Category: Stegano
Points: 300
Solves: 8
Description: A key is Hidden within this file, Find it and get the f**kin' flag
Attachment: 61b94d373df24a669390bf5cc31090ac
This particular steganography challenge covers a bunch of different techniques, which is why it was called Ultimate Steg. In solving this, I utilized my StegoDone tool extensively. Let's start by taking a look at the initial file we are given. Since it has no extension, let's use file to discover what it is:
$ file 61b94d373df24a669390bf5cc31090ac
61b94d373df24a669390bf5cc31090ac: GIF image data, version 89a, 189 x 188
Ok. It's an image. Let's open it:
Nothing immediately interesting. Let's open it in StegoDone:
$ stegodone.py 61b94d373df24a669390bf5cc31090ac.gif
Type: Compuserve GIF
Mode: ColorMap
Checking Meta Data
No metadata parsing support for GIF
Checking for trailing data
Discovered trailing data: b'PK\x03\x04\x14\x03\x00\x00\x08\x00V\x962F\xcb\xd1\xb2i\x0b\x17\x01\x00w\x17\x01\x00\x05\x00\x00\x001.png4Zy4\xd4\x81\x1<clipped>
Running image filters
Colormap detected...
Image is a colormap, skipping LSB Extract
So a couple things. This is a colormap file, which can certainly contain stego. However, there appears to be a TON of extra trailing data on this file. A cursory look through the image files created doesn't show anything interesting, so let's move on to all that trailing data.
StegoDone creates a "trailing_data.bin" file in the results section containing everything that appears after the valid end of the image file as discovered through parsing the format.
$ file trailing_data.bin
trailing_data.bin: Zip archive data, at least v2.0 to extract
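Finding the "valid end of the image" means walking the container format instead of searching for an end marker. The sketch below is an added example, not StegoDone's own code: it does this for GIF and, going one step beyond the file above, for PNG. The function names (gif_end, png_end, trailing_data) are hypothetical and the two sample images are constructed inline.

```python
import struct
import zlib

def _skip_sub_blocks(buf, pos):
    # GIF sub-blocks: <len><len bytes> repeated, ended by a zero length byte.
    while buf[pos]:
        pos += 1 + buf[pos]
    return pos + 1

def gif_end(buf):
    """Offset just past the GIF trailer, found by walking the block structure."""
    pos = 13                                  # 6-byte header + 7-byte screen descriptor
    if buf[10] & 0x80:                        # global color table present
        pos += 3 * (2 << (buf[10] & 7))
    while buf[pos] != 0x3B:                   # 0x3B = trailer block
        if buf[pos] == 0x21:                  # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(buf, pos + 2)
        elif buf[pos] == 0x2C:                # image descriptor (10 bytes)
            flags = buf[pos + 9]
            pos += 10
            if flags & 0x80:                  # local color table present
                pos += 3 * (2 << (flags & 7))
            pos = _skip_sub_blocks(buf, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unknown GIF block 0x{buf[pos]:02x} at {pos}")
    return pos + 1

def png_end(buf):                             # each chunk: length, type, data, CRC
    pos = 8                                   # skip the PNG signature
    while True:
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos

def trailing_data(buf):
    if buf[:6] in (b"GIF87a", b"GIF89a"):
        return buf[gif_end(buf):]
    if buf[:8] == b"\x89PNG\r\n\x1a\n":
        return buf[png_end(buf):]
    raise ValueError("unsupported format")

def _chunk(ctype, data=b""):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed samples: a valid 1x1 GIF whose palette holds 0x3B bytes, and a PNG skeleton (no IDAT).
GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x3b\x3b\x3b\xff\xff\xff"
       + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00" + b"\x3b")
PNG = b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + _chunk(b"IEND")
```

The sample GIF's palette contains the byte 0x3B, so cutting at the first 0x3B would stop at offset 14 while the real image ends at offset 35. On a real file, trailing_data(open(path, "rb").read()) returns the appended bytes, or an empty result when nothing follows the image.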
A zip file (as you could tell by the PK in any case). Let's extract to find the next step.
-rw-r--r-- 1 user user 71543 Jan 18 2015 1.png
-rw-r--r-- 1 user user 2880 Jan 18 2015 2.jpg
-rw-r--r-- 1 user user 101684 Jan 18 2015 3.jpg
-rw-r----- 1 user user 7019 Jan 18 2015 4.jpg
-rw-r--r-- 1 user user 21072 Jan 18 2015 5.jpg
-rw-r--r-- 1 user user 3693 Jan 18 2015 6.jpg
-rw-r--r-- 1 user user 947 Jan 18 2015 strange_file.png
Being concrete sequential, I started with 1.png.
Time to run stegodone:
$ stegodone.py 1.png
Type: Portable network graphics
Mode: RGB
Checking Meta Data
Size : 187x186
Bit Depth : 8
Color Type : RGB
Compression Used : Deflate
Filter Method : Adaptive Filtering
Interlace Method : No Interlace
b'Comment\x00\x00\x00\x00\x00CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 70\n'
Checking for trailing data
Discovered Trailing Data:
b'Lets begin:\n3tKdX\n'
Running image filters
Attempting to brute force LSB items
<clipped>
Looks like the next clue is "3tKdX". How about 2.jpg?
$ stegodone.py 2.jpg
Type: JPEG (ISO 10918)
Mode: RGB
Checking Meta Data
Exif Data
=========
Checking for trailing data
Trailing Data Discovered... Saving
b'Dont be stupid\nUse another method\n'
Running image filters
Attempting to brute force LSB items
Well then. "Don't be stupid. Use another method". The image transforms were of little use in this image. On a whim, I went ahead and used outguess (a common stego tool) to see if there was info in this:
$ outguess -r 2.jpg out && cat out
Reading 2.jpg....
Extracting usable bits: 2315 bits
Steg retrieve: seed: 32, len: 16
N0LWF
Dont stop
Ok. Second clue is "N0LWF". On to the next image, 3.jpg.
$ stegodone.py 3.jpg
Type: JPEG (ISO 10918)
Mode: RGB
Checking Meta Data
Exif Data
=========
Checking for trailing data
Trailing Data Discovered... Saving
b'PK\x03\x04\n\x03\x00\x00\x00\x00a\x9c2F\xc82\nQ\x0c\x00\x00<clipped>
This was another file with a TON of trailing data. Again, utilizing the created "trailing_data.bin" file, unzip it to find 1000 files, named from 0 to 999. Catting a few of them I find:
$ cat 0
NotHiNg HeRe
$ cat 1
NotHiNg HeRe
Time to find the needle in the haystack. Now the authors were a little clever here, and ensured that all the file sizes were 12 bytes. I took a different route and utilized grep.
$ grep -vi "Nothing" *
368:GoOd 3RlZ30=
So our next clue is "3RlZ30=". On to 4.jpg.
$ stegodone.py 4.jpg
Type: JPEG (ISO 10918)
Mode: RGB
Checking Meta Data
Exif Data
=========
Image Artist: If you insist here is your gift: ZmxhZ
Checking for trailing data
Running image filters
Attempting to brute force LSB items
<clipped>
Looks like this one was just hanging out in the Image Artist exif field. "ZmxhZ" is our clue. On to 5.jpg:
$ stegodone.py 5.jpg
Type: JPEG (ISO 10918)
Mode: RGB
Checking Meta Data
Exif Data
=========
Checking for trailing data
Trailing Data Discovered... Saving
b'So easy\nJust Look Carefully\n'
Running image filters
Attempting to brute force LSB items
<clipped>
We're being asked to look carefully. This probably means that the image transforms will help me here. I find that the Edge Enhance More is my friend on this one:
Our clue here is "TaU1w". Finally, on to 6.jpg.
$ stegodone.py 6.jpg
Type: JPEG (ISO 10918)
Mode: RGB
Checking Meta Data
Exif Data
=========
Checking for trailing data
Trailing Data Discovered... Saving
b'Almost done!\nHere is your last gift\nTGUtU\nNow form the flag :)\n'
Running image filters
Attempting to brute force LSB items
<clipped>
Final clue is "TGUtU". We now have a bunch of random characters. However, given the character types involved (uppercase, lowercase, number) and the equal sign at the end of one, my guess was that these are chunks of a base64 encoded string. We don't know what the correct order is, aside from the = coming at the end. However, this is fairly trivial to brute force with Python as follows:
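import itertools
from base64 import b64decode

# The five clue fragments whose order is unknown
d = ["3tKdX", "N0LWF", "ZmxhZ", "TaU1w", "TGUtU"]

# "3RlZ30=" carries the padding, so it is always appended last
for x in itertools.permutations(d):
    print(b64decode(''.join(x) + "3RlZ30="))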
In this script we utilize itertools to give us all the permutations of the 5 different character groups. We also utilize the fact that the chunk containing the "=" sign must come at the end to reduce our search space. Then we just decode all the possibilities and use visual inspection to find the flag. We quickly find the following flag:
flag{Just-aSiMpLe-Steg}