Steganography - HTB

All this challenge is from Hackthebox (Retired)

Widescreen

https://app.hackthebox.com/challenges/widescreen

Challenge Description

Someone has leaked pictures of our unreleased movie. Can you help identify him?

This is the given picture. Check it with file command to sure what type of file is this.

file widescreen.png 
widescreen.png: PNG image data, 628 x 281, 8-bit/color RGB, non-interlaced

If you pay close attention to the bottom of this image. You can see the flag with low brightness.I used stegsolve.jar to see clearly.

HTB{c3r34l_k1ll3r}

HackerMan

https://app.hackthebox.com/challenges/hackerman

Challenge Description

There should be something hidden inside this photo... Can you find out?

This is the given image and I checked a couple of tools and didn't get anything.So I bruteforced with stegcracker tool.

┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ stegcracker hackerman.jpg /opt/rockyou.txt 
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which 
will blast through the rockyou.txt wordlist within 1.9 second as opposed 
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'hackerman.jpg' with wordlist '/opt/rockyou.txt'..
Successfully cracked file with password: almost
Tried 11796 passwords
Your file has been written to: hackerman.jpg.out
almost

Now we got the password almost and extract with steghide tool.

┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ steghide extract -sf hackerman.jpg
Enter passphrase: 
wrote extracted data to "hackerman.txt".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ cat hackerman.txt 
SFRCezN2MWxfYzBycH0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ echo "SFRCezN2MWxfYzBycH0=" | base64 -d
HTB{3v1l_c0rp}

HTB{3v1l_c0rp}

Milkshake

https://app.hackthebox.com/challenges/milkshake

It just mp3 music file and I opened with sonic-visualizer and add spectrogram.

And then you will see the flag.

HTB{str4wberry_milkshak3}

Da Vinci

https://app.hackthebox.com/challenges/da-vinci

Challenge Description

Try to find out the secret which is hiding inside of these pictures and learn the truth about Mona Lisa!

We got three jpg file for this challenge. After doing some emumeration stuff , I use binwalk on monalisa.jpg

┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci]
└──╼ [??]$ binwalk -e monalisa.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
450363        0x6DF3B         Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440        0x6DF88         Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411        0x8AC5B         End of Zip archive, footer length: 22
568537        0x8ACD9         End of Zip archive, footer length: 22

And then we got again two zip file which is 6DF3B.zip and famous.zip but it was locked

I used fcrackzip tool to bruteforce zip password.

┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ fcrackzip famous.zip -uDp /opt/rockyou.txt 


PASSWORD FOUND!!!!: pw == leonardo

We will get Mona.jpg file. Just doing enumeration again and I used stegseek to extract hidden files.(stegseek is a lightning fast steghide cracker that can be used to extract hidden data from files)

┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ stegseek Mona.jpg /opt/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "Guernica"         
[i] Original filename: "key".
[i] Extracting to "Mona.jpg.out".

In this file we get base64 encoded data and I decoded three time to get the flag.

┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ cat Mona.jpg.out 
VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ echo "VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=" | base64 -d | base64 -d | base64 -d
HTB{M0n@_L1z@_!s_D3@D}

HTB{M0n@L1z@!s_D3@D}

Beatles

Challenge Description

John Lennon send a secret message to Paul McCartney about the next music tour of Beatles... Could you find the message and sumbit the flag?

When we extract the given file, we will get one zip file and one ASCII text file.Zip file was protected and the ascii file is just a non-sense text.

└──╼ [??]$ ls
BAND.zip  Beatles.zip  m3ss@g#_f0r_pAuL
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ cat m3ss@g#_f0r_pAuL 
Url Cnhy,

Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.

Pbhyq lbh spenpx vg sbe zr???

V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...

Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...

-Wbua Yraaba


CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!

If you are good at crypto, we can guess it can be rot13 or something like that.

He want to use fcrackzip tool with the four characters wordlist. So we can generate with crunch tool like this.

┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ crunch 4 4 abcdefghijklmnopqrstuvwxyz -o pass.lst
Crunch will now generate the following amount of data: 2284880 bytes
2 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976 

crunch: 100% completed generating output

Crack with fcrackzip

┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ fcrackzip -u -D -p pass.lst BAND.zip 


PASSWORD FOUND!!!!: pw == pass

When we extract it with that password. We will get another jpg file.

After some enumeration, I didn't get anything and I decided to use stegseek tool.

┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ stegseek BAND.JPG 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "THEBEATLES"      

[i] Original filename: "testabeatle.out".
[i] Extracting to "BAND.JPG.out".

┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ file BAND.JPG.out 
BAND.JPG.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ chmod +x BAND.JPG.out 
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ ./BAND.JPG.out 
Hey Paul! If you are here... Give my your favourite character!
batman
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of  5+5?
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################

If we use strings command on this ELF file, we will get a base64 text.

└──╼ [??]$ strings BAND.JPG.out                                                    
[..snip...]                                                                     
Hey Paul! If you are here... Give my your favourite character!                     
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!                                                             
########################################Challenge############################################################                                                         
Tell me PAul! The result of  5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?                                                                                                      
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is  the message                                             
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTX
lfRlIxM25EfQ0K                          
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!                                                             
########################################END OF CHALLENGE############################################################

Decode it and get the flag.

The tour was canceled for the following month...!

I'll go out for dinner with my girlfriend named Yoco! ;)

HTB{S0rRy_My_FR13nD}

HTB{S0rRy_My_FR13nD}

Comming Soon....