Tags: stegano steganography stegno stego
# Quals Saudi and Oman National Cyber Security CTF 2019 – Try to see me
* **Category:** Digital Forensics
* **Points:** 100
> you'll need your glasses or good pair of eyes and some brainzzz.
This is a steganography challenge.
Analyzing the [file](https://github.com/m3ssap0/CTF-Writeups/raw/master/Quals%20Saudi%20and%20Oman%20National%20Cyber%20Security%20CTF%202019/Try%20to%20see%20me/final) with an hexadecimal editor, it will seem like a BMP file without the `BM` file signature. It is sufficient to modify the first two bytes with `BM` signature and to rename it with `.bmp` extension to open the image.
The image contains a message: *"Can u c me? I bet u can't!"*, and on the right something is written with a very light color.
That is: `3c034c8ecf5121fc23612ef9d71756b0`. This is not the flag, but the MD5 hash of: `potatoman`.
Trying with *steghide*, you will discover that something is hidden in the image, without filename and protected with the previous hash.
$ steghide --info final.bmp -p 3c034c8ecf5121fc23612ef9d71756b0
format: Windows 3.x bitmap
capacity: 19.6 KB
size: 32.0 Byte
encrypted: rijndael-128, cbc
You can use *steghide* to extract it.
$ steghide --extract -sf final.bmp -p 3c034c8ecf5121fc23612ef9d71756b0 -xf final.out
wrote extracted data to "final.out".
The extracted file is a text file with the flag.
Can you elaborate on how you decided that it was a bmp file.
I've searched the net on how to identify the file signatures. I was stuck on this during the task and i still cant seem to understand how you decided that it was a bmp file. Since the file signature of bmp is 42 4D and the signature on the file seems to be removed.
Thanks in Advance