file that `steghide` can extract, you will be asked for an optional passphrase (password).
In this case, since it’s the first stego challenge of the CTF, it should be pretty simple, as the hint suggests. Let’s go ahead with my checklist, starting with `file`:
silence@mayday$ file castle.jpg
castle.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1920x1080, components 3
Looks like a perfectly normal JPEG file. Moving on to `strings`:
silence@mayday$ strings castle.jpg
Exif
Ducky
,http://ns.adobe.com/xap/1.0/
<?xpacket begin="
### lots of lines removed here to shorten the post ###
"Cf(&
pe#,s+
fX5d
*F-#
andhajwdhafnllawiufiawfauwfyaumopkauwhdakwflflag{s1mpl3r_th4n_ud_th1nk}auwdyuawyduydauwiry7rq7rqryqgryqgryqgyrgyqgryqgurgqurgqugruqgruqgruqrgfdfiaufiuyoqwieuytrgfvbvjcnso8732965ythf012374
Do you see anything peculiar about the end of the output? It’s pretty unusual to have so much text at the end of a file when running `strings` on an image: a JPEG ends with its EOI marker, and image viewers ignore whatever is appended after it, which is why the picture still displays normally. But there you have it, our flag in leetspeak: flag{s1mpl3r_th4n_ud_th1nk}
Hint
When using `strings`, try combining it with `grep`. If you know the flag syntax, try searching for it like this:
silence@mayday$ strings castle.jpg | grep flag{
andhajwdhafnllawiufiawfauwfyaumopkauwhdakwflflag{s1mpl3r_th4n_ud_th1nk}auwdyuawyduydauwiry7rq7rqryqgryqgryqgyrgyqgryqgurgqurgqugruqgruqgruqrgfdfiaufiuyoqwieuytrgfvbvjcnso8732965ythf012374
This will only display the lines in which `flag{` was found, speeding up your search. I have encountered CTFs where the flag syntax was `FLAG{` in caps, so you should throw in the case-insensitive flag just to be sure:
silence@mayday$ strings castle.jpg | grep -i flag{
It’s also worth your time to use regular expressions. Note that the following one will only work if there is a single flag per line and the flag doesn’t span multiple lines (the `.*` is greedy, so two flags on one line would be matched as one), but you can make it fancier to overcome those limitations. The `-o` flag means “Print only the matched (non-empty) parts of a matching line”, so it prevents `grep` from printing the whole line.
silence@mayday$ strings castle.jpg | grep -o flag{.*}
flag{s1mpl3r_th4n_ud_th1nk}
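As an added example (not code from the original write-up), here is a Python script that covers the two points above that `strings | grep -o` leaves to the eye: it walks the JPEG marker segments to find where the real image ends, so that appended data like the text at the end of castle.jpg is measured exactly rather than guessed from the last `FF D9`, and it pulls every flag{...}-shaped string out of the raw bytes, handling several flags per line, either case, and flags broken across newlines. The sample bytes are constructed for the demo, not taken from the challenge file.

```python
import re

FLAG_RE = re.compile(rb"flag\{[^{}]*\}", re.IGNORECASE)   # matches flag{...} and FLAG{...}


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9) of the main image. Walks the marker
    segments so an EXIF thumbnail (a whole JPEG inside APP1) or marker-like bytes in
    appended data cannot throw the result off, unlike a plain search for the last FF D9."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                         # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:                         # fill byte, skip it
            pos += 1
            continue
        if marker in (0x01, *range(0xD0, 0xD8)):   # standalone markers carry no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:   # SOS: skip entropy-coded data (FF00 = stuffing, FFD0-D7 = RSTn)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image proper; a clean JPEG returns b''."""
    return data[jpeg_end(data):]


def find_flags(data: bytes) -> list[str]:
    """Every flag{...}-shaped string in the raw bytes, any case, several per line, across newlines."""
    return [m.group().decode("ascii", "replace") for m in FLAG_RE.finditer(data)]


# Constructed sample (not a real file): a minimal JPEG skeleton followed by appended
# junk hiding two flags, the same shape as challenge 1's castle.jpg.
SAMPLE = (
    b"\xff\xd8"                                        # SOI
    + b"\xff\xe0\x00\x06JFIF"                          # APP0, length 6
    + b"\xff\xda\x00\x03\x01"                          # SOS header, length 3
    + b"\x12\xff\x00\x34\xff\xd0\x56"                  # scan data with byte stuffing and RST0
    + b"\xff\xd9"                                      # EOI
    + b"junkflag{s1mpl3r_th4n_ud_th1nk}more\nFLAG{sec0nd\none}tail"
)
```

On a real file, `find_flags(open("castle.jpg", "rb").read())` replaces the `strings | grep` pipeline and `trailing_data` tells you how many bytes were appended after the image.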
Challenge 2/3
Alright, consider yourself warmed; we'll begin shoveling

Download the file so that you can try this challenge too:
In this case, neither `file`, `strings`, nor `binwalk` help out much. But `steghide` seems promising:
silence@mayday$ steghide info castle.jpg
"castle.jpg":
format: jpeg
capacity: 16.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "f.jpg":
size: 7.0 KB
encrypted: rijndael-128, cbc
compressed: yes
After typing `y`, because obviously I want to get information about any data that could be embedded in the image, `steghide` always asks for a passphrase (password), even if there isn’t one protecting the embedded files. So it’s always a surprise when I get a result without entering a password, as I do here. As you can see on line 7, `steghide` tells me that there is an embedded file called `f.jpg` that I will be able to extract without having to enter a password:
silence@mayday$ sudo steghide extract -sf castle.jpg
Enter passphrase:
wrote extracted data to "f.jpg".
Let’s check out this image that was extracted from `castle.jpg`:

Keep `steghide` handy in your toolbox, it will be used often!
Challenge 3/3
Like the rising sun upon a morning beach, I just wanna get you warmed-up
For this challenge, we are given a pdf file that you can download here:
Most of the time, what PDFs hide is invisible text (or white text on a white background), so this is the first thing to search for, and it can be done in multiple ways.
In this case I started by using the search feature of my PDF reader, searching for “flag”. Bingo! My reader highlighted an area where there was supposedly no text. I highlighted the rest of the invisible content and pasted it into a text editor to see what it was. Sure enough, it was the flag: flag{n1c3_5c0p1ng}

Another way of solving this would have been to select all the text with CTRL-A, paste it into a text editor, and then search for “flag”.
Thanks for reading this write-up on steganography. If you know a better way of solving the above challenges, please share in the comments below, thanks!
Kudos to @S1rDr0n3 for the cool challenges! Keep’em coming!
Following your advice with grep, here you have another way for challenge 3:
$ pdftotext NotASuspiciousPDF.pdf - | grep -o flag{.*}
flag{n1c3_5c0p1ng}
Hi dansec, very cool, thanks for the tip!
Following dansec’s comment, I downloaded pdftotext (and other utilities) from here:
https://www.xpdfreader.com/download.html