There should be something hidden inside this photo... Can you find out?
This is the given image. I checked it with a couple of tools and didn't get anything, so I brute-forced it with the stegcracker tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ $ stegcracker hackerman.jpg /opt/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which will blast through the rockyou.txt wordlist within 1.9 second as opposed to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file 'hackerman.jpg' with wordlist '/opt/rockyou.txt'..
Successfully cracked file with password: almost
Tried 11796 passwords
Your file has been written to: hackerman.jpg.out
almost
Now we have the password "almost", so we can extract the hidden data with the steghide tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ $ steghide extract -sf hackerman.jpg
Enter passphrase:
wrote extracted data to "hackerman.txt".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ $ cat hackerman.txt
SFRCezN2MWxfYzBycH0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ $ echo "SFRCezN2MWxfYzBycH0=" | base64 -d
HTB{3v1l_c0rp}
Try to find out the secret which is hiding inside of these pictures and learn the truth about Mona Lisa!
We got three jpg files for this challenge. After doing some enumeration, I used binwalk on monalisa.jpg.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci]
└──╼ $ binwalk -e monalisa.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
450363        0x6DF3B         Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440        0x6DF88         Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411        0x8AC5B         End of Zip archive, footer length: 22
568537        0x8ACD9         End of Zip archive, footer length: 22
That gave us two zip files, 6DF3B.zip and famous.zip, but famous.zip was locked.
From it we get the Mona.jpg file. After doing enumeration again, I used stegseek to extract the hidden files. (stegseek is a lightning-fast steghide cracker that can be used to extract hidden data from files.)
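The binwalk result above comes from scanning the file for known magic bytes. As an added example (not part of the original writeup), this simplified scanner reports JPEG and ZIP signatures with their offsets and reads the entry name and encrypted flag from each ZIP local header; the sample file is constructed in build_sample() to mimic the layout of monalisa.jpg.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"  # local file header magic
ZIP_EOCD = b"PK\x05\x06"   # end-of-central-directory magic

def find_all(data, magic):
    pos = data.find(magic)
    while pos != -1:
        yield pos
        pos = data.find(magic, pos + 1)

def scan(data):
    """Return sorted (offset, description) hits, in the spirit of binwalk."""
    hits = []
    if data[:3] == b"\xff\xd8\xff":
        hits.append((0, "JPEG image data"))
    for off in find_all(data, ZIP_LOCAL):
        if off + 30 > len(data):
            continue  # truncated header, cannot parse
        flags, = struct.unpack_from("<H", data, off + 6)      # bit 0 = encrypted
        name_len, = struct.unpack_from("<H", data, off + 26)
        name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        enc = "encrypted " if flags & 1 else ""
        hits.append((off, f"Zip archive data, {enc}name: {name}"))
    hits += [(off, "End of Zip archive") for off in find_all(data, ZIP_EOCD)]
    return sorted(hits)

def build_sample():
    """Constructed stand-in for monalisa.jpg: JPEG stub + zip holding a zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as z:
        z.writestr("Mona.jpg", b"not a real image")
    raw = bytearray(inner.getvalue())
    raw[6] |= 1  # mark the entry encrypted in its local header (flag only)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("famous.zip", bytes(raw))
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return jpeg_stub + outer.getvalue()

if __name__ == "__main__":
    for off, desc in scan(build_sample()):
        print(f"{off:<10}0x{off:<10X}{desc}")
```

Because the outer archive stores famous.zip uncompressed, the inner archive's headers are visible to the scan, which is why two ZIP headers and two end-of-archive records show up.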
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ $ stegseek Mona.jpg /opt/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "Guernica"
[i] Original filename: "key".
[i] Extracting to "Mona.jpg.out".
This file contains base64-encoded data, and I decoded it three times to get the flag.
If you are good at crypto, we can guess it can be rot13 or something like that.
He wants to use the fcrackzip tool with a four-character wordlist, so we can generate one with the crunch tool like this.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ $ crunch 4 4 abcdefghijklmnopqrstuvwxyz -o pass.lst
Crunch will now generate the following amount of data: 2284880 bytes
2 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976
crunch: 100% completed generating output
When we extract it with that password, we get another jpg file.
After some enumeration I didn't get anything, so I decided to use the stegseek tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ $ stegseek BAND.JPG
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "THEBEATLES"
[i] Original filename: "testabeatle.out".
[i] Extracting to "BAND.JPG.out".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ $ file BAND.JPG.out
BAND.JPG.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ $ chmod +x BAND.JPG.out
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ $ ./BAND.JPG.out
Hey Paul! If you are here... Give my your favourite character!
batman
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
If we run the strings command on this ELF file, we get a base64 string.
└──╼ $ strings BAND.JPG.out
[..snip...]
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
Decode it and get the flag.
The tour was canceled for the following month...!

I'll go out for dinner with my girlfriend named Yoco! ;)

HTB{S0rRy_My_FR13nD}
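Both the triple-encoded key from Mona.jpg.out and the base64 string found with strings in BAND.JPG.out can be handled by one triage helper. This added example (not from the original writeup) extracts printable runs from a binary the way strings does, keeps the ones that are valid base64 of printable text, and peels nested layers; the sample bytes in the main block are constructed.

```python
import base64
import binascii
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")        # what `strings` reports by default
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # long, base64 alphabet only

def printable_strings(blob):
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def try_b64(text):
    """Return decoded text if `text` is base64 of printable text, else None."""
    token = text.strip()
    if len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    ok = all(c.isprintable() or c in "\r\n\t" for c in decoded)
    return decoded if ok else None

def peel(text, max_layers=5):
    """Decode nested base64 until the result is no longer base64."""
    layers = 0
    while layers < max_layers:
        nxt = try_b64(text)
        if nxt is None:
            break
        text, layers = nxt, layers + 1
    return text, layers

def decode_candidates(blob):
    """Return (layers, plaintext) for every string in blob that decodes."""
    out = []
    for s in printable_strings(blob):
        plain, layers = peel(s)
        if layers:
            out.append((layers, plain))
    return out

if __name__ == "__main__":
    # Constructed sample: ELF-like bytes around one base64 string.
    msg = base64.b64encode(b"constructed message\r\n")
    blob = b"\x7fELF\x02\x01\x01\x00" + b"Tell me PAul!\x00" + msg + b"\x00"
    print(decode_candidates(blob))
```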