Posts Tagged ‘steganography’

CSAW CTF 2016 Watchword 250 Forensics

September 18, 2016

Here is the challenge description,

Canned epic hidden snek flavored cookies have shy gorilla.

password = password

and a link to this video

It’s an MP4 video. Checking the metadata blob revealed a base64-encoded string,

[Image: meta]

[Image: b64]

So the challenge has something to do with steghide. Check out the challenge description as well: it mentions the passphrase (password = password). Steghide uses a passphrase to embed data in a cover file (only JPEG, BMP, WAV, AU). We got an MP4 file, which steghide won’t support, yet steghide is part of the challenge.

[Failed attempt]

You may skip reading this part.

The frame movement was a little weird, so I thought I would export all the frames as JPEG files and then use steghide. I used this method to export the frames, with the recording ratio set to 1 (with this setting it extracts every frame). Once the video was stopped, there were around 275 frames generated by VLC. You can download the frames from here. Now that I have a set of JPEG images in place, let’s try to use the [passphrase = “password”] with steghide.

[Image: script_brute]

It did not work as expected, the stdout was “steghide: could not extract any data with that passphrase!”… :/ :/. Now what?? Let’s go back to the video and check if there are any signs of hidden files using a hex editor. And what have we got??

[Image: png_hex]

Now let’s extract the PNG image out of it. I had to do it by writing a script, as there were dependency issues installing binwalk. You could alternatively use foremost as well.
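The carving script itself is not reproduced on this page. As an added example (not the author's code), one way to carve a PNG out of a container file is to find the 8-byte PNG signature and walk the chunks, checking each CRC, until `IEND`; the container bytes here are constructed test data, not the challenge video.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample():
    """Constructed test data: a 1x1 PNG buried in MP4-like filler bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one grey pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    # Filler includes a bare signature with no valid chunks behind it.
    prefix = b"\x00\x00\x00\x18ftypmp42" + bytes(20) + PNG_SIG + b"junk" + bytes(16)
    return prefix + png + b"trailing container data", len(prefix), png

def carve_pngs(blob):
    """Return (offset, png_bytes) for each structurally valid PNG in blob."""
    found = []
    start = blob.find(PNG_SIG)
    while start != -1:
        pos = start + len(PNG_SIG)
        while pos + 12 <= len(blob):  # 12 = length + type + CRC fields
            (length,) = struct.unpack(">I", blob[pos:pos + 4])
            end = pos + 12 + length
            if end > len(blob):
                break  # chunk runs past the file: not a real PNG here
            (crc,) = struct.unpack(">I", blob[end - 4:end])
            if crc != zlib.crc32(blob[pos + 4:end - 4]):
                break  # CRC mismatch: false-positive signature or damage
            ctype, pos = blob[pos + 4:pos + 8], end
            if ctype == b"IEND":
                found.append((start, blob[start:pos]))
                break
        start = blob.find(PNG_SIG, start + 1)
    return found

if __name__ == "__main__":
    blob, offset, png = make_sample()
    for off, data in carve_pngs(blob):
        print(f"PNG at offset {off:#x}, {len(data)} bytes")
```

Validating chunk CRCs is what lets the carver skip stray signature bytes and stop exactly at the end of the image instead of dumping the rest of the container.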

After running the script, we got a PNG image file,

[Image: png_magic]

Wow! Looks awesome.. but the fact remains that steghide won’t support PNG images. Then why was steghide given as a clue in the challenge file? Let’s dig deeper. I repeated almost all the steps from the beginning and I couldn’t find any lead from here. Histogram analysis, LSB, and other standard steganography techniques failed as well. It was a little difficult to guess a pattern by just looking at the pixel values.

An hour or so later, the first hint was released, and then it was pretty straightforward. The hint was to use stepic, and here is the detailed explanation.

$ stepic --decode --image-in=PNG_Magic.png --out=new_image.jpg

Using stepic we got another image and now it is a JPEG file (new_image.jpg). Finally, the clue given inside the challenge file makes sense,

[Image: new_image]

Let’s pull out the hidden text file from the obtained image,

[Image: steg]

So here it is,

W^7?+dsk&3VRB_4W^-?2X=QYIEFgDfAYpQ4AZBT9VQg%9AZBu9Wh@|fWgua4Wgup0ZeeU}c_3kTVQXa}eE

This doesn’t look like a base64-encoded string. Check the format. Base64 only contains ‘+’ and ‘/’ as special characters, but we have several others (^, |, _, ?, } etc). I was unable to crack this last part, which I left to my teammates to solve. In the meantime another hint was released [It’s not base64, but it uses the Python 3 base64 module]. Later, a couple of my teammates (dnivra, gokul_krishna) managed to quickly identify the encoding technique, and it was found to be base64 b85 type encoding.

[Image: flag]

So the flag is : flag{We are fsociety, we are finally free, we are finally awake!} Yaaayyyy!!!! 250 on the board!!! 😀 \m/
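The identification step can be reproduced mechanically. This added example (not the teammates' code) checks the extracted string against the alphabet of each text encoding in Python 3's `base64` module, then tries every decoder and keeps only results that are printable ASCII; the helper names are made up for this illustration.

```python
import base64
import string

# Ciphertext as printed in the write-up (output of the steghide step).
CIPHERTEXT = ("W^7?+dsk&3VRB_4W^-?2X=QYIEFgDfAYpQ4AZBT9VQg%9AZBu9"
              "Wh@|fWgua4Wgup0ZeeU}c_3kTVQXa}eE")

ALNUM = string.ascii_letters + string.digits
# Alphabets of the text encodings offered by Python 3's base64 module.
ALPHABETS = {
    "b16": set("0123456789ABCDEF"),
    "b32": set(string.ascii_uppercase + "234567="),
    "b64": set(ALNUM + "+/="),
    "a85": set(map(chr, range(33, 118))) | {"z"},
    "b85": set(ALNUM + "!#$%&()*+-;<=>?@^_`{|}~"),
}
DECODERS = {
    "b16": base64.b16decode,
    "b32": base64.b32decode,
    "b64": lambda s: base64.b64decode(s, validate=True),
    "a85": base64.a85decode,
    "b85": base64.b85decode,
}

def alphabet_fits(text):
    """Names of encodings whose alphabet contains every character of text."""
    chars = set(text)
    return sorted(name for name, alpha in ALPHABETS.items() if chars <= alpha)

def printable_decodings(text):
    """Try every decoder; keep results that decode cleanly to printable ASCII."""
    hits = {}
    for name, decode in DECODERS.items():
        try:
            raw = decode(text)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            hits[name] = raw.decode("ascii")
    return hits

if __name__ == "__main__":
    print("alphabet fits:", alphabet_fits(CIPHERTEXT))
    for name, text in printable_decodings(CIPHERTEXT).items():
        print(name, "->", text)
```

Characters such as `|` and `}` fall outside the Ascii85 range (`!` to `u`), which is why only the b85 alphabet fits this string.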

So summing up,

  1. Extract the png image from the mp4 video,
  2. Use stepic to uncover a jpeg file,
  3. Use steghide to extract a b85 type base64 string,
  4. Decode it and get the flag.

ECTF 2014 Forensics 200 Pixel Princess writeup

October 19, 2014

The question is,

Find the princess. Get the flag

[Image: bowser]

This is our challenge file, a villain in Mario! First you have to find out whether there are any hidden file signatures in the challenge file. As you can see, there is a zip file embedded at offset 0x226B5. We will now extract the zip file after converting the offset from hex to decimal. The decimal value is 140981.


➜  200 [0] dd if=bowser.jpg bs=1 skip=140981 of=flag.zip
41379+0 records in
41379+0 records out
41379 bytes (41 kB) copied, 0.075023 s, 552 kB/s

When I unzipped the file, I got an image. I saw a pass-phrase “BaD_DR4G0N”,

[Image: MarioCastle]

I thought it was the flag and I submitted it. But it was not. The image also says, “Our Princess is in another castle”! Well, usually we use a pass-phrase to encrypt files and embed them inside an image/audio file. I remember using the steghide application to encrypt and hide files inside an image. So I tried using steghide on the above image to see if there were any files hidden with the pass-phrase. There are no files embedded here! Then I tried checking with different steganography algorithms like Outguess, LSB etc.; none of them was the solution. After some time in the evening I thought of digging for more information in the original challenge file. I checked the meta-data sections; none had a clue. Then I thought, why can’t we use steghide on the original image with the pass-phrase which we obtained from the zip file? That surprisingly worked! Yes, use the pass-phrase which you found and get the flag,


➜  200 [0] steghide extract -sf bowser.jpg
Enter passphrase:
wrote extracted data to "l.tar.gz".
➜  200 [0] tar -zxvf l.tar.gz
flaga.jpg

Yes we got it right!!!! Here is the flag!

[Image: flaga]
