# **[ROOT-ME] STEGANOGRAPHY WRITE-UP**

# TXT - George and Alfred

> Source : ch4.txt

The text file contains a conversation written in French. The important passage translates as:

> Alfred de Musset replied:
>
> When I swear to you, alas, eternal homage,
> Would you have me change my language for a moment?
> Why can't I, with you, taste true happiness?
> I love you, oh my beautiful one, and my pen, in a frenzy,
> Lays down on paper what I dare not say.
> Carefully, read the first word of my verses.
> You will know what remedy to bring to my woes.
>
> Similarly, George Sand replied:
>
> This great favor that your ardor demands
> Perhaps harms honor, but answers my flame.
>
> Use the last "hidden sentence" to validate this test.

I just follow one rule: take the first letter and put them together.

> FLAG : Cette Nuit

# Twitter Secret Messages

Statement: We suspect that this tweet hides a rendezvous point. Help us to find it.

```
Choose  a  jοb  yоu 
lονe,  and  you  wіll  never  have 
tο 
work  a  day  in  yοur
 lіfe.     
```

The validation password is the meeting place (in lower case).

**Solution**

In the problem description I noticed the keyword `homoglyphs`.

What are homoglyphs? Homoglyphs are characters that look very similar or identical but have different meanings. For example, the digit \(0\) and the uppercase letter \(O\) are homoglyphs.

I pasted the passage into https://originality.ai/, and this is the result:

![image](https://hackmd.io/_uploads/HyQ7hJqeWe.png)

How can the hidden message be recovered? I looked up documentation on the ways a message can be hidden like this, and one of them is: convert the hidden message to binary, then loop through the original text; if the bit is 0 the character is left unchanged, otherwise the character is replaced by a homoglyph that looks the same.

Converting the original text to binary gives a length of 114, so it may be 6-bit binary. Knowing the principle, I can convert it with this rule:

* Divide the binary into 6-bit chunks
* If the character is ASCII -> 0
* Else -> 1
* Convert the result to the hidden message

I found a tool that decodes with this rule: https://holloway.nz/steg/

Result:

![image](https://hackmd.io/_uploads/ByEZklql-x.png)

> FLAG : `grand central terminal`

# Dot and next line

> Source : `ch1.png`

Whenever I meet a dot, I take the character above it; putting those characters together gives the flag.

![image](https://hackmd.io/_uploads/r1XPOacg-l.png)

> FLAG : `chatelet15h`

# EXIF - Metadata

> Source : `ch1.png`

I extract the metadata with exiftool and take the result:

![image](https://hackmd.io/_uploads/HJZ_KT9x-e.png)

Then I look the coordinates up on Google Maps:

![image](https://hackmd.io/_uploads/rJs3YT9gWx.png)

> FLAG : `Marseille`

# EXIF - Thumbnail

> Source : ch10.png

I tried binwalk and saw something interesting: a second JPEG header inside the file.

```
$ binwalk ch10.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
202           0xCA            JPEG image data, JFIF standard 1.01
232           0xE8            TIFF image data, big-endian, offset of first image directory: 8
404           0x194           JPEG image data, JFIF standard 1.01
```

I cut
the file with `dd if=ch10.png of=result.png bs=1 skip=10` and got the flag in result.png.

> FLAG : `B33r1sG00d!`

# Crypt-art

> Source : `ch8.ppm`

I searched for "a language where the programs are works of modern art" on Google and learned that it is the Piet language. Overview of Piet: Piet is an esoteric programming language whose programs are images that look like abstract art, such as a Piet Mondrian painting ...

I used https://www.bertnase.de/npiet/npiet-1.3f.tar.gz to run the program; this is the result:

```
─(khoi㉿khoi)-[~/Desktop/rootme/steg/npiet-1.3f]
└─$ ./npiet /home/khoi/Desktop/rootme/steg/ch8.ppm
key is EYJFRGTT
```

I ran `strings` on ch8.ppm and found the encrypted message:

![image](https://hackmd.io/_uploads/ryN32a5xZe.png)

It is a Vigenère cipher, so I wrote a simple script to decode it:

```
def decode_vigenere(ciphertext, key):
    """Decode an uppercase-only Vigenere ciphertext with an uppercase key."""
    plaintext = ""
    for i, c in enumerate(ciphertext):
        k = key[i % len(key)]  # key letter for this position, repeating the key
        # Shift the ciphertext letter back by the key letter, wrapping around A-Z
        plaintext += chr((ord(c) - ord(k) + 26) % 26 + ord('A'))
    return plaintext


if __name__ == "__main__":
    ciphertext = "EPCQFBXKWURQCTXOIPMNV"
    key = "EYJFRGTT"
    print(decode_vigenere(ciphertext, key))
```

> FLAG : `ARTLOVERSWILLNEVERDIE`

# Yellow dots

> Source : ch18.png

Statement:

```
You attend an interview for a forensic investigator job and they give you a challenge to solve as quickly as possible (having the Internet). They ask you to find the date of printing as well as the serial number of the printer in this document. You remain dubitative and accept the challenge. The answer is in the form: hh:mm dd/mm/yyyy SSSSSSSS
```

First I used the usual tools (strings, binwalk, exiftool, ...) and read the content of the image, but none of them looked promising.
I went back to the web and found an important source:

![image](https://hackmd.io/_uploads/Hk3MzBngWx.png)

I searched for "yellow dots" and learned that it is a steganography method used in printing. In short, it works like this: Printer tracking dots, also known as printer steganography, DocuColor tracking dots, yellow dots, secret dots, or a machine identification code (MIC), is a digital watermark which many color laser printers and photocopiers produce on every printed page that identifies the specific device that was used to print the document. Developed by Xerox and Canon in the mid-1980s, the existence of these tracking codes became public only in 2004.

To decode it, I have to find the hidden 15x8 matrix of yellow dots. To do this I had to learn some color theory to see the yellow in the image. In the image I only see a white background and black text; my task is to separate the yellow from these two colors. I tried the RGB color system but failed, because in RGB the black text and the yellow dots share the same characteristics, so I tried the HSV system instead. Why can HSV distinguish the yellow dots from the black text?
+ Yellow dots: have a hue value in the yellow range, 20-40
+ Black text: almost no yellow value

Knowing the principle, I wrote a script using OpenCV and numpy:

```
import cv2
import numpy as np
import sys


def yellow_dots(image_path):
    img = cv2.imread(image_path)
    if img is None:
        raise ValueError("Image not found or unable to load.")
    # Work in HSV so that hue isolates yellow independently of brightness
    hsv = cv2.cvtColor(img, cv2.COLOR_BGR2HSV)
    lower_yellow = np.array([20, 100, 100])  # Min yellow (H, S, V)
    upper_yellow = np.array([40, 255, 255])  # Max yellow (H, S, V)
    mask = cv2.inRange(hsv, lower_yellow, upper_yellow)
    height, width = mask.shape[:2]
    scale = 0.5
    resized_mask = cv2.resize(mask, (int(width * scale), int(height * scale)))
    cv2.imshow("Yellow Mask", resized_mask)
    cv2.waitKey(0)
    cv2.destroyAllWindows()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python yellow_dots_decode.py <image_path>")
        print("Example: python yellow_dots_decode.py C:\\CTF\\ch18.png")
        sys.exit(1)
    yellow_dots(sys.argv[1])
```

And this is the result:

![image](https://hackmd.io/_uploads/ry6xBBnxZe.png)

I used the tool https://github.com/Natounet/YellowDotDecode, which decodes yellow dots following the Xerox scheme:

![image](https://hackmd.io/_uploads/HkZvrS2gWx.png)

> FLAG : 11:05 27/07/2014 06922930

# APNG - Just A PNG

> Source : ch21.png

I have an APNG file, an extension of PNG: it is not just one image but many PNG frames, much like a GIF. After some reading I learned that one steganography method for this kind of challenge is based on the delay of each frame. I wrote a Python script to run zsteg over every extracted frame:

```
import os
import sys
import subprocess  # Run the zsteg tool from Python
import glob        # Find files matching a pattern

root_dir = "./"
pattern = "frame*"
out_dir = "zsteg_results"
os.makedirs(out_dir, exist_ok=True)  # Create the output directory if it does not exist

# Find the extracted frame files matching the pattern
files = glob.glob(os.path.join(root_dir, pattern))
if not files:
    print("[!] Không tìm thấy file nào khớp mẫu.")
    sys.exit(0)

for idx, f in enumerate(files, 1):
    base = os.path.basename(f)
    out_file = os.path.join(out_dir, f"{base}.txt")
    print(f"[{idx}/{len(files)}] zsteg -a {f} -> {out_file}")
    try:
        # Save both stdout and stderr of zsteg so nothing is lost
        result = subprocess.run(["zsteg", "-a", f], capture_output=True, text=True)
        with open(out_file, "w") as out:
            out.write(result.stdout)
            out.write(result.stderr)
    except Exception as e:
        print(f"[!] Error {f}: {e}")
```

![image](https://hackmd.io/_uploads/rJqaNpnx-x.png)

![image](https://hackmd.io/_uploads/B16A4TneWl.png)

I think these numbers are ASCII codes. Trying the first few: 70 -> F, 76 -> L, 65 -> A, 71 -> G. Boom, I was right; continuing gives the flag.

> FLAG : `P3PoFRoG`

# Kitty spy

> Source : kitty.jpg

I ran binwalk on the file and saw 4 zip files hidden in the jpg, so there are probably 4 steps to get the flag! I started with step 1; at first I thought it would be easy because it is only step 1, but it took me a lot of time. I tried many, many tools without success. I decided to try StegSolve to look for anything, and it paid off.

![image](https://hackmd.io/_uploads/Hyp8FTalWg.png)

But the Argentina text was hard to see. I installed tools and adjusted curves and levels to make it clearer, but I am not good at color and image editing; it did not get much clearer, but by guessing I finally got the password: `f1rstStepi5DoN3`

# PNG - Least Significant Bit

I used an LSB extraction tool from GitHub: https://gist.github.com/dhondta/d2151c82dcd9a610a7380df1c6a0272c

Result:

![image](https://hackmd.io/_uploads/BySFYf0gZl.png)

The 4 final characters look like garbage. I tried submitting `TFdmMDdyc01iaUE2` but got an error, then decoded it as base64 and it was accepted.

> FLAG : `LWf07rsMbiA6`

# PNG - Pixel Indicator Technique

I searched Google for the keyword "Pixel Indicator Technique" and found a tool on GitHub: https://gist.github.com/dhondta/30abb35bb8ee86109d17437b11a1477a

I used it and got the flag:

![image](https://hackmd.io/_uploads/rk3ADz0x-g.png)

> FLAG : `PiTiSAls0aSteg4n0gr4ph1eM3thod`
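Worked example for the homoglyph channel from the Twitter Secret Messages challenge above (added here, not part of the original write-up or of the holloway.nz tool): it implements the stated rule (ASCII carrier -> bit 0, look-alike -> bit 1, 6-bit chunks) on both the hiding and the recovery side, and adds the triage check a defender wants, listing every non-ASCII code point by name. The look-alike table, the 64-symbol 6-bit alphabet, the end marker, the cover text and the secret are all constructed assumptions; unlike the write-up's rule, which reads a bit from every character, this version only reads bits from letters that have a look-alike, so the encoder can always place a 1.

```python
import unicodedata

# Constructed look-alike table: Latin letter -> Cyrillic/Greek homoglyph (assumption).
# A carrier letter in ASCII form reads as bit 0, in look-alike form as bit 1.
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "d": "\u0501", "e": "\u0435", "h": "\u04bb",
              "i": "\u0456", "j": "\u0458", "o": "\u043e", "p": "\u0440", "s": "\u0455",
              "v": "\u03bd", "x": "\u0445", "y": "\u0443"}
LOOKALIKE = set(HOMOGLYPHS.values())

# Assumed 6-bit symbol table (64 symbols); index 63 ("}") is reserved as the end marker.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789 .,!?:;-_'\"()/@#$%&*+=<>[]{}"
END = "111111"

def encode(cover: str, secret: str) -> str:
    """Hide `secret` in `cover`, one bit per carrier letter (0 = unchanged, 1 = look-alike)."""
    bits = "".join(format(ALPHABET.index(ch), "06b") for ch in secret) + END
    carriers = sum(ch in HOMOGLYPHS for ch in cover)
    if carriers < len(bits):
        raise ValueError(f"cover has {carriers} carrier letters, need {len(bits)}")
    out, k = [], 0
    for ch in cover:
        if ch in HOMOGLYPHS and k < len(bits):
            out.append(HOMOGLYPHS[ch] if bits[k] == "1" else ch)
            k += 1
        else:
            out.append(ch)
    return "".join(out)

def decode(stego: str) -> str:
    """Read one bit per carrier (ASCII -> 0, look-alike -> 1) and unpack 6-bit chunks up to END."""
    bits = "".join("0" if ch in HOMOGLYPHS else "1" for ch in stego
                   if ch in HOMOGLYPHS or ch in LOOKALIKE)
    secret = ""
    for i in range(0, len(bits) - 5, 6):
        chunk = bits[i:i + 6]
        if chunk == END:
            break
        secret += ALPHABET[int(chunk, 2)]
    return secret

def suspicious_chars(text: str):
    """Defender-side triage: every non-ASCII code point with its position and Unicode name."""
    return [(i, ch, unicodedata.name(ch, "?")) for i, ch in enumerate(text) if ord(ch) > 127]

# Constructed cover: the challenge's quote, repeated so it carries enough bits (108 carriers).
COVER = "Choose a job you love, and you will never have to work a day in your life. " * 3

if __name__ == "__main__":
    stego = encode(COVER, "meet at pier 9")
    print(decode(stego), "-", len(suspicious_chars(stego)), "look-alike code points")
```

Running `suspicious_chars` over a suspect message before anything else is the quickest tell: a plain English tweet should return an empty list.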
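Worked example for the EXIF - Thumbnail challenge above (added here; not code from the write-up, binwalk or dd): it reproduces the two things the solve relied on, a signature scan that reports every JPEG and TIFF header offset the way binwalk does, and a cut from a chosen offset like `dd bs=1 skip=<offset>`, trimmed at the next end-of-image marker. The sample file is a constructed stand-in for ch10 (an outer JPEG whose EXIF APP1 segment embeds a second, thumbnail JPEG); its offsets are not those of the real challenge file.

```python
import struct

SOI = b"\xff\xd8\xff"  # JPEG Start Of Image plus the first marker prefix byte
EOI = b"\xff\xd9"      # JPEG End Of Image
TIFF_BE, TIFF_LE = b"MM\x00\x2a", b"II\x2a\x00"  # TIFF headers that start an EXIF block

def find_all(data: bytes, magic: bytes):
    """Offsets of every occurrence of `magic`: the signature scan behind binwalk's table."""
    offsets, pos = [], data.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(magic, pos + 1)
    return offsets

def carve_jpeg(data: bytes, offset: int) -> bytes:
    """Cut the JPEG that starts at `offset` up to the next EOI marker.

    Same idea as `dd bs=1 skip=<offset>`, trimmed at the first EOI. For an outer image
    that embeds another JPEG, the first EOI belongs to the embedded one, so use
    data[offset:] (pure dd behaviour) when you want the container itself."""
    end = data.find(EOI, offset)
    if offset not in find_all(data, SOI) or end == -1:
        raise ValueError("no JPEG at that offset")
    return data[offset:end + 2]

def thumbnail() -> bytes:
    """Constructed minimal 'thumbnail' JPEG (APP0 header and a stand-in body, no real scan)."""
    return SOI + b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01" + b"\x00" * 7 + b"THUMB" + EOI

def build_sample() -> bytes:
    """Constructed stand-in for ch10: outer JPEG, EXIF APP1 segment, embedded thumbnail()."""
    app0 = b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01" + b"\x00" * 7
    exif = b"Exif\x00\x00" + TIFF_BE + struct.pack(">I", 8) + b"\x00" * 16 + thumbnail()
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return SOI + app0 + app1 + b"OUTER-SCAN-DATA" + EOI

if __name__ == "__main__":
    sample = build_sample()
    for off in find_all(sample, SOI):
        print(f"{off:<10}{off:#x}\tJPEG image data")
    for off in find_all(sample, TIFF_BE) + find_all(sample, TIFF_LE):
        print(f"{off:<10}{off:#x}\tTIFF image data")
    # The second JPEG offset is the embedded thumbnail, the part the write-up cut out with dd
    embedded = find_all(sample, SOI)[1]
    print(len(carve_jpeg(sample, embedded)), "bytes carved from offset", embedded)
```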
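Worked example for the APNG - Just A PNG challenge above (added here; not the write-up's script, which drove zsteg): instead of extracting frames, it walks the PNG chunk stream directly, checks each chunk's CRC, reads `delay_num`/`delay_den` from every `fcTL` chunk and interprets the numerators as ASCII, which is the trick the challenge uses. The APNG it parses is a constructed skeleton built in the same block (IHDR, acTL, fcTL chunks, IEND, no image data), so the only thing it shares with ch21.png is the chunk layout.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def iter_chunks(data: bytes):
    """Yield (type, body) for every chunk, verifying each CRC so a corrupted file is caught."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at {pos}")
        yield ctype, body
        pos += 12 + length

def frame_delays(data: bytes):
    """Return (delay_num, delay_den) for each fcTL chunk, in frame order."""
    delays = []
    for ctype, body in iter_chunks(data):
        if ctype == b"fcTL":
            # fcTL layout: seq(4) w(4) h(4) x(4) y(4) delay_num(2) delay_den(2) dispose(1) blend(1)
            delays.append(struct.unpack(">HH", body[20:24]))
    return delays

def delays_to_text(delays) -> str:
    """Interpret each frame delay numerator as a printable ASCII code (70 -> 'F', 76 -> 'L', ...)."""
    return "".join(chr(num) for num, _ in delays if 32 <= num < 127)

def build_sample(message: str) -> bytes:
    """Constructed APNG skeleton (no IDAT) whose per-frame delays spell `message`."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    actl = chunk(b"acTL", struct.pack(">II", len(message), 0))
    fctls = b"".join(chunk(b"fcTL", struct.pack(">IIIIIHHBB", i, 1, 1, 0, 0, ord(c), 1000, 0, 0))
                     for i, c in enumerate(message))
    return PNG_SIG + ihdr + actl + fctls + chunk(b"IEND", b"")

if __name__ == "__main__":
    sample = build_sample("FLAG")
    print(frame_delays(sample), "->", delays_to_text(frame_delays(sample)))
```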