There should be something hidden inside this photo... Can you find out?
This is the given image and I checked a couple of tools and didn't get anything.So I bruteforced with stegcracker tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ stegcracker hackerman.jpg /opt/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file 'hackerman.jpg' with wordlist '/opt/rockyou.txt'..
Successfully cracked file with password: almost
Tried 11796 passwords
Your file has been written to: hackerman.jpg.out
almost
Now we got the password almost and extract with steghide tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ steghide extract -sf hackerman.jpg
Enter passphrase:
wrote extracted data to "hackerman.txt".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ cat hackerman.txt
SFRCezN2MWxfYzBycH0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ echo "SFRCezN2MWxfYzBycH0=" | base64 -d
HTB{3v1l_c0rp}
Try to find out the secret which is hiding inside of these pictures and learn the truth about Mona Lisa!
We got three jpg file for this challenge. After doing some emumeration stuff , I use binwalk on monalisa.jpg
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci]
└──╼ [??]$ binwalk -e monalisa.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
450363 0x6DF3B Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440 0x6DF88 Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411 0x8AC5B End of Zip archive, footer length: 22
568537 0x8ACD9 End of Zip archive, footer length: 22
And then we got again two zip file which is 6DF3B.zip and famous.zip but it was locked
We will get Mona.jpg file. Just doing enumeration again and I used stegseek to extract hidden files.(stegseek is a lightning fast steghide cracker that can be used to extract hidden data from files)
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ stegseek Mona.jpg /opt/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "Guernica"
[i] Original filename: "key".
[i] Extracting to "Mona.jpg.out".
In this file we get base64 encoded data and I decoded three time to get the flag.
If you are good at crypto, we can guess it can be rot13 or something like that.
He want to use fcrackzip tool with the four characters wordlist. So we can generate with crunch tool like this.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ crunch 4 4 abcdefghijklmnopqrstuvwxyz -o pass.lst
Crunch will now generate the following amount of data: 2284880 bytes
2 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976
crunch: 100% completed generating output
When we extract it with that password. We will get another jpg file.
After some enumeration, I didn't get anything and I decided to use stegseek tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ stegseek BAND.JPG
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "THEBEATLES"
[i] Original filename: "testabeatle.out".
[i] Extracting to "BAND.JPG.out".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ file BAND.JPG.out
BAND.JPG.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ chmod +x BAND.JPG.out
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ ./BAND.JPG.out
Hey Paul! If you are here... Give my your favourite character!
batman
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
If we use strings command on this ELF file, we will get a base64 text.
└──╼ [??]$ strings BAND.JPG.out
[..snip...]
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTX
lfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
Decode it and get the flag.
The tour was canceled for the following month...!
I'll go out for dinner with my girlfriend named Yoco! ;)
HTB{S0rRy_My_FR13nD}
