NACTF 2020 Stego

NACTF was held between October 30th and November 4th. Challenge categories included Reverse Engineering, Binary Exploitation, Cryptography, Steganography, and Web App Exploitation. This is a write-up of a few of the steganography challenges.


Kylie is obsessed with gummies. With her collection of miscellaneous gummy bears, she took this incredible picture which is now her phone's wallpaper. Can you find her flag?

This challenge had me stumped for a while. Going through my usual stego checklist, I just couldn’t see what I was missing. Steghide and jsteg only relate to JPEG and BMP, strings didn’t yield anything, and neither did stegsolve, binwalk, foremost, etc… My last chance was zsteg, which manages steganography for both PNG and BMP. Luckily, this revealed the flag!

silence@mayday:~/$ zsteg gummy.png 
b1,rgb,lsb,xy       .. text: "nactf{5t3gan0graphy_rul35!}"
b2,r,msb,xy         .. text: "QEU@Q@ED"
b2,rgb,msb,xy       .. text: "D@PUEPQAE"
b2,rgba,lsb,xy      .. file: PGP Secret Sub-key -
b4,r,msb,xy         .. text: "Agc' @A313"
b4,g,msb,xy         .. text: "u$C4t3T%7U"
b4,b,lsb,xy         .. file: Targa image data - Map 17 x 4097 x 16 +273 +256 "\023l8\341\253\220\g\223d\263\312n'\237 \351\367"                                                                     
b4,b,msb,xy         .. text: "`F3pB`sap3"
b4,rgb,msb,xy       .. text: "dPVCPc0p"
b4,bgr,msb,xy       .. text: "V@SS0`pp"
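What the `b1,rgb,lsb,xy` line means, as an added example (not part of the original write-up and not zsteg's own code): take the least significant bit of each R, G, B value in scanline order and pack every eight bits into a byte. The flat channel-byte input, the most-significant-first bit packing, the function names and the sample message are assumptions constructed for illustration.

```python
def extract_lsb(channels, max_bytes=64):
    """channels: R, G, B values of each pixel, flattened in scanline (xy) order."""
    out = bytearray()
    limit = min(len(channels), max_bytes * 8)
    for i in range(0, limit - 7, 8):
        byte = 0
        for value in channels[i:i + 8]:
            byte = (byte << 1) | (value & 1)  # keep bit 0 only (b1, lsb)
        out.append(byte)
    return bytes(out)


def printable_prefix(data, min_len=8):
    """Return the leading run of printable ASCII, or None if it is too short."""
    end = 0
    while end < len(data) and 0x20 <= data[end] <= 0x7E:
        end += 1
    return data[:end].decode("ascii") if end >= min_len else None


def make_cover(n_channels=600):
    """Constructed cover data standing in for decoded pixel values."""
    return bytes((i * 37 + 11) % 256 for i in range(n_channels))


def make_sample(message, n_channels=600):
    """Constructed sample: the cover with `message` written into its low bits."""
    cover = bytearray(make_cover(n_channels))
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    for i, bit in enumerate(bits):
        cover[i] = (cover[i] & 0xFE) | bit
    return bytes(cover)


SAMPLE_MESSAGE = b"flag{constructed_sample}"  # constructed, not a real flag

if __name__ == "__main__":
    print(printable_prefix(extract_lsb(make_sample(SAMPLE_MESSAGE))))
    print(printable_prefix(extract_lsb(make_cover())))
```

Only the lowest bit of each channel differs between cover and sample, which is why the image looks unchanged while a per-bit-plane scan finds readable text.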


Mikey really likes Metamorphosis by Franz Kafka, so much so that he sent this meme to the class.

This was a quick solve: going through my usual checklist, I found the flag with exiftool:

silence@mayday:~/$ exiftool meme-3.jpg 
ExifTool Version Number         : 12.07
File Name                       : meme-3.jpg
Directory                       : .
File Size                       : 52 kB
File Modification Date/Time     : 2020:11:02 21:00:31-05:00
File Access Date/Time           : 2020:11:09 23:40:56-05:00
File Inode Change Date/Time     : 2020:11:02 21:00:39-05:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Big-endian (Motorola, MM)
Resolution Unit                 : None
Artist                          : nactf{m3ta_m3ta_m3ta_d3f4j}
Y Cb Cr Positioning             : Centered
Image Width                     : 500
Image Height                    : 461
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 500x461
Megapixels                      : 0.231


Dr. J loves his ch0nky turnips, can you find his ch0nky flag?

I solved this one with a simple strings command:

silence@mayday:~/$ strings turnip-for-what.jpg | grep -i nactf

Turnips 2

Uh oh.. Parth's file seems to have been corrupted. Can you figure out how to find his flag?

A corrupted file? This sounds like fun! Let’s take a look at what file and trid tell us about this file:

silence@mayday:~/$ file file.txt 
file.txt: data

silence@mayday:~/$ trid file.txt 

TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found:  13206

Collecting data from file: file.txt

Ok well that doesn’t help much! Let’s give binwalk a try:

silence@mayday:~/$ binwalk file.txt 

6284          0x188C          TIFF image data, big-endian, offset of first image directory: 8

Hmmm… ok, looks like there is some image data in there. Let’s whip out our hex editor. I recommend ghex, which is an awesome compact hexadecimal editor. If you’re running a Debian-based Linux, install it this way:
sudo apt install ghex

That file header seems familiar…

Examining the file header, I notice that some bytes are similar to what we find at the beginning of a PNG file. This could be a corrupted PNG file! All PNGs start with 89 50 4E 47 0D 0A 1A 0A. Also, often right after these bytes we have 00 00 00 0D 49 48 44 52. I make these 2 changes, save the file and bingo! The flag appears inside the repaired image file.
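The same two hex-editor fixes done in code, as an added example (not from the original write-up): it restores the 8-byte signature and the IHDR length/type bytes, then checks the IHDR CRC to confirm the rest of the header survived. It assumes the damage overwrote bytes in place without shifting the file; the function names and the 1x1 sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")
IHDR_PREFIX = bytes.fromhex("0000000D49484452")  # chunk length 13 + type "IHDR"


def repair_png_header(data):
    """Restore the signature and the IHDR length/type; return (bytes, changes)."""
    if len(data) < 33:  # 8 signature + 8 chunk header + 13 IHDR body + 4 CRC
        raise ValueError("too short to hold a PNG signature and an IHDR chunk")
    fixed, changes = bytearray(data), []
    if fixed[0:8] != PNG_SIGNATURE:
        fixed[0:8] = PNG_SIGNATURE
        changes.append("signature")
    if fixed[8:16] != IHDR_PREFIX:
        fixed[8:16] = IHDR_PREFIX
        changes.append("IHDR length/type")
    return bytes(fixed), changes


def ihdr_crc_ok(png):
    """The stored CRC covers chunk type + body, so a match means IHDR is intact."""
    (stored,) = struct.unpack(">I", png[29:33])
    return zlib.crc32(png[12:29]) == stored


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png():
    """Constructed input: a valid 1x1 RGB PNG (one red pixel)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + R, G, B
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def corrupt_header(png):
    """Constructed damage: wipe "PNG" in the signature and the "IHDR" type."""
    broken = bytearray(png)
    broken[1:4] = b"\x00\x00\x00"
    broken[12:16] = b"\x00\x00\x00\x00"
    return bytes(broken)


if __name__ == "__main__":
    fixed, changes = repair_png_header(corrupt_header(make_sample_png()))
    print(changes, "IHDR CRC ok:", ihdr_crc_ok(fixed))
```

If the CRC check still fails after the repair, the width, height or other IHDR fields were damaged too and need fixing before a viewer will open the file.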

Secret Message

Monica loves inventing secret languages. So much so that she claims to be the only one to know the message in this recording. What does it say?

This “sounds” pretty straightforward. Playing the audio clearly reveals morse code. Let’s load it up inside our favorite morse audio decoder:

And there’s our flag: nactf{QU33N_0F_L4NGU4G3S}

Many thanks to the organizers of NACTF and Trail of Bits for providing the competition prizes!
