Add seccon19 writeup

[pub/jan/ctf-seminar.git] / writeups / ifkata / seccon19.md

# Seccon: misc-sandstorm

The task was chosen, because it seemed interesting at first and I have never seen such a challenge before. 

### Status: not solved

### What I considered
Generally, I found out that there could be 5 ways of hiding data in the image:
* text in the raw bytes of the image
* embedding a file in the image
* hiding pixels in a single color plane
* hiding data in the bits of the pixel data in the image
* image metadata


### What I tried
1. Testing the image metadata:
    ```
    exiftool sandstorm.png
    ```
2. Testing for printable strings of different length (here, for example 10):
    ```
    strings -a -n 10 sandstorm.png
    ```

3. Viewing the hex representation of the image just in case there was something after the file end:
    ```
    xdd sandstorm.png
    ```

4. Checking what bitwalk could extract and analyzing the extracted files
    ```
    $ bitwalk -e sandstorm.png
    -rw-r--r-- 1 ivo ivo     0 Oct 19 18:14 3B
    -rw-r--r-- 1 ivo ivo 63456 Oct 19 18:14 3B.zlib
    $ zlib-flate -uncompress < 3B.zlib
    ```
    Nothing of interest was found though

5. I analyzed the RGBA Values of the image and checked if I could find something there. I used https://georgeom.net/StegOnline/ for this

6. Using (Stegsolve)[https://en.kali.tools/all/?tool=1762] I tried changing the different image channels in case something was there

7. Again, using Stegsolve I tried changing to different bit planes and checking out the result

8. Using (zsteg)[https://github.com/zed-0xff/zsteg] I tried exploring the file a little further and I found out this:
```
b1,r,msb,xy         .. text: "SEF:\r$CW"
b3,rgba,lsb,xy      .. file: MPEG ADTS, AAC, v4 Main, 88.2 kHz, stereo+center+LFE
b4,rgb,lsb,xy       .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
```

Which, I think, means that there is an audio file inside the image.