Foreword

I am fortunate to participate in the competition of the enterprise group of the 2nd Shanxi Network Security Skills Competition in 2022. This is the first time I have participated in the ctf competition. I went there for the purpose of accumulating practical experience. The ranking is a bit unexpected.

Tips: The following is the text of this article.

I. Question

Title:

Miscellaneous questions, simple steganographic attachments.

Attachments:

Simple steganographic attachment.png

Second, problem solving steps

1. Problem solving ideas

When you see a PNG image, first use tweakpng to see if crc reports an error.The result indicates that there is a problem with the CRC check.Use the PNG width and height shuttle tool to restore the original size of the picture (or directly change the height through WINHEX), you will find a half-section flag, and prompt the LSB related content.Drag the PNG into the 010 editor, and find that there is a compressed file mark at the end -- "PK", and then separate flag.wav from it. Spectrum analysis does not find any valuable content, and then use the silenteye steganography tool to export the hidden file---flag.pyc.Use the pyc steganography tool --stegosaurus to retrieve the second half of the flag.

2. Problem solving process

(Original image is pure white image)

Resize the image, or use a shuttle tool to restore its size and hide the information.

Get half a FLAG.

In the 010 editor, it is found that there are compressed files hidden in it, and use binwalk to separate them.

# binwalk -e simple steganographic attachment.pngDECIMAL HEXADECIMAL DESCRIPTION--------------------------------------------------------------------------------0 0x0 PNG image, 1195 x 300, 8-bit/color RGB, non-interlaced91 0x5B Zlib compressed data, compressed6553 0x1999 Zip archive data, at least v2.0 to extract, compressed size: 336438, uncompressed size: 353472, name: flag.wav343119 0x53C4F End of Zip archive, footer length: 22

Isolate the flag.wav file and use spectrum analysis software to analyze it. No valuable content is found. The music content is a standard piece of music.

Use the silenteye tool to restore the hidden information in flag.wav -->flag.pyc

Use pyc steganography tool to restore steganographic content

F:\software\CTF toolbox\ctf toolbox\other stegos\stegosaurus-1.0>python -m stegosaurus -x F:\sharedir\CTF\_simple steganography attachments.png.extracted\flag.pycStegosaurus requires Python 3.6 or later

The PY3.9 installed in the virtual machine fails to run.For this reason, the PY3.5 installed on the real machine still prompts the version problem. In desperation, the version detection item is annotated, and it is run again in the PY3.5 environment, and a miracle occurs.

F:\software\CTF toolbox\ctf toolbox\other stegosaurus\stegosaurus-1.0>python -m stegosaurus -x F:\sharedir\CTF\_simple steganographyWritten attachment.png.extracted\flag.pycExtracted payload: 665646cd2139a4ba0b0}

Content blocked by stegosaurus.py:

#if sys.version_info < (3, 6):# sys.exit("Stegosaurus requires Python 3.6 or later")

The two flags are merged.

flag{8f177eac1dff4665646cd2139a4ba0b0}

III. Summary

I haven't solved it during the competition, and I haven't solved a similar problem before. This is the first time I met it.