# Steganography - HTB

## Widescreen

> <https://app.hackthebox.com/challenges/widescreen>

<details>

<summary>Challenge Description</summary>

Someone has leaked pictures of our unreleased movie. Can you help identify him?

</details>

![](/files/HrbXOzh397EqirSZYMzv)

This is the given picture. Check it with the `file` command to confirm what type of file it is.

```bash
file widescreen.png 
widescreen.png: PNG image data, 628 x 281, 8-bit/color RGB, non-interlaced
```

If you pay close attention to the bottom of this image, you can see the flag drawn at very low brightness. I used `stegsolve.jar` to see it clearly.

![](/files/43CGAEdEf3i6uuwcCRXb)

> HTB{c3r34l\_k1ll3r}
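The reason Stegsolve makes the text readable is that its views either stretch the image's tiny brightness range to full scale or show one bit plane at a time. The following added example (not part of the write-up, and not Stegsolve's code) does both on a constructed 8x8 grayscale image in which a letter is drawn two levels above black; the image, the function names and the ASCII rendering are all assumptions made for the example.

```python
"""Make a low-brightness overlay visible, the way Stegsolve's contrast and
bit-plane views do.  Added example for this write-up, not part of the
challenge files; the image below is constructed, not widescreen.png."""


def constructed_image():
    """8x8 grayscale image: background 0, a letter 'T' drawn at value 2.
    On screen both values look black; the overlay is practically invisible."""
    rows = [[0] * 8 for _ in range(8)]
    for x in range(1, 7):
        rows[1][x] = 2          # top bar of the T
    for y in range(2, 7):
        rows[y][4] = 2          # stem of the T
    return rows


def stretch_contrast(rows):
    """Linearly map the image's [min, max] range onto [0, 255].
    A faint overlay two levels above black becomes full white."""
    lo = min(min(r) for r in rows)
    hi = max(max(r) for r in rows)
    if hi == lo:                # flat image: nothing to stretch
        return [[0 for _ in r] for r in rows]
    return [[(v - lo) * 255 // (hi - lo) for v in r] for r in rows]


def bit_plane(rows, bit):
    """Extract one bit of every pixel as a 0/1 image (bit 0 is the LSB).
    Stegsolve's per-plane views are exactly this."""
    return [[(v >> bit) & 1 for v in r] for r in rows]


def render(rows):
    """ASCII preview: '#' for any non-zero pixel, '.' otherwise."""
    return "\n".join("".join("#" if v else "." for v in r) for r in rows)


if __name__ == "__main__":
    img = constructed_image()
    print("raw image, thresholded at mid-gray (nothing visible):")
    print(render([[v // 128 for v in r] for r in img]))
    print("\ncontrast-stretched:")
    print(render(stretch_contrast(img)))
    print("\nbit plane 1:")
    print(render(bit_plane(img, 1)))
```

The overlay sits only in bit 1 of the pixel values, so bit plane 0 stays empty while bit plane 1 and the stretched view both show the letter; on a real PNG the same operations would be applied per colour channel.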

## HackerMan

> <https://app.hackthebox.com/challenges/hackerman>

<details>

<summary>Challenge Description</summary>

There should be something hidden inside this photo... Can you find out?

</details>

![](/files/HZlOchxi0XcNpOoeEDdB)

This is the given image. I tried a couple of tools and didn't get anything, so I brute-forced the passphrase with the `stegcracker` tool.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ stegcracker hackerman.jpg /opt/rockyou.txt 
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which 
will blast through the rockyou.txt wordlist within 1.9 second as opposed 
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'hackerman.jpg' with wordlist '/opt/rockyou.txt'..
Successfully cracked file with password: almost
Tried 11796 passwords
Your file has been written to: hackerman.jpg.out
almost
```

Now that we have the password `almost`, we extract the hidden file with the `steghide` tool.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ steghide extract -sf hackerman.jpg
Enter passphrase: 
wrote extracted data to "hackerman.txt".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ cat hackerman.txt 
SFRCezN2MWxfYzBycH0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ echo "SFRCezN2MWxfYzBycH0=" | base64 -d
HTB{3v1l_c0rp}
```

> HTB{3v1l\_c0rp}

## Milkshake

> <https://app.hackthebox.com/challenges/milkshake>

![](/files/bKJIy1gpKVI4Gd9ooEVs)

It is just an mp3 music file. I opened it with `sonic-visualizer` and added a spectrogram layer.

![](/files/jfZtntuInYgRO0AwWE1T)

And then you will see the flag.

![](/files/S8ttveU8ui8qgn6nbkvZ)

> HTB{str4wberry\_milkshak3}

## Da Vinci

> <https://app.hackthebox.com/challenges/da-vinci>

<details>

<summary>Challenge Description</summary>

Try to find out the secret which is hiding inside of these pictures and learn the truth about Mona Lisa!

</details>

![](/files/yFwYuuBwlJLjqbdOKcJ5)

We get three jpg files for this challenge. After some enumeration, I ran `binwalk` on `monalisa.jpg`.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci]
└──╼ [??]$ binwalk -e monalisa.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
450363        0x6DF3B         Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440        0x6DF88         Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411        0x8AC5B         End of Zip archive, footer length: 22
568537        0x8ACD9         End of Zip archive, footer length: 22
```

That gives us two `zip` files, `6DF3B.zip` and `famous.zip`, but they are password-protected.
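What binwalk found here is the classic "JPEG with a ZIP appended after the End-Of-Image marker" layout: the image viewer stops at `FF D9`, and everything after it is a complete archive. The following added example (not part of the write-up, and not binwalk's code) walks the JPEG marker segments to find where the image really ends, reports any ZIP local file headers in the trailing bytes together with their encryption flag, and lists the members; the sample file, the function names and the member name `secret.txt` are constructed for the example.

```python
"""Detect and list a ZIP archive appended after a JPEG's End-Of-Image marker,
the layout binwalk reported for monalisa.jpg above.  Added example, not part
of the write-up or of binwalk; the sample file is constructed in memory."""
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def constructed_sample():
    """Minimal JPEG-shaped bytes (SOI, one APP0 segment, EOI) followed by a
    small ZIP archive.  Constructed for the example, not a real photo."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = JPEG_SOI + app0 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.txt", "constructed payload\n")
    return jpeg + buf.getvalue()


def jpeg_end_offset(data):
    """Walk the marker segments and return the offset just past EOI, or None
    if the data is not JPEG-shaped.  Walking segments instead of searching
    for FF D9 avoids stopping at the EOI of an EXIF thumbnail."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the image ends here
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                            # standalone markers, no length
        if pos + 2 > len(data):
            return None
        seg_len, = struct.unpack(">H", data[pos:pos + 2])
        pos += seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def find_appended_archives(data):
    """Report the trailing bytes after EOI and every ZIP local file header
    found there, with the name and the encryption bit of each entry."""
    end = jpeg_end_offset(data)
    if end is None:
        return None
    entries = []
    pos = data.find(ZIP_LOCAL_HEADER, end)
    while pos != -1 and pos + 30 <= len(data):
        flags, = struct.unpack("<H", data[pos + 6:pos + 8])      # general-purpose bits
        name_len, = struct.unpack("<H", data[pos + 26:pos + 28])  # file name length
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append({"offset": pos, "name": name, "encrypted": bool(flags & 1)})
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return {"image_end": end, "trailing_bytes": len(data) - end, "entries": entries}


def list_members(data):
    """zipfile tolerates leading non-ZIP bytes (it locates the end-of-central-
    directory record from the tail), so the whole JPEG opens as an archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info.filename) for info in zf.infolist()}


if __name__ == "__main__":
    sample = constructed_sample()
    print(find_appended_archives(sample))
    print(list_members(sample))
```

Running the check on a directory of images is a cheap way to flag polyglot files on a defender's side; an entry whose `encrypted` flag is set is exactly the "encrypted at least v2.0 to extract" case binwalk printed for `Mona.jpg`.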

I used `fcrackzip` tool to bruteforce zip password.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ fcrackzip famous.zip -uDp /opt/rockyou.txt 


PASSWORD FOUND!!!!: pw == leonardo
```

That gives us the `Mona.jpg` file. After enumerating it again, I used `stegseek` to extract the hidden data (stegseek is a lightning-fast steghide cracker that can also extract the hidden file once it finds the passphrase).

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ stegseek Mona.jpg /opt/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "Guernica"         
[i] Original filename: "key".
[i] Extracting to "Mona.jpg.out".
```

This file contains base64-encoded data, and I had to decode it three times to get the flag.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ cat Mona.jpg.out 
VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ echo "VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=" | base64 -d | base64 -d | base64 -d
HTB{M0n@_L1z@_!s_D3@D}
```

> HTB{M0n@\_L1z@\_!s\_D3@D}
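Both the HackerMan output (one base64 layer) and this one (three layers) are the same pattern: keep decoding while the result is still well-formed base64 and still prints as text. The following added example (not part of the write-up) automates that loop and stops on its own instead of requiring a known number of `base64 -d` pipes; the helper names are assumptions, and the strings it is tested against are the two outputs shown on this page.

```python
"""Peel nested base64 layers until the payload stops looking like base64.
Added example for this write-up; the function names are made up here."""
import base64
import binascii
import string

_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def is_base64_text(s):
    """Structural test only: base64 alphabet, at most two '=' at the end,
    and a length that is a multiple of four."""
    s = s.strip()
    if not s or len(s) % 4:
        return False
    body = s.rstrip("=")
    if len(s) - len(body) > 2 or "=" in body:
        return False
    return all(c in _B64_ALPHABET for c in body)


def looks_like_text(raw):
    """True when the decoded bytes are UTF-8 and printable (plus CR/LF/TAB)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def peel_base64(blob, max_layers=10):
    """Return (payload, layers_removed).  Decoding stops when the current
    text is not well-formed base64, when one more decode would yield
    non-text (the previous layer was the real payload, or it is binary
    data that should be written to a file instead), or at max_layers."""
    text = blob.strip()
    layers = 0
    while layers < max_layers and is_base64_text(text):
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error:
            break
        if not looks_like_text(raw):
            break
        text = raw.decode("utf-8").strip()
        layers += 1
    return text, layers


if __name__ == "__main__":
    for sample in ("SFRCezN2MWxfYzBycH0=",
                   "VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0="):
        payload, n = peel_base64(sample)
        print(f"{n} layer(s): {payload}")
```

The "still looks like text" check matters: a four-letter word such as `pass` is structurally valid base64, and a naive loop would happily turn it into three garbage bytes and lose the real answer.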

## Beatles

<details>

<summary>Challenge Description</summary>

John Lennon sent a secret message to Paul McCartney about the next music tour of the Beatles... Could you find the message and submit the flag?

</details>

When we extract the given file, we get one `zip` file and one `ASCII` text file. The zip file is password-protected, and the text file looks like nonsense at first.

```bash
└──╼ [??]$ ls
BAND.zip  Beatles.zip  m3ss@g#_f0r_pAuL
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ cat m3ss@g#_f0r_pAuL 
Url Cnhy,

Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.

Pbhyq lbh spenpx vg sbe zr???

V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...

Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...

-Wbua Yraaba


CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!
```

If you are familiar with classical ciphers, you can guess that this is [rot13](https://rot13.com/) or something similar.

![](/files/73dk30lxzVESrGARwNDv)
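rot13 is just the Caesar shift with key 13, so rather than guessing the key you can try all 26 shifts and score each candidate by how many common English words it contains. The following added example (not part of the write-up, and going one step beyond the page by handling any shift, not only 13) does that on the first lines of the message shown above; the word list and the function names are assumptions made for the example.

```python
"""Brute-force a Caesar shift by scoring each candidate with a small list of
common English words.  Added example for this write-up; rot13 is shift 13.
The word list and function names are chosen for the example."""
import string

# The first lines of the message from the challenge file, as shown above.
MESSAGE = ("Url Cnhy,\n\n"
           "Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.\n\n"
           "Pbhyq lbh spenpx vg sbe zr???")

# A handful of frequent English words; gibberish almost never contains them.
COMMON_WORDS = {"the", "you", "for", "with", "and", "could", "has",
                "my", "message", "band", "friend", "next", "share"}


def caesar(text, shift):
    """Shift letters by `shift` positions; digits and punctuation pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def score(text):
    """Number of tokens (punctuation stripped) that are common English words."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(1 for w in words if w in COMMON_WORDS)


def best_shift(text):
    """The shift whose decryption scores highest; 13 for a rot13 message."""
    return max(range(26), key=lambda s: score(caesar(text, s)))


def rot13(text):
    """rot13 is its own inverse: applying it twice returns the input."""
    return caesar(text, 13)


if __name__ == "__main__":
    shift = best_shift(MESSAGE)
    print(f"best shift: {shift}")
    print(caesar(MESSAGE, shift))
```

On the challenge message the winning shift decodes "Url Cnhy," to "Hey Paul,", and the word `spenpx` becomes `fcrack`, which is the hint towards `fcrackzip` used below.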

The message hints that we should use `fcrackzip` with a four-character wordlist, which we can generate with the `crunch` tool like this.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ crunch 4 4 abcdefghijklmnopqrstuvwxyz -o pass.lst
Crunch will now generate the following amount of data: 2284880 bytes
2 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976 

crunch: 100% completed generating output
```

Crack it with `fcrackzip`:

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ fcrackzip -u -D -p pass.lst BAND.zip 


PASSWORD FOUND!!!!: pw == pass
```

When we extract it with that password, we get another `jpg` file.

After some enumeration I didn't find anything, so I decided to use the `stegseek` tool.

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ stegseek BAND.JPG 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "THEBEATLES"      

[i] Original filename: "testabeatle.out".
[i] Extracting to "BAND.JPG.out".
```

```bash
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ file BAND.JPG.out 
BAND.JPG.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ chmod +x BAND.JPG.out 
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ ./BAND.JPG.out 
Hey Paul! If you are here... Give my your favourite character!
batman
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of  5+5?
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
```

If we run the `strings` command on this ELF file, we find a `base64` string among the embedded messages.

```bash
└──╼ [??]$ strings BAND.JPG.out
[..snip...]
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of  5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is  the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
```

Decode it and get the flag.

```text
The tour was canceled for the following month...!

I'll go out for dinner with my girlfriend named Yoco! ;)

HTB{S0rRy_My_FR13nD}
```

> HTB{S0rRy\_My\_FR13nD}
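The `strings` step works because the program keeps its final message as a base64 literal in its data section, so it is readable without ever answering the questions. The following added example (not part of the write-up, and not the `strings` utility itself) carves printable runs out of a binary the way `strings -n 4` does and then flags the runs that are shaped like base64 and decode to printable text; the fake binary, its embedded messages and the flag value in it are constructed for the example.

```python
"""Carve printable strings from a binary and flag the base64-shaped ones.
Added example for this write-up; the sample 'binary' below is constructed
(ELF magic plus junk bytes and a few embedded strings), not BAND.JPG.out."""
import base64
import re

ELF_MAGIC = b"\x7fELF"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def constructed_binary():
    """Fake program image with junk bytes between a few recognisable strings."""
    secret = base64.b64encode(b"The tour was canceled... HTB{constructed_flag}\r\n")
    junk = bytes([0x00, 0x01, 0x02, 0xff, 0xfe, 0x90, 0xcc, 0xc3])
    return (ELF_MAGIC + junk * 4
            + b"Hey Paul! Give me your favourite character!\x00" + junk
            + secret + b"\x00" + junk * 2
            + b"/lib64/ld-linux-x86-64.so.2\x00" + junk)


def extract_strings(data, min_len=4):
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_base64_candidates(data):
    """(encoded, decoded) pairs for runs that are well-formed base64 and
    decode to printable text; everything else is skipped silently."""
    found = []
    for m in B64_RUN.finditer(data):
        run = m.group()
        if len(run) % 4:                      # not a whole number of quanta
            continue
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append((run.decode("ascii"), text))
    return found


if __name__ == "__main__":
    blob = constructed_binary()
    for s in extract_strings(blob):
        print(s)
    for encoded, decoded in find_base64_candidates(blob):
        print(f"\nbase64 candidate {encoded[:20]}... decodes to:\n{decoded}")
```

Ordinary text such as the prompts and the interpreter path survive the carve but fail the base64 shape test, so only the encoded message is reported.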

{% hint style="warning" %}
Coming Soon...
{% endhint %}

