Steganography - HTB
All of these challenges are from Hack The Box (retired).
Widescreen

This is the given picture. Check it with the file command to be sure what type of file it is.
file widescreen.png
widescreen.png: PNG image data, 628 x 281, 8-bit/color RGB, non-interlaced
If you pay close attention to the bottom of this image, you can see the flag at low brightness. I used stegsolve.jar to see it clearly.

HTB{c3r34l_k1ll3r}
HackerMan

This is the given image. I checked it with a couple of tools and didn't get anything, so I brute-forced it with the stegcracker tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ stegcracker hackerman.jpg /opt/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file 'hackerman.jpg' with wordlist '/opt/rockyou.txt'..
Successfully cracked file with password: almost
Tried 11796 passwords
Your file has been written to: hackerman.jpg.out
almost
Now we have the password "almost", so we extract with the steghide tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ steghide extract -sf hackerman.jpg
Enter passphrase:
wrote extracted data to "hackerman.txt".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ cat hackerman.txt
SFRCezN2MWxfYzBycH0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/hackermen]
└──╼ [??]$ echo "SFRCezN2MWxfYzBycH0=" | base64 -d
HTB{3v1l_c0rp}
HTB{3v1l_c0rp}
Milkshake

It is just an mp3 music file. I opened it with sonic-visualizer and added a spectrogram.

And then you will see the flag.

HTB{str4wberry_milkshak3}
Da Vinci

We got three jpg files for this challenge. After doing some enumeration, I used binwalk on monalisa.jpg.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci]
└──╼ [??]$ binwalk -e monalisa.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
450363 0x6DF3B Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip
450440 0x6DF88 Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg
568411 0x8AC5B End of Zip archive, footer length: 22
568537 0x8ACD9 End of Zip archive, footer length: 22
Then we got two zip files, 6DF3B.zip and famous.zip, but it was locked. I used the fcrackzip tool to brute-force the zip password.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ fcrackzip famous.zip -uDp /opt/rockyou.txt
PASSWORD FOUND!!!!: pw == leonardo
We get the Mona.jpg file. After doing enumeration again, I used stegseek to extract hidden files. (stegseek is a lightning fast steghide cracker that can be used to extract hidden data from files.)
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ stegseek Mona.jpg /opt/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "Guernica"
[i] Original filename: "key".
[i] Extracting to "Mona.jpg.out".
In this file we get base64-encoded data, and I decoded it three times to get the flag.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ cat Mona.jpg.out
VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=
┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
SFRCe00wbkBfTDF6QF8hc19EM0BEfQ==┌─[sheinn101@parrot]─[~/htb/challenge/stego/davinci/_monalisa.jpg.extracted]
└──╼ [??]$ echo "VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=" | base64 -d | base64 -d | base64 -d
HTB{M0n@_L1z@_!s_D3@D}
HTB{M0n@_L1z@_!s_D3@D}
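The layered decoding used in HackerMan (one base64 layer) and Da Vinci (three layers), written as an added Python example that is not part of the original write-up: it strips base64 layers until the HTB{...} flag format appears. The function name peel_base64 and the layer limit are assumptions of this example; both input strings are the ones shown above.

```python
import base64
import binascii
import re

FLAG_RE = re.compile(rb"HTB\{[^}]+\}")  # flag format used on this page

# Values copied from hackerman.txt and Mona.jpg.out as shown above
HACKERMAN = b"SFRCezN2MWxfYzBycH0="
MONA = b"VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0="


def peel_base64(blob: bytes, max_layers: int = 10):
    """Decode base64 repeatedly; return (layers_removed, flag or None).

    Braces are not in the base64 alphabet, so the flag pattern can only
    match once the last layer has been removed.
    """
    data = blob
    layers = 0
    while True:
        match = FLAG_RE.search(data)
        if match:
            return layers, match.group().decode("ascii", "replace")
        if layers == max_layers:
            return layers, None
        try:
            # Drop line wraps, then decode strictly: validate=True raises on
            # non-alphabet bytes instead of silently skipping them.
            data = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            return layers, None  # not base64 any more and no flag found
        layers += 1


if __name__ == "__main__":
    for name, blob in (("hackerman.txt", HACKERMAN), ("Mona.jpg.out", MONA)):
        layers, flag = peel_base64(blob)
        print(f"{name}: {layers} layer(s) -> {flag}")
```

Stacked encodings add no secrecy; the loop needs no key and stops as soon as the known flag format shows up.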
Beatles
When we extract the given file, we get one zip file and one ASCII text file. The zip file was protected and the ASCII file is just nonsense text.
└──╼ [??]$ ls
BAND.zip Beatles.zip m3ss@g#_f0r_pAuL
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ cat m3ss@g#_f0r_pAuL
Url Cnhy,
Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.
Pbhyq lbh spenpx vg sbe zr???
V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...
Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...
-Wbua Yraaba
CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!
If you are good at crypto, you can guess that it is rot13 or something like that.
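One way to confirm the rot13 guess instead of eyeballing it, as an added example that is not part of the original write-up: try every Caesar shift on the note and keep the one that produces the most common English words. This goes beyond rot13 to all 26 shifts; the word list and the function names are assumptions of this example.

```python
import re

# Ciphertext copied from m3ss@g#_f0r_pAuL as printed on this page
NOTE = """Url Cnhy,
Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.
Pbhyq lbh spenpx vg sbe zr???
V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...
Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...
-Wbua Yraaba
CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!"""

# Small list of frequent English words (assumption of this example).
# Single-letter words are left out: they match by chance under some shift.
COMMON = {"the", "and", "you", "for", "with", "has", "it", "me", "my",
          "our", "of", "not", "this", "that", "could", "next"}


def shift(text: str, k: int) -> str:
    """Rotate ASCII letters by k positions, leaving everything else alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score(text: str) -> int:
    """Count how many words of a candidate plaintext are common English."""
    return sum(w in COMMON for w in re.findall(r"[a-z']+", text.lower()))


def best_shift(ciphertext: str) -> int:
    """Return the shift (0-25) whose output looks most like English."""
    return max(range(26), key=lambda k: score(shift(ciphertext, k)))


if __name__ == "__main__":
    k = best_shift(NOTE)
    print(f"best shift: {k}")
    print(shift(NOTE, k))
```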

He wants us to use the fcrackzip tool with a four-character wordlist, so we can generate one with the crunch tool like this.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ crunch 4 4 abcdefghijklmnopqrstuvwxyz -o pass.lst
Crunch will now generate the following amount of data: 2284880 bytes
2 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976
crunch: 100% completed generating output
Crack with fcrackzip
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ fcrackzip -u -D -p pass.lst BAND.zip
PASSWORD FOUND!!!!: pw == pass
When we extract it with that password, we get another jpg file.
After some enumeration, I didn't get anything and I decided to use the stegseek tool.
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ stegseek BAND.JPG
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "THEBEATLES"
[i] Original filename: "testabeatle.out".
[i] Extracting to "BAND.JPG.out".
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ file BAND.JPG.out
BAND.JPG.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ chmod +x BAND.JPG.out
┌─[sheinn101@parrot]─[~/htb/challenge/stego/beatles]
└──╼ [??]$ ./BAND.JPG.out
Hey Paul! If you are here... Give my your favourite character!
batman
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
If we use the strings command on this ELF file, we get base64 text.
└──╼ [??]$ strings BAND.JPG.out
[..snip...]
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTX
lfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
Decode it and get the flag.
The tour was canceled for the following month...!
I'll go out for dinner with my girlfriend named Yoco! ;)
HTB{S0rRy_My_FR13nD}
HTB{S0rRy_My_FR13nD}
Coming soon...