Ctf-i Spring Net Ding Cup first misc part writeup
Recently, because of the job registration of the net Tripod Cup, was abused a few days later know oneself or too young! Share your own experience in solving problems.
Minified
Topic:
A picture of a flower screen, PNG, old method, first look at the properties
There's nothing.
Throw it in the WINHEXV and see.
The header file is normal, it is PNG, and trying to search the flag keyword has not been harvested.
Keep throwing it into the Kali and analyze it with Binwalk.
And I didn't find anything unusual.
Would it be highly steganography, directly in the Kali double hit open png picture, found that can open normally ( Note: The modified height of the picture cannot be opened directly in the Kali, will show that the image cannot be loaded )
That continues to analyze the Idat block, Idat is a PNG image of the image of the data stored in the block, it is unclear to add to the PNG image format knowledge
We use Pngcheck to analyze idat blocks of images
Well, there's no exception.
Finally, get stegsolve and run.
Click the right arrow to find red plane 0 incredibly empty, it should be and huaping the same picture actually all black, there must be a problem, and the other 0 channels are content
Click Analyse-data Extract to view the picture channel
Select 0 Channel Discovery Playload is an LSB steganography
Save the 0 channels of Alpha,green and blue separately for different or processing
The flag is found in the comparison between Alpha and Green as shown;
Clip
Open the topic found to be the. disk file, which should be a Linux disk file
But the title of the frequency is damaged, it must not go to Kali test, then analyze the file it
Open with WINHEXV.
Well, don't know what it is, keep looking down and find the hex data that is not the same as above! There may be something inside.
The file header of PNG was found in line 196,280th of Winhex ( Note: PNG 16 header starts with 89504E47 )
There is also a PNG image of IHDR
Cut out and add PNG header
Get two photos
Picture 1:
Picture 2:
PS Stitching of two images to get flag
original article, please indicate the source: