HACK YOU CTF 2012
For the first time, Leet More organized the Hackyou’12 CTF. We placed 97th. It was a jeopardy-style CTF. This time the steganography challenges were quite fair and easy, and it was a totally new topic for me. There were 3 challenges in this field. Stegano100 was solved by my teammates, and Stegano200 and Stegano300 by myself, with some hints from my friends and teammates.
Stegano-200
They provided a PNG image and we were asked to get the embedded flag from it. It took 2 days for me to complete and it was more than a brute force attempt. First I checked for the presence of any embedded text using the steghide tool; alas, no text files were hidden :( The next attempt was reversing the bits of the image, and this also didn’t produce the expected flag.
Then, there was a challenge in the Null-Con CTF where the flag was hidden inside the image, and adjusting the brightness and sharpness of the image revealed the hidden message. So I did the same, and I found a text (secret key) with patterns covered by dots. I suspected this should be the flag for this challenge. We started with some paperwork, joining the dots for some time to get a pattern, but that was not the way.
Later, with some hints from my friend, I figured out the key. The hint given to me was “ASSUME dots as 1 and blank spaces as 0”. There are 7 bits for each pattern, and we have to treat dots as “1” and blank spaces as “0”. So it looks like this:
(1100001) (1101001) (1101110) (1110100) (1011111) (1100001) (1100110) (1110010) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1100001) (1101001) (1100100) (1011111) (1101111) (1100110) (1011111) (1101110) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1101111) (1011111) (1100111) (1101000) (1101111) (1110011) (1110100) (1110011) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111) (1111111)
Now convert the binary numbers to ASCII characters.
a i n t _ a f r a i d _ o f _ n o _ g h o s t s
Joining everything, we got “aint_afraid_of_no_ghosts”.
Stegano-300
I thought it would be a complicated one, but it was not so. The image was quite weird, with a few layers, and at the center of the image there was a text like “Congratz You win the flag……”. I assumed the image was formed by combining 2 or more layers of images, so I thought that cropping the center part alone and analyzing the cropped image would take us to the key. Once the hints were published on their site for all the tasks worth 300 points, I realized that my assumption was wrong.
The hint was “Lucy in the Sky with Balls”. Look at the starting letter of each word; it is emphasized. Taking the first character of each word gives “LSB”. The flag is hidden in the image by the Least Significant Bit substitution method. This is one of the basic methods used in steganography to hide secret text.
So I searched for a program or tool which can extract the LSBs of an image. I used the pylsb tool, but it displayed non-printable characters rather than the flag. After searching for a long time, and with help from my friend, I got a MATLAB code which can extract the LSB bits from an image. But I ran it using Octave (an open source tool similar to MATLAB). There were a few bugs in the code, but they are fixed. See below.
P.S.: Give the name of your task image as the argument (I renamed my task image to “stg300.png”).
    function Ext
      % Read the image into a matrix s
      s = imread('stg300.png');
      height = size(s,1);
      width = size(s,2);

      % For this example the max size is 100 bytes, or 800 bits (bytes * 8 = bits)
      m = 800;

      % LSB extraction
      % Go through each pixel in row order and save its least significant bit.
      b = zeros(1, m);
      k = 1;
      for i = 1 : height
        for j = 1 : width
          if (k <= m)
            b(k) = mod(double(s(i,j)), 2);
            k = k + 1;
          end
        end
      end

      % Convert to string
      % Use a binary matrix multiply to do this (most significant bit first)
      binaryVector = b(:);
      binaryValues = [ 128 64 32 16 8 4 2 1 ];
      if mod(length(binaryVector), 8) ~= 0
        error('Length of binary vector must be a multiple of 8.');
      end
      % One column of 8 bits per output byte: 8 x 100
      binMatrix = reshape(binaryVector, 8, m/8);
      textString = char(binaryValues*binMatrix);

      % Print text
      disp(textString);
    end
So compiling the code in Octave we got the flag for this challenge.
    shankie@ubuntu:~/Desktop/hackyou12/Steganography/300$ octave
    GNU Octave, version 3.2.4
    Copyright (C) 2009 John W. Eaton and others.
    This is free software; see the source code for copying conditions.
    octave:1> lsb.m
    warning: function name `Ext' does not agree with function file name `/home/shankie/Desktop/hackyou12/Steganography/300/lsb.m'
    Congrats You win! The Flag is 4E34B38257200616FB75CD869B8C3CF0 *** Congrats You win! The Flag is 4E3
    error: can't perform indexing operations for <unknown type> type
    octave:1>
    shankie@ubuntu:~/Desktop/hackyou12/Steganography/300$
So the flag is “4E34B38257200616FB75CD869B8C3CF0”. Yippee, 300 points awarded.
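The LSB extraction used for Stegano-300, as an added Python example that is not part of the original write-up: it goes beyond the Octave script by trying both pixel traversal orders and both bit-packing orders and keeping the most printable result, since a mismatch in either yields non-printable bytes. The pixel grid, the secret and all function names are constructed for illustration; a real image would first be loaded into a list of rows of 8-bit values.

```python
# Added example: LSB extraction over a constructed 8-bit grayscale pixel grid.
import random
import string

def embed(pixels, message):
    """Write message bits MSB-first into pixel LSBs, row by row."""
    bits = [(byte >> (7 - n)) & 1 for byte in message for n in range(8)]
    out = [row[:] for row in pixels]
    for k, bit in enumerate(bits):
        i, j = divmod(k, len(out[0]))
        out[i][j] = (out[i][j] & ~1) | bit
    return out

def extract(pixels, nbytes, row_major=True, msb_first=True):
    """Collect pixel LSBs in the chosen traversal order and pack them into bytes."""
    height, width = len(pixels), len(pixels[0])
    if row_major:
        order = [(i, j) for i in range(height) for j in range(width)]
    else:
        order = [(i, j) for j in range(width) for i in range(height)]
    bits = [pixels[i][j] & 1 for i, j in order[:nbytes * 8]]
    data = bytearray()
    for k in range(0, len(bits) - 7, 8):
        chunk = bits[k:k + 8] if msb_first else bits[k:k + 8][::-1]
        data.append(int("".join(map(str, chunk)), 2))
    return bytes(data)

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; garbage scores low."""
    ok = set(string.printable.encode())
    return sum(b in ok for b in data) / len(data) if data else 0.0

def best_guess(pixels, nbytes):
    """Try all four orderings; return (score, row_major, msb_first, data) of the best."""
    results = []
    for row_major in (True, False):
        for msb_first in (True, False):
            data = extract(pixels, nbytes, row_major, msb_first)
            results.append((printable_ratio(data), row_major, msb_first, data))
    return max(results, key=lambda r: r[0])

# Constructed inputs: seeded random 40x40 cover and a placeholder secret.
rng = random.Random(2012)
COVER = [[rng.randrange(256) for _ in range(40)] for _ in range(40)]
SECRET = b"Constructed flag: EXAMPLE-NOT-A-REAL-FLAG ***"
STEGO = embed(COVER, SECRET)

if __name__ == "__main__":
    print(best_guess(STEGO, len(SECRET)))
```

The row-major, MSB-first setting matches the loop order and the `[128 64 32 16 8 4 2 1]` weights in the Octave script above.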