
Leetmore CTF 2012: Stego 300 (Go Through The Tunnel)

This entry was posted on Oct 18 2012

The challenge was to extract the key hidden inside the PNG image below.

 

Using the stego plugin for Paint.NET to extract the 1-bit hidden image (shown below), we noticed what looks like a repeating pattern in the least significant bit (LSB) of each pixel.

 

So let's examine it a bit further.

>>> from PIL import Image
>>>
>>> # Open PNG image object.
>>> im = Image.open('stg300.png')

When we take the least significant bit of each color channel of a pixel, we see that this bit is the same in every channel. For example:

> Pixel: 0×0
> DecToBinary: 0000001[0]
> DecToBinary: 0000110[0]
> DecToBinary: 0001000[0]
> Pixel: 0×1
> DecToBinary: 0000010[1]
> DecToBinary: 0000111[1]
> DecToBinary: 0001001[1]

The LSB always has the same value in every color channel of a given pixel.
So, for pixel 0, we keep only 0.
For pixel 1, we keep only 1.
Thus, after 8 pixels, the collected bits make up 1 byte of hidden data.

>>> for pixel in im.getdata():
...     print([color & 1 for color in pixel])

[0, 0, 0]
[1, 1, 1]
[0, 0, 0]
[0, 0, 0]
[0, 0, 0]
[0, 0, 0]
[1, 1, 1]
[1, 1, 1]
[0, 0, 0]
[1, 1, 1]
[1, 1, 1]
[0, 0, 0]
[1, 1, 1]
[1, 1, 1]
[1, 1, 1]
[1, 1, 1]
[0, 0, 0]

Looking at the number of pixels, we see that it is a multiple of 8, so the least significant bit of a single color channel of each pixel is enough to form whole bytes.

>>> print("Number of pixels: " + str(len(list(im.getdata()))))

Number of pixels: 229920

Extract the least significant bit of only one color channel of each pixel:

>>> # Store least significant bit of each pixel (of only one color) in lsb
>>> lsb = ""
>>>
>>> for pixel in im.getdata():
...     # Add least significant bit of the current pixel.
...     lsb += str(pixel[1] & 1)
...
>>> # Convert every group of 8 bits (most significant bit first) to a character.
>>> print("".join([chr(int(lsb[i:i+8], 2)) for i in range(0, len(lsb), 8)]))

Congrats
You win!
The
Flag
is
4E34B38257200616FB75CD869B8C3CF0 *** Congrats
You win!
The
Flag
is
4E34B38257200616FB75CD869B8C3CF0 *** Congrats
You win!
The
Flag
is
4E34B38257200616FB75CD869B8C3CF0 *** Congrats
You win!
The
Flag
is
4E34B38257200616FB75CD869B8C3CF0 *** Congrats
You win!

Solution: 4E34B38257200616FB75CD869B8C3CF0
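
The extraction above, generalised into a small checker (an added example, not part of the original write-up): it measures how often all channel LSBs of a pixel agree (about 25% for independent random LSBs, 100% in this challenge), packs one channel's LSBs into bytes, and finds the repeat period of the hidden message. It is written for Python 3 and works on plain pixel tuples such as `list(im.getdata())`; the `embed` helper, the sample message and all function names are constructed for illustration.

```python
import random

def embed(message, n_pixels, seed=0):
    """Constructed cover data: random RGB pixels whose three LSBs all carry
    the same message bit; the message repeats to fill the image."""
    rng = random.Random(seed)
    bits = [(b >> (7 - i)) & 1 for b in message.encode("ascii") for i in range(8)]
    return [tuple((rng.randrange(256) & ~1) | bits[p % len(bits)] for _ in range(3))
            for p in range(n_pixels)]

def channel_agreement(pixels):
    """Fraction of pixels whose channel LSBs are all equal."""
    same = sum(1 for px in pixels if len({c & 1 for c in px}) == 1)
    return same / len(pixels)

def extract(pixels, channel=1):
    """Pack one channel's LSBs into bytes, MSB first, 8 pixels per byte."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for px in pixels[i:i + 8]:
            byte = (byte << 1) | (px[channel] & 1)
        out.append(byte)
    return bytes(out)

def repeat_period(data):
    """Smallest p with data[i] == data[i + p] for every i, or None."""
    for p in range(1, len(data) // 2 + 1):
        if data[p:] == data[:-p]:
            return p
    return None

if __name__ == "__main__":
    msg = "Flag is PLACEHOLDER *** "          # constructed sample, 24 bytes
    stego = embed(msg, len(msg) * 8 * 5)      # message repeated 5 times
    rng = random.Random(1)
    noise = [tuple(rng.randrange(256) for _ in range(3)) for _ in range(4000)]
    for name, px in (("stego", stego), ("noise", noise)):
        print(name, "LSB agreement: %.2f" % channel_agreement(px))
    hidden = extract(stego)
    period = repeat_period(hidden)
    print("period:", period, "message:", hidden[:period])
```
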