From ee1e09c216dbbee1d4c6e0d2e229d660870afaa2 Mon Sep 17 00:00:00 2001 From: Ivaylo Ivanov Date: Mon, 21 Oct 2019 17:22:35 +0200 Subject: [PATCH] Add seccon19 writeup --- writeups/ifkata/seccon19.md | 53 +++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 writeups/ifkata/seccon19.md diff --git a/writeups/ifkata/seccon19.md b/writeups/ifkata/seccon19.md new file mode 100644 index 0000000..72acc10 --- /dev/null +++ b/writeups/ifkata/seccon19.md 
@@ -0,0 +1,53 @@ +# Seccon: misc-sandstorm + +The task was chosen, because it seemed interesting at first and I have never seen such a challenge before. + +### Status: not solved + +### What I considered +Generally, I found out that there could be 5 ways of hiding data in the image: +* text in the raw bytes of the image +* embedding a file in the image +* hiding pixels in a single color plane +* hiding data in the bits of the pixel data in the image +* image metadata + + +### What I tried +1. Testing the image metadata: + ``` + exiftool sandstorm.png + ``` +2. Testing for printable strings of different length (here, for example 10): + ``` + strings -a -n 10 sandstorm.png + ``` + +3. Viewing the hex representation of the image just in case there was something after the file end: + ``` + xdd sandstorm.png + ``` + +4. Checking what bitwalk could extract and analyzing the extracted files + ``` + $ bitwalk -e sandstorm.png + -rw-r--r-- 1 ivo ivo 0 Oct 19 18:14 3B + -rw-r--r-- 1 ivo ivo 63456 Oct 19 18:14 3B.zlib + $ zlib-flate -uncompress < 3B.zlib + ``` + Nothing of interest was found though + +5. I analyzed the RGBA Values of the image and checked if I could find something there. I used https://georgeom.net/StegOnline/ for this + +6. Using (Stegsolve)[https://en.kali.tools/all/?tool=1762] I tried changing the different image channels in case something was there + +7. Again, using Stegsolve I tried changing to different bit planes and checking out the result + +8. Using (zsteg)[https://github.com/zed-0xff/zsteg] I tried exploring the file a little further and I found out this: +``` +b1,r,msb,xy .. text: "SEF:\r$CW" +b3,rgba,lsb,xy .. file: MPEG ADTS, AAC, v4 Main, 88.2 kHz, stereo+center+LFE +b4,rgb,lsb,xy .. file: MPEG ADTS, AAC, v4 Main, 96 kHz +``` + +Which, I think, means that there is an audio file inside the image. -- 2.43.0
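Review bot: Two commands in the "What I tried" list of the new writeups/ifkata/seccon19.md will not run as written: step 3 uses `xdd sandstorm.png`, which looks like a typo for `xxd`, and step 4 uses `bitwalk -e`, which looks like `binwalk -e` given the extracted `3B` / `3B.zlib` files. Please correct the names so a reader can reproduce the steps. In step 4 the `-rw-r--r--` lines are directory-listing output, so show the listing command that produced them, and indent the step 8 fence like the fences in steps 1 to 4 so it stays inside the list item. The links in steps 6 and 8 are written as `(Stegsolve)[...]` and `(zsteg)[...]`; Markdown needs `[text](url)`, otherwise they render as literal text. The closing sentence concludes that an audio file is embedded based only on zsteg's `file:` type guesses for `b3,rgba,lsb,xy` and `b4,rgb,lsb,xy`; since the status is "not solved", say whether those payloads were extracted and checked, and mention the `b1,r,msb,xy` text hit as well, so the reader can tell a confirmed finding from a signature match.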