Stegoint: Where is steganography? | TryHackMe CTF
The article describes a way of hiding secret information with steganography and walks through how a QR code in a PNG image links to a GitHub tool repository, how the hidden file is extracted, and how tools such as binwalk, John the Ripper and CyberChef are used to decode the hidden message. 2025-9-9 06:58:4 Author: infosecwriteups.com

Huzaifa Malik

Steganography is a way of hiding a secret message in cover media such as an image, a text carrier file, audio or video. The information is hidden in such a way that only the intended recipient can access it.

Where is steganography?

Steganography is everywhere: in communications, in nature, in instruments, in our lives and in the digital world.

This writeup is dedicated to solving the TryHackMe room Stegoint, which tests steganography and file analysis skills.

Room link: https://tryhackme.com/room/stegoint

Download & analyze the task file

Download the task file, a .png image about 2 KB in size. The image is a QR code; scan it with the Google Image search tool and you will be given a link from this QR code. The link found in the .png image is the GitHub repository of a tool called ‘mitra’.

https://github.com/corkami/mitra

This tool is used to generate weird files such as polyglots. A polyglot file is a file that is valid as two different file formats at once. It is a steganography technique used to hide a secret file inside a file of another format, and it evades detection when a malicious program is hidden this way.

Assuming that the task file might be a polyglot (containing a hidden file), let's try to detect and extract any hidden file(s) from the .png.

Detecting and extracting polyglot

Use binwalk to detect and extract any hidden file from the .png file. What is binwalk? binwalk is a firmware analysis tool written in Rust, primarily used for file analysis, extraction and reverse engineering. It is pre-installed on Kali Linux, but you can also clone it from its GitHub repo. Once the tool is installed, run the following command to analyze the image file:

binwalk wordlist-1655197007917.png

(Image: binwalk_01)

The output above shows that there is a hidden zip archive within the .png image containing a file called secret.txt. binwalk can also extract this hidden zip archive using the following command:

binwalk -e wordlist-1655197007917.png

(Image: binwalk_02)
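What binwalk is reporting here is a ZIP archive that starts right after the PNG's final IEND chunk. The following added example (my code, not the write-up's, mitra's or binwalk's) builds a constructed PNG/ZIP polyglot in memory, walks the PNG chunk list to find where the image ends, and extracts the appended archive from that offset.

```python
"""PNG/ZIP polyglot: find and extract a ZIP appended after the IEND chunk."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header signature


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_polyglot(secret: bytes = b"hello from secret.txt") -> bytes:
    """Constructed sample: a 1x1 grayscale PNG with a ZIP holding secret.txt appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", secret)
    return png + buf.getvalue()


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def find_appended_zip(data: bytes):
    """Return (zip_offset, {member: bytes}) for a ZIP after IEND, else None."""
    off = data.find(ZIP_LOCAL_HDR, png_end_offset(data))
    if off == -1:
        return None  # nothing trailing the image: not a PNG/ZIP polyglot
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return off, {name: zf.read(name) for name in zf.namelist()}
```

Any bytes after IEND are ignored by image viewers, which is exactly why the trailing archive survives unnoticed; a quick check on untrusted images is whether png_end_offset is smaller than the file size.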

Explore the hidden data

After successfully extracting the hidden data from the image file, binwalk created a directory “_wordlist-1655197007917.png.extracted” containing the hidden files. Let's move into this directory and list its contents.

(Image: _wordlist-1655197007917.png.extracted)

Let's unzip the archive 912.zip and extract secret.txt using the following command:

unzip 912.zip

(Image: unzip 912.zip)

Unzipping the 912.zip archive failed because it is password protected. Stuck on this? Why not crack the zip file using a tool called John the Ripper.

Crack the zip archive

To crack a password-protected zip file we first need to generate a hash from the zip file, because John the Ripper is a hash cracking tool that works with many different hash formats. John the Ripper ships with a built-in utility that generates hashes for zip archives, which we can then crack. Use the following command to generate a hash of the zip archive and store it in a hash.txt file:

zip2john 912.zip > hash.txt

(Image: hash(912.zip))

Once the hash has been generated, use john to try different candidates and find the exact password string required to unzip the archive. Use the following command to run the hash file against the rockyou.txt wordlist:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

(Image: john_01)

Cracking the zip archive with the rockyou.txt wordlist failed, which shows that the password protecting the archive is stronger, or simply does not exist in rockyou.txt. Stuck again… what next?

The file name “wordlist-1655197007917.png” of our task file suggests it’s a wordlist, but it’s actually just an image of a QR code. When we scanned the QR code earlier, it led to a GitHub URL. Could that URL point to the real wordlist we need to crack the zip archive? Let’s explore the GitHub page, extract potential password combinations, and use them as a custom wordlist to crack the zip file password.

Crack zip archive using custom wordlist

We can use a tool called cewl to extract words from a webpage and generate a custom wordlist. Since the QR code from the task file led us to a GitHub page, we’ll use that URL to create our wordlist.

Here’s the command to generate a wordlist named wordlist.txt from the GitHub page:

cewl https://github.com/corkami/mitra -d 0 > wordlist.txt

This will crawl the page, collect unique words, and save them into wordlist.txt for use in cracking the zip file.

(Image: cewl https://github.com/corkami/mitra)

Once the wordlist has been generated with cewl, use the following command to run the hash against our custom wordlist with John the Ripper:

john hash.txt --wordlist=wordlist.txt

This successfully found the password of the zip archive, and with it the answer to our first question: “What is the Password of zip file?”
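The trick in this section is that the page the QR code points to is itself the wordlist. The following added example (my code, not the write-up's and not cewl) reproduces what cewl -d 0 does to a single page: strip the markup, keep visible words of at least three characters, and deduplicate them. The HTML below is a constructed stand-in for the GitHub page so the example runs offline.

```python
"""Build a custom wordlist from one web page's visible text, cewl-style."""
import re
from html.parser import HTMLParser

# Constructed stand-in for the mitra repository page; not the real page content.
SAMPLE_HTML = """<html><head><title>mitra</title><style>.x{color:red}</style></head>
<body><h1>Mitra</h1><p>A generator of binary polyglots: files that are valid
for two formats. Polyglots, chimeras and more.</p><script>var a=1;</script>
<p>Mitra mitra MITRA</p></body></html>"""


class _TextExtractor(HTMLParser):
    """Collect rendered text only; skip <script> and <style> bodies like a crawler."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def wordlist_from_html(html: str, min_len: int = 3, lowercase: bool = False) -> list:
    """Unique words in first-seen order, at least min_len characters (cewl's default is 3)."""
    parser = _TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z0-9_']+", " ".join(parser.parts))
    seen, out = set(), []
    for word in words:
        if lowercase:
            word = word.lower()
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            out.append(word)
    return out
```

Case variants are kept separately by default because zip passwords are case-sensitive; pass lowercase=True to collapse them when you want a shorter list.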

Unzip and analyze secret.txt

Now, unzip the archive file. When prompted for a password, enter the one we found earlier using John the Ripper and the wordlist.txt.

unzip 912.zip

This extracts secret.txt from the zip archive 912.zip. Now you can view the contents of secret.txt.

As shown in the output above, the secret.txt file contains encoded text. Encoding is a method used to make content less readable to unauthorized users, but unlike encryption it can be easily decoded if you know the technique that was used. One of the best tools for decoding such content is CyberChef, a powerful and user-friendly web app. Let's use it to decode the hidden message.

(Image: cyberchef)

Using the auto-detection of CyberChef's Magic operation, it automatically sets the recipe and decodes the data in secret.txt to the plain text “text_steg_in_secret_txt”. But this output string is not our final flag; it is a hint pointing to the existence of text steganography in the secret.txt file, another steganography technique used to hide a secret message in a text file.

How do we extract hidden data from a text file? The hint “Unicode text” for the final flag shows that a Unicode encoding technique was used to hide the secret message in the secret.txt file.

Decode & extract Unicode characters

I was exploring Unicode text steganography and Unicode character encoding. After reading several articles and watching tutorials, I still couldn’t extract the hidden message from the secret.txt file. After hours of searching online, I finally came across the official write-up by PakCyberbot, which pointed me to a useful tool:
🔗 https://330k.github.io/misc_tools/unicode_steganography.html
Using this tool, I was able to successfully extract and decode the hidden Unicode text to obtain the final flag.
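To make the "Unicode text" hint concrete, here is an added example (my code, not the write-up's and not the 330k tool) of one common zero-width scheme: each bit of the secret is carried by an invisible code point interleaved into ordinary text. The two characters chosen, and the bit they stand for, are an assumption of this example; the detection function is what a defender actually wants, since it flags invisible format characters regardless of which scheme produced them.

```python
"""Zero-width Unicode text steganography: hide, reveal and detect."""
import unicodedata

ZERO = "\u200b"  # ZERO WIDTH SPACE carries bit 0 (scheme is an assumption)
ONE = "\u200c"   # ZERO WIDTH NON-JOINER carries bit 1


def hide(cover: str, secret: str) -> str:
    """Insert the secret's UTF-8 bits, as zero-width chars, after the first word."""
    bits = "".join(f"{b:08b}" for b in secret.encode("utf-8"))
    payload = "".join(ONE if bit == "1" else ZERO for bit in bits)
    head, sep, tail = cover.partition(" ")
    return head + payload + sep + tail


def reveal(text: str) -> str:
    """Collect the zero-width chars in order and turn them back into bytes."""
    bits = "".join("1" if ch == ONE else "0" for ch in text if ch in (ZERO, ONE))
    usable = len(bits) - len(bits) % 8  # drop a trailing partial byte
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return raw.decode("utf-8", errors="replace")


def zero_width_report(text: str) -> dict:
    """Detection: count format (Cf) code points, which render invisibly."""
    counts = {}
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            counts[ch] = counts.get(ch, 0) + 1
    return {f"U+{ord(c):04X} {unicodedata.name(c, '?')}": n for c, n in counts.items()}
```

Run zero_width_report over secret.txt first: a text file that renders as a short sentence but contains dozens of Cf code points is the signal that a zero-width carrier is present, and the character set it reports tells you which decoder to try.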

(Image: https://330k.github.io/misc_tools/unicode_steganography.html)

Source: https://infosecwriteups.com/stegoint-where-is-steganography-tryhackme-ctf-81ee02779569?source=rss----7b722bfd1b8d---4