[CryptoChallenge] Basic Stego 2 - Solution

steganography
crackme

(pico) #1

I’m sure you all have solved this last crypto challenge, but in case you haven’t, this is a short write-up on how to get the hidden message.

You can use different tools to achieve what is described below. I’m going to use GNU/Linux command-line tools to get the message out of the file. Let’s go.

Looking into the image

First we have to be able to take a look at the contents of that noisy image. To do this easily, I will use the convert tool from the ImageMagick package and convert the original grey-scale PNG into a plain PGM:

$ convert stego2.png stego2.pgm

The .PGM format is quite convenient because it contains all the data uncompressed just after a small header. This really simplifies access to the pixels without writing any code or using special tools. So, the PGM file looks like this:

$ head -c 30 stego2.pgm
P5
653 55
255
-FLAC-
fLaC

The value 30 is just a random number (I already know which value I have to put there :P), but, as you can see, the header is around that size.

We can see the initial format identifier P5. Then we find the image dimension and finally the pixel encoding format. In this case, 255 means that each pixel is 1 byte (256 values).

FLAC

Those are the contents of the standard PGM header. The string -FLAC- we find just next is actually the value of the first 5 pixels in the image. If you do not know what FLAC is, you can do a quick search on the web.

If you are lazy like me, keep reading. FLAC ( https://en.wikipedia.org/wiki/FLAC ) is an audio file format supporting lossless compression. That makes sense. Compression will obfuscate the original message and the lossless nature of the file format will allow us to use bit masking techniques like the ones we already know ( [CryptoChallenge] Basic Stego - Making Of (Spoiler warning))

If you take a look at a FLAC file, you will find out that the format uses a magic string at the beginning of the file. That is common to many file formats. The magic bytes for the FLAC format are fLaC. That is the string just after the first -FLAC-… So, let’s ignore the first -FLAC- that does not fit the FLAC format, and let’s extract what follows.

An audio file

To get the FLAC file out of our PGM image we have to first find out the offset to the data we are interested in and then dump that data into a file:

$ xxd stego2.pgm | head -n 5
0000000: 5035 0a36 3533 2035 350a 3235 350a 2d46  P5.653 55.255.-F
0000010: 4c41 432d 0a66 4c61 4300 0000 2210 0010  LAC-.fLaC..."...
0000020: 0000 0575 001c b902 b110 f000 0053 fd80  ...u.........S..
0000030: 09c2 40f2 b686 21da 8ead 18cf e8e9 e103  ..@...!.........
0000040: 0000 1200 0000 0000 0000 0000 0000 0000  ................

Just counting, we find out that the offset (the beginning of fLaC string) is at 22 bytes from the beginning of the file. Let’s extract the file:

$ tail -c +22 stego2.pgm > stego2.flac
$ play stego2.flac
stego2.flac:

 File Size: 35.9k     Bit Rate: 147k
  Encoding: FLAC          Info: Processed by SoX
  Channels: 1 @ 16-bit
Samplerate: 11025Hz
Replaygain: off
  Duration: 00:00:01.95

In:95.3% 00:00:01.86 [00:00:00.09] Out:20.5k [!=====|=====!]        Clip:0
Done.
play WARN flac: decoder MD5 checksum mismatch.

You should hear some audio when playing back the flac file.

Accessing Audio Samples

Now that we have our audio file, let’s look into it. The FLAC format is compressed. Do not waste time dumping the file. We have to uncompress it to be able to look at what is inside.

For doing this, we are going to use the sox tool. This is a really handy command-line audio tool that can convert between different audio formats and do some transformations on the audio stream. One of the formats it supports is raw samples… that format looks convenient.

$ sox stego2.flac stego2.raw
$ xxd stego2.raw | head

You should now be able to read the message; however, as I used 16 bits to encode the audio samples and used the lower 8 bits to store the message, you have to skip one out of every two chars or do a little programming/scripting to read the message.
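The two extraction steps of the write-up (locate the fLaC magic inside the PGM bytes, then keep only the low byte of each decoded 16-bit sample) as a small Python script. This is an added example, not pico’s code; the PGM bytes and raw samples below are constructed, and little-endian 16-bit sample order from sox is an assumption.

```python
import struct

FLAC_MAGIC = b"fLaC"


def find_flac_offset(data: bytes) -> int:
    """0-based offset of the first 'fLaC' marker; the shell equivalent is
    `tail -c +<offset+1>` because tail counts bytes from 1."""
    off = data.find(FLAC_MAGIC)
    if off < 0:
        raise ValueError("no FLAC stream marker found")
    return off


def extract_flac(data: bytes) -> bytes:
    """Slice the embedded FLAC stream, from its magic bytes to end of data."""
    return data[find_flac_offset(data):]


def low_bytes(raw: bytes, little_endian: bool = True) -> bytes:
    """Keep the low 8 bits of every 16-bit sample (where the message lives).
    Assumes sox wrote host-order samples, i.e. little-endian on x86."""
    fmt = "<H" if little_endian else ">H"
    return bytes(s & 0xFF for (s,) in struct.iter_unpack(fmt, raw))


def printable(b: bytes) -> str:
    """Drop bytes outside printable ASCII so the message reads cleanly."""
    return "".join(chr(c) for c in b if 32 <= c < 127)


# Constructed PGM dump (not the challenge file): header, the decoy '-FLAC-'
# pixels, then a stub stream that starts with the real magic bytes.
SAMPLE_PGM = b"P5\n653 55\n255\n-FLAC-\nfLaC\x00\x00\x00\x22" + bytes(12)

# Constructed raw output: each 16-bit little-endian sample carries one
# message byte in its low byte and arbitrary "audio" in its high byte.
MESSAGE = b"constructed message"
SAMPLE_RAW = b"".join(bytes([c, 0x7F - i]) for i, c in enumerate(MESSAGE))

if __name__ == "__main__":
    off = find_flac_offset(SAMPLE_PGM)
    print(f"fLaC at byte {off}: tail -c +{off + 1} stego2.pgm > stego2.flac")
    print(extract_flac(SAMPLE_PGM)[:4])
    print(printable(low_bytes(SAMPLE_RAW)))
```

On the real files, pass the contents of stego2.pgm to extract_flac and the contents of stego2.raw to low_bytes.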


#2

Damn, thank you for posting the solution because I was trying with a completely different way which wouldn’t lead me anywhere. Sweet challenge, keep them coming pico!


(pico) #3

The idea was to just post the FLAC file… but that is not allowed, so I had to fit the audio inside an image. That may have made the challenge a bit misleading.


#4

I thought of coding my way around it but I scrapped it. I’m curious if it’s possible.


(pico) #5

I think it is… give me a couple days


(system) #6

This topic was automatically closed after 30 days. New replies are no longer allowed.