Steganography / InfoSec / CTF

Hyperion Gray Steganography Challenge

. 5 min read . Written by Nautilus
Hyperion Gray Steganography Challenge

I wrote this blog post shortly after the last person submitted the flag to the Hyperion Gray Steganography challenge. However, I didn't post it immediately since I was thinking of moving my blog over to a self-hosted domain at the time (here). So, (finally) here's my write-up of a pretty fun steganography-based challenge from Hyperion Gray.

So, I woke up this morning and saw that there was a steganography challenge on my Twitter timeline.. Let’s get straight to work.

I started off by putting the image supplied by Hyperion Gray into stegsolve.jar which showed me that there was some interesting text at the top of the image:

However,  this text is not very legible, so let’s try moving to Gimp and seeing if we can make it a bit easier to read.

After playing around with some colors for awhile I finally got a readable (if i squint a little) link:

Link: https://github.com/5C4R48Security/HGStegoChallenge

After browsing to the github page, we can see that there are three files:

1.NothingToSeeHere.txt
2.README.md
3.secretmap.jpg

Let’s download all of these files and see what’s going on!

The first thing I did after unzipping the files was cat the README.md and NothingToSeeHere.txt which resulted in:

The first thing that stood out to me was the garbled text in the README.md. So I threw it straight into a ROT Cipher decoder:

I hate everything right now.

Okay now let’s try looking at secretmap.jpg

Thankfully, instead of Rick Astley, we're presented with an image of Hyperion Gray's 'Dark Web Map' (which I would really recommend checking out if you haven't).

(I left the coffee shop I was at, went home, and switched to my desktop. Hence the background and terminal change in-between the photos).

After I got home I tried to use StegCracker on the image and played around in Stegsolve for a bit but didn’t get anywhere.

From here I decided to use Binwalk on the image:

Now let's extract the contents of secretmap.jpg and see what's going on:

The first folder I browsed to was 53cr3t5 which resulted in me finding an image called hglogosteg.jpg. When opened this image showed the following:

From here I tried attacking the file with Stegcracker again which yielded no results:

After following dead ends for a few minutes I decided to check out the __MACOSX directory which contained two hidden files:

Although the ._.DS_Store contained nothing.. There was some interesting text hidden in ._hglogosteg.jpg:

Now, the interesting thing about this information is that I've used futureboy.us/stegano before. Futureboy.us/stegano uses Steghide to encode or decode images online. If you're interested in checking it out then click here.

The fact that the specific url we've been provided with ends in encode.pl and encinput.html leads me to believe that there is a password on the image - but not a common password which can be found in rockyou.txt. Therefore, it's fair to assume that I missed something in one of the original files I downloaded from GitHub.

After looking into the files a little more.. I decided that something must be going on with NothingToSeeHere.txt as this was the only file which hadn't been utilized so far:

After scouring the web high and low, I finally came across this website about unicode steganography.

This website is awesome. It shows how you can hide messages in regular twitter messages. After reading all the content on this website I discovered that the similar letters which replace normal letters are called "Unicode Homoglyphs"

So, let's try plugging in the text from NothingToSeeHere.txt:

Yikes, a white website on a white blog background. If you can't read the hidden message then I'd encourage you to check it out yourself! However, I will copy both the encoded message, and decoded message below:

Encoded message: There is absolutely nothіng to see here.  Nothіng I tell yоu.  NOTHING!  Leave me alone.  Nо
cοokіes for you.  Thіs is just
some nоnsense І jarbled together!
Decoded message: thisispaddingthis the password is st3g0iz1337   

Honestly. This is one of the coolest things I've ever seen. I love steganography and I hadn't heard or used this previously. But now we have a password.. And we can assume that this password is for the hglogosteg.jpg picture.

Now let's use steghide and extract any hidden contents form the image:

SWEET. Now let's view the extracted data:

Even sweeter. Looks like we've completed the challenge. Now we have to create a string with my Twitter handle (Nau71lus) followed by the flag (<hgst4g0>), and add a space in-between the two. This means that the full flag would look like this:

Nau71lus <hgst4g0>

All we have to do now is hash the string with sha1 which we can do in a second online:

Our final hash to win a free shirt (if I had found this challenge in time) would be:

c8f873f933e6828764fdca2cec6cb4e1b5f1787b

Final Thoughts

I really enjoyed this challenge. Although I didn't win anything I learned about something completely new and had a really fun time. If you're interested in learning more about steganography and trying challenges similar to this then I'd recommend checking out HackTheBox's steganography challenges!

Image Reference:

27_Aksioma_Amy Suo Wu__DSC7570” by Akisoma is licensed under CC BY 2.0