Basic Steganography and PNG Files
Introduction to Steganography
While browsing Reddit, I came across this image: The poster claimed that within this picture, there were six hidden messages.
To solve this, I needed to use some steganography tools and techniques. Steganography is the art of hiding information, commonly inside other forms of media. In this case, the messages are hidden inside a picture. Messages can also be hidden inside music, video and even other messages. In contrast to cryptography, which hides a message's meaning, steganography hides the message's very existence.
Steganographic techniques have been used to conceal secrets for as long as humans have had them. Today, they are used by international intelligence agencies, drug cartels and even Al-Qaeda [1]. Steganographic challenges are frequently found in modern CTF competitions.
Finding the Messages
The First Message
Perhaps the easiest message to spot is the text in the gray letters.
“hi there.”
The Second Message
The second message is in very tiny font at the bottom right hand corner.
“GO AWAY”
The Third Message
While easy to spot, the third message is a bit more cryptic. "zrbj zrbj" appears to be encrypted. It is encoded with ROT13, a Caesar cipher with a fixed shift of 13, one of the oldest and simplest ciphers. Because 13 is half the alphabet, applying ROT13 twice returns the original text, so the same operation both encodes and decodes. Using an online decoder reveals the message "meow meow".
PNG Files
Checking with the `file` command yields the following:
file bh8gntidtu921.png
bh8gntidtu921.png: PNG image data, 853 x 846, 8-bit/color RGB, non-interlaced
This confirms the file is a PNG: 853 x 846 pixels, 8 bits per channel, RGB (truecolour), non-interlaced.
PNG (Portable Network Graphics) is a lossless raster image format.
The first 8 bytes of the file are the PNG signature (magic number). This is what lets tools such as `file` recognise it as a PNG. The signature is also designed to expose transfer damage: it contains both CR LF and a lone LF, so a file that has been through line-ending conversion no longer matches.
hexdump -C -n 8 bh8gntidtu921.png
00000000 89 50 4e 47 0d 0a 1a 0a |.PNG....|
00000008
After the signature comes a series of chunks. The first four bytes of a chunk give the length of its data field (big-endian). The next four bytes are the chunk type, four ASCII letters. Then comes the chunk data, of the length given in the first four bytes. The chunk ends with a 4-byte CRC-32 computed over the chunk type and data (not the length), which lets a decoder detect corruption. Chunk types whose first letter is upper-case are critical: a decoder must understand them to render the image.
There are four critical chunk types:
- IHDR: image header; always the very first chunk.
- PLTE: palette table; required for indexed-colour images, optional for truecolour images such as this one.
- IDAT: image data; may be split across several consecutive chunks.
- IEND: trailer; marks the end of the PNG datastream and carries no data.
A common method of hiding flags in these types of challenges is to place messages after the IEND chunk. Decoders stop reading at IEND, so data appended after it does not change how the image is displayed; only the file size changes. It is therefore the first thing to check: compare the end of the IEND chunk (its offset plus 12 bytes for length, type and CRC) with the size of the file.
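The chunk layout and the trailer check described above, as an added example that is not part of the original write-up. It walks a PNG chunk by chunk, verifies each CRC over type plus data, and reports whatever follows IEND. Rather than the Reddit image, it runs on a constructed 2x2 PNG built by the `build_png` helper (a name chosen here), with a note appended after IEND the way the hexdump later in the post shows.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # the 8 magic bytes


def parse_png(data: bytes):
    """Walk a PNG datastream chunk by chunk.

    Returns (chunks, trailing): one dict per chunk (type, length, offset,
    critical flag, whether the stored CRC matches) and whatever bytes follow
    IEND. Decoders stop at IEND, so trailing bytes are invisible in a viewer.
    """
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], 8
    while True:
        if pos + 8 > len(data):
            raise ValueError("ran out of data before IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                 # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        stored_crc, = struct.unpack(">I", data[end - 4:end])
        chunks.append({
            "type": ctype.decode("latin-1"),
            "length": length,
            "offset": pos,
            "critical": chr(ctype[0]).isupper(),               # upper-case first letter = critical
            "crc_ok": zlib.crc32(ctype + body) == stored_crc,  # CRC covers type + data, not length
        })
        pos = end
        if ctype == b"IEND":
            return chunks, data[pos:]


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width: int, height: int, rgb: bytes) -> bytes:
    """Build a minimal 8-bit RGB, non-interlaced PNG from raw pixel bytes (helper written for this example)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # bit depth 8, colour type 2 = RGB
    row = width * 3
    # every scanline is prefixed with filter type 0 (None)
    raw = b"".join(b"\x00" + rgb[y * row:(y + 1) * row] for y in range(height))
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


# Constructed sample: a 2x2 image with a note appended after IEND, as in the write-up
SAMPLE = build_png(2, 2, bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255])) + b"\r\nQuick! Look behind you!"


def trailing_message(data: bytes) -> bytes:
    """Return the bytes hidden after IEND, or b'' if there are none."""
    return parse_png(data)[1]


if __name__ == "__main__":
    chunks, trailing = parse_png(SAMPLE)
    for c in chunks:
        print(f"{c['offset']:#08x} {c['type']} len={c['length']} critical={c['critical']} crc_ok={c['crc_ok']}")
    print("after IEND:", trailing)
```

Point `parse_png` at the real file (`parse_png(open("bh8gntidtu921.png", "rb").read())`) and the trailing bytes it returns are exactly the ones the hexdump in the next section shows after the IEND CRC. A chunk with `crc_ok` False is worth a closer look too: it means someone edited chunk data without recomputing the CRC, which most viewers tolerate for ancillary chunks.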
The Fourth Message
Using `hexdump` to look at the image:
hexdump -C bh8gntidtu921.png
00000000 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 |.PNG........IHDR|
-snip-
0000bde0 af e1 ce d8 e6 8c 77 4f df e6 8c 8d a3 28 fa 1f |......wO.....(..|
0000bdf0 36 a6 5b e3 21 7a 24 6f 00 00 00 00 49 45 4e 44 |6.[.!z$o....IEND|
0000be00 ae 42 60 82 0d 0a 51 75 69 63 6b 21 20 4c 6f 6f |.B`...Quick! Loo|
0000be10 6b 20 42 65 68 69 6e 64 20 79 6f 75 21 20 54 68 |k Behind you! Th|
0000be20 65 72 65 27 73 20 61 62 73 6f 6c 75 74 65 6c 79 |ere's absolutely|
0000be30 20 6e 6f 74 69 6e 67 20 75 6e 75 73 75 61 6c 20 | noting unusual |
0000be40 74 68 65 72 65 21 |there!|
0000be46
The message "Quick! Look Behind you! There's absolutely noting unusual there!" (typo in the original) can be seen appended directly after the IEND chunk's CRC (ae 42 60 82) at the end of the file.
The Fifth Message
I used the `strings` command to try and locate more messages, but didn't see anything. Next, I checked the image with a tool called Stegsolve. Using Stegsolve I am able to manipulate the colors. When given certain filters, colors that were barely perceptible before are made obvious.
Scanning this QR code gives the message “Your feet smell like cheese”.
Least Significant Bit (LSB)
A common steganography trick is to hide a message in the least significant bits (LSB) of an image. Raster images like PNGs are made up of pixels, and the pixel data lives in the IDAT chunks. In an 8-bit RGB image such as this one, each pixel is three bytes, one each for red, green and blue, 24 bits per pixel. The total number of colours that can be represented is $$2^{24}=16777216$$, far more than the human eye can distinguish.
To hide information, the least significant bit of each byte is overwritten with one bit of the message. Each channel value changes by at most 1 out of 255, a colour change imperceptible to the human eye, so the image looks untouched while carrying the message. The cost is that the hidden data is trivially recoverable by anyone who reads the low bits back out, which is exactly what the tools below do.
For example, see the below images. We start with this shade of blue.
Changing the last bit of each of these bytes results in this color, which is seemingly identical.
The Sixth Message
There are many tools out there to encode and decode LSB steganography. Running zsteg over the image reveals zlib-compressed data hidden inside it. In zsteg's notation, `b2,rgb,lsb,yx` means two bits per channel (not just one), channels taken in red, green, blue order, the least significant bits, and pixels traversed in the tool's `yx` order:
zsteg -a -v bh8gntidtu921.png
b2,rgb,lsb,yx .. zlib: data="Ducks look dumb", offset=62, size=15
00000000: 39 38 26 34 66 23 74 69 25 64 63 38 34 2e 32 30 |98&4f#ti%dc84.20|
00000010: 32 2e 31 35 34 2e 32 35 30 2d 32 30 31 39 2d 30 |2.154.250-2019-0|
00000020: 31 2d 31 31 54 32 31 3a 32 32 3a 33 32 2b 30 31 |1-11T21:22:32+01|
00000030: 3a 30 30 39 38 26 34 66 23 74 69 25 64 63 78 da |:0098&4f#ti%dcx.|
00000040: 73 29 4d ce 2e 56 c8 c9 cf cf 56 48 29 cd 4d 02 |s)M..V....VH).M.|
00000050: 00 2c 47 05 98 39 38 26 34 66 23 74 69 25 64 63 |.,G..98&4f#ti%dc|
00000060: 34 66 23 74 69 25 64 63 ff ff ff ff ff ff ff ff |4f#ti%dc........|
00000070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
"Ducks look dumb" is the sixth and final message. The surrounding hexdump is the raw bit-plane data zsteg extracted; the zlib stream itself starts at the 78 da header at offset 0x3e and ends with the 4-byte Adler-32 checksum 2c 47 05 98.
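The LSB technique from the previous section and the zsteg result above, as one added example that is not part of the original write-up or of zsteg. It embeds data into the low bits of raw RGB samples with a configurable number of bits per channel (1 bit as in the explanation, 2 bits as in zsteg's `b2` line), reads them back out, and scans the recovered bytes for a zlib stream the way a tool would. It works on decoded sample bytes rather than a PNG file, since that is what remains after inflating and unfiltering the IDAT chunks; the cover pixels, the function names and the `yx`-style row-major traversal are all assumptions made for this example.

```python
import zlib


def lsb_embed(pixels: bytes, payload: bytes, bits: int = 1) -> bytes:
    """Hide `payload` in the `bits` least significant bits of each sample byte.

    `pixels` is the decoded image as raw samples (R,G,B,R,G,B,... row by row,
    which is what an unfiltered PNG IDAT stream holds). Payload bits are written
    most significant bit first, one group of `bits` bits per sample.
    """
    if not 1 <= bits <= 8:
        raise ValueError("bits must be between 1 and 8")
    capacity = len(pixels) * bits // 8
    if len(payload) > capacity:
        raise ValueError(f"payload is {len(payload)} bytes, capacity is {capacity}")
    bitstream = "".join(f"{b:08b}" for b in payload)
    bitstream += "0" * (-len(bitstream) % bits)   # pad the last group
    keep = 0xFF ^ ((1 << bits) - 1)               # mask that clears the low bits
    out = bytearray(pixels)
    for i in range(0, len(bitstream), bits):
        out[i // bits] = (out[i // bits] & keep) | int(bitstream[i:i + bits], 2)
    return bytes(out)


def lsb_extract(pixels: bytes, bits: int = 1) -> bytes:
    """Read the low `bits` of every sample and pack them back into bytes."""
    bitstream = "".join(f"{p & ((1 << bits) - 1):0{bits}b}" for p in pixels)
    return bytes(int(bitstream[i:i + 8], 2) for i in range(0, len(bitstream) - 7, 8))


def find_zlib(blob: bytes):
    """Scan a byte string for embedded zlib streams, the way zsteg reports them.

    Returns a list of (offset, decompressed_bytes). A zlib header is two bytes
    whose big-endian value is a multiple of 31 and whose first byte has a low
    nibble of 8 (deflate); a candidate is accepted only if it inflates cleanly
    to its end-of-stream marker with a valid Adler-32.
    """
    found = []
    for i in range(len(blob) - 1):
        cmf, flg = blob[i], blob[i + 1]
        if cmf & 0x0F != 8 or ((cmf << 8) | flg) % 31:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[i:])   # trailing junk after the stream is left in d.unused_data
        except zlib.error:
            continue
        if d.eof:
            found.append((i, out))
    return found


# Constructed sample: 100 pixels of one shade of blue (R=0x1E, G=0x90, B=0xFF), row-major RGB
COVER = bytes([0x1E, 0x90, 0xFF]) * 100


def demo(bits: int = 2):
    """Hide a zlib-compressed message at `bits` bits per channel and recover it.

    Returns (largest per-channel change, zlib hits found in the extracted bits).
    """
    secret = zlib.compress(b"Ducks look dumb", 9)
    stego = lsb_embed(COVER, secret, bits)
    worst = max(abs(a - b) for a, b in zip(COVER, stego))   # at most 2**bits - 1
    hits = find_zlib(lsb_extract(stego, bits))
    return worst, hits


if __name__ == "__main__":
    for bits in (1, 2):
        worst, hits = demo(bits)
        print(f"{bits} bit(s)/channel: max channel change {worst}, hits {hits}")
```

At one bit per channel no sample moves by more than 1, which is why the two blue swatches in the previous section look identical; at two bits the change is still at most 3 out of 255. The scanner does not need to know where the hidden stream starts or ends: the zlib header check bits and the trailing Adler-32 give it both, which is why zsteg can report `offset=62, size=15` from raw bit-plane output.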
1. Robertson, N. (2012, May 1). Documents Reveal Al Qaeda's Plans For Seizing Cruise Ships, Carnage in Europe. CNN.