Zsteg for Easy Flags in the EverSec CTF (BSidesRDU 2018)

I was introduced to zsteg by Gabe during our last CTF, and I wanted to share it.

Zsteg Introduction

Zsteg is a Ruby tool that detects hidden data in PNG and BMP images.

I had never used it before, but it looks like a great tool for CTF challenges.

You can find it at its GitHub repository.

CTF Challenge

The CTF challenge in question was as follows.

[Image: Zsteg - CTF Challenge]

When looking at the home page, I discovered the following HTML.

<header>
<img src="/images/LeverSecB.png" height=100 width=200 />
<div class="subnav">

Based on the filename, plus the general CTF difficulty, I figured that data would be hidden in the LSB of the image.

If you would like to play along, you can download the original image here.

Using Stegsolve

Normally, I’d use Stegsolve at this point, to see what was in the image.

First, I downloaded the image from the website.

root@kali:~# wget http://192.168.0.200/images/LeverSecB.png
--2018-10-19 14:44:30--  http://192.168.0.200/images/LeverSecB.png
Connecting to 192.168.0.200:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30008 (29K) [image/png]
Saving to: 'LeverSecB.png'

LeverSecB.png.1     100%[===================>]  29.30K  --.-KB/s    in 0.006s  

2018-10-19 14:44:30 (4.60 MB/s) - 'LeverSecB.png' saved [30008/30008]

Next, I opened the image in Stegsolve. As you can see, I found the hidden information in the RGB bit plane 0! Note that my Java isn’t displaying the “0” selectors properly, so I have to tab over and hit space to enable them.

[Image: Zsteg - Stegsolve]

For more information, you can also read the following write-up.

That said, the image might not use some/most of the colors, or Stegsolve can just be a pain in general. In this case, I think that zsteg is a great solution for these types of challenges!

Using Zsteg

First, I installed zsteg using gem.

root@kali:~# gem install zsteg
Fetching: iostruct-0.0.4.gem (100%)
Successfully installed iostruct-0.0.4
Fetching: rainbow-3.0.0.gem (100%)
Successfully installed rainbow-3.0.0
Fetching: zpng-0.2.5.gem (100%)
Successfully installed zpng-0.2.5
Fetching: zsteg-0.1.2.gem (100%)
Successfully installed zsteg-0.1.2
Parsing documentation for iostruct-0.0.4
Installing ri documentation for iostruct-0.0.4
Parsing documentation for rainbow-3.0.0
Installing ri documentation for rainbow-3.0.0
Parsing documentation for zpng-0.2.5
Installing ri documentation for zpng-0.2.5
Parsing documentation for zsteg-0.1.2
Installing ri documentation for zsteg-0.1.2
Done installing documentation for iostruct, rainbow, zpng, zsteg after 2 seconds
4 gems installed

Once I finished the install, I ran zsteg against the image in question.

As you can see, this grabbed the flag immediately!

root@kali:~# zsteg LeverSecB.png
imagedata           .. text: ",&&'eOOP"
b1,rgb,lsb,xy       .. text: "34:ilLs33yOuWH3nWeR3BOthL3553m0ti0n4l"
b1,abgr,lsb,xy      .. text: "A6 rb#4Aa6A6c!u5%1"
b2,abgr,lsb,xy      .. file: 0420 Alliant virtual executable not stripped
b4,r,lsb,xy         .. file: LANalyzer capture file
b4,b,lsb,xy         .. file: 0420 Alliant virtual executable not stripped
b4,rgb,lsb,xy       .. file: TeX font metric data (\021)
b4,rgba,msb,xy      .. file: Applesoft BASIC program data, first line number 8

Other than that, it also did some file analysis and checked other potential data-streams.
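What the b1,rgb,lsb,xy line corresponds to, as an added Python example that is not part of the original post and not zsteg's own code: it reads bit 0 of R, G and B for each pixel in row order and packs the bits into bytes. The pixel list, payload and function names are constructed for illustration, the pixels are assumed to be already decoded from the PNG, and MSB-first packing of the output bytes is an assumption.

```python
import re

def channel_indexes(channels):
    # Map a zsteg-style channel string ("rgb", "abgr", ...) to tuple positions.
    return ["rgba".index(c) for c in channels]

def extract_lsb(pixels, channels="rgb"):
    """Read bit 0 of each selected channel, pixel by pixel in row-major order,
    packing every 8 bits into a byte with the first bit read as the MSB."""
    out, acc, n = bytearray(), 0, 0
    for px in pixels:
        for i in channel_indexes(channels):
            acc = (acc << 1) | (px[i] & 1)
            n += 1
            if n == 8:
                out.append(acc)
                acc = n = 0
    return bytes(out)

def printable_runs(data, min_len=8):
    # Runs of printable ASCII, similar to the hits zsteg labels "text:".
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def embed_lsb(pixels, payload, channels="rgb"):
    # Helper used only to build the constructed sample below.
    bits = iter((byte >> s) & 1 for byte in payload for s in range(7, -1, -1))
    out = []
    for px in pixels:
        px = list(px)
        for i in channel_indexes(channels):
            bit = next(bits, None)
            if bit is not None:
                px[i] = (px[i] & 0xFE) | bit
        out.append(tuple(px))
    return out

# Constructed sample: 200 RGBA pixels in row-major order, alpha fully opaque.
COVER = [((x * 7) % 256, (x * 13) % 256, (x * 29) % 256, 255) for x in range(200)]
PAYLOAD = b"flag{constructed_example}"
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    for order in ("rgb", "abgr"):
        data = extract_lsb(STEGO, order)
        print(order, printable_runs(data) or data[:12])
```

Reading the same pixels with the wrong channel order yields no readable text, which is why a tool that tries many channel and bit combinations saves time. No channel value changes by more than 1, so the altered image looks identical to the cover.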

Zsteg Conclusion

Between the ease of use, not needing to download Stegsolve, and the fact that it does all the checking automatically, this is definitely a tool that I could see myself using during every CTF.

I’m also hoping to use it against images I’ve created myself using my ImageSteg tool.

If you have any ideas for other CTF tools, or want to build a framework to automate a lot of these checks, then reach out to me!

3 Comments

    • That looks to be a different image than my example in the post. That said, if you think that is where your text is supposed to be, you might want to ask the organizers/creator!
