# Dode ascisCTF (Misc/Forensics)

###### tags: `ctf` `exploits` `find information on image`

Description: It is Doge, or not???

Attachment: https://drive.google.com/file/d/118LNaIH6gzj1F7r0TPHv9VLB1v9rTet9/view?usp=sharing

## First sight - Thinking :thinking_face:

![](https://i.imgur.com/dp8jiPD.jpg)

- Yeah, at first sight I thought this would be a fairly easy challenge, but it was not :smiley:
- So, as usual, I ran the basic stego tools on the image: *AperiSolve, zsteg, binwalk, exiftool and more steganography tools*. But I got zero information about the image. What the heck!!! I thought. :weary:
- As the next step, I usually use *steghide* to extract something from the image, and this time I got something strange, different from other stego challenges, and I knew I needed to explain it. That core item would take my struggle away :sweat_smile:

## Exploit

- First of all, I need to show you the strange thing I met when using steghide ![](https://i.imgur.com/NR2KtLH.png) and watch out for `0xc4`: it is a really dangerous position, and I will keep it in the bottom of my heart.
- I did not know what `Corrupt JPEG data: 3463 extraneous bytes before marker 0xc4` meant. It looks like some bytes were added in front of the byte `0xc4`, so I thought it would be related to the hex header of the **f dode picture** :angry:. I tried reopening the image with Python, since I thought that might show me something strange too; basically, OpenCV opens the image and shows it on the monitor.
```python
import cv2

# Decode the challenge image (the JPEG decoder prints its warning here)
image = cv2.imread('6uecny.jpg')
# Show the decoded image and wait for a key press
cv2.imshow('image', image)
cv2.waitKey(0)
```

- You think what I think: the image opens okay, but the warning comes back, and once again I met `Corrupt JPEG data: 3463 extraneous bytes before marker 0xc4`. So I needed to check the header right now, because it was costing much of the time I had in the contest to check what the structure of a `JPEG OR JPG` image is. Oh no, I was scared :cold_sweat:
- So I used a basic hex editor: [HxD](https://mh-nexus.de/en/hxd/) on Windows, or just a hex tool like xxd on Linux.

### That is all of the exploit for this image, because the important thing is to know what the image is telling us

## Google and Searching

- The first thing you need to do is find the description or theory behind the thing, and that works in any situation. So I googled and found the JPEG structure. Don't be like me: reading too fast and skipping important things affects the flag-finding process.
- [Wiki](https://en.wikipedia.org/wiki/JPEG) did not disappoint me; it has enough to dig into.
- I continued down a wrong way first, and I will talk about how I came back to this challenge. It relates to some skills in deleting and recovering parts of the image.
- At first, I thought we would replace or delete something at byte 0xC4, or cover it. I did not know what the byte meant, so I went to the wiki, which says `DHT 0xFF, 0xC4 variable size Define Huffman Table(s) Specifies one or more Huffman tables.` That means the image needs it in order to show what it says, so one thing is certain: we should not touch it, because the image will die ![](https://i.imgur.com/ZB35jf3.png)
- Basically, looking at the hex, it contains 10 positions of 0xC4, and, what the heck, the right position is similar to the one the corrupt warning talks about.
- Now I will talk about magic bytes. The byte you see at 0xC4 is a magic byte; it is a factor in constructing the image.
  An image is a series of magic bytes; it lives in bytes and has a start and an end. That is the basic case, but in some situations the author customizes it, changing something that affects the magic bytes, and that changes the image.
- Now for JPEG or JPG, whose structure looks like this ![](https://i.imgur.com/FfD0x1I.png) It starts with `FF D8` as the header, and that is the first magic we need to know: it is the start position of the image, not data. Whatever is at that position, don't touch it, or you will erase something you want ![](https://i.imgur.com/nUijWpr.png) There are more magic bytes like that for each image, audio file or anything else built on the PC and the internet.
- So much for theory; back to the challenge. We check that it contains 10 magic bytes `0xFF 0xC4` and do not touch them, then we find the bytes `0xFF 0xDA` to see what we get, and we get a bunch of them ![](https://i.imgur.com/c7nyxR2.png) So, like I said, something is wrong with the image: why does it contain so much readable content?
- So I tried erasing the series before the bytes `0xFF 0xDA`, and that was not right. I thought the image would contain readable data in each part, but I was wrong: the image is a bunch of subsamples of the image, as if they put in more and more images to build some *kind of high-resolution image like SRGAN* in **DEEP LEARNING**. :hand_with_index_and_middle_fingers_crossed: No, no, I thought a long way, but the upshot of my actions was to try to deal with the corrupt part, because it is the thing we need, or that anyone would do, since the warning annoyed me. Skip the first wrong way and reach the second wrong way :smiley:
- I looked for a method to get past this corrupt situation and found that the ImageMagick tool is perfect for stego CTFs or stego in real life, because it is such a powerful tool and can do anything.
  So I tried using [mogrify](https://imagemagick.org/script/mogrify.php), and with that I erased something important, like the flag in the image, because the image was turned into a normal image. So it contains the magic bytes `0xC4, 0xC0` to change the size of the image and the data with one of those.

### Time up, and I got the experience for next time :smiley:

## Reach the true thing :smirk:

- Thinking the wrong way brought me to struggle, and I did not find anything. Then I heard that it relates to some kind of image stretching, like changing the width and height of the image, but changing them in the hex, not performing that on the image itself, because then you will not get anything.
- So I tried again: I read the JPEG doc and found a new doc that is useful for this situation. It is a new way to exploit an image that I did not know: changing the height and width of the image to hide information.
- [The blog](https://blog.cyberhacktics.com/hiding-information-by-changing-an-images-height/) talks about a way of hiding information like that, and something of that kind appeared in a CTF, XmasCTF2018 ![](https://i.imgur.com/xMfdwoI.png) I tried that on my image, but it does not have `0xC0`, which should appear if we are to change it, but in this case it does not. So I read again and found what looks like the true ending for this f*king game.
- ![](https://i.imgur.com/1AKNAiL.png) We have two kinds of SOF (start of frame). SOF0 is baseline DCT (idk what the heck this means), while SOF2 is progressive DCT (like an upgrade of SOF0) and starts with the bytes `0xFF 0xC2`. And I found it ![](https://i.imgur.com/EKfg5u6.png) just 1 of them in the image, so la la la, we have reached the truth.
- ![](https://i.imgur.com/MVBx849.png) Because SOF2 has the same structure as SOF0, the upgrade is similar: we just change the 4 positions at the end, the front 2 for height and the other 2 for width.
- Using [CyberChef](https://gchq.github.io/CyberChef/) - a powerful tool - convert the image to hex, copy all of it into the input, and choose the reverse conversion back to an image; that is how we change the height of the image.
- ![](https://i.imgur.com/8BZMzXZ.png) This is the thing we need to change. Don't touch the first five bytes, because that would not be good; touch `02 6c` in the hex. If you decrease `02`, the height of the image decreases, but that gave me nothing ![](https://i.imgur.com/pf6BWyb.png)
- The image is cut off, but there is nothing behind it, so try increasing the height by raising the byte `02` to `06` and, yeah, we found the hidden part ![](https://i.imgur.com/KgvKE2B.png)

> flag: ASCIS{b47_Ng0_cHU4_b4_D4!!!}

### So this is a new way to exploit an image, and a new experience with CTF from this challenge LOL.

Now keep your mind cool and see what we got :smiley:. It is a fun challenge, but miss something and you go wrong. On to the next CTF :necktie: and a write-up will come :sailboat:. Happy hacking !!!
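
The SOF height edit done by hand in CyberChef above (`02 6c` to `06 6c`), as an added Python example that is not part of the original write-up: it walks the marker segments, skips stray bytes like the ones the `extraneous bytes` warning reports, and rewrites only the height field. The function names, the sample bytes and the width are assumptions constructed for illustration.

```python
import struct

# Frame headers SOF0..SOF15; 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC) share the
# 0xCn range but carry no dimensions.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def find_sof(data):
    """Return (offset, marker, height, width) of the first SOF segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker FF D8")
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker in (0x00, 0xFF):
            pos += 1  # extraneous or fill byte between segments: resync
            continue
        if marker == 0xDA:  # SOS: compressed scan data starts, stop walking
            break
        if marker in SOF_MARKERS and pos + 9 <= len(data):
            # FF Cn | length(2) | precision(1) | height(2) | width(2) | ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return pos, marker, height, width
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length  # length counts its own two bytes, not the marker
    raise ValueError("no SOF segment found before scan data")

def set_height(data, new_height):
    """Return a copy of the JPEG with only the SOF height field rewritten."""
    pos, _, _, _ = find_sof(data)
    patched = bytearray(data)
    patched[pos + 5:pos + 7] = struct.pack(">H", new_height)
    return bytes(patched)

# Constructed sample (not the challenge file): SOI, APP0, three stray bytes,
# SOF2 with height 0x026C as in the write-up and a made-up width, then EOI.
SAMPLE = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\x00\x00\x00"
    b"\xff\xc2\x00\x11\x08\x02\x6c\x03\x20\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    b"\xff\xd9"
)

if __name__ == "__main__":
    print(find_sof(SAMPLE))
    print(find_sof(set_height(SAMPLE, 0x066C)))
```

On a real file, read the bytes with `open(path, "rb").read()` and write the result of `set_height` to a new file, keeping the original untouched for comparison.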