Simple Steganography (CTF Learn)

Forensics

Challenge: Simple Steganography (CTFlearn)

Think the flag is somewhere in there. Would you help me find it? Hint: "Steghide Might be Helpful"

Don't forget, we always work inside VMs.

So we'll upload the file there and then:

We took the download link and used wget to download the file:

I always rename files to something close to the task at hand, so I renamed the file after the challenge we are working on. Now let's get started:

Here we identify the file type. There are a lot of interesting things:

I decided to use exif and exiftool, but nothing new:

It seems like strings didn't work this time:

The appearance of the word (myadmin) caught my attention in every way.

I went back and found keywords, but why?

Binwalk didn't work either:

I used foremost:

Let's break down the options used:

-v: This stands for verbose mode, which means the command will provide more detailed output about its operations.

-q: This stands for quiet mode, which typically suppresses normal output, and only error messages or important information are displayed.

-i Minionsl.jpeg: This specifies the input file or device from which foremost should recover data. In this case, it's looking for data in the file named "Minionsl.jpeg".

It seems that the matter is related to the audit file. Inside the image, after all this research, it appears that the private key to open this file is (myadmin).

Well, we have to use Google; it has been discontinued.

After a lot of searching I found a tool called steghide, I installed it and then…

We used help:

Let's break down the options used:

steghide --extract -sf Minionsl.jpeg -p myadmin

--extract: This option specifies that you want to extract (uncover) hidden data from the specified file.

-sf Minionsl.jpeg: This option specifies the source file from which you want to extract the hidden data. In this case, it’s “Minionsl.jpeg.”

-p myadmin: This option is used to provide the passphrase or password that was used during the embedding process. The passphrase is necessary to successfully extract the hidden data.

So, the command is instructing steghide to extract hidden data from the “Minionsl.jpeg” file using the passphrase “myadmin.” Keep in mind that the success of the extraction depends on using the correct passphrase that was used during the embedding process.

Here I used https://cyberchef.org/. I didn't know what to use, so I used Magic:

Well, it looks like Base64:

To make it clearer, I used the command:

Here is the flag.

See you soon in other reports!

Abdelwahab_Shandy

AS_Cyber
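
For the Base64 step near the end of the writeup, here is a local check that recognises and decodes Base64 without pasting the extracted data into a web tool. This is an added example, not part of the original writeup; it goes one step further and peels nested layers, and the flag and payload in it are constructed sample values, not the challenge's.

```python
import base64
import binascii
import re
import string

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
PRINTABLE = set(string.printable.encode())

def looks_like_base64(data: bytes) -> bool:
    """Heuristic: Base64 alphabet only, length a multiple of 4, not too short."""
    text = data.strip()
    if len(text) < 8 or len(text) % 4 != 0:
        return False
    try:
        return B64_RE.fullmatch(text.decode("ascii")) is not None
    except UnicodeDecodeError:
        return False

def peel_base64(data: bytes, max_layers: int = 5):
    """Decode nested Base64 layers and return (result, layers_removed).

    Stops when the data no longer looks like Base64, or when decoding gives
    non-printable bytes (an ordinary word that only resembled Base64).
    """
    current = data.strip()
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True)
        except binascii.Error:
            break
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # binary output: treat the match as a false positive
        current = decoded.strip()
        layers += 1
    return current, layers

# Constructed sample: a placeholder flag encoded twice, with the trailing
# newline an extracted text file usually ends with.
SAMPLE_FLAG = b"flag{constructed_sample}"
SAMPLE_PAYLOAD = base64.b64encode(base64.b64encode(SAMPLE_FLAG)) + b"\n"

if __name__ == "__main__":
    result, layers = peel_base64(SAMPLE_PAYLOAD)
    print(f"{layers} layer(s) removed: {result.decode()}")
```

The printable-output check is what keeps a word such as "password", which happens to use only Base64 characters, from being decoded into garbage.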