
Author Topic: THS - IMAGE CHALLENGE 2  (Read 8329 times)

Offline Malachai

  • Top Hat Member
  • Super Elite
  • ********
  • Posts: 2800
  • Internets: +18/-7
  • #!/bin/sh Day/Night (Grey Hat)
Re: THS - IMAGE CHALLENGE 2
« Reply #15 on: November 01, 2012, 11:27:20 AM »
I gave up on this when he first started the first night we had him on the phone... just pissed me off...lol...
** Dont' judge me! **

*//
  Hope that Firewall works because your SCREWED  
  //*

Offline corr.x86

  • Top Hat Member
  • Elite
  • ********
  • Posts: 1111
  • Internets: +10/-0
  • ^That's a lie
Re: THS - IMAGE CHALLENGE 2
« Reply #16 on: November 01, 2012, 06:36:29 PM »
Well, it's good that he keeps it that way. At least one of us will be trying their best to solve it.
"I have this assignment bla bla bla, can you give me teh codez?"

"www.adoptamalware.com would be a nice website to run."

Offline Malachai

Re: THS - IMAGE CHALLENGE 2
« Reply #17 on: November 01, 2012, 11:30:44 PM »
If n1tr0g3n couldn't solve it I don't think anyone can. He was upset like me over the phone. I remember him saying he had spyware on his machine trying different software... lol

Offline TAPE

  • Top Hat Member Moderator
  • Elite
  • ********
  • Posts: 1247
  • Internets: +192/-0
Re: THS - IMAGE CHALLENGE 2
« Reply #18 on: November 02, 2012, 04:15:12 AM »
OK, well let's go through what has been tried then.


First of all, assumptions;
beware.. assumption is the mother of all fuck-ups ;)
No information has been given on which OS the alterations to the files were done.
Admin previously did mention as a hint 'dir /r' which would imply checking on windows
and thus imply that the work should be able to be done on a Windows system.

I am also assuming that what was done to the files was done using standard tools on the
OS and not using any specialised 3rd party software.
So I am thinking of simple commands entered in ms-dos and the like, with the possible exception of
hints being provided in metadata (so checking with exiftool).

Considering getting the info difference is reportedly done within a minute or so, a lot of the below
is over the top checking, but if you don't know what to look for, you have to look at a lot !



IMAGE COMPARISON
==============

So based on taking the 1st .jpg file as basis and first comparing it with the .png (left image)
and then with the 2nd .jpg (right image) ;
 


"copy /b" hiding technique
=====================


My first thought was to check to see whether any compressed archive was 'hidden' in the image by using the 'copy /b' approach.

So basically this means you compress/zip information, and then copy this as binary information to an image file as follows ;
In command-prompt;
Code:
copy /b my_image.jpg + hidden.zip my_image.jpg
This image file will then still look and act like an image file, however you can extract information from the file by
simply treating it as an archive file (for instance right click in explorer and choose extract with your installed archive tool)

So I checked this by simply verifying whether or not I could treat any of the file as a zip/archive file and extract anything.
No Go.

You can also do the same, hiding a simple text file;

Code:
copy /b my_image.jpg + my_text.txt new_image.jpg
On opening the new_image.jpg with a text editor, you should see the text of your hidden file at the very end.


Checking for hints in metadata of the files
=============================


Doing this by checking the information in a GUI version of exiftool ;

Challenge 1




In the .jpg version of the file there is a reference to Ducky and to Adobe.


Challenge 2



This image is 7.5kB whereas the first .jpg image was 7.1kB, indicating possibly hidden info,
most likely text, depending on whether the 1st image was just what it appeared to be.

Irfanview information;
image quality 77% with 8355 unique colours used on the first jpg image
image quality 80% with 9291 unique colours used on the 2nd jpg image.


ADS / Alternate Data Streams
=====================


Considering Admin mentioned checking out dir /r, I did of course and it would then seem that ADS is part of the deal.






But you will find ADS references on nearly all items you DL from the net, and the stream references on the lightbulbs
just appear to be the general type you get when you download files from internet.

The way streams work is that you can 'hide' data in a stream of a different file.
For instance I created a text file called 'ads-test.txt' and put an image called test.JPG in the same directory.

Now to add the test image (a 4MB jpeg image) to the 6byte text file, you would follow ;
In command-prompt;
Code:
type test.JPG > ads-test.txt:test.JPG

Now when doing a dir check, you will see that the ads-test.txt has not even changed size, it remains identical.
However when doing a dir /r you will see the ADS reference clearly indicating the presence of the test.JPG file.
So the actual size is not showing the real size although it is over 4.25MB difference !




OK you say, so what happens when we delete the initially used test.JPG file and check again ?
it is still there.. ;


To 'extract' the data hidden in the ADS, you need to know what program can actually do what you want.
In this case as it is a JPEG file that is hidden, you can think of mspaint.
(if you would have seen a .txt file you would have started the command with notepad, etc.)

In command-prompt;
Code:
mspaint ads-test.txt:test.JPG
Will open that baby right up in Paint.


Now if I upload that file to a filesharing site and download again, what do I get ?




Soo... this simple test shows that if there was a file hidden with ADS, it is possible that it would
not be retrieved after having uploaded / downloaded it.


STEGANOGRAPHY
=============

As steganography in the sense of using tools to hide data in images requires 3rd party tools, I
don't believe that is what is being done here.

But for sake of good order did do a quick test with stegdetect ;




SO

Those have been my tests and my findings with a little information on how the methods to hide info work.

What were your tests and what were your results ? 
« Last Edit: November 02, 2012, 07:07:27 AM by TAPE »
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik
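
An added example, not part of TAPE's post or the challenge files: a check for the 'copy /b' technique described above that walks the JPEG segments to the real end-of-image marker and classifies anything appended after it. The function names and the sample bytes are constructed for illustration.

```python
import io
import zipfile

def find_jpeg_end(data: bytes) -> int:
    """Walk the JPEG marker segments; return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                     # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                             # TEM/RSTn carry no length field
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length                    # skips APPn payloads, thumbnails too
            while marker == 0xDA and pos + 1 < len(data):
                nxt = data[pos + 1]              # SOS: scan the entropy-coded data
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                        # real marker, not stuffing/restart
                pos += 1
    raise ValueError("no EOI marker found")

def inspect_trailer(data: bytes) -> dict:
    """Classify whatever follows the image, as 'copy /b' appending would leave it."""
    end = find_jpeg_end(data)
    trailer = data[end:]
    report = {"jpeg_end": end, "trailer_len": len(trailer), "kind": None, "names": []}
    if trailer and zipfile.is_zipfile(io.BytesIO(trailer)):
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            report.update(kind="zip", names=zf.namelist())
    elif trailer:
        text = all(32 <= b < 127 or b in b"\r\n\t" for b in trailer)
        report["kind"] = "text" if text else "binary"
    return report

def make_sample_jpeg() -> bytes:
    """Constructed, structure-only JPEG (not a viewable image) for the demo."""
    app1 = b"\xff\xe1\x00\x08AB\xff\xd9CD"       # decoy EOI inside the APP1 payload
    sos = b"\xff\xda\x00\x03\x00"
    return b"\xff\xd8" + app1 + sos + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"

if __name__ == "__main__":
    print(inspect_trailer(make_sample_jpeg() + b"constructed hidden note\r\n"))
```

Walking the segments rather than searching for the last FF D9 matters because embedded thumbnails and the appended data itself can contain those two bytes.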

Offline Malachai

Re: THS - IMAGE CHALLENGE 2
« Reply #19 on: November 02, 2012, 09:08:35 AM »
How funny...

Quote
Challenge 1

In the .jpg version of the file there is a reference to Ducky and to Adobe.

I found that info myself but did you find the wpa info? LOL....


Offline TAPE

Re: THS - IMAGE CHALLENGE 2
« Reply #20 on: November 02, 2012, 09:16:08 AM »
Give more info on what you found and how, otherwise it's not of much help...  ;)

Offline TAPE

Re: THS - IMAGE CHALLENGE 2
« Reply #21 on: November 03, 2012, 04:37:20 PM »
FFS TAPE, you senile idiot.. well for part of it anyway.
stegdetect sux ...
Oh well.. one step closer ;

Challenge 2 on coollightbulb.jpg
-------------------------------------------
The image of the 2nd jpg image had so many changes evident after checking that with imagemagick that I knew
there must be something there, but couldn't figure out why stegdetect wasn't showing it.

After reading a bit more and seeing that steghide does a decent job, I thought, hey crap, is that included in the
stegdetect checks ?  no it isn't...

So I ran steghide on the coollightbulb.jpg ;
Code:
steghide info coollightbulb.jpg
There wasn't even a password on it, so it was a matter of hitting enter..

Can also do ;
Code:
steghide extract -sf coollightbulb.jpg


I did check a couple of passwords before though just to see ;)

Text within the extracted file ;
Quote

This is a picture of a light bulb.
More importantly, it is a picture of a picture of a light bulb.
More importantly, there is text inside of this picture of a picture of a lightbulb.
Therefore, the picture of the picture of the lightbulb is not important at all.
Its this text which is inside of the picture of a picture of a lightbulb.

I'm wondering whether the text is providing a hint for challenge 1, so will be looking further,
but considering the 'dir /r' hint am wondering whether any mistake was made on formatting now...

In any case continuing with this friggin mind-fuck of Challenge 1...
« Last Edit: November 03, 2012, 05:17:33 PM by TAPE »

Offline corr.x86

Re: THS - IMAGE CHALLENGE 2
« Reply #22 on: November 03, 2012, 08:24:33 PM »
SO YOU GOT IT?!?!! CONGRATSSSS

Offline TAPE

Re: THS - IMAGE CHALLENGE 2
« Reply #23 on: November 04, 2012, 03:31:00 AM »
Well, just the Challenge 2, not the Challenge 1..

Still waiting for some further advice on that one as not getting anywhere on it..

Offline n1tr0g3n

  • Super Elite
  • ******
  • Posts: 4734
  • Internets: +63/-2
  • MCSA, MCP, MCTS, DCSE, CE/H, ACSP, N+,A+, CWSP
    • n1tr0g3n Information Security Blog
Re: THS - IMAGE CHALLENGE 2
« Reply #24 on: November 04, 2012, 09:51:25 AM »
TAPE you must be going crazy with that  :D  I couldn't take any more and had to stop lol. The new OS has a bunch of image forensic tools you might like.
"It's mind over matter, If you don't have a mind then it doesn't matter

Youtube  Channnel
http://www.youtube.com/user/n1tr0g3n0x1d3
Twitter  https://twitter.com/n1tr0g3n_com
http://www.n1tr0g3n.com  
http://teamctfu.weebly.com/

Offline TAPE

Re: THS - IMAGE CHALLENGE 2
« Reply #25 on: November 04, 2012, 10:48:21 AM »
Actually I'm enjoying reading about the different ways that data obfuscation is done :)
Will have to document some of it in a tutorial one of these days. It's interesting stuff!

but challenge 1, yeah... think we need to get Raven, string him up and beat him with sticks
until he yields more info... :D

As for other image tools, not found anything more with the tools available as yet.


Offline n1tr0g3n

Re: THS - IMAGE CHALLENGE 2
« Reply #26 on: November 04, 2012, 10:53:17 AM »
I see a whole new write up on the TAPE blog soon!  ;)

Offline M0rPh3u5

  • Elite
  • *****
  • Posts: 523
  • Internets: +0/-0
  • Musician
Re: THS - IMAGE CHALLENGE 2
« Reply #27 on: November 04, 2012, 04:17:45 PM »
Quote
I see a whole new write up on the TAPE blog soon!  ;)

LOL That would be cool!
One of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs.

Offline TAPE

Re: THS - IMAGE CHALLENGE 2
« Reply #28 on: November 04, 2012, 04:48:50 PM »
I was thinking about making a post or two here on the forums, but was worried I might get a bit carried away and start writing full blown novels which are best maintained on a blog ;)

Offline S1LV3RWR4TH

  • *CWSP Certified*
  • Enthusiast
  • *******
  • Posts: 99
  • Internets: +10/-0
Re: THS - IMAGE CHALLENGE 2
« Reply #29 on: August 02, 2013, 03:53:22 PM »
I just figured this one out, and yes I did it before reading the thread. I would've been pissed at myself otherwise.