Zsteg for Easy Flags in the EverSec CTF (BSidesRDU 2018)

I was introduced to zsteg by Gabe during our last CTF, and I wanted to share it.

Zsteg Introduction

Zsteg is a Ruby tool that detects hidden data in PNG and BMP images.

I had never used it before, but it looks like a great tool for CTF challenges.

You can find it at its GitHub repository.

CTF Challenge

The CTF challenge in question was as follows.

[Image: Zsteg - CTF Challenge]

When looking at the home page, I discovered the following HTML.

<img src="/images/LeverSecB.png" height=100 width=200 />
<div class="subnav">

Based on the filename, plus the general CTF difficulty, I figured that data would be hidden in the LSB of the image.

If you would like to play along, you can download the original image here.

Using Stegsolve

Normally, I'd use Stegsolve at this point, to see what was in the image.

First, I downloaded the image from the website.

root@kali:~# wget
--2018-10-19 14:44:30--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 30008 (29K) [image/png]
Saving to: ‘LeverSecB.png’

LeverSecB.png.1     100%[===================>]  29.30K  --.-KB/s    in 0.006s  

2018-10-19 14:44:30 (4.60 MB/s) - ‘LeverSecB.png’ saved [30008/30008]

Next, I opened the image in Stegsolve. As you can see, I found the hidden information in the RGB bit plane 0! Note that my Java isn't displaying the "0" selectors properly, so I have to tab over and hit space to enable them.

[Image: Zsteg - Stegsolve]

For more information, you can also read the following write-up.

That said, the image might not use some/most of the colors, or Stegsolve can just be a pain in general. In this case, I think that zsteg is a great solution for these types of challenges!

Using Zsteg

First, I installed zsteg using gem.

root@kali:~# gem install zsteg
Fetching: iostruct-0.0.4.gem (100%)
Successfully installed iostruct-0.0.4
Fetching: rainbow-3.0.0.gem (100%)
Successfully installed rainbow-3.0.0
Fetching: zpng-0.2.5.gem (100%)
Successfully installed zpng-0.2.5
Fetching: zsteg-0.1.2.gem (100%)
Successfully installed zsteg-0.1.2
Parsing documentation for iostruct-0.0.4
Installing ri documentation for iostruct-0.0.4
Parsing documentation for rainbow-3.0.0
Installing ri documentation for rainbow-3.0.0
Parsing documentation for zpng-0.2.5
Installing ri documentation for zpng-0.2.5
Parsing documentation for zsteg-0.1.2
Installing ri documentation for zsteg-0.1.2
Done installing documentation for iostruct, rainbow, zpng, zsteg after 2 seconds
4 gems installed

Once I finished the install, I ran zsteg against the image in question.

As you can see, this grabbed the flag immediately!

root@kali:~# zsteg LeverSecB.png
imagedata           .. text: ",&&'eOOP"
b1,rgb,lsb,xy       .. text: "34:ilLs33yOuWH3nWeR3BOthL3553m0ti0n4l"
b1,abgr,lsb,xy      .. text: "A6 rb#4Aa6A6c!u5%1"
b2,abgr,lsb,xy      .. file: 0420 Alliant virtual executable not stripped
b4,r,lsb,xy         .. file: LANalyzer capture file
b4,b,lsb,xy         .. file: 0420 Alliant virtual executable not stripped
b4,rgb,lsb,xy       .. file: TeX font metric data (\021)
b4,rgba,msb,xy      .. file: Applesoft BASIC program data, first line number 8

Other than that, it also did some file analysis and checked other potential data-streams.
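
What a line like "b1,rgb,lsb,xy" describes, as an added Ruby example that is not code from the original post or from zsteg: one low bit per r, g and b channel, read pixel by pixel and packed into bytes. The pixel array, the message, the helper names and the bit-packing order are all assumptions constructed for the illustration; it also generalizes to other channel sets and bit depths.

```ruby
# Added illustration, not zsteg's code. Pixels are [r, g, b, a] byte
# tuples in row-major ("xy") order, as a PNG decoder would return them.
CHANNEL_INDEX = { r: 0, g: 1, b: 2, a: 3 }.freeze

# Collect the low `bits` bits of each selected channel, pixel by pixel,
# and pack them into bytes (first bit read = high bit of the byte; this
# packing order is an assumption of the example).
def extract_low_bits(pixels, channels: %i[r g b], bits: 1)
  stream = []
  pixels.each do |px|
    channels.each do |ch|
      value = px[CHANNEL_INDEX.fetch(ch)]
      (bits - 1).downto(0) { |i| stream << value[i] }
    end
  end
  full = stream.each_slice(8).select { |s| s.size == 8 } # drop partial byte
  full.map { |s| s.inject(0) { |acc, bit| (acc << 1) | bit } }.pack("C*")
end

# A run of printable ASCII at the start of a plane is the signal that it
# carries text; ordinary image data rarely produces one by chance.
def leading_text(bytes, min_len: 8)
  run = bytes[/\A[\x20-\x7e]+/n]
  run && run.length >= min_len ? run : nil
end

# Constructed test data: write `message` into the low bit of r, g, b.
def embed_low_bit(pixels, message)
  out = pixels.map(&:dup)
  message.unpack1("B*").each_char.with_index do |bit, i|
    px, ch = i.divmod(3)
    out[px][ch] = (out[px][ch] & 0xFE) | bit.to_i
  end
  out
end

# Constructed 256-pixel cover and message (not the challenge image or flag).
COVER = Array.new(256) { |i| [i, (i * 7) % 256, (i * 13) % 256, 255] }
SAMPLE = embed_low_bit(COVER, "constructed{not_the_real_flag}")

if __FILE__ == $PROGRAM_NAME
  puts "sample b1,rgb: #{leading_text(extract_low_bits(SAMPLE)).inspect}"
  puts "cover  b1,rgb: #{leading_text(extract_low_bits(COVER)).inspect}"
end
```

To run it against a real image, decode the PNG into the same [r, g, b, a] tuples first; the extraction step itself does not change.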

Zsteg Conclusion

This is definitely a tool that I could see myself using during every CTF, between the ease of use, not needing to download Stegsolve, and the fact that it does all the checking automatically.

I'm also hoping to use it against images I've created myself using my ImageSteg tool.

If you have any ideas for other CTF tools, or want to build a framework to automate a lot of these checks, then reach out to me!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
