I was introduced to zsteg by Gabe during our last CTF, and I wanted to share it.
Zsteg is a Ruby tool that detects hidden data in PNG and BMP images.
I had never used it before, but it looks like a great tool for CTF challenges.
You can find it at its GitHub repository.
YouTube Version of this Post
If you prefer a video over reading the text, then you can find the YouTube version of this post below.
That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!
The CTF challenge in question was as follows.
When looking at the home page, I discovered the following HTML.
<header> <img src="/images/LeverSecB.png" height=100 width=200 /> <div class="subnav">
Based on the filename, plus the general CTF difficulty, I figured that data would be hidden in the LSB of the image.
If you would like to play along, you can download the original image here.
Normally, I’d use Stegsolve at this point, to see what was in the image.
First, I downloaded the image from the website.
root@kali:~# wget http://192.168.0.200/images/LeverSecB.png
--2018-10-19 14:44:30--  http://192.168.0.200/images/LeverSecB.png
Connecting to 192.168.0.200:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30008 (29K) [image/png]
Saving to: ‘LeverSecB.png’

LeverSecB.png.1     100%[===================>]  29.30K  --.-KB/s    in 0.006s

2018-10-19 14:44:30 (4.60 MB/s) - ‘LeverSecB.png’ saved [30008/30008]
Next, I opened the image in Stegsolve. As you can see, I found the hidden information in the RGB bit plane 0! Note that my Java isn’t displaying the “0” selectors properly, so I have to tab over and hit space to enable them.
For more information, you can also read the following write-up.
That said, the image might not use some/most of the colors, or Stegsolve can just be a pain in general. In this case, I think that zsteg is a great solution for these types of challenges!
First, I installed zsteg using gem.
root@kali:~# gem install zsteg
Fetching: iostruct-0.0.4.gem (100%)
Successfully installed iostruct-0.0.4
Fetching: rainbow-3.0.0.gem (100%)
Successfully installed rainbow-3.0.0
Fetching: zpng-0.2.5.gem (100%)
Successfully installed zpng-0.2.5
Fetching: zsteg-0.1.2.gem (100%)
Successfully installed zsteg-0.1.2
Parsing documentation for iostruct-0.0.4
Installing ri documentation for iostruct-0.0.4
Parsing documentation for rainbow-3.0.0
Installing ri documentation for rainbow-3.0.0
Parsing documentation for zpng-0.2.5
Installing ri documentation for zpng-0.2.5
Parsing documentation for zsteg-0.1.2
Installing ri documentation for zsteg-0.1.2
Done installing documentation for iostruct, rainbow, zpng, zsteg after 2 seconds
4 gems installed
Once I finished the install, I ran zsteg against the image in question.
As you can see, this grabbed the flag immediately!
root@kali:~# zsteg LeverSecB.png
imagedata           .. text: ",&&'eOOP"
b1,rgb,lsb,xy       .. text: "34:ilLs33yOuWH3nWeR3BOthL3553m0ti0n4l"
b1,abgr,lsb,xy      .. text: "A6 rb#4Aa6A6c!u5%1"
b2,abgr,lsb,xy      .. file: 0420 Alliant virtual executable not stripped
b4,r,lsb,xy         .. file: LANalyzer capture file
b4,b,lsb,xy         .. file: 0420 Alliant virtual executable not stripped
b4,rgb,lsb,xy       .. file: TeX font metric data (\021)
b4,rgba,msb,xy      .. file: Applesoft BASIC program data, first line number 8
Other than that, it also ran file-type analysis on each extracted stream and checked the other channel, bit-depth and order combinations.
This is definitely a tool that I could see myself using during every CTF, between the ease of use, not needing to download Stegsolve, and the fact that it does all the checking automatically.
I’m also hoping to use it against images I’ve created myself using my ImageSteg tool.
If you have any ideas for other CTF tools, or want to build a framework to automate a lot of these checks, then reach out to me!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here.