Crash Course: Steganography Writeup

Steganography is the art of concealing data within some other data. A common example of this is embedding hidden text in an image file. This room serves as an introduction to steganography and some of the tools you can use to embed and extract data within other data.

To complete this room you will need the following tools available to you:

  • steghide
  • zsteg
  • exiftool
  • stegoveritas
  • sonic-visualiser

Make sure you download the files needed to complete these tasks. You cannot answer some of the questions without them. Unzip spect.zip and you should have the files below.

spect.zip contents

steghide

steghide allows you to embed and extract data from a jpg file. You can find the answers to questions 1-6 by reading the man page or by running steghide –help.

steghide includes 7 commands;

  • embed
  • extract
  • info
  • encinfo
  • version
  • license
  • help

encinfo, version, license, and help do not require arguments and are informational. embed, extract and info are the functional commands within steghide. Each has their own set of arguments. These arguments can be found in the documentation.

steghide command [ arguments ]

To find the hidden message in jpeg1.jpeg, we need to use steghide’s extract command with the -sf argument. We can optionally specify the -p argument to skip the passphrase prompt, and the -xf argument to specify an output filename (default: a.txt).

steghide extract -sf jpeg1.jpeg -p password123

zsteg

zsteg works much in the same way as steghide, except it is used for png and bmp files. You can find the answers to questions 1-4 by running zsteg -h.

zsteg can work with a single argument; the filename. You can iterate over all known extraction methods with the -a flag. You can also specify parameters to constrain zsteg. There are many ways you can run a file through zsteg, but just specifying the filename is a good place to start.

To find png1.png’s hidden message, and the payload used to encrypt it,  you do not need to use any arguments with zsteg.

zsteg png1.png

exiftool

exiftool is a great tool for working with metadata in image, audio, and video files. exiftool enables you to read, write, copy, and edit the metadata. It is interesting to note that exiftool can write to read-only files if the user has write permission in the directory.

For more information about exiftool, including a full list of options, please see the man page, github page or author’s website.

Using exiftool to extract metadata from jpeg3.jpeg is as simple as running the command with the filename as an argument.

exiftool jpeg3.jpeg

stegoveritas

stegoveritas is a very diverse steganography tool that can extract all types of data from nearly every image, audio, or video file types. stegoveritas has default actions for most image types and will attempt to run on any file. It can extract metadata like exiftool, perform color corrections and adjustments, extract frames from animated gifs, and it also includes an option for steghide. For more actions (and to answer questions 1-3), run stegoveritas -h.

To find jpeg2.jpeg’s hidden message we run the file as an argument into stegoveritas with no options specified.

stegoveritas jpeg2.jpeg

You will see that stegoveritas found something with steghide and placed it a newly created directory, results. This file contains our hidden message.

stegoveritas output

spectrograms

A spectrogram, also known as sonograph, is a visual representation of the strength of an audio signal at various frequencies over time. These 2-dimensional graphs, where time is represented on the x-axis and frequency on the y-axis, are colored to depict the loudness of the audio signal. Audio files can be used as a medium for steganography, just as images can be used. If you play an audio file that has a hidden message, it may sound distorted and unpleasant.

sonic-visualiser is a tool we can use to view the spectrogram for these audio files. Once you have viewed the spectrogram for wav1, follow the same process to view the spectrogram for wav2. You may need to zoom in/out to see the hidden message.

Final Exam

The final task in this room is much less guided than the previous tasks. This is great as it gives us a chance to put these tools to the test. We start by deploying the virtual server. Navigate to the IP in your browser and you will see a web server is running.

Let’s start by downloading the image found on this page. Because it is a jpeg file, we can use a few tools to extract hidden data; steghide, stegoveritas, and exiftool. Let’s start with steghide.

steghide extract -sf exam1.jpeg

Running this command shows us a passphrase prompt. You may be able to guess the password, but instead let’s look at the metadata for some clues.

exiftool exam1.jpeg

Now that we have the password, let’s run the image through steghide again and use the password to see what hidden message is waiting for us. Once you have the key, submit it to get to the next step.

This time we are given an audio file. sonic-visualiser will certainly be useful here, but before we look at the spectrograph let’s hear what it sounds like.

It definitely sounds terrible. There is probably something hidden that we can see in the spectrograph. After we load the file in sonic-visualiser and apply the spectrograph layer, we can zoom in and clearly see there is a URL hidden in this file.

This leads us to another image. Because this file is a png we can use zsteg, stegoveritas, and exiftool to look for hidden data. Let’s start with zsteg.

zsteg KTrtNI5.png

You should have found the second key with zsteg, so let’s submit this and see what our next challenge is.

qr code

We have another png file, but this time it is a QR code. Let’s try to scan the code here: https://zxing.org/w/decode.jspx. It tells us the image is bad and could not be scanned. 

Scanning QR codes requires a high level of contrast, and this image has a pink overlay which reduces the contrast between the black and white parts of the image. Thankfully, stegoveritas has color correction features.

stegoveritas qrcode.png

Looking in our results directory, we can see that stegoveritas has created 50 different versions of our original image. If you can decode one of these generated QR codes, then you will find the final key for this room!

stegoveritas results

Leave a Reply