CTFtime.org

Baby Steganography

by boo / 2u1q

Tags: forensic 

Rating:

# 2020 Defenit CTF - Baby Steganography
>###### TAGS: `forensic`
>[name=rlaclgjs@PLUS]

## Attachments
* writeup
* [solver code](https://gist.github.com/rlaclgjs1107/263cd8e085ac98c8d15f07a690223d97#file-sol-py)

Attachments are uploaded on [gist](https://gist.github.com/rlaclgjs1107/263cd8e085ac98c8d15f07a690223d97)

## Challenge
```
Description
I heared you can find hide data in Audio Sub Bit.
Do you want to look for it?
```
Challenge provides a file named `problem`.

## Solution
Below is file header of `problem`, opened with `HxD Editor`.

![fileheader](https://user-images.githubusercontent.com/53330811/84628225-310eef80-af23-11ea-8a49-a8990fb66c84.PNG)

Reading header of the file, we can know `problem` is `.wav` format file.
Because description of the challenge mentioned `Audio Sub Bit`, I noticed the challenge is about `LSB`.

Wave information is contained in `data` subchunk that comes after `fmt` subchunk.

So, The flag will be hidden in the `LSB` of the actual information behind the `ckID` and `cksize` of the `data` subchunk.

Let's check out!

## Solver
```
with open("problem", "rb") as f:

ckID = f.read(4)
cksize = f.read(4)
WAVEID = f.read(4)

ckID_ = f.read(4)
cksize_ = f.read(4)
wFormatTag = f.read(2)
nChannels = f.read(2)
nSamplesPerSec = f.read(4)
nAvgBytesPerSec = f.read(4)
nBlockAlign = f.read(2)
wBitPerSample = f.read(2)

ckID__ = f.read(4)
cksize__ = f.read(4)

print("ckID : %s"%ckID)
print("cksize : %s"%cksize)
print("WAVEID : %s"%WAVEID)
print("=======")
print("ckID : %s"%ckID_)
print("cksize : %s"%cksize_)
print("wFormatTag : %s"%wFormatTag)
print("nChannels : %s"%nChannels)
print("nSamplePerSec : %s"%nSamplesPerSec)
print("nAvgBytesPerSec : %s"%nAvgBytesPerSec)
print("nBlockAlign : %s"%nBlockAlign)
print("wBitPerSample : %s"%wBitPerSample)
print("=======")
print("ckID : %s"%ckID__)
print("cksize : %s"%cksize__)

res = open("res.txt", "w", encoding="utf-8")
while True:
for i in range(8):
break_f = 0
data_raw = f.read(1)
if not data_raw:
break_f = 1
break
data = str(bin(int.from_bytes(data_raw, 'big') & 1)).split('b')[1]
res.write(data)
if(break_f==1):
break
res.write("\n")

res.close()
res_r = open("res.txt", "r")
res_string = open("res_str.txt", "w", encoding="utf-8")
for l in res_r:
try:
res_string.write(chr(int(l,2)))
except:
res_string.close()
res_string.close()
```

Then in the first line of the file `res_str.txt`, there is a flag!

## Flag
`Defenit{Y0u_knOw_tH3_@uD10_5t39@No9rAphy?!}`

Original writeup (https://gist.github.com/rlaclgjs1107/263cd8e085ac98c8d15f07a690223d97).

Comments