Archive for the ‘Stegano’ Category

CSAW CTF 2016 Watchword 250 Forensics

September 18, 2016

Here is the challenge description,

Canned epic hidden snek flavored cookies have shy gorilla.

password = password

and a link to this video

It’s an MP4 video. Checking the metadata blob revealed a base64-encoded string,

meta

b64

So the challenge has something to do with steghide. Look at the challenge description as well: it mentions the passphrase (password = password). Steghide uses a passphrase to embed data in a cover file (only JPEG, BMP, WAV, AU). We got an MP4 file, which steghide won’t support, and yet steghide is part of the challenge.

[Failed attempt]

You may skip reading this part.

The frame movement was a little weird, so I thought I would export all the frames as JPEG files and then use steghide. I used this method to export the frames, with the recording ratio set to 1 (with this setting it extracts every frame). Once the video was stopped, there were around 275 frames generated by VLC. You can download the frames from here. Now that I have a set of JPEG images in place, let’s try to use the [passphrase = “password”] with steghide.

script_brute

It did not work as expected; the stdout was “steghide: could not extract any data with that passphrase!”… :/ :/. Now what?? Let’s go back to the video and check if there are any signs of hidden files using a hex editor. And what have we got??

png_hex

Now let’s extract the PNG image out of it. I had to do it by writing a script, as there were dependency issues installing binwalk. You could alternatively use foremost as well.

After running the script, we got a PNG image file,

png_magic
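The author's carving script is not shown on the page. The following is an added example of one way to do that step, not the original script: it finds the PNG signature, then walks the chunks and checks each CRC until IEND, so a stray signature inside the container is skipped. The sample bytes are constructed and only stand in for the MP4 data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def carve_png(data, start=0):
    """Return (offset, png_bytes) for the first structurally valid PNG in data, else None."""
    off = data.find(PNG_SIG, start)
    while off != -1:
        pos = off + len(PNG_SIG)
        while pos + 12 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            end = pos + 12 + length              # length + type + payload + CRC
            if end > len(data):
                break                            # truncated or not a real chunk
            (crc,) = struct.unpack(">I", data[end - 4:end])
            if zlib.crc32(data[pos + 4:end - 4]) != crc:
                break                            # CRC covers type + payload
            if ctype == b"IEND":
                return off, data[off:end]
            pos = end
        off = data.find(PNG_SIG, off + 1)        # false hit: try the next signature
    return None

def chunk(ctype, payload):
    """Build one PNG chunk (used only to construct the sample below)."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed sample: a 1x1 grayscale PNG placed after filler bytes and a bogus signature.
SAMPLE_PNG = (PNG_SIG
              + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + chunk(b"IDAT", zlib.compress(b"\x00\xff"))
              + chunk(b"IEND", b""))
SAMPLE = (b"\x00\x00\x00\x18ftypmp42" + b"A" * 100
          + PNG_SIG + b"not really a png"
          + SAMPLE_PNG + b"trailing container bytes")

if __name__ == "__main__":
    offset, png = carve_png(SAMPLE)
    print("PNG at offset", hex(offset), "length", len(png))
```

On a real file, pass the bytes of the container (read in binary mode) to `carve_png` and write the returned bytes out as the PNG.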

Wow! Looks awesome.. but the fact remains that steghide won’t support PNG images. Then why was steghide given as a clue in the challenge file? Let’s dig deep. I repeated almost all the steps from the beginning and I couldn’t find any lead from here. Histogram analysis, LSB, and other standard steganography techniques failed as well. It was a little difficult to guess a pattern by just looking at the pixel values.

After an hour or so, the first hint was released, and then it was pretty straightforward. The hint was to use stepic, and here is the detailed explanation.

$ stepic --decode --image-in=PNG_Magic.png --out=new_image.jpg

Using stepic we got another image and now it is a JPEG file (new_image.jpg). Finally, the clue given inside the challenge file makes sense,

new_image

Let’s pull out the hidden text file from the obtained image,

steg

So here it is,

W^7?+dsk&3VRB_4W^-?2X=QYIEFgDfAYpQ4AZBT9VQg%9AZBu9Wh@|fWgua4Wgup0ZeeU}c_3kTVQXa}eE

This doesn’t look like a base64-encoded string. Check the format: base64 only contains ‘+’ and ‘/’ as special characters, but we have several others (^, |, _, ?, } etc.). I was unable to crack this last part, so I left it to my teammates to solve. In the meantime another hint was released [It’s not base64, but it uses the Python 3 base64 module]. Later, a couple of my teammates (dnivra, gokul_krishna) managed to quickly identify the encoding technique, and it was found to be base64 b85 type encoding.

flag

So the flag is : flag{We are fsociety, we are finally free, we are finally awake!} Yaaayyyy!!!! 250 on the board!!! 😀 \m/

So summing up,

  1. Extract the png image from the mp4 video,
  2. Use stepic to uncover a jpeg file,
  3. Use steghide to extract a b85 type base64 string,
  4. Decode it and get the flag.
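The last step can be triaged mechanically. This added example (not the teammates' code) tries every text codec in the Python 3 base64 module on the extracted string and keeps only the ones that decode cleanly to printable ASCII; the function and variable names are chosen for this illustration.

```python
import base64
import binascii
import string

# The string pulled out by steghide, copied from the write-up above.
BLOB = "W^7?+dsk&3VRB_4W^-?2X=QYIEFgDfAYpQ4AZBT9VQg%9AZBu9Wh@|fWgua4Wgup0ZeeU}c_3kTVQXa}eE"

# Every decoder the base64 module offers for text input.
DECODERS = {
    "base16": base64.b16decode,
    "base32": base64.b32decode,
    "base64": lambda s: base64.b64decode(s, validate=True),  # reject foreign characters
    "ascii85": base64.a85decode,
    "base85": base64.b85decode,
}

PRINTABLE = set(string.printable.encode())

def triage(blob):
    """Return {codec name: decoded text} for codecs that yield printable ASCII."""
    hits = {}
    for name, decode in DECODERS.items():
        try:
            raw = decode(blob.encode("ascii"))
        except (binascii.Error, ValueError):
            continue                      # wrong alphabet, padding or overflow
        if raw and all(b in PRINTABLE for b in raw):
            hits[name] = raw.decode("ascii")
    return hits

if __name__ == "__main__":
    for codec, text in triage(BLOB).items():
        print(codec, "->", text)
```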

MMA CTF 2015 Steganography 100 Nagoya Castle writeup

September 7, 2015

This challenge was one among the easiest. The flag was readable in the blue plane!

Given this image, we need to find the flag.

nagoya_Castle

Either write a script using the Python PIL library or just use the stegsolve tool and view the image in blue plane 0 to get the flag.

solved

ECTF 2014 Forensics 200 Pixel Princess writeup

October 19, 2014

The question is,

Find the princess.Get the flag

bowser

This is our challenge file, a villain in Mario! First you have to check whether there are any hidden file signatures in the challenge file. As you can see, there is a zip file embedded at offset 0x226B5. We will now extract the zip file after converting the offset from hex to decimal. The decimal value is 140981.


➜  200 [0] dd if=bowser.jpg bs=1 skip=140981 of=flag.zip
41379+0 records in
41379+0 records out
41379 bytes (41 kB) copied, 0.075023 s, 552 kB/s

When I unzipped the file, I got an image. I saw a pass-phrase “BaD_DR4G0N”,

MarioCastle

I thought it was the flag and I submitted it. But it was not. The image also says, “Our Princess is in another castle”! Well, usually we use a pass-phrase to encrypt files and embed them inside an image/audio file. I remember using the steghide application to encrypt and hide files inside an image. So I tried using steghide on the above image to see if there were any files hidden with the pass-phrase. There were no files embedded there! Then I tried checking with different steganography algorithms like Outguess, LSB etc.; none of them was the solution. After some time in the evening I thought of digging for more information in the original challenge file. I was checking out the meta-data sections; none had a clue there. Then I thought, why can’t we use steghide on the original image with the pass-phrase which we obtained from the zip file? That surprisingly worked! Yes, use the pass-phrase which you found and get the flag,


➜  200 [0] steghide extract -sf bowser.jpg
Enter passphrase:
wrote extracted data to "l.tar.gz".
➜  200 [0] tar -zxvf l.tar.gz
flaga.jpg

Yes we got it right!!!! Here is the flag!

flaga

ECTF 2014 Forensics 100 We hate Engineering writeup

October 19, 2014

This is another easy challenge! When you play it, only the 2nd half of the audio will be clear. When you listen to it the first time you may not understand that a flag is concealed. Listen multiple times and you will get it clearly. I played the audio by reversing the stream, and then I could hear the other half! I will upload the reversed audio as well as the actual audio along with this article. You can download and listen to them.

Download the actual file from here. And the solved file from here. When you play the solved audio file you will not hear the first half of the audio properly since I reversed it, but you will get the second half clearly, where we can hear the flag! I used Audacity to reverse the audio file.

ECTF14_HATE_ENGG

The flag is {high_level_encryption}

SECURE CTF 2014 Writeup

October 16, 2014

Task – 1

Not solved!

Task – 2: Great Number

They gave this question and we were asked to find the flag.

FLAG = ( 31337 +  X  ) / 31337

NOTE: You should get ascii text !
NOTE2: We re-uploaded correct ‘X’.

and the value of X was 20609038575248457690773428127436065356620526665061920

I thought I would have to break my head to solve this math challenge, but that was not the case after looking at the hint given in the source page. The hint was “<!-- h-->”. Decode it to hex! Before that, it is good to divide before you add anything! I divided the value of X after adding 1 with 31337. Then convert the resulting integer to hex and finally decode the hex string, and you will see the flag!

>>> 20609038575248457690773428127436065356620526665061920/31337+1
657658313662713651299531803536907341373473104161L
>>> hex(657658313662713651299531803536907341373473104161)
'0x73326b31345f576f77536f426967496e74212121L'
>>> "73326b31345f576f77536f426967496e74212121".decode("hex")
's2k14_WowSoBigInt!!!'

The Flag was : ‘s2k14_WowSoBigInt!!!’

Task – 3: Capture the Memories

To solve this challenge you need to download this file,

Initially I assumed that I need to figure out a way to decrypt the SSL packets and then to find the flag. But when I went through the first packet, I dropped my assumption. It was very easy then!

SECURE_CTF

So you just have to xor 2 strings to get the flag!,

# XOR the two hex strings from the first packet byte by byte (Python 3).
str1 = '0x0b4a13494c272b190130112c17301d190a0c1a141d1d1c391f191116'
str2 = '0x78787878787878787878787878787878787878787878787878787878'
xorstr = ''
# [2:] drops the '0x' prefix before converting the hex digits to bytes.
for a, b in zip(bytes.fromhex(str1[2:]), bytes.fromhex(str2[2:])):
    xorstr += chr(a ^ b)
print(xorstr)

Running the program gives the flag : s2k14_SayHiToHeartbleedAgain

Task 4 : Much Difference, So Stegano WOW

The image to be solved is given below,

task

When you view the image in Green Plane 0 or in any Random Color Map, the flag will be clear,

flag
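What "plane 0" means, both here (green) and in the Nagoya Castle challenge (blue), as an added example that is not from the original posts: keep one bit of one colour channel and show it as black or white. The core works on plain (r, g, b) tuples with constructed sample pixels; `plane_from_file` does the same on an image file and assumes Pillow is installed.

```python
CHANNELS = {"R": 0, "G": 1, "B": 2}

def bit_plane(pixels, channel="B", bit=0):
    """Map each (r, g, b) pixel to 255 if the chosen bit of the chosen channel is set, else 0."""
    idx = CHANNELS[channel]
    return [255 * ((p[idx] >> bit) & 1) for p in pixels]

def render(plane, width):
    """Render a flat plane as text rows: '#' for set bits, '.' for clear ones."""
    rows = [plane[i:i + width] for i in range(0, len(plane), width)]
    return ["".join("#" if v else "." for v in row) for row in rows]

def plane_from_file(path, channel="B", bit=0):
    """Same extraction on an image file, returned as a Pillow image (assumes Pillow)."""
    from PIL import Image
    band = Image.open(path).convert("RGB").getchannel(channel)
    return band.point(lambda v: 255 * ((v >> bit) & 1))

# Constructed 5x3 sample: every pixel looks like the same blue (200 or 201),
# but the least significant blue bit spells a "T".
MASK = ["#####", "..#..", "..#.."]
SAMPLE = [(90, 150, 200 + (c == "#")) for row in MASK for c in row]

def demo():
    """Blue plane 0 of the constructed sample, as text rows."""
    return render(bit_plane(SAMPLE, "B", 0), width=5)

if __name__ == "__main__":
    print("\n".join(demo()))
```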

Task 5 – Do not Stop the Run

I couldn’t submit the flag before the contest time! But happy that I solved it!

A link was given, and when you click it, it redirects to http://do.not.sleep ! When I viewed the source code, I got this hint: “<!-- use ctf.secure.edu.pl as domain resolver 🙂 -->”. Then I added the IP address (195.187.4.199) of ctf.secure.edu.pl to the resolv.conf file as mentioned in the hint. After adding it I tried accessing the link once again; still the error was thrown saying “Server was not found”. When you start digging the nameserver, you will notice the flag soon.


➜  CTF [0] dig do.not.sleep @ctf.secure.edu.pl

;;DiG 9.9.5-3-Ubuntu <<>> do.not.sleep @ctf.secure.edu.pl
;; global options: +cmd
;; Got answer:
;; <<HEADER>>- opcode: QUERY, status: NOERROR, id: 11453
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;do.not.sleep.            IN    A

;; ANSWER SECTION:
do.not.sleep.        1    IN    CNAME    0.step.do.not.sleep.

;; Query time: 195 msec
;; SERVER: 195.187.4.199#53(195.187.4.199)
;; WHEN: Fri Oct 17 00:40:04 IST 2014
;; MSG SIZE  rcvd: 75

Find the IP addresses of the subdomains and find their aliases, and you will get the flag (I am assuming what I found is the correct flag, since the flag format specified in the rules page is s2k14_[a-zA-Z0-9]* (<-readable text!!!) and it matches mine except for the underscore (“_”)).


0.step.do.not.sleep has address 45.92.24.97
0.step.do.not.sleep is an alias for 1.step.do.not.sleep.
0.step.do.not.sleep has address 16.39.74.97
0.step.do.not.sleep is an alias for 1.step.do.not.sleep.
s2k14.do.not.sleep is an alias for 0.step.do.not.sleep.

<strike>The Flag was the alias of a domain name! s2k14.do.not.sleep</strike>

This is not the flag it seems. From here I have to take some more steps to reach the flag. Will update once after finding the proper flag.

SU CTF 2014 Hear With Your Eyes writeup

September 29, 2014

You will clearly figure out how to get the flag when you listen to the audio. This challenge is almost common in all CTFs now!

su

The flag is : e5353bb7b575578bd4da1c898a8e2d7667

DEFKTHON CTF Misc 200 Writeup

March 5, 2014

If there is a frustrating side in CTF, then I would rather vote for Steganography. It is interesting to see how a message can be embedded inside covert objects, but it is always a tedious job to analyze the patterns and extract them back 😀 :P. I found it always difficult 😦 . I have seen challenges with covert objects, either as an image file or as an audio file, but this challenge was designed differently. It was quite weird though. The challenge was to construct an image from given RGB values. You can download the file here. Actually I didn’t solve it alone. I was able to get it done with my team mates and my friend. Initially my thought was to build an image with those values with an assumed width and height.

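import os,sys
from PIL import Image
# First attempt: overwrite an existing image, assuming a 255x255 layout.
im = Image.open("black.jpg")
pix = im.load()
h,w = im.size
m = open("flag.txt","r").readlines()
o = -1
for i in range(255):
   for j in range(255):
       o+=1
       if (o < 61366 ):
           # eval() runs whatever is on the line; the second script below parses with csv instead
           steg = eval("("+m[o].strip()+")")
           pix[i,j]= steg
im.show()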

When I ran the code, the result was contrary to my expectations. The method didn’t work though.

steg

But later my friend directed me with a hint of doing it in a right way. Start with a black image and assign the RGB values to it. Way simpler it is, but I think I complicated it very much with the above snippet.. 😀 ( credit goes to you guyz (vivek and ajith! 😉 )

from PIL import Image
import csv

# Start from a black 503x122 canvas (503 * 122 = 61366 pixels).
img = Image.new('RGB', (503, 122), "black")
pixels = img.load()
with open('flag.txt', 'r') as f:
    mycsv = list(csv.reader(f, delimiter=','))
k = 0
for i in range(img.size[0]):      # for every column
    for j in range(img.size[1]):  # for every pixel in that column
        pixels[i, j] = (int(mycsv[k][0]), int(mycsv[k][1]), int(mycsv[k][2]))
        k = k + 1
img.show()

Now, I should be getting it 🙂

flag

The flag is youc@n’tseeme. 
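The 255x255 guess in the first script could not fit, because the 61366 values have to fill a rectangle exactly. This added example (not the author's code, and going one step beyond the post) lists the dimensions the pixel count allows, parses the `r,g,b` lines without `eval()`, and lays them out column by column as the working script does; the helper names and the `min_side` cut-off are assumptions of this illustration.

```python
def candidate_dims(n_pixels, min_side=16):
    """All (width, height) pairs with width * height == n_pixels and both sides >= min_side."""
    dims = []
    for w in range(min_side, n_pixels // min_side + 1):
        if n_pixels % w == 0:
            dims.append((w, n_pixels // w))
    return dims

def parse_rgb(lines):
    """Parse 'r,g,b' text lines into integer tuples; blank lines are skipped."""
    pixels = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        parts = [int(v) for v in line.strip().split(",")]
        if len(parts) != 3 or not all(0 <= v <= 255 for v in parts):
            raise ValueError("line %d is not an r,g,b triple" % lineno)
        pixels.append(tuple(parts))
    return pixels

def to_rows(pixels, width, height):
    """Place pixels column by column (k = x * height + y) and return them as rows."""
    if len(pixels) != width * height:
        raise ValueError("pixel count does not match %dx%d" % (width, height))
    return [[pixels[x * height + y] for x in range(width)] for y in range(height)]

# Constructed sample: six pixels that form a 3x2 image.
SAMPLE_LINES = ["1,2,3\n", "4,5,6\n", "\n", "7,8,9\n", "10,11,12\n", "13,14,15\n", "16,17,18\n"]

if __name__ == "__main__":
    print(candidate_dims(61366))   # the pixel count used in the scripts above
    for row in to_rows(parse_rgb(SAMPLE_LINES), 3, 2):
        print(row)
```

With only four plausible layouts for 61366 pixels, trying each one is quicker than guessing a square.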
