Steganography - HTB
All this challenge is from Hackthebox (Retired)
Widescreen
This is the given picture. Check it with file command to sure what type of file is this.
file widescreen.png
widescreen.png: PNG image data, 628 x 281, 8-bit/color RGB, non-interlacedIf you pay close attention to the bottom of this image. You can see the flag with low brightness.I used stegsolve.jar to see clearly.
HTB{c3r34l_k1ll3r}
HackerMan
This is the given image and I checked a couple of tools and didn't get anything.So I bruteforced with stegcracker tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ stegcracker hackerman.jpg /opt/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file 'hackerman.jpg' with wordlist '/opt/rockyou.txt'..
Successfully cracked file with password: almost
Tried 11796 passwords
Your file has been written to: hackerman.jpg.out
almostNow we got the password almost and extract with steghide tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ steghide extract -sf hackerman.jpg
Enter passphrase:
wrote extracted data to "hackerman.txt".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ cat hackerman.txt
SFRCezN2MWxfYzBycH0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ echo "SFRCezN2MWxfYzBycH0=" | base64 -d
HTB{3v1l_c0rp}HTB{3v1l_c0rp}
Milkshake
It just mp3 music file and I opened with sonic-visualizer and add spectrogram.
And then you will see the flag.
HTB{str4wberry_milkshak3}
Da Vinci
We got three jpg file for this challenge. After doing some emumeration stuff , I use binwalk on monalisa.jpg
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci]
└──╼ [??]$ binwalk -e monalisa.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
450363 0x6DF3B Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440 0x6DF88 Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411 0x8AC5B End of Zip archive, footer length: 22
568537 0x8ACD9 End of Zip archive, footer length: 22And then we got again two zip file which is 6DF3B.zip and famous.zip but it was locked
I used fcrackzip tool to bruteforce zip password.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ fcrackzip famous.zip -uDp /opt/rockyou.txt
PASSWORD FOUND!!!!: pw == leonardoWe will get Mona.jpg file. Just doing enumeration again and I used stegseek to extract hidden files.(stegseek is a lightning fast steghide cracker that can be used to extract hidden data from files)
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ stegseek Mona.jpg /opt/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "Guernica"
[i] Original filename: "key".
[i] Extracting to "Mona.jpg.out".In this file we get base64 encoded data and I decoded three time to get the flag.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ cat Mona.jpg.out
VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ echo "VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=" | base64 -d | base64 -d | base64 -d
HTB{M0n@_L1z@_!s_D3@D}HTB{M0n@L1z@!s_D3@D}
Beatles
When we extract the given file, we will get one zip file and one ASCII text file.Zip file was protected and the ascii file is just a non-sense text.
└──╼ [??]$ ls
BAND.zip Beatles.zip m3ss@g#_f0r_pAuL
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ cat m3ss@g#_f0r_pAuL
Url Cnhy,
Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.
Pbhyq lbh spenpx vg sbe zr???
V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...
Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...
-Wbua Yraaba
CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!If you are good at crypto, we can guess it can be rot13 or something like that.
He want to use fcrackzip tool with the four characters wordlist. So we can generate with crunch tool like this.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ crunch 4 4 abcdefghijklmnopqrstuvwxyz -o pass.lst
Crunch will now generate the following amount of data: 2284880 bytes
2 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976
crunch: 100% completed generating outputCrack with fcrackzip
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ fcrackzip -u -D -p pass.lst BAND.zip
PASSWORD FOUND!!!!: pw == passWhen we extract it with that password. We will get another jpg file.
After some enumeration, I didn't get anything and I decided to use stegseek tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ stegseek BAND.JPG
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "THEBEATLES"
[i] Original filename: "testabeatle.out".
[i] Extracting to "BAND.JPG.out".┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ file BAND.JPG.out
BAND.JPG.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ chmod +x BAND.JPG.out
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ ./BAND.JPG.out
Hey Paul! If you are here... Give my your favourite character!
batman
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################If we use strings command on this ELF file, we will get a base64 text.
└──╼ [??]$ strings BAND.JPG.out
[..snip...]
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTX
lfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################Decode it and get the flag.
The tour was canceled for the following month...!
I'll go out for dinner with my girlfriend named Yoco! ;)
HTB{S0rRy_My_FR13nD}HTB{S0rRy_My_FR13nD}
Comming Soon....
Last updated