Capture the Flag - Little School Bus
Had a blast participating with a few local DC416 folks in the 2017 picoCTF!
Challenge:
Can you help me find the data in this littleschoolbus.bmp?
Hint: Look at least significant bit (LSB) encoding!!
In retrospect the solution was fairly straightforward, but, tunnel vision got the best of me. Thankfully in the end I ended up learning quite a bit about steganography and LSB. (Disclaimer, it was solved by a teammate).
Here was the image:
Ran java -jar Stegsolve.jar to view each bit plane on its own. Browse around
http://caesum.com/handbook/stego.htm and look for the Stegsolve download link.
# install
wget caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
# launch/run
java -jar stegsolve.jar
File > Open > image, cycle through the planes. Interesting, there is something in the bottom-left corner of the image.
Here is just that bottom row:
The image is 252px × 199px (w x h). Let's concentrate on that last row, the 199th row; either crop out the pixels or write some code.
I opted to write some Go code (no link).
Flag:
flag{remember_kids_protect_your_headers_afb3}
The idea was to grab each byte's LSB in sequence and construct a new binary message. Then read that binary in sequence to get the flag. For example:
| Binary | ASCII |
|---|---|
| 01100110 | f |
| 01101100 | l |
| 01100001 | a |
| 01100111 | g |
| ... | ... |
I overcomplicated the challenge by thinking there was an image within the image, (inspiration drawn from this site. Fantastic resource).
Long story short, I took all the LSB's in sequence and read them in chunks of 3; obtaining values between 000-111 (decimal 0-7) to construct an 8-bit greyscale image.
Nothing fruitful in the reconstructed 8-bit greyscale image. Although it was a failed attempt it was fun.
(this portion was written in python w/ pyplot)
For fun, I pulled the image from DataGenetic's site and extracted the Flanker!
Useful Resources:
http://dragonwins.com/domains/getteched/bmp/bmpfileformat.htm