Basic Steganography and PNG Files

2019-01-23
[ stego ]

Introduction to Steganography

While browsing Reddit, I came across this image:

Hidden Messages

The poster claimed that within this picture, there were six hidden messages.

To solve this, I needed to use some steganography tools and techniques. Steganography is the art of hiding information, commonly inside other forms of media. In this case, the messages are hidden inside a picture. Messages can also be hidden inside music, video and even other messages. In contrast to cryptography, which hides a message’s meaning, steganography often hides a message’s very existence.

Steganographic techniques have been used to conceal secrets for as long as humans have had them. Today, they are used by international intelligence agencies, drug cartels and even Al-Qaeda [1]. Steganographic challenges are frequently found in modern CTF competitions.

Finding the Messages

The First Message

Perhaps the easiest message to spot is the text in the gray letters.

“hi there.”

The Second Message

The second message is in very tiny font at the bottom right hand corner.

“GO AWAY”

The Third Message

While easy to spot, the third message is a bit more cryptic: “zrbj zrbj” appears to be encrypted. It is encoded with ROT13, a variation of the Caesar cipher, one of the oldest and most common ciphers. Using an online decoder reveals the message “meow meow”.

PNG Files

Checking the image with the file command yields the following:

file bh8gntidtu921.png
bh8gntidtu921.png: PNG image data, 853 x 846, 8-bit/color RGB, non-interlaced

This tells me this is a PNG file.

PNG (Portable Network Graphics) files are an image file format.

The first 8 bytes of the file are the PNG magic numbers. These act as the file signature and allow it to be recognized as a PNG file.

hexdump -C -n 8 bh8gntidtu921.png
00000000  89 50 4e 47 0d 0a 1a 0a                           |.PNG....|
00000008

After the magic numbers comes a series of chunks. The first four bytes of each chunk give the length of the chunk data. The next four bytes identify the type of chunk. Following that is the chunk data itself, whose length is specified by those first four bytes. At the end of the chunk is a 4-byte CRC (Cyclic Redundancy Code) to check for corrupted data.

Chunk Structure

There are a few critical chunks:

  • IHDR image header, which is the very first chunk.

  • PLTE palette table. This is an optional chunk.

  • IDAT image data chunks.

  • IEND trailer. Marks the end of the PNG datastream.

A common method of hiding flags in these types of challenges is to place messages after the IEND chunk. Data added after this block will not change anything besides the size of the file.

The Fourth Message

Using hexdump to look at the image:

hexdump -C bh8gntidtu921.png

00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|

-snip-

0000bde0  af e1 ce d8 e6 8c 77 4f  df e6 8c 8d a3 28 fa 1f  |......wO.....(..|
0000bdf0  36 a6 5b e3 21 7a 24 6f  00 00 00 00 49 45 4e 44  |6.[.!z$o....IEND|
0000be00  ae 42 60 82 0d 0a 51 75  69 63 6b 21 20 4c 6f 6f  |.B`...Quick! Loo|
0000be10  6b 20 42 65 68 69 6e 64  20 79 6f 75 21 20 54 68  |k Behind you! Th|
0000be20  65 72 65 27 73 20 61 62  73 6f 6c 75 74 65 6c 79  |ere's absolutely|
0000be30  20 6e 6f 74 69 6e 67 20  75 6e 75 73 75 61 6c 20  | noting unusual |
0000be40  74 68 65 72 65 21                                 |there!|
0000be46

The message “Quick! Look Behind you! There’s absolutely noting unusual there!” can be seen appended to the end of the file.
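The chunk layout and the check for data after IEND, as an added example (not code from the original post). It walks the length/type/data/CRC fields described above and returns whatever follows the IEND chunk; the sample file is a constructed 1x1 PNG with text appended, and the names `chunk` and `walk_png` are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 8 magic bytes from the hexdump above


def chunk(ctype, data=b""):
    """Serialize one chunk: 4-byte length, type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def walk_png(blob):
    """Return ([(type, data_length, crc_ok), ...], bytes_after_IEND)."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], 8
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk at offset %d" % pos)
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        crc_ok = crc == zlib.crc32(ctype + data)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos = end
        if ctype == b"IEND":
            return chunks, blob[pos:]  # anything left is appended data
    raise ValueError("no IEND chunk found")


# Constructed sample: 1x1 8-bit RGB image plus text appended after IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
SAMPLE = (PNG_SIG
          + chunk(b"IHDR", IHDR)
          + chunk(b"IDAT", zlib.compress(b"\x00\x46\x82\xb4"))
          + chunk(b"IEND")
          + b"\r\nQuick! Look Behind you!")

if __name__ == "__main__":
    found, trailer = walk_png(SAMPLE)
    for entry in found:
        print(entry)
    print("bytes after IEND:", trailer)
```

A non-empty second return value, or a chunk whose CRC does not verify, is the cue to look at the file more closely.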

The Fifth Message

I used the strings command to try and locate more messages, but didn’t see anything. Next, I checked the image with a tool called Stegsolve. Using Stegsolve, I am able to manipulate the colors. With certain filters applied, colors that were barely perceptible before are made obvious.

Screenshot

Stegsolve.

Scanning this QR code gives the message “Your feet smell like cheese”.

Least Significant Bit (LSB)

A common steganography trick is to hide a message in the least significant bits (LSB) of an image. Raster images like PNG images are made up of pixels. Pixel information is contained within the IDAT chunks. Each pixel is composed of three bytes, representing the amount of red, blue and green, for a total of twenty-four bits. The total number of colors that can be represented is $$2^{24}=16777216$$, far more than the human eye can detect.

To hide information in the image, the last bit of each byte is changed. This results in a color change imperceptible to the human eye, while still allowing the information to be hidden.

For example, see the below images. We start with this shade of blue.

Initial Picture

**Red:** 01000110 **Green:** 10000010 **Blue:** 10110100

Changing the last bit on each of these bytes results in this color, which is seemingly identical.

LSB Picture

**Red:** 01000111 **Green:** 10000011 **Blue:** 10110101
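The bit manipulation described above, as an added example (not code from the original post). It works on a flat sequence of already-decoded colour bytes, one payload bit per byte in row order, which is the simplest LSB layout and an assumption here; the cover is constructed from the blue pixel shown above, and the function names are illustrative.

```python
def payload_bits(payload):
    """Yield the payload's bits, most significant bit of each byte first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(samples, payload):
    """Overwrite the lowest bit of successive colour bytes with payload bits."""
    bits = list(payload_bits(payload))
    if len(bits) > len(samples):
        raise ValueError("cover too small: need %d colour bytes" % len(bits))
    out = bytearray(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # clear bit 0, then set it to the payload bit
    return bytes(out)


def extract_lsb(samples, nbytes):
    """Rebuild nbytes of payload from the lowest bit of each colour byte."""
    if nbytes * 8 > len(samples):
        raise ValueError("not enough colour bytes for %d payload bytes" % nbytes)
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for sample in samples[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def max_channel_change(before, after):
    """Largest per-byte difference between cover and stego samples."""
    return max(abs(a - b) for a, b in zip(before, after))


# Constructed cover: 16 pixels of the blue shown above (R=0x46, G=0x82, B=0xB4).
COVER = bytes([0x46, 0x82, 0xB4]) * 16

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meow")
    print(extract_lsb(stego, 4), max_channel_change(COVER, stego))
```

No colour byte moves by more than one step, which is why the two swatches look the same while the low bits carry a recoverable message.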

The Sixth Message

There are many tools out there to encode and decode LSB steganography. Using the tool zsteg reveals zlib-compressed data hidden inside this image.

zsteg -a -v bh8gntidtu921.png
b2,rgb,lsb,yx       .. zlib: data="Ducks look dumb", offset=62, size=15
    00000000: 39 38 26 34 66 23 74 69  25 64 63 38 34 2e 32 30  |98&4f#ti%dc84.20|
    00000010: 32 2e 31 35 34 2e 32 35  30 2d 32 30 31 39 2d 30  |2.154.250-2019-0|
    00000020: 31 2d 31 31 54 32 31 3a  32 32 3a 33 32 2b 30 31  |1-11T21:22:32+01|
    00000030: 3a 30 30 39 38 26 34 66  23 74 69 25 64 63 78 da  |:0098&4f#ti%dcx.|
    00000040: 73 29 4d ce 2e 56 c8 c9  cf cf 56 48 29 cd 4d 02  |s)M..V....VH).M.|
    00000050: 00 2c 47 05 98 39 38 26  34 66 23 74 69 25 64 63  |.,G..98&4f#ti%dc|
    00000060: 34 66 23 74 69 25 64 63  ff ff ff ff ff ff ff ff  |4f#ti%dc........|
    00000070: ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

“Ducks look dumb” is the sixth and final message.
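Once a byte stream has been pulled out of the low bits, finding a zlib stream inside it comes down to checking for a valid two-byte header and letting the decompressor confirm the rest. The following is an added example, not zsteg's code or code from the original post: the 23 compressed bytes are the `78 da ... 05 98` run from the dump above, while the surrounding filler and the function names are constructed for illustration.

```python
import zlib

# The zlib stream visible in the zsteg dump above (78 da ... 2c 47 05 98).
PAGE_STREAM = bytes.fromhex("78da73294dce2e56c8c9cfcf564829cd4d02002c470598")

# Constructed carrier: filler before and after, standing in for the other
# bytes recovered from the image.
SAMPLE = b"PAD:" * 4 + PAGE_STREAM + b"\xff" * 8


def looks_like_zlib_header(cmf, flg):
    """RFC 1950: method 8 (deflate), window <= 32 KiB, header divisible by 31."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def carve_zlib(blob, max_out=1 << 20):
    """Return [(offset, decompressed_bytes)] for each complete zlib stream."""
    found, i = [], 0
    while i + 2 <= len(blob):
        if not looks_like_zlib_header(blob[i], blob[i + 1]):
            i += 1
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[i:], max_out)  # cap output against bombs
        except zlib.error:
            i += 1  # header matched by chance, body is not deflate
            continue
        if d.eof:  # stream ended cleanly and its Adler-32 checksum verified
            found.append((i, out))
            i = len(blob) - len(d.unused_data)  # resume after the stream
        else:
            i += 1
    return found


if __name__ == "__main__":
    for offset, data in carve_zlib(SAMPLE):
        print(offset, data)
```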


  1. Robertson, N. (2012, May 1). Documents Reveal Al Qaeda’s Plans For Seizing Cruise Ships, Carnage in Europe. CNN.