Deadface CTF 2023 — Steganography

Write-ups for Deadface 2023 CTF Steganography challenges

Abdul Issa
6 min read · Oct 31, 2023

Deadface 2023 CTF Write-ups

You’ve Been Ransomwared

You’ve Been Ransomwared challenge

Task

DEADFACE is taunting GlitterCo with their latest ransomware attack. According to our intel, the attackers like to leave a calling card in their attacks. If we can figure out which DEADFACE actor executed this attack, we might be able to figure out a way around paying. Can you find anything in this screenshot that might point to which attacker ran this ransomware attack?

Submit the flag as flag{attacker_name}.

Download Image

Solution

For this challenge I first cycled through the usual bag of tools for examining image stego:

  • ExifTool
  • Stegseek
  • Binwalk
  • Steghide
  • Strings
  • Stegdetect

As they yielded nothing useful, I resorted to Stegsolve.

If this tool is not installed on your Kali machine already, download it and install it from this repository:

Stegsolve
https://github.com/zardus/ctf-tools/blob/master/stegsolve/install

Stegsolve analyzes an image by isolating its bit planes: for each colour channel (red, green, blue, and alpha where present) it can display just one of the eight bits of every pixel as a black-and-white raster. Stegsolve numbers the planes 0 (least significant) to 7 (most significant).

Data hidden by altering low-order bits is invisible in the composite image, because a change of a few units in one channel is below what the eye notices, but it shows up as structure (text, a barcode-like pattern, a second image) once that single plane is viewed on its own. That is why the tool is worth a pass even when the extraction tools above find nothing: it does not look for a known container format, only for structure that should not be there.

Let’s dive into analyzing this image.

Original image

I keep my Stegsolve folder in /opt/stegsolve, so your installation path will differ; adjust the command accordingly.

$ java -jar /opt/stegsolve/stegsolve.jar ransomwared.png

File > Open > ransomwared.png

Open the image in Stegsolve

As you cycle through the planes using the arrows at the bottom, hidden binary data begins to show along the bottom of the picture.

Concealed data starts to show in the image

Green plane 5 seems to give me the closest thing to a clear image of the hidden data.

Green Plane 5

There are two ways to go about this:

  1. Transcribe the binary by hand and convert it to ASCII with a tool such as CyberChef (the From Binary operation).
  2. Run the image through an online Optical Character Recognition (OCR) tool to pull the text out, then convert it to ASCII in CyberChef.

I opted for the latter; however, the OCR was not accurate enough to read the first two lines. Enough of the last line was recognized to have a chance of containing the attacker's name or signature, which should be all we need for the flag.

Online OCR
https://www.onlineocr.net/

Step 1: OCR scan of image

Now we have some of the binary data. This is what we recovered so far (note that the third group, 06100060, contains 6s and so is an OCR misread, not valid binary):

01101000 01110100 06100060 01110100 01101111 00100000 01111001 01101111 01110101 00100000 01100010 01111001 00100000 01101101 01101001 01110010 01110110 01100101 01100001 01101100 00101110

Let’s load them into CyberChef and see what we can convert them to:

CyberChef Binary to Text

CyberChef decodes the readable groups and it seems the sentence ends with "Brought to you by mirveal".

Assuming "mirveal" is the sign-off name we are after, let's try it as the flag.

flag{mirveal}
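The bit-plane trick Stegsolve performs, and the binary-to-text step done in CyberChef, as a self-contained Python example added to this write-up (it is not the author's code and not Stegsolve's). Rather than loading ransomwared.png, it builds a small constructed raster in memory, hides an ASCII string in bit plane 5 of the green channel, then recovers it by reading that plane back. `decode_binary_string` does CyberChef's job on the OCR output quoted above and turns unparseable groups such as 06100060 into `?` instead of aborting. The raster, the channel and plane chosen, and the secret string are assumptions for illustration.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]          # (R, G, B), 8 bits per channel
CHANNEL = {"red": 0, "green": 1, "blue": 2}


def text_to_bits(text: str) -> List[int]:
    """ASCII text -> flat bit list, most significant bit first (the order
    the rows in Stegsolve's plane view read in)."""
    return [(ord(c) >> (7 - i)) & 1 for c in text for i in range(8)]


def embed_plane(pixels: List[List[Pixel]], channel: str, plane: int,
                bits: List[int]) -> List[List[Pixel]]:
    """Overwrite bit `plane` (0 = LSB, 7 = MSB, as Stegsolve numbers them)
    of one colour channel, row-major from the top-left, with `bits`.
    Pixels past the end of the payload are left untouched."""
    ch = CHANNEL[channel]
    out = [row[:] for row in pixels]
    it = iter(bits)
    for y, row in enumerate(out):
        for x, px in enumerate(row):
            b = next(it, None)
            if b is None:
                return out
            vals = list(px)
            vals[ch] = (vals[ch] & ~(1 << plane)) | (b << plane)
            out[y][x] = tuple(vals)
    return out


def extract_plane(pixels: List[List[Pixel]], channel: str,
                  plane: int) -> List[List[int]]:
    """The 0/1 raster Stegsolve shows as, for example, 'Green plane 5'."""
    ch = CHANNEL[channel]
    return [[(px[ch] >> plane) & 1 for px in row] for row in pixels]


def plane_to_text(plane_bits: List[List[int]], nbytes: int) -> str:
    """Read the first `nbytes` characters out of a plane raster, MSB first."""
    flat = [b for row in plane_bits for b in row][: nbytes * 8]
    return "".join(chr(int("".join(map(str, flat[i:i + 8])), 2))
                   for i in range(0, len(flat) - 7, 8))


def decode_binary_string(groups: str, bad: str = "?") -> str:
    """Decode space-separated 8-bit groups (what the OCR step produced).
    Groups that are not valid 8-bit binary, e.g. OCR noise like 06100060,
    become `bad` so one misread does not hide the rest of the sentence."""
    out = []
    for tok in groups.split():
        if len(tok) == 8 and set(tok) <= {"0", "1"}:
            out.append(chr(int(tok, 2)))
        else:
            out.append(bad)
    return "".join(out)


# Constructed 16x4 mid-grey raster standing in for the real screenshot.
WIDTH, HEIGHT = 16, 4
COVER: List[List[Pixel]] = [[(128, 128, 128)] * WIDTH for _ in range(HEIGHT)]
SECRET = "mirveal"                      # assumed payload for the demo
STEGO = embed_plane(COVER, "green", 5, text_to_bits(SECRET))

# OCR output quoted in the write-up above; the third group is an OCR error.
OCR_OUTPUT = (
    "01101000 01110100 06100060 01110100 01101111 00100000 01111001 01101111 "
    "01110101 00100000 01100010 01111001 00100000 01101101 01101001 01110010 "
    "01110110 01100101 01100001 01101100 00101110"
)


def recover_secret() -> str:
    """What 'cycle to Green plane 5, then binary-to-text' yields on STEGO."""
    return plane_to_text(extract_plane(STEGO, "green", 5), len(SECRET))


if __name__ == "__main__":
    print(recover_secret())                  # mirveal
    print(decode_binary_string(OCR_OUTPUT))  # ht?to you by mirveal.
```

Plane 5 carries a value of 32, so writing there visibly alters the cover; in the challenge the data was plainly visible once that plane was isolated. Real LSB stego uses plane 0, where a change of 1 is invisible in the composite, which is why cycling through every plane of every channel, not just the low ones, is the habit to build.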

Fetching Secrets

Fetching Secrets challenge

Task

This image was found on Ghost Town. Looks like one of DEADFACE’s newest members is new to steganography. See if you can find any hidden information in this image. Knowing information about the image may help to reveal the flag.

Submit the flag as: flag{flag_text}.

Download Image

Solution

Let’s kick off with the basics:

  • ExifTool
  • Binwalk
  • Steghide

None of the above yielded anything useful, so we turn to another tool.

Stegseek is a lightning-fast Steghide cracker. According to its README, it is built as a fork of the original steghide project and, as a result, is thousands of times faster than other crackers and can run through the entirety of rockyou.txt in under 2 seconds.

Note what it actually does: Steghide embeds the payload encrypted under a passphrase, and Stegseek brute-forces that passphrase from a wordlist (rockyou.txt by default), extracting the hidden file as soon as a candidate verifies. It does not guess the message itself, and it only helps when Steghide was the embedding tool.

Run Stegseek against the downloaded JPG:

$ stegseek cyberdog.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "kira"

[i] Extracting to "cyberdog.jpg.out".

Analyze the extracted file

$ file cyberdog.jpg.out
cyberdog.jpg.out: PNG image data, 500 x 100, 8-bit/color RGBA, non-interlaced

The output is a PNG image regardless of its .out name, so rename the file accordingly:

$ mv cyberdog.jpg.out cyberdog.png

When we open the resulting cyberdog.png we see the flag!

Flag

flag{g00d_dawg_woofw00f}

Electric Steel

Electric Steel challenge

Task

Check out this image DEADFACE left on one of their victims’ machines. We tried a couple tools and they didn’t reveal anything. Take a look and see what you can find.

Submit the flag as flag{flag_text}.

Download Image

Solution

Going by the challenge description, the usual steg tools and ExifTool have already been tried and found nothing, so we start with our trusty Binwalk, a firmware-analysis tool widely used in digital forensics to find and carve files embedded in, or appended to, other files, image files included.

Let’s run a basic binwalk analysis of the image.

$ binwalk electric-steel.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1232 x 928, 8-bit/color RGB, non-interlaced
2767 0xACF Zlib compressed data, default compression
1435378 0x15E6F2 TIFF image data, big-endian, offset of first image directory: 8
1435914 0x15E90A Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
1467642 0x1664FA gzip compressed data, from Unix, last modified: 2023-06-04 01:14:27

Binwalk reports additional data embedded in, or appended to, our PNG file.
Let's extract it using the -e option.

$ binwalk -e electric-steel.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1232 x 928, 8-bit/color RGB, non-interlaced
2767 0xACF Zlib compressed data, default compression
1435378 0x15E6F2 TIFF image data, big-endian, offset of first image directory: 8
1435914 0x15E90A Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
1467642 0x1664FA gzip compressed data, from Unix, last modified: 2023-06-04 01:14:27

Two of the hits deserve a caveat before trusting them. The zlib stream at 0xACF is almost certainly the PNG's own IDAT pixel data (every PNG contains one), and a TIFF header followed by the 1998 Hewlett-Packard copyright string is what an embedded EXIF block or the standard sRGB ICC profile looks like; neither is evidence of hiding by itself. The gzip stream near the end of the file, well past where the image data should stop, is the one worth pulling out. Enter the newly created folder and examine what was extracted:

$ cd _electric-steel.png.extracted/
$ ls
1664FA ACF ACF.zlib
$ file *
1664FA: POSIX tar archive (GNU)
ACF: empty
ACF.zlib: zlib compressed data
$ tar xpvf 1664FA
flag.txt

Bingo! We have a flag file to view.

$ cat flag.txt
flag{3L3ctr1c_5t33L_b1G_H41R}

flag{3L3ctr1c_5t33L_b1G_H41R}
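What binwalk did here, as a Python example added to this write-up (it is neither the author's code nor binwalk's): walk the PNG chunk list to find where the real image ends at IEND, treat everything after it as appended data, identify that data by its magic bytes, and pull flag.txt out of the gzip'd tar the same way the tar xpvf step above does. The same `sniff` check is the content-based answer to the Fetching Secrets step, where `file` reported that cyberdog.jpg.out was really a PNG. The sample is constructed in memory (a 1x1 PNG with a small tar.gz appended), so the flag string and the offsets are assumptions, not electric-steel.png.

```python
import io
import struct
import tarfile
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic numbers checked at the start of a blob, in the order a carver tries them.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (PNG_SIG, "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
]


def sniff(data: bytes) -> str:
    """Identify a blob by content, the way `file` did for cyberdog.jpg.out."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if len(data) >= 262 and data[257:262] == b"ustar":   # POSIX tar magic
        return "tar"
    return "unknown"


def png_chunks(data: bytes) -> List[Tuple[str, int, int]]:
    """Walk the chunk list and return (type, offset, total length) per chunk,
    verifying each CRC, until IEND. A CRC failure or a length that runs past
    the buffer means the file stops being a straight PNG at that point."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"chunk {ctype!r} at {pos} runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at {pos}")
        chunks.append((ctype.decode("ascii"), pos, 12 + length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def trailing_data(data: bytes) -> Tuple[int, bytes]:
    """Offset of the first byte after IEND and everything from there on:
    this is where an appended archive, like the gzip binwalk flagged, lives."""
    chunks = png_chunks(data)
    ctype, off, ln = chunks[-1]
    if ctype != "IEND":
        raise ValueError("truncated PNG: no IEND chunk")
    end = off + ln
    return end, data[end:]


def carve_flag(data: bytes, member: str = "flag.txt") -> Optional[str]:
    """binwalk -e followed by tar x, in one step: open the trailing gzip'd
    tar and read `member` from it. Returns None if nothing usable is there."""
    _, tail = trailing_data(data)
    if sniff(tail) != "gzip":
        return None
    with tarfile.open(fileobj=io.BytesIO(tail), mode="r:gz") as tf:
        try:
            fh = tf.extractfile(member)
        except KeyError:
            return None
        return fh.read().decode() if fh else None


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_sample(flag: bytes = b"flag{constructed_example}\n") -> bytes:
    """Constructed stand-in for electric-steel.png: a valid 1x1 RGB PNG with
    a flag.tar.gz appended after IEND, the part of the layout that matters."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + red pixel
    png = (PNG_SIG + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(flag)
        tf.addfile(info, io.BytesIO(flag))
    return png + buf.getvalue()


SAMPLE = build_sample()

if __name__ == "__main__":
    off, tail = trailing_data(SAMPLE)
    print([c[0] for c in png_chunks(SAMPLE)], "image ends at", off, "trailing:", sniff(tail))
    print(carve_flag(SAMPLE))
```

The point of walking the chunks rather than scanning for magic numbers is that it separates "data after the image" from hits inside legitimate chunks: a zlib signature inside IDAT, or an ICC profile inside iCCP, will never land after IEND, while an appended archive always will. Run it on the real file by replacing `SAMPLE` with the bytes of electric-steel.png.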

Syncopated Beat

Syncopated Beat challenge

Task

We know there’s a hidden message somewhere here, but none of our steg tools are able to reveal it. Maybe we need to think outside the box?

It is a well-known fact that rock musicians are all Non-Incarnate Conscious Entities (NICEs) influenced. NICEs speak lyrics to them and insinuate their evil messages into the song.

Find the flag and enter it like this : flag{Syncopated_Beats_Are_EVIL!!!}

Download ZIP

Solution

Conclusion

Stego is one of my favorite categories. I have not come across it in real-life scenarios except for network steganography used by malware authors and command-and-control (C2) infrastructure, which hides both exfiltrated data and beaconing behaviour inside ordinary-looking network traffic.

I wish we had some of those on this CTF, such as ICMP or DNS tunneling, or exfiltrating data (the flag) through innocuous-looking legitimate network traffic. However, the cool audio stego made up for it :)

My tip for doing image and sound steganography is to build a library of stego tools and cycle through them until something sticks.

Generally, you may be given a clue as to what route to take but be prepared for anything in case you aren’t given a clue.

Written by Abdul Issa

Penetration Tester, Linux Evangelist, Security Geek, Blogs about Ethical Hacking, CTF, Cybersecurity Career & Certifications. www.linkedin.com/in/abdul-issa
