If you are interested in hacking and CTFs, then steganography challenges (which come under the broad category of digital forensics) are the easiest to get into, because you don't need to learn a lot of concepts to solve your first challenge. Once you have solved a few of these, you can go on to learn web exploitation and binary exploitation techniques.

In this article, we are going to solve the following steganography problem listed on defendtheweb.net: https://defendtheweb.net/playground/squashed-image

We have an image and a form with Username and Password fields. It is a steganography challenge, so we should start by looking into the image.
One of the things you learn while playing CTFs is to use the right tools to get the job done. For me, the first thing I usually do is open up the file in a hex editor, which lays out all the bytes of the image. It's somewhat like looking at the source code of a website. [But of course, no developer hides their password in the source code.]
Now we have two options:

1. Use an online tool to open the file – https://hexed.it/ Or,
2. Use an app to open the file locally – for example, the HxD editor for Windows.

Every file has a few signature bytes that can be used to identify it. For JPEG images, the header bytes are FF D8 and the ending or footer bytes are FF D9. These are hexadecimal numbers, and you can find the corresponding ASCII text in the Decoded text section of the hex editor.
As you can see in the hex editor below, there is more text after the footer bytes, and it clearly reads as secret.txt.
If it were a long file, we’d have to copy these extra bytes into a new file. After that, you can change it to a desirable extension or save it as a Zip. But as we can see here, there is no reason to do that because the secret text is already visible. Can you see the username and passphrase there? These are the credentials we need to solve the challenge.
user - admin, pass - safe
We already have the solution, but sometimes it's not visible so quickly. So here is the long-form solution.

After the FF D9 bytes, you will see that the next bytes translate to PK, which indicates the start of a zip file. PK is short for Phil Katz, the co-creator of the zip file format. So we save these bytes into a new file named secret.zip, and extracting it gives us the same username and password.

Tools used: HxD editor, WinZip extractor
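The footer-then-PK check described above, as an added Python example that is not part of the original write-up: it walks the JPEG marker structure to find the real FF D9 (a plain search for the last FF D9 can be fooled by an EXIF thumbnail or by the appended payload itself), returns any bytes that follow the image, and lists the members of an appended zip. The file it parses is constructed inline as a stand-in for the challenge image; `trailing_data` is the same check you would run over uploaded images to flag files with hidden trailers.

```python
import io
import struct
import zipfile
RST = set(range(0xD0, 0xD8))        # restart markers, legal inside entropy-coded scan data

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker structure and return the offset just past EOI; safer than a last-FF-D9 search."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI (FF D8)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill bytes may precede a marker
            pos += 1
            continue
        if marker == 0xD9:              # EOI: the image ends here
            return pos + 2
        if marker == 0xD8 or marker in RST:   # SOI and RSTn carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length               # the length field counts its own two bytes
        if marker == 0xDA:              # SOS: skip scan data up to the next real marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    raise ValueError("EOI (FF D9) not found")

def trailing_data(data: bytes) -> bytes:
    return data[jpeg_end_offset(data):]    # b'' for a clean image

def carve_zip(trailer: bytes) -> dict:
    """If the trailer starts with the zip local-file-header signature (PK 03 04), return its members."""
    if not trailer.startswith(b"PK\x03\x04"):
        return {}
    with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def build_sample() -> bytes:
    """Constructed input: a minimal JPEG-shaped file with a zip appended after EOI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.txt", "user - admin, pass - safe\n")
    jpeg = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 6) + b"JFIF"   # SOI, APP0 segment
            + b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00"             # SOS header
            + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")                     # scan data (stuffed FF 00, RST0), EOI
    return jpeg + buf.getvalue()                                           # 25 image bytes, then the zip
```

Run `carve_zip(trailing_data(build_sample()))` to get the member list; on a real file, read the bytes from disk instead of `build_sample()`.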
Happy Hacking!