June 28, 2017, 03:37:55 AM
Welcome, Guest. Please login or register.

If you are not part of the solution...You are part of the precipitate.

Author Topic: THS - IMAGE CHALLENGE 2  (Read 8291 times)

Offline R4v3N

  • Administrator
  • Super Elite
  • *****
  • Posts: 3691
  • Internets: +160/-1
  • The googles and the metasploits...
    • Top-Hat-Sec
Re: THS - IMAGE CHALLENGE 2
« Reply #30 on: August 02, 2013, 07:07:23 PM »
I just figured this one out, and yes I did it before reading the thread. I would've been pissed at myself otherwise.

Itzdanielp found the mystery. Please feel free to post a tutorial of how you found it and what you did and I will lock this thread.

Offline Malachai

  • Top Hat Member
  • Super Elite
  • ********
  • Posts: 2800
  • Internets: +18/-7
  • #!/bin/sh Day/Night (Grey Hat)
Re: THS - IMAGE CHALLENGE 2
« Reply #31 on: August 02, 2013, 08:36:06 PM »
THIS IS BS...  ??? N1tr0g3n and I tried that night while we were talking to you ,, congrats!!!!!!
** Dont' judge me! **

*//
  Hope that Firewall works because your SCREWED  
  //*

Offline S1LV3RWR4TH

  • *CWSP Certified*
  • Enthusiast
  • *******
  • Posts: 99
  • Internets: +10/-0
Re: THS - IMAGE CHALLENGE 2
« Reply #32 on: August 03, 2013, 06:16:52 PM »
Well, to be honest I don't know if I should really be writing documentation on it, because I kind of blundered onto it. But I will do my best.




While working on the Challenge 1 that R4v3n posted I was trying to figure out what could be different,  and since there wasn't anything specific in the exif data, or in any of the color layers I figured it must be buried in the image itself. So I booted up my trusty backbox THS edition and started going through menu's to find something that could help.

I deduced that the "Forensics" menu was along the line of what I was looking for. And then "File Analysis". I chose Steghide, since I wasn't looking at a thumbs.db file or a firefox (or other browser). And attempted to open the files from challenge 1, and I got a prompt for a password. I figured that I was on the right track, but got stuck at this point because I couldn't get past the password.

This brings me on to Challenge 2 (This Challenge) because R4v3n mentioned it was the same type of thing, just easier. I hoped that maybe it wouldn't be encrypted.

I was right. And was able to use Steghide to extract the .txt from inside of the .jpg

Below are the steps.



Download "coollightbulb.jpg" from the OP of this forum. I let it download to my "Downloads" folder.

I opened a shell at this point. And typed the following.

Code: [Select]
steghide info /root/Downloads/coollightBulb.jpg

Which returned this:

Code: [Select]
root@backBox:~# steghide info /root/Downloads/coollightBulb.jpg
"coollightBulb.jpg":
  format: jpeg
  capacity: 390.0 Byte
Try to get information about embedded data ? (y/n)

Answering "Y" brings up a prompt asking for a password. To which I hoped there was no password, so I just pressed "Enter" and was rewarded with the following.

Code: [Select]
Enter passphrase:
  embedded file "lightbulb.txt":
    size: 337.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

This proves that there is a text file "lightbulb.txt" embedded in this pictures. That there is no password. And some other information that I don't really understand :(

The next step is to extract it.

Code: [Select]
root@backBox:~# steghide extract -sf /root/Downloads/coollightBulb.jpg
Enter passphrase:
wrote extracted data to "lightbulb.txt".
root@backBox:~#

And when you open "lightbulb.txt" you get the following:

Quote
This is a picture of a light bulb. More importantly, it is a picture of a picture of a light bulb. More importantly, there is text inside of this picture of a picture of a lightbulb. Therefore, the picture of the picture of the lightbulb is not important at all. Its this text which is inside of the picture of a picture of a lightbulb.

I hope this helps.