forensics / steg
Asked a file magician for our flag, he gave us this and laughed.
First, let's go through the standard steg image analysis techniques.
exiftool doesn't show much of obvious interest except a warning field, which is worth a closer look:
Warning : [minor] Trailer data after PNG IEND chunk
This suggests something funny is going on with this file’s data.
So let’s look up the details of a PNG: http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html
This says PNGs begin with the bytes 0x89 0x50 0x4e 0x47 (.PNG as a string), followed by the string IHDR, and end with IEND.
xxd is a good command line hex viewer for examining files, so let's use that.
Nothing stands out at the start, but at the end we get this:
Now that's interesting: there is an IEND in there, but a reference to flag.png as well. This sounds like what we're looking for.
Now we can use strings to get a quick overview of the readable strings in the file; it gives a quicker overview than scrolling through xxd.
Somewhere near the end we can see this:
This appears to be the end of one image and the start of another called flag.png.
So at this point we can try extracting the 2nd image. To do this we need to know where the 2nd image starts. Using grep we can search the xxd output for .PNG:
The address on the left is the offset of the first byte of that row of output.
If we take the address 0x00020c00 and count forward to the column where .PNG sits we get the address 0x00020c04. Converting this from hex tells us the 2nd image is 134148 bytes into the file.
Using the Linux dd tool we can read data from the image out to another file. We can specify the starting offset using the skip argument; dd will then copy every byte from that point onwards into a new file. This carves the 2nd image out of the original into its own image file.
dd if=unsuspicious.png of=answer.png skip=134148 bs=1
- if: input file
- of: output file
- skip: number of blocks to skip
- bs: number of bytes in a block
We should now have an image called answer.png in our directory.
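The same carve can be done by walking the PNG chunk list instead of eyeballing xxd: parse length/type/data/CRC chunks until IEND, report any trailer data after it, and search that trailer for a second PNG signature. This is an added example, not part of the original writeup; the function names and the constructed in-memory PNGs are my own, so offsets will differ from the 134148 above.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # full 8-byte PNG signature (spec section 3.1)


def png_end_offset(data: bytes) -> int:
    """Walk the chunks and return the offset just past the IEND chunk.

    Each chunk is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def find_trailer(data: bytes):
    """Return (trailer_offset, embedded_png_offset); (None, None) if clean.

    This is the same condition exiftool reports as 'Trailer data after PNG IEND chunk'.
    """
    end = png_end_offset(data)
    if end >= len(data):
        return None, None
    idx = data.find(PNG_SIG, end)
    return end, (idx if idx != -1 else None)


def carve_png(data: bytes, offset: int) -> bytes:
    """Carve the PNG at offset up to its own IEND (like dd skip=offset bs=1)."""
    inner = data[offset:]
    return inner[:png_end_offset(inner)]


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Constructed minimal all-white 8-bit greyscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff" * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")


if __name__ == "__main__":
    sample = build_png(4, 4) + build_png(2, 2)  # cover image with a second PNG appended
    trailer, embedded = find_trailer(sample)
    print(f"trailer data at {trailer}, embedded PNG signature at {embedded}")
    with open("answer.png", "wb") as f:
        f.write(carve_png(sample, embedded))
```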
But viewing it gives us an empty white image?
Using our usual steganography / forensics tools on this reveals nothing odd, so let’s open it in an image editor as a last resort.
If we increase the contrast and decrease the brightness the sneaky trick is revealed: the flag has been written in a colour one bit off white.
Our flag is
General Steganography / image forensics techniques:
- hex editor like xxd, bless, hexedit
- Least significant bit encoding
Tools for file carving: