
Hidden in Plain Sight

by Shelstronic, May 10th, 2023

Too Long; Didn't Read

If you are interested in hacking and CTFs, then steganography challenges (which come under the broad category of digital forensics) are the easiest to get into, because you don't need to learn a lot of concepts to solve your first challenge. Once you have solved these, you can go on to learn web exploitation and other binary exploitation techniques.

If you are interested in hacking and CTFs, then steganography challenges (which come under the broad category of digital forensics) are the easiest to get into, because you don't need to learn a lot of concepts to solve your first challenge. And once you have solved these, you can go on to learn web exploitation and other binary exploitation techniques.

In this article, we are going to solve the following steganography problem listed on defendtheweb.net: https://defendtheweb.net/playground/squashed-image

We have an image and a field with Username and Password. It is a steganography challenge, so we should start by looking into the image.

One of the things you learn while playing CTFs is to use the right tool to get the job done. For me, the first thing I usually do is open the file in a hex editor, which lays out every byte of the file, image data included. It's somewhat like looking at the source code of a website. [But of course, no developer hides their password in the source code.]

Now we have two options -

1. Use an online tool to open the file – https://hexed.it/ Or,

2. Use an app to open the file locally – for example, the HxD editor for Windows.

Every file format has a few signature bytes that can be used to identify it. For JPG images, the header bytes are FF D8 and the ending or footer bytes are FF D9. These are hexadecimal numbers, and you can find the corresponding ASCII text in the Decoded text section of the hex editor.


As you can see in the hex editor below, there is more text after the footer bytes, and it clearly reads as secret.txt.



If the appended data were long, we'd have to copy these extra bytes into a new file and then give it the matching extension, for example saving it as a zip. But as we can see here, there is no reason to do that because the secret text is already visible. Can you see the username and passphrase there? These are the credentials we need to solve the challenge.

user - admin, pass - safe


We already have the solution, but sometimes it is not visible this quickly. So here is the long-form solution.

After the FF D9 bytes, you will see that the next two bytes translate to PK, which indicates the start of a zip file.

PK is short for Phil Katz, the co-creator of the zip file format. So we will save these bytes into a new file named secret.zip, and extracting it gives us the same username and password.

Tools used -- HxD editor, WinZip extractor

Happy Hacking!