[9447 CTF 2015] [Stega 90 – Imaged] Write Up

Description

Our spies found this image. They think something is hidden in it… what could it be?
imaged.zip

Resolution

Using strings we found a “9447” so we decided to check with a hexadecimal editor:

hd imaged.png
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 0b b5 00 00 39 03  04 03 00 00 00 39 34 34  |......9......944| //944
00000020  37 00 00 00 30 50 4c 54  45 18 14 0c f4 f0 e8 c4  |7...0PLTE.......| //7
00000030  44 48 30 84 5c f0 e8 48  34 30 74 bc 30 6c 28 74  |DH0.\..H40t.0l(t|
00000040  c4 00 00 00 ff ff ff c4  44 92 23 bc 72 87 85 69  |........D.#.r..i|
00000050  06 03 38 30 b0 8f d4 86  1f 7b 53 74 65 00 00 20  |..80.....{Ste.. | //{Ste
00000060  00 49 44 41 54 78 01 00  e8 80 17 7f 00 c9 e4 41  |.IDATx.........A|

As you can see, there was a “9447” at the end of the 2nd line, continuing on the 3rd line.
Moreover, there was a piece of flag “{Ste” at the 6th line before an IDAT tag.
The same pattern occured some offset later:

00002060  7e 5d d9 15 72 67 30 5f  72 00 00 20 00 49 44 41  |~]..rg0_r.. .IDA|
00002070  54 99 95 a4 19 92 49 91  e9 a9 e9 a9 91 1a 92 9b  |T.....I.........|

As the flag was short, we managed to get it manually. 🙂
In the other case, we would have used the script below.
It show the 4 characters before the “.. .IDAT” (0000200049444154 in hex).

xxd -p imaged.png | tr -d '\n' | grep -Eo '([0-9a-f]{8})0000200049444154' | sed 's/0000200049444154//' | xxd -r -p
{Steg0_redunDaNcy_CHeck}▒e

Flag was : 9447{Steg0_redunDaNcy_CHeck}.

Leave a Reply

Your email address will not be published. Required fields are marked *