CC: Steganography

Date: 19 May 2021

Author: Dhilip Sanjay S


Click Here to go to the TryHackMe room.

Introduction

  • Steganography (stego) is the art of concealing something inside something else, for example a message inside a jpg file, or a binary inside a png.

  • All needed files can be found inside the included zip file.


StegHide

  • Steghide is one of the most famous steganography tools.

  • It is used for hiding a message inside an image.

  • Works only for jpg images:

    • A downside of steghide is that it only works on jpgs; however, that means that if you believe there is a hidden message inside a jpg, steghide is a probable option.

  • Benefits of steghide:

    • It can encrypt data with a passphrase.

What argument allows you to embed data(such as files) into other files?

  • Answer: embed

What flag lets you set the file to embed?

  • Answer: -ef

What flag allows you to set the "cover file"? (i.e. the jpg)

  • Answer: -cf

How do you set the password to use for the cover file?

  • Answer: -p

What argument allows you to extract data from files?

  • Answer: extract

How do you select the file that you want to extract data from?

  • Answer: -sf

Given the passphrase "password123", what is the hidden message in the included "jpeg1" file?

  • Answer: pinguftw

  • Steps to Reproduce:

$ steghide extract -sf jpeg1.jpeg 
Enter passphrase: 
wrote extracted data to "a.txt".

$ cat a.txt 
pinguftw

zsteg

  • zsteg is to PNGs what steghide is to JPEGs. It supports various techniques to extract any and all data from PNG files.

  • zsteg also supports BMP files, but it is primarily used for PNGs.

How do you specify that the least significant bit comes first?

  • Answer: --lsb

What about the most significant bit?

  • Answer: --msb

How do you specify verbose mode?

  • Answer: -v

How do you extract the data from a specific payload?

  • Answer: -E

In the included file "png1" what is the hidden message?

  • Answer: nootnoot

What about the payload used to encrypt it?

  • Answer: b1,bgr,lsb,xy

$ zsteg png1.png -v
imagedata           .. file: DOS 2.0 backup id file, sequence 48
    00000000: 01 30 90 de 24 12 04 00  00 00 00 00 00 00 00 01  |.0..$...........|
    00000010: 01 00 ff 00 00 01 ff 01  00 01 00 ff 00 00 00 ff  |................|
    00000020: 00 01 00 00 00 01 00 00  00 ff 00 ff 01 00 00 ff  |................|
    00000030: 00 01 01 ff 00 00 00 ff  ff 01 00 01 00 01 00 00  |................|
    00000040: 00 ff 00 00 00 00 00 01  00 00 00 ff 00 ff 01 ff  |................|
    00000050: 00 ff 00 01 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000100: 
b1,bgr,lsb,xy       .. text: "nootnoot$"
    00000000: 00 08 6e 6f 6f 74 6e 6f  6f 74 24 92 49 24 92 49  |..nootnoot$.I$.I|
    00000010: 24 92 49 24 92 49 24 92  49 24 92 49 24 92 49 24  |$.I$.I$.I$.I$.I$|
    00000020: 92 49 24 92 49 24 92 49  24 92 49 24 92 49 24 92  |.I$.I$.I$.I$.I$.|
    00000030: 49 24 92 49 24 92 49 24  92 49 24 92 49 24 92 49  |I$.I$.I$.I$.I$.I|
    00000040: 24 92 49 24 92 49 24 92  49 24 92 49 24 92 49 24  |$.I$.I$.I$.I$.I$|
    00000050: 92 49 24 92 49 24 92 49  24 92 49 24 92 49 24 92  |.I$.I$.I$.I$.I$.|
    00000060: 49 24 92 49 24 92 49 24  92 49 24 92 49 24 92 49  |I$.I$.I$.I$.I$.I|
    00000070: 24 92 49 24 92 49 24 92  49 24 92 49 24 92 49 24  |$.I$.I$.I$.I$.I$|
    00000080: 92 49 24 92 49 24 92 49  24 92 49 24 92 49 24 92  |.I$.I$.I$.I$.I$.|
    00000090: 49 24 92 49 24 92 49 24  92 49 24 92 49 24 92 49  |I$.I$.I$.I$.I$.I|
    000000a0: 24 92 49 24 92 49 24 92  49 24 92 49 24 92 49 24  |$.I$.I$.I$.I$.I$|
    000000b0: 92 49 24 92 49 24 92 49  24 92 49 24 92 49 24 92  |.I$.I$.I$.I$.I$.|
    000000c0: 49 24 92 49 24 92 49 24  92 49 24 92 49 24 92 49  |I$.I$.I$.I$.I$.I|
    000000d0: 24 92 49 24 92 49 24 92  49 24 92 49 24 92 49 24  |$.I$.I$.I$.I$.I$|
    000000e0: 92 49 24 92 49 24 92 49  24 92 49 24 92 49 24 92  |.I$.I$.I$.I$.I$.|
    000000f0: 49 24 92 49 24 92 49 24  92 49 24 92 49 24 92 49  |I$.I$.I$.I$.I$.I|
.
.
.
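The payload zsteg reported above, b1,bgr,lsb,xy, names a concrete bit layout: one bit per channel, taken from each channel's least significant bit, channels visited in blue, green, red order, pixels visited row by row. The following example is added here and is not code from the room or from the zsteg project. It works on a constructed list of (r, g, b) tuples instead of a decoded PNG so that it runs offline without Pillow, and it assumes that bits are packed most-significant-first into each output byte; zsteg's exact packing convention is not verified against its source. The embed side is included only so the extractor can be checked by a round trip, and printable_fraction() is a hypothetical triage score for deciding whether a candidate payload is worth a closer look.

```python
"""1-bit-per-channel LSB steganography in a b,g,r channel order (added example).

Image model: a list of rows, each row a list of (r, g, b) tuples. Assumed layout:
LSB of each channel, channels in the order given, pixels row by row, bits packed
MSB-first into output bytes.
"""

CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2}


def make_cover(width=8, height=4):
    """Constructed sample cover: deterministic pseudo-random RGB values, not a real image."""
    return [[((x * 37 + y * 11) % 256, (x * 53 + y * 7) % 256, (x * 19 + y * 29) % 256)
             for x in range(width)] for y in range(height)]


def capacity_bytes(pixels, order="bgr"):
    """Whole payload bytes that fit at one bit per visited channel."""
    return len(pixels) * len(pixels[0]) * len(order) // 8


def embed(pixels, payload, order="bgr"):
    """Return a copy of `pixels` whose channel LSBs carry `payload` in the given channel order."""
    if len(payload) > capacity_bytes(pixels, order):
        raise ValueError("payload does not fit in cover")
    bits = ((byte >> (7 - i)) & 1 for byte in payload for i in range(8))  # MSB first
    out = []
    for row in pixels:
        new_row = []
        for px in row:
            px = list(px)
            for ch in order:
                bit = next(bits, None)
                if bit is not None:
                    idx = CHANNEL_INDEX[ch]
                    px[idx] = (px[idx] & 0xFE) | bit  # only the LSB changes
            new_row.append(tuple(px))
        out.append(new_row)
    return out


def extract(pixels, nbytes, order="bgr"):
    """Read channel LSBs in the given order and pack them MSB-first into `nbytes` bytes."""
    if nbytes == 0:
        return b""
    bits = []
    for row in pixels:
        for px in row:
            for ch in order:
                bits.append(px[CHANNEL_INDEX[ch]] & 1)
                if len(bits) == nbytes * 8:
                    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                                 for i in range(0, len(bits), 8))
    raise ValueError("image too small for requested length")


def printable_fraction(data):
    """Share of bytes in printable ASCII; hypothetical triage score for a candidate payload."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def max_channel_delta(a, b):
    """Largest per-channel difference between two images (at most 1 for a pure LSB embed)."""
    return max(abs(ca - cb) for ra, rb in zip(a, b)
               for pa, pb in zip(ra, rb) for ca, cb in zip(pa, pb))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"nootnoot")
    print(extract(stego, 8))               # b'nootnoot'
    print(extract(stego, 8, order="rgb"))  # wrong channel order: unreadable bytes
    print(max_channel_delta(cover, stego))
```

Reading the same image with the channel order set to rgb yields unreadable bytes, which is why zsteg tries every combination of bit count, channel order and bit order and reports only candidates that look like text or a known file type; the visual change to the cover is at most one unit per channel, so LSB embedding is invisible to the eye but trivially recoverable once the layout is guessed.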

Exiftool

  • Exiftool is a tool that allows you to view and edit image metadata.

In the included jpeg3 file, what is the document name?

  • Answer: Hello :)

  • Steps to Reproduce:

$ exiftool jpeg3.jpeg

ExifTool Version Number         : 12.16
File Name                       : jpeg3.jpeg
Directory                       : .
File Size                       : 8.3 KiB
File Modification Date/Time     : 2020:01:07 02:39:44+05:30
File Access Date/Time           : 2020:01:07 02:39:46+05:30
File Inode Change Date/Time     : 2021:05:19 00:50:34+05:30
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
Document Name                   : Hello :)
X Resolution                    : 1
Y Resolution                    : 1
Resolution Unit                 : None
Y Cb Cr Positioning             : Centered
Image Width                     : 213
Image Height                    : 160
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 213x160
Megapixels                      : 0.034
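The "Document Name" line exiftool prints comes from a TIFF/Exif ASCII tag stored in the JPEG's APP1 segment, and the final exam below turns on exactly such a tag leaking a passphrase. The following parser is an added example, not code from the room or from ExifTool, showing where that string lives and how a defender can scan metadata for credential-looking values. The JPEG is constructed in memory: it carries a real APP1/Exif segment but no picture data, which is enough for metadata triage. The credential_hints() helper and its pattern are hypothetical.

```python
"""Locate Exif ASCII tags (such as DocumentName, 0x010D) in a JPEG (added example)."""
import re
import struct

DOCUMENT_NAME = 0x010D      # the tag ExifTool prints as "Document Name"
IMAGE_DESCRIPTION = 0x010E
# byte size of each TIFF field type (1 BYTE, 2 ASCII, 3 SHORT, 4 LONG, 5 RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def build_sample_jpeg(document_name):
    """Constructed input: SOI, one APP1 Exif segment with a single IFD0 entry, EOI."""
    value = document_name.encode("ascii") + b"\x00"  # ASCII tags are NUL-terminated
    ifd_offset, n_entries = 8, 1
    ifd = struct.pack(">H", n_entries)
    if len(value) <= 4:                                # short values live inline
        ifd += struct.pack(">HHI4s", DOCUMENT_NAME, 2, len(value), value.ljust(4, b"\x00"))
        tail = b""
    else:                                              # longer ones sit after the IFD
        value_offset = ifd_offset + 2 + 12 * n_entries + 4
        ifd += struct.pack(">HHII", DOCUMENT_NAME, 2, len(value), value_offset)
        tail = value
    ifd += struct.pack(">I", 0)                        # no IFD1
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd_offset) + ifd + tail
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, payload) for each length-prefixed segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI, or SOS: entropy-coded data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_tiff_ascii_tags(tiff):
    """Walk the IFD chain and return {tag: str} for every ASCII (type 2) entry."""
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    tags, seen = {}, set()
    while ifd_off and ifd_off not in seen:             # guard against looping offsets
        seen.add(ifd_off)
        (n,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
        for i in range(n):
            e = ifd_off + 2 + 12 * i
            tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
            size = TYPE_SIZES.get(typ, 1) * count
            if size <= 4:
                raw = tiff[e + 8:e + 8 + size]
            else:
                (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
                raw = tiff[off:off + size]
            if typ == 2:
                tags[tag] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        (ifd_off,) = struct.unpack(endian + "I", tiff[ifd_off + 2 + 12 * n:ifd_off + 6 + 12 * n])
    return tags


def exif_ascii_tags(jpeg):
    """All ASCII Exif tags of a JPEG, or {} when it has no Exif APP1 segment."""
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_tiff_ascii_tags(payload[6:])
    return {}


def credential_hints(tags):
    """Hypothetical triage helper: metadata strings that look like a leaked passphrase."""
    pattern = re.compile(r"(?i)\b(pass(word|phrase)?|pwd|secret|key)\s*[=:]")
    return [v for v in tags.values() if pattern.search(v)]


if __name__ == "__main__":
    print(exif_ascii_tags(build_sample_jpeg("Hello :)"))[DOCUMENT_NAME])   # Hello :)
    print(credential_hints(exif_ascii_tags(build_sample_jpeg("password=admin"))))
```

The same walk covers ImageDescription, Artist, Copyright and the other ASCII tags, which is why stripping or at least reviewing Exif before publishing an image is a cheap control: the metadata survives copying and resizing far more often than people expect.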

Stegoveritas

  • Stegoveritas supports just about every image file, and is able to extract all types of data from it.

  • It is an incredibly useful tool if you don't know exactly what you're looking for, as it has a myriad of built-in tests to extract any and all data.

  • Stegoveritas has other features as well such as color correcting images.

How do you check the file for metadata?

  • Answer: -meta

How do you check for steghide hidden information?

  • Answer: -steghide

What flag allows you to extract LSB data from the image?

  • Answer: -extractLSB

In the included image jpeg2 what is the hidden message?

  • Answer: kekekekek

  • Steps to Reproduce:

$ stegoveritas -steghide jpeg2.jpeg 

Running Module: SVImage
+------------------+------+
|   Image Format   | Mode |
+------------------+------+
| JPEG (ISO 10918) | RGB  |
+------------------+------+
Found something with StegHide: $(pwd)/results/steghide_d8cdce3ca233a852bffff1ccd1c03488.bin
Running Module: MultiHandler

$ ls
a.txt  jpeg1.jpeg  jpeg2.jpeg  jpeg3.jpeg  png1.png  results  wav1.wav  wav2.wav

$ cat results/steghide_d8cdce3ca233a852bffff1ccd1c03488.bin 
kekekekek

Spectrograms

  • Spectrogram steganography is the art of hiding an image inside an audio file's spectrogram.

  • Therefore, whenever dealing with audio stego, it is always worth analyzing the spectrogram of the audio.
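A spectrogram is just the magnitude of a short-time Fourier transform plotted with time on one axis and frequency on the other, so an image painted into it is a pattern of which frequencies are loud in which frames. The example below is added here and is not code from the room; it builds a small 16-bit mono WAV in memory from two tones (constructed input), computes a naive DFT over fixed 64-sample frames using only the standard library, and reports the dominant frequency of each frame. A dedicated audio tool would use a windowed FFT for speed and resolution, but the quantity it draws is the same one computed here.

```python
"""Text spectrogram of a constructed WAV file (added example)."""
import cmath
import io
import math
import struct
import wave

SAMPLE_RATE = 8000
FRAME = 64                     # samples per frame; bin width = 8000 / 64 = 125 Hz


def make_wav(tones, amplitude=12000):
    """Constructed input: 16-bit mono PCM; `tones` is a list of (hertz, number_of_frames)."""
    samples, n = [], 0
    for hz, frames in tones:
        for _ in range(frames * FRAME):
            samples.append(int(amplitude * math.sin(2 * math.pi * hz * n / SAMPLE_RATE)))
            n += 1
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def read_samples(wav_bytes):
    """Decode 16-bit mono PCM into a list of ints."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("expected 16-bit mono PCM")
        raw = w.readframes(w.getnframes())
    return list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def dft_magnitudes(frame):
    """|X[k]| for k = 0..N/2 by direct summation (O(N^2), fine for 64 samples)."""
    n = len(frame)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame)))
            for k in range(n // 2 + 1)]


def spectrogram(samples, frame=FRAME):
    """One magnitude column per non-overlapping frame; time runs along the list."""
    return [dft_magnitudes(samples[i:i + frame])
            for i in range(0, len(samples) - frame + 1, frame)]


def dominant_frequencies(spec):
    """Hz of the strongest bin in each frame."""
    return [max(range(len(col)), key=col.__getitem__) * SAMPLE_RATE // FRAME for col in spec]


def render(spec, levels=" .:-=+*#%@"):
    """ASCII spectrogram: rows are frequency bins (highest at the top), columns are frames."""
    peak = max(max(col) for col in spec) or 1.0
    rows = []
    for k in range(len(spec[0]) - 1, -1, -1):
        rows.append("%5d Hz |" % (k * SAMPLE_RATE // FRAME)
                    + "".join(levels[int(col[k] / peak * (len(levels) - 1))] for col in spec))
    return "\n".join(rows)


if __name__ == "__main__":
    wav = make_wav([(1000, 4), (2000, 4), (500, 4)])
    spec = spectrogram(read_samples(wav))
    print(render(spec))
    print(dominant_frequencies(spec))
```

In the rendered output each tone appears as a horizontal bar at its frequency row; text or pictures hidden in a spectrogram are built from exactly such bars, which is why they are inaudible as meaning yet obvious once the audio is viewed rather than listened to.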

What is the hidden text in the included wav2 file?

  • Answer: Google

  • Steps to Reproduce:


Final Exam

What is key 1?

  • Answer: superkeykey

  • Steps to Reproduce:

    • Since it's a jpg image, the key must be hidden using steghide.

    • But we need a passphrase to extract the data.

    • So, let's try exiftool first to check out some of the metadata.

    $ exiftool exam1.jpeg 
    ExifTool Version Number         : 12.16
    File Name                       : exam1.jpeg
    Directory                       : .
    File Size                       : 8.6 KiB
    File Modification Date/Time     : 2020:01:07 06:43:27+05:30
    File Access Date/Time           : 2021:05:19 12:16:10+05:30
    File Inode Change Date/Time     : 2021:05:19 12:15:53+05:30
    File Permissions                : rw-r--r--
    File Type                       : JPEG
    File Type Extension             : jpg
    MIME Type                       : image/jpeg
    JFIF Version                    : 1.01
    Exif Byte Order                 : Big-endian (Motorola, MM)
    Document Name                   : password=admin
    X Resolution                    : 1
    Y Resolution                    : 1
    Resolution Unit                 : None
    Y Cb Cr Positioning             : Centered
    Image Width                     : 213
    Image Height                    : 160
    Encoding Process                : Baseline DCT, Huffman coding
    Bits Per Sample                 : 8
    Color Components                : 3
    Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
    Image Size                      : 213x160
    Megapixels                      : 0.034

    • The metadata contains password=admin.

    • Now we can run steghide to extract the data!

    $ steghide extract -sf exam1.jpeg
    Enter passphrase: 
    wrote extracted data to "a.txt".
    
    $ cat a.txt 
    the key is: superkeykey

What is key 2?

  • Answer: fatality

  • Steps to Reproduce:

    • We can see the link in the image after spectrogram analysis: https://imgur.com/KTrtNI5

    • We'll download the image file using wget https://i.imgur.com/KTrtNI5.png.

    • It is a png file, hence we can use either zsteg or stegoveritas to find the hidden information.

$ wget https://i.imgur.com/KTrtNI5.png
--2021-05-19 12:52:01--  https://i.imgur.com/KTrtNI5.png
Resolving i.imgur.com (i.imgur.com)... 151.101.36.193
Connecting to i.imgur.com (i.imgur.com)|151.101.36.193|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14915 (15K) [image/png]
Saving to: ‘KTrtNI5.png’

KTrtNI5.png                 100%[===========================================>]  14.57K  17.7KB/s    in 0.8s    

2021-05-19 12:52:02 (17.7 KB/s) - ‘KTrtNI5.png’ saved [14915/14915]

$ stegoveritas KTrtNI5.png 
Running Module: SVImage
+---------------------------+------+
|        Image Format       | Mode |
+---------------------------+------+
| Portable network graphics | RGB  |
+---------------------------+------+

Running Module: MultiHandler

Exif
====
+---------------------+---------------------------------------------------------+
| key                 | value                                                   |
+---------------------+---------------------------------------------------------+
| SourceFile          | REDACTED/KTrtNI5.png                                    |
| ExifToolVersion     | 12.16                                                   |
| FileName            | KTrtNI5.png                                             |
| Directory           | REDACTED/ccsteganography                                |
| FileSize            | 15 KiB                                                  |
| FileModifyDate      | 2020:01:07 03:20:48+05:30                               |
| FileAccessDate      | 2021:05:19 12:52:56+05:30                               |
| FileInodeChangeDate | 2021:05:19 12:52:02+05:30                               |
| FilePermissions     | rw-r--r--                                               |
| FileType            | PNG                                                     |
| FileTypeExtension   | png                                                     |
| MIMEType            | image/png                                               |
| ImageWidth          | 205                                                     |
| ImageHeight         | 246                                                     |
| BitDepth            | 8                                                       |
| ColorType           | RGB                                                     |
| Compression         | Deflate/Inflate                                         |
| Filter              | Adaptive                                                |
| Interlace           | Noninterlaced                                           |
| ImageSize           | 205x246                                                 |
| Megapixels          | 0.05                                                    |
+---------------------+---------------------------------------------------------+
Found something worth keeping!
PNG image data, 205 x 246, 8-bit/color RGB, non-interlaced

$ zsteg KTrtNI5.png 
imagedata           .. text: ")))xxxLMO"
b1,bgr,lsb,xy       .. text: "\rKey: fatality"
b2,rgb,lsb,xy       .. file: SoftQuad DESC or font file binary
b2,rgb,msb,xy       .. file: VISX image file
b2,bgr,lsb,xy       .. file: SoftQuad DESC or font file binary
b2,bgr,msb,xy       .. file: VISX image file

What is key 3?

  • Answer: killshot

  • Steps to Reproduce:

    • It seems like the QR code cannot be scanned from this image.

    • Initially I tried to scan it using zbarimg, which gave the following error:

    $ zbarimg qrcode.png 
    scanned 0 barcode symbols from 1 images in 0.02 seconds
    
    WARNING: barcode data was not detected in some image(s)
    Things to check:
    - is the barcode type supported? Currently supported symbologies are:
        . EAN/UPC (EAN-13, EAN-8, EAN-2, EAN-5, UPC-A, UPC-E, ISBN-10, ISBN-13)
        . DataBar, DataBar Expanded
        . Code 128
        . Code 93
        . Code 39
        . Codabar
        . Interleaved 2 of 5
        . QR code
        . SQ code
    - is the barcode large enough in the image?
    - is the barcode mostly in focus?
    - is there sufficient contrast/illumination?
    - If the symbol is split in several barcodes, are they combined in one image?
    - Did you enable the barcode type?
        some EAN/UPC codes are disabled by default. To enable all, use:
        $ zbarimg -S*.enable <files>
        Please also notice that some variants take precedence over others.
        Due to that, if you want, for example, ISBN-10, you should do:
        $ zbarimg -Sisbn10.enable <files>

    • Remember that stegoveritas has color-correction features too?

    • So, we'll run stegoveritas for this final challenge:

    $ stegoveritas qrcode.png 
    ERROR:StegoVeritas:Missing the following required packages: foremost
    ERROR:StegoVeritas:Either install them manually or run 'stegoveritas_install_deps'.
    Running Module: SVImage
    +---------------------------+------+
    |        Image Format       | Mode |
    +---------------------------+------+
    | Portable network graphics | RGB  |
    +---------------------------+------+
    Found something worth keeping!
    International EBCDIC text, with very long lines, with no line terminators
    Found something worth keeping!
    Non-ISO extended-ASCII text, with very long lines, with no line terminators
    Found something worth keeping!
    ISO-8859 text, with very long lines, with no line terminators
    Found something worth keeping!
    Non-ISO extended-ASCII text, with very long lines, with no line terminators
    Found something worth keeping!
    ISO-8859 text, with very long lines, with no line terminators
    Running Module: MultiHandler
    
    Exif
    ====
    +---------------------+--------------------------------------------------------------+
    | key                 | value                                                        |
    +---------------------+--------------------------------------------------------------+
    | SourceFile          | REDACTED/qrcode.png                                          |
    | ExifToolVersion     | 12.16                                                        |
    | FileName            | qrcode.png                                                   |
    | Directory           | REDACTED/final                                               |
    | FileSize            | 2.3 KiB                                                      |
    | FileModifyDate      | 2020:01:07 06:32:58+05:30                                    |
    | FileAccessDate      | 2021:05:19 12:58:31+05:30                                    |
    | FileInodeChangeDate | 2021:05:19 12:58:22+05:30                                    |
    | FilePermissions     | rw-r--r--                                                    |
    | FileType            | PNG                                                          |
    | FileTypeExtension   | png                                                          |
    | MIMEType            | image/png                                                    |
    | ImageWidth          | 464                                                          |
    | ImageHeight         | 464                                                          |
    | BitDepth            | 8                                                            |
    | ColorType           | RGB                                                          |
    | Compression         | Deflate/Inflate                                              |
    | Filter              | Adaptive                                                     |
    | Interlace           | Noninterlaced                                                |
    | BackgroundColor     | 255 255 255                                                  |
    | ImageSize           | 464x464                                                      |
    | Megapixels          | 0.215                                                        |
    +---------------------+--------------------------------------------------------------+
    Found something worth keeping!
    PNG image data, 464 x 464, 8-bit/color RGB, non-interlaced
    +--------+------------------+-------------------------------------------+-----------+
    | Offset | Carved/Extracted | Description                               | File Name |
    +--------+------------------+-------------------------------------------+-----------+
    | 0x3b   | Carved           | Zlib compressed data, default compression | 3B.zlib   |
    | 0x3b   | Extracted        | Zlib compressed data, default compression | 3B        |
    +--------+------------------+-------------------------------------------+-----------+

    • It color-corrected the image and produced almost 50 variants.

    • Only 5 out of 50 images were scannable using zbarimg.

    • We'll check the inverted one:

    $ cd results/
    $ ls
    exif                                   qrcode.png_enhance_sharpness_-50.png  qrcode.png_Max.png
    keepers                                qrcode.png_enhance_sharpness_50.png   qrcode.png_Median.png
    qrcode.png_autocontrast.png            qrcode.png_enhance_sharpness_-75.png  qrcode.png_Min.png
    qrcode.png_Blue_0.png                  qrcode.png_enhance_sharpness_75.png   qrcode.png_Mode.png
    qrcode.png_Blue_1.png                  qrcode.png_equalize.png               qrcode.png_Red_0.png
    qrcode.png_Blue_2.png                  qrcode.png_Find_Edges.png             qrcode.png_Red_1.png
    qrcode.png_Blue_3.png                  qrcode.png_GaussianBlur.png           qrcode.png_Red_2.png
    qrcode.png_Blue_4.png                  qrcode.png_grayscale.png              qrcode.png_Red_3.png
    qrcode.png_Blue_5.png                  qrcode.png_Green_0.png                qrcode.png_Red_4.png
    qrcode.png_Blue_6.png                  qrcode.png_Green_1.png                qrcode.png_Red_5.png
    qrcode.png_Blue_7.png                  qrcode.png_Green_2.png                qrcode.png_Red_6.png
    qrcode.png_blue_plane.png              qrcode.png_Green_3.png                qrcode.png_Red_7.png
    qrcode.png_Edge-enhance_More.png       qrcode.png_Green_4.png                qrcode.png_red_plane.png
    qrcode.png_Edge-enhance.png            qrcode.png_Green_5.png                qrcode.png_Sharpen.png
    qrcode.png_enhance_sharpness_-100.png  qrcode.png_Green_6.png                qrcode.png_Smooth.png
    qrcode.png_enhance_sharpness_100.png   qrcode.png_Green_7.png                qrcode.png_solarized.png
    qrcode.png_enhance_sharpness_-25.png   qrcode.png_green_plane.png
    qrcode.png_enhance_sharpness_25.png    qrcode.png_inverted.png
    
    $ zbarimg qrcode.png_inverted.png 
    QR-Code:http://key=killshot
    scanned 1 barcode symbols from 1 images in 0.02 seconds
