{"componentChunkName":"component---src-templates-post-template-js","path":"/himitsukichi-ctf-forensic-obilivious-en","result":{"data":{"markdownRemark":{"id":"c225ebd4-efd2-592b-98f8-b5af024e018c","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/himitsukichi-ctf-forensic-obilivious\">original page</a>.</p>\n</blockquote>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#problem\">Problem</a></li>\n<li><a href=\"#concept\">Concept</a></li>\n<li><a href=\"#writeup\">Writeup</a></li>\n<li><a href=\"#script-used-to-create-the-challenge\">Script Used to Create the Challenge</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"problem\" style=\"position:relative;\"><a href=\"#problem\" aria-label=\"problem permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Problem</h2>\n<p>This challenge was presented as follows.</p>\n<blockquote>\n<p>Hello expert.\nMy PC sent <a href=\"https://twitter.com/yuki_kashiwaba\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">@yuki_kashiwaba</a>’s twitter icon for C&#x26;C server.\nBut I couldn’t find any suspicious point.\nCould you investigate this?</p>\n<p>Format: HimitsukichiCTF{XXXX}\nFile: <a href=\"https://github.com/kash1064/Kaeru-no-Himitsukichi/raw/pages/file/flag.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">flag.png</a></p>\n</blockquote>\n<p>The image provided as the challenge file (flag.png) was the following.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 399px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3bd07725c6eecc23d84deeb4b9f895a8/a307d/flag-16650649768366.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 100%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAIAAAAC64paAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEYklEQVQ4yz2Sh09bVxTGn0ABQhQSUhQXEqgKgYaRMIKJIdiYhwcxHmCGw3YBR2wiis0IlEJSoKWlZT3b7xnbDDG8F88bLyA4NGr7H/XaaSt9+qR7dX/3O+fcC/mNcp9B7jrZdmm23VrErUf8ZvmZUQbcb8Z8JuCo34IGrBGFrDsBEwZ2ghYFEOTWSr16uVuDePVStw4I8RpkPhPqNUgDFgwI8MCDViwCWLGQFfNbwA4aMKNQwKTw6mR+I+rRIi4N4jPKAQaAM2PkBAgJWBT/CQ3Z0NApFrDKfRZZBPYb0HML4KVRIeAuEOsxSM+ifBRGQWC0CjRoi5D/yiKHPFpppGaD3KOTgubt2nWPUXZp3Q2aFVEy2qE1kuwDSxvgQfPyzw5gxH686dIiHp1sH1mooeb1DdEk73nYjvgDvuczyQAJ+PPTnY/uvQtcAcb2mYzAzuPt6IQwvXqVwcwqfn6znHGnojF28Ze6S9uu1ygFZNi5B2JV2+88JvQSV/wfDvkMMjDnkFW5L5snwfFk5m12S2bPYJkalYCHAW92gavQ9e+pTAqVSR2endGfIBenWDBaP+TRbTk1GyGrYnd7lvoyuaEjc3CKtIl1n+M756fKgBX75N7vH+p8THlGa6Sz2rhy2dKVQxk8xUK4AnIcbeCHv3u1SKuISOZ+8WayeudIZLCJvUYEdBt2qT0mrLbpJbuTOygR7WHvrx2qK4c67FB/dKohk3oVP1jfXBGnVcTA/NTxCZ7FumBzzJk0y2CEYbtqdnG8kMManuo/Pln/4NwFTNipvnbu/uneg3SKFffRVreInl4J8Zqzx8Vcg37O6VrUH/4IPgyu3aQIOGVtHWOTPRbDbz4beo5jlw7llV35CSTjB2tG1c8F8MNsckxDQ+7kFF9zMme3v8O1a2G7Uro1X8Bjkxq502+FDttG2KW8dqn/cO/+5d3/23sAWZTLmz+NpZJu5VXHM9jp303W76jGDzXifbUkfKpANmYqhcKqFs7M2w7cvBayIOdm2YVZHjRKfbpNSCdfHB9ovlcUV1B7k1J3Z2yatI4IVzcE75brj2WzP8z2lXV1lwja2kc7paqllWXxymz//ETbgqRzeqgVev2KRWPm3i2DbufcSPkqLpuY0D3yqG80XyDM6u4pGBqtIX/bXsjnE+trGN1NnSJ6a/vzLiH518X+7SUJVE7Mp8Bfk/kJpbUJKenxSV/eSHsay+/IgGkZLE6WsLdgRMxmddW2Cami3hdvRmiiPrKgtVwy2TMz3AFNDLSzmcUvKHdZ9YSs3MSiouSUzMQ8yi0qTMgvJFDhjF7AD5Jf95JGh+CBnqr+oYb6V+wmAa2jrwVq5lQ8KbpXSrwPU3KePklLIcRlZScl3o+p4hJI5clMVkqr4JvmhpxGbrZ4mCNqhinEHLiugtlIh3lkiF6Zy6GV8OglbLgYeAohgUbJHRTVEUqhUkZsDT2JxyBWVz4iPnvwOPMhXFnS28bm11WUlmU9SE3+B1SiVh4CsE2CAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3bd07725c6eecc23d84deeb4b9f895a8/8ac56/flag-16650649768366.webp 240w,\n/static/3bd07725c6eecc23d84deeb4b9f895a8/66086/flag-16650649768366.webp 399w\"\n              sizes=\"(max-width: 399px) 100vw, 399px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3bd07725c6eecc23d84deeb4b9f895a8/8ff5a/flag-16650649768366.png 240w,\n/static/3bd07725c6eecc23d84deeb4b9f895a8/a307d/flag-16650649768366.png 399w\"\n            sizes=\"(max-width: 399px) 100vw, 399px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3bd07725c6eecc23d84deeb4b9f895a8/a307d/flag-16650649768366.png\"\n            alt=\"https://raw.githubusercontent.com/kash1064/Kaeru-no-Himitsukichi/pages/file/flag.png\"\n            title=\"https://raw.githubusercontent.com/kash1064/Kaeru-no-Himitsukichi/pages/file/flag.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The image downloadable from my Twitter profile (<em>rUFTyqG</em>400x400.png) was the following.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 399px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/86f2d904f2ccd0967966f8994409fb28/a307d/original.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 100%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAIAAAAC64paAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEaElEQVQ4yz3RiVMaVxwH8G0cE20mprEmNCaxHY1Wo43RgFcAETkUOURDiCdGIPG2sXibpBoTTZs69WDZZbk8xotzFwEREAHP2Ezb/6gPbTvzm9+8efM++3vffdCeHQ3a0J0N9c6m2meGfVY4iKO7dmQPR/dwbNcBunaP0IacaNiJRpy6kAMDO2EcCxM6yGfWBKyobxMOWDU+Cyg4YEOCDm3ApgkBQ2iDDjREYGEnOB3tEScWItAQrgUFhXAsYEGCdq3fDO+Y1bt2FDAAwAIMBEOADBG6s0IjLm3EhYFbBHEkivds2gihC1g0fosmYIH3HFj0QzYNwFF/hsPRaaC04a2o/LcIFPKbNWd3RsEChPeYZ/125NC5GMZ15zKaEER16kCWkBP4s/xnHWDYsz6/Y4b9FmQZHi8vvafoZPVPCjG96si9FHQgQAK/79J/8i3tu3X/+yj2rqvP/5DV9Aubm5ZXGF/CSSiujZn4yD/cWgzYYCBPvEtBXGtQv/U7tIduHcDnBQVtyK5Vs+80LCNvisouUblX+E9SWzsKTOhAhNCDNztwG7WzrxlcOoPL6BobsW7AB67/sN+y4N2cAw+4qH7FqLwmbkxtHyqaw2T7bj24Ksj82bfc1tmUSX/IqmXz6oUIMnW0bQi7MHAA2l6bda/+7rfAdUoKTfj1j4Nl+jWlbas/YIdB2hOvye/AKiSV/CZBx4ByCZs89RqPt00n28ZTrwlyGD+6V2bnp1XJJV+U1dzsU4kI5/jW9hi+OeWzIMce49hEX66A1z30Yn1j9si7+MkLpAnIP31LkEU37VtbkCnYd6iQSJLepxLarK+8OxPW1XdBO+o2z9OlgoL6xt5BOWGbCW6hETd26DEcewyfwWT3yozd+CGHeTuddkEszhocqtncHPN43rrNMyceg2bhdY6oqqhWODzasr01d+w1nO4s/uFb+su//HdgBSIMU/Mfer8pupxVdonDT/lpUKQ3vlw1q5ZNAycuPTw3SpW1lEr4I6ONbnwmQsD7OHKAo2E7HLTMQxZkoq9dkvggNqcijl51tXe4aBZu+XVOOjlVvY6M/TyqKGiW5UvrG3qaNMb301P902Mv3qjqxweahrvqoOdPeSxu1lcF0JWM2KRvL6ZT4mQ9dxU92VJZmqw1u7OnnPqsPremhlJdzpE9blKy6xoKm1tov020qd/3Q8WU7FLmd7SaOHJFXNKdiwk3Y5Pvx9Q0pjBZKTxB2jN5TreKX9lcUd/CUMofvewuVypo0rrigcHWkc5GSNXewOfkPaJf5VWT0rLicx8kJqV+eY9+mcEkZeeSGMwUuSKnu4P2XF7Y08lsby1t6xRXP+U/lrIaFE8giaAkJzeRTL7OpKXf/yE5iRSbmp4Qf+NCqZBUVJzI5SXVSb+XiDNqhen9XQKlhEmnZDCrSri1bKaIBrGpWQJWnoidX8WM9us34lj0zHZlFYkMkTkx5ewEEYdSRr1LeXgrM/U2k5ovr+OLeSXkgrRbydf+AZG1Vcpt1GJ4AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/86f2d904f2ccd0967966f8994409fb28/8ac56/original.webp 240w,\n/static/86f2d904f2ccd0967966f8994409fb28/66086/original.webp 399w\"\n              sizes=\"(max-width: 399px) 100vw, 399px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/86f2d904f2ccd0967966f8994409fb28/8ff5a/original.png 240w,\n/static/86f2d904f2ccd0967966f8994409fb28/a307d/original.png 399w\"\n            sizes=\"(max-width: 399px) 100vw, 399px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/86f2d904f2ccd0967966f8994409fb28/a307d/original.png\"\n            alt=\"https://pbs.twimg.com/profile_images/1578007666281938944/original.png\"\n            title=\"https://pbs.twimg.com/profile_images/1578007666281938944/original.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"concept\" style=\"position:relative;\"><a href=\"#concept\" aria-label=\"concept permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Concept</h2>\n<p>This challenge is themed around LSB Steganography — a steganography technique that exploits the property that <strong>“even if the RGB values of each pixel in an image change by only a tiny amount, humans cannot visually detect the change”</strong> — by tampering with the least significant 1 bit of each pixel’s RGB value to embed arbitrary text.</p>\n<p>Since 3 bits per pixel (or 4 bits if the Alpha channel is also used) can be embedded, a 400×400 image can hold 480,000 bits.</p>\n<p>Using 8-bit ASCII characters, this translates to up to 60,000 characters that can be embedded.</p>\n<p>Despite being a straightforward technique, I felt that LSB Steganography rarely appears in entry-level CTFs, so I decided to implement it myself this time.</p>\n<h2 id=\"writeup\" style=\"position:relative;\"><a href=\"#writeup\" aria-label=\"writeup permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Writeup</h2>\n<p>From the problem statement, we understand the scenario: a Twitter profile image was apparently sent to a C&#x26;C server, but no suspicious point can be found, and we are asked to investigate.</p>\n<p>We therefore start by comparing the actually transmitted <code class=\"language-text\">flag.png</code> with <code class=\"language-text\">_rUFTyqG_400x400.png</code>, obtainable from the Twitter profile page.</p>\n<p>As a precaution, we verify the file type with the <code class=\"language-text\">file</code> command, then use the <code class=\"language-text\">strings</code> command to confirm that no suspicious strings are embedded.</p>\n<p>Next, we compare the exiftool output, but no flag-related information was found there either.</p>\n<p>Since the file is a PNG, we try binwalk, but there doesn’t appear to be any useful information embedded.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ binwalk -e flag.png \n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n<span class=\"token number\">0</span>             0x0             PNG image, <span class=\"token number\">399</span> x <span class=\"token number\">399</span>, <span class=\"token number\">8</span>-bit/color RGB, non-interlaced\n<span class=\"token number\">54</span>            0x36            Zlib compressed data, default compression\n<span class=\"token number\">427</span>           0x1AB           Zlib compressed data, default compression</code></pre></div>\n<p>No digital watermarks were visible to the naked eye, and adjusting color tones didn’t reveal any useful information.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 702px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/34c77d729feadec231c3586a6dc5269a/d6331/image-20221006203756806.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 109.58333333333331%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAADnUlEQVQ4y32Uy3ITRxSGexgXFJukFKyS8wLJg7CikFlQZZw1D5Ablxjkm26WL4GEHQuKa4CCF2CbhR1f4kpsS8gaaUayJc3IE0kz0kgK3th/Tve0YzuxUdVX3edMz3/+OadLrFAooNvtoNlswDQtfNjdxdHf/v7+8Rgn//i5vb09sFKphHQ6jezmJorFIra3t2EYBjRNQ6VSEfDc+2wW2UwGVrmM0tYWcrmcOFOmmJ9vNBpwHAcsn89jdXUVmyRYLleg6zpWVlZEEV6sVquhappY+m0BC3+sYUnTkdlYFzl+ZnFxEcvLy5ifnxfvMu5giyryCtwhjzc2NkRVy7LEMy5qmyTcrWPdKWJpYZHaY4K360CIY9u2L5jOpFHQC8i8zwjBtfU1clDFjr0j8pZVxV9OB13zd9TXnuHX+WVyb8DzPNTrdezKvvOVWTSIht1Aq9mCU3fgNlzYNRteyxOx03DguW10vA/4e6cMT/8T1apN5xwaZhe9Xg+dTgftdhuu64Jl9SzSxTTyZh5aRYNmaWKfK+fEXisTVQ05M0fo0OwSCrU8CnYBTacJ13GFEKfZbIJ99XwY526dw4XZCwhEAwjMEFMBf8/XCDEu88RnsQA+mfoUX/z0JYpWEV2vC8d10Gq1BOzSi0tgIwxsnIjJ9TYxSkzIOCLju3IfZeiPB6FXjWOC4pMHX4TB4gx98T4oUQXKKDFCpBQ/niTGiAl/fyZ+BmySYSD1OYwd4/8Ow6/D4oA6rorKwhV3miISxJh0F/NjJaEIl6GZARi1kwSfXga7QYJJVThlSSmQ9D/t3yL8GRVWkooQDs2RoHWS4MuweEGdVn2RhOxbXK6cKSlMOWVGEQUH7p/m8PFlMQThMCZfjPhuhNgd4pbM0VCUmC8Ymh04pYcP5SePqocT/UH2bkJyUIBySkQR+1CSBM2P9ZAL3j4iNn6EscNVCHKHqY8NhRyoE+qhm4OBjMi7d0cWomf8WvE4OB08rYdh0SP17pFPniUeENPEjzKe9K8Ov4v8fH+i/xTBV2HhSJ1S/WnOSYGkFPuZuCdzc/Iekvvgg+DJQ7ny5IqofnburLg66j0iqoqpC2ZUUUxN+fm+aJ+4PqH7IRg2Cbb/I3jx4UWw72Svbkq+kVfle+JruefPvz3kfOQ89JqOntc7Lph4l8Dg00EMvxnG0JshDL0iXhJPiGfEc5njPBrCtV+u4errq7j+9joqdgWddkf8KRwI/gNXbYkz9RU52QAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/34c77d729feadec231c3586a6dc5269a/8ac56/image-20221006203756806.webp 240w,\n/static/34c77d729feadec231c3586a6dc5269a/d3be9/image-20221006203756806.webp 480w,\n/static/34c77d729feadec231c3586a6dc5269a/de2ca/image-20221006203756806.webp 702w\"\n              sizes=\"(max-width: 702px) 100vw, 702px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/34c77d729feadec231c3586a6dc5269a/8ff5a/image-20221006203756806.png 240w,\n/static/34c77d729feadec231c3586a6dc5269a/e85cb/image-20221006203756806.png 480w,\n/static/34c77d729feadec231c3586a6dc5269a/d6331/image-20221006203756806.png 702w\"\n            sizes=\"(max-width: 702px) 100vw, 702px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/34c77d729feadec231c3586a6dc5269a/d6331/image-20221006203756806.png\"\n            alt=\"image-20221006203756806\"\n            title=\"image-20221006203756806\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>For image comparison we use magick’s composite, but the output was completely black.</p>\n<p>Since composite takes the color difference, it makes sense that two visually identical images produce a solid black result.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ ./magick composite -compose difference flag.png _rUFTyqG_400x400.png diff.png</code></pre></div>\n<p>Since composite couldn’t confirm the presence of differences, we try WinMerge instead.</p>\n<p>As shown below, differences were found in almost every part of the image.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 871px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6c4796604bec064c847de7b07e70c5ee/9d5da/image-20221006222431056.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 46.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAACGUlEQVQoz12Qe1MSURiHd0ozCssygTKiFNJMUcRy+qg2w0iiJl4TkMt6YZdVcbwQN5lmLC5e+hpP7y5dZvrjN2fnnOd99neO0sh9oK5PSoI0ckGaual2DDPTtPRhzisq5fMCjT+cbnL/s+1vpWFu6OO0cgEujUlZJ+RggpYRkARFOCjCjAjPaGhjbVa4Szm3uL9se06p61PUNT+Hqy6ONl3SwG8NNPQJ668t3ftPKLJv22/Qo70UUx6rhCkzWXNtSpSm8V6gYdKRLvKbfVzuB7jYG2Nn0UU5M8qV4aNqCU+tVoW4m1Skk1Law83hFMUtH7tLz7jIjsvspDTU3pHfcGGsPeaHMcKVbB7HvBjrHuttr43X1Krtht9335KN9nCW7Ke5L9eXhvrqC063vFbDq4MgysVegNScTaRO6saoXH+c7ehzKuoQP4+mufktrNYKlJIDJMJ3pN1LWgd+quoIarSfes5vtb02hWcxHxuhDrTlHkqqm3JqgEzUTT42QCU9RCXuoFTcolY7wVjpYz10S97aITIPJ/FXpIUtJL1UkoNUkz6UvXknidkO1mc6pGkXuwt2tBUH+ooTY9nJ/pKd4tcExVIede4+m6HbfPnYiRqxkf38UFjhTD76hPyaG0WLuNgO24nP2EiE7pEKd5Gd70ab7yG3+JSUtD8+3qBcybMT7iYzaydmsrM2Mp/uCvsAfaEXbcEhs4/4BVNV6u5QFHXlAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6c4796604bec064c847de7b07e70c5ee/8ac56/image-20221006222431056.webp 240w,\n/static/6c4796604bec064c847de7b07e70c5ee/d3be9/image-20221006222431056.webp 480w,\n/static/6c4796604bec064c847de7b07e70c5ee/81b74/image-20221006222431056.webp 871w\"\n              sizes=\"(max-width: 871px) 100vw, 871px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6c4796604bec064c847de7b07e70c5ee/8ff5a/image-20221006222431056.png 240w,\n/static/6c4796604bec064c847de7b07e70c5ee/e85cb/image-20221006222431056.png 480w,\n/static/6c4796604bec064c847de7b07e70c5ee/9d5da/image-20221006222431056.png 871w\"\n            sizes=\"(max-width: 871px) 100vw, 871px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6c4796604bec064c847de7b07e70c5ee/9d5da/image-20221006222431056.png\"\n            alt=\"image-20221006222431056\"\n            title=\"image-20221006222431056\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Incidentally, when only some pixels have differences, WinMerge displays the differing areas as follows.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 877px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7b9cde3f09f99d237a0d1a77dbe0f173/4b446/image-20221006222331173.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 47.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAACkUlEQVQozx2R60vTcRTGf1FYQdCLEnpRL8KQFKwXCtGFqLBUBDPvYlppXuiCMzLNbE4tw9vUTN2aprk5xZ/31pybtnul1taaGVFZWf0dn7724nB4Dg/P85xzpDX3adad+wlYFTin9dgnu7FPaUVpcM704Jjqwhdc51NA5qfjAGuOGBbNHWLeJzg9/3mOaa3AT3BbR5G+uWL57Y5A1iXTp1Vhn+7Bbepj2TaI16zDIUQ3BFcCY/xyRrI6F422o4hxY7Mw1PFmdoAl63NcM914bDLSd3cs665wigtDyL1+BM9LHSZjO5WV15AN7QJreS8Egx9k/nqicI7s5WzyNprV+byzGtC0V6Oqvc3CVDfe+TGkNSEYNO+hTX2Q/sEK/PMGQVBwLiMBWa9m0dKHb+W3SLixcgTWod08UsdinlTjfTlAyqULFJddEWk1LNonkb7YT7Fg3Iyh9wxmUyuW0U4Sr2Si09URdBrx2Z4TWP0jbjjGR/NeJnt3MGwswW3pFiGUnC/MwjX7FP/CIH63CSkwdxRTv0S/5jhDxirRlZzIzqCjswrLSBvT/Q9Z8v/gc3ACt7yTid7tPNXlMCPXUq68Rbwwnxpp4cVAA5bxZ0j20Uhm9Zu4eXMXqXkRXC06RkJBGtnFyRQVx1KhyMS79BXf8jBW/VYMnSGkX9pHXkEUeSXxnL2cQuGNJK7mn6aztR7Jpt+Ha0giNVEiNGwLx07uICv9ABfTDpGWfIS4pOPMuYL4lvRYn0nIjyXCIyXCDocQFx9KTkYEuWkxxCVEU1JahOSZV/J2XoGmq4LaxjqqG0pR1lSJx6hoaW6h7E45r16v4g948M6VYptR0Nyk4n5jJTUPblN17y5NjU3UqFTUN6n5B6Xm3bKz/1xxAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7b9cde3f09f99d237a0d1a77dbe0f173/8ac56/image-20221006222331173.webp 240w,\n/static/7b9cde3f09f99d237a0d1a77dbe0f173/d3be9/image-20221006222331173.webp 480w,\n/static/7b9cde3f09f99d237a0d1a77dbe0f173/d7666/image-20221006222331173.webp 877w\"\n              sizes=\"(max-width: 877px) 100vw, 877px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7b9cde3f09f99d237a0d1a77dbe0f173/8ff5a/image-20221006222331173.png 240w,\n/static/7b9cde3f09f99d237a0d1a77dbe0f173/e85cb/image-20221006222331173.png 480w,\n/static/7b9cde3f09f99d237a0d1a77dbe0f173/4b446/image-20221006222331173.png 877w\"\n            sizes=\"(max-width: 877px) 100vw, 877px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7b9cde3f09f99d237a0d1a77dbe0f173/4b446/image-20221006222331173.png\"\n            alt=\"image-20221006222331173\"\n            title=\"image-20221006222331173\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To see exactly where within each pixel the difference lies, you can check the information displayed at the bottom of the WinMerge window when hovering the mouse over the images.</p>\n<p>This shows the RGBA values at the same coordinates in each image, and we can see a slight difference in one or more of the RGB values.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/fa83383e45e3424854de492f3ec60d47/105d8/image-20221006222758863.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB6klEQVQoz1WQ3W/SYBjFe2OIeuFXjFmMmhkdjJTKhyZeqH+PiXpjssU/xcW5LRmgEx26wTJoO/rBWmiBrbgVgdIyugtv/BuOD+3UePHL+/bteU7OeRhB5VEVshDlAgTpU3DK2jco+tZ/aGYNjUYRDf0znV+g6wUYRhGH1s5fLIJx22/gK/OYqBkihUk9TaQCfLpPOa1z8Fqv4NWfYaxwRAonappIBffwO4QZmIsY1+bgSv9+ekoyILxPhQk45gu4yhN4EkvvycAw1JPuj3FgaCzCI0NPzsCuxNAT52kweSagtPsPKSVHhi8xIsOxzGEgsDiuRuFICdKFxpM6NdzPgOkbC5hQ5e+7MZRXIqh+OA9buE8JMkG640qcBlmMyHCa0CUTMXsJ5bVzMEszZ9XT6IssbJ6dJlygHcbRKc2iko0EIld+gFPtEQ7Lc9hevQZjaxYj2qGrPoWzFwefuwB18wp+7MXgU4ORlMTu+nWIH29SwuZrDPnbqOYvQitehqPeI8M41UhAKsxA+3qL1hGDYzynwcfQN6+Cz0fQq92hFUThqxzapbsQN25QsyiYoS3gyFhGS38Lq/kO9sEaht0cegfrMLVl9Lt5/PJ3cOLUYLdz6OhL6DSWcNRawaCbxcCit+Z7WMYqfnrb+A3A9881LetaBwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/fa83383e45e3424854de492f3ec60d47/8ac56/image-20221006222758863.webp 240w,\n/static/fa83383e45e3424854de492f3ec60d47/d3be9/image-20221006222758863.webp 480w,\n/static/fa83383e45e3424854de492f3ec60d47/e46b2/image-20221006222758863.webp 960w,\n/static/fa83383e45e3424854de492f3ec60d47/446b5/image-20221006222758863.webp 1170w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/fa83383e45e3424854de492f3ec60d47/8ff5a/image-20221006222758863.png 240w,\n/static/fa83383e45e3424854de492f3ec60d47/e85cb/image-20221006222758863.png 480w,\n/static/fa83383e45e3424854de492f3ec60d47/d9199/image-20221006222758863.png 960w,\n/static/fa83383e45e3424854de492f3ec60d47/105d8/image-20221006222758863.png 1170w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/fa83383e45e3424854de492f3ec60d47/d9199/image-20221006222758863.png\"\n            alt=\"image-20221006222758863\"\n            title=\"image-20221006222758863\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Checking the same information at multiple coordinates, we find that the difference in one of the RGB values is always exactly 1.</p>\n<p>Since the challenge binary is an image sent to a C&#x26;C server, it is assumed that some information is embedded in these differences.</p>\n<p>Given that the difference in each RGB value is always 1, we can infer that the LSB Steganography technique is being used.</p>\n<p>Reference: <a href=\"https://ctf-wiki.mahaloz.re/misc/picture/png/#lsb\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PNG - CTF Wiki EN</a></p>\n<p>Using Stegsolve’s Extract Preview, we found that the flag could be retrieved from bit 0.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e462ac3a8e48cc7b52011583b1245cdc/f213e/image-20221006224206197.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 47.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABi0lEQVQoz52SWU/CUBCF+4N9UhNZZTP+N0FijG+lLd2325aCFRK248xQCInhxSYn57Z35pu506s1Wj002300a291BmiRtztDdHsveGp08fDYov2+vHefR3/U6Y4wGL7i7r4HrSwXyLIMeZ5juSyxWi3x/b3Cfx59ZkIzDAOmaUHXdViWBdu24TgOquoHh8MB+/3+4re03W4F+PH5BY0BrPncRhAE8H2fPMRms8HxeBTYLe12uwv0CujAIlicpAij+ORxgiRVWCxKlGVJvkDBKoqTaJ1QnGGadBpX8vjb23gKLY5j+GGEICQPItn0qENx6pa7j6VAipSKqCwXaJIkcF1XgJ7nydwnEwJGUSQAhrIHBHL9QICcZNM8Pc+HS0khxZyBqVKYzXj+JiKKXa/XGE/eoSnakOriijyrXUkiH/es05FzuRG8tqk7g34oz/0C5MD8PJsrlQIhYPFXDGQpum6KGuDiVVURcFoD6wCpLF5At6i6E2Bm+7DcUNx0QtheJAUlvi7O95iBPMNfR0zWRP0oTJgAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e462ac3a8e48cc7b52011583b1245cdc/8ac56/image-20221006224206197.webp 240w,\n/static/e462ac3a8e48cc7b52011583b1245cdc/d3be9/image-20221006224206197.webp 480w,\n/static/e462ac3a8e48cc7b52011583b1245cdc/e46b2/image-20221006224206197.webp 960w,\n/static/e462ac3a8e48cc7b52011583b1245cdc/afd7b/image-20221006224206197.webp 1192w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e462ac3a8e48cc7b52011583b1245cdc/8ff5a/image-20221006224206197.png 240w,\n/static/e462ac3a8e48cc7b52011583b1245cdc/e85cb/image-20221006224206197.png 480w,\n/static/e462ac3a8e48cc7b52011583b1245cdc/d9199/image-20221006224206197.png 960w,\n/static/e462ac3a8e48cc7b52011583b1245cdc/f213e/image-20221006224206197.png 1192w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e462ac3a8e48cc7b52011583b1245cdc/d9199/image-20221006224206197.png\"\n            alt=\"image-20221006224206197\"\n            title=\"image-20221006224206197\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Stegsolve can be used via the following steps.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">wget</span> http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar\n$ <span class=\"token function\">chmod</span> +x stegsolve.jar\n$ java -jar stegsolve.jar</code></pre></div>\n<p>Deducing LSB Steganography from pixel differences may require some prior knowledge or search skills, but in practice you can solve this even without any knowledge at all by just running Stegsolve.</p>\n<h2 id=\"script-used-to-create-the-challenge\" style=\"position:relative;\"><a href=\"#script-used-to-create-the-challenge\" aria-label=\"script used to create the challenge permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Script Used to Create the Challenge</h2>\n<p>The flag was embedded using the following script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> PIL <span class=\"token keyword\">import</span> Image\n<span class=\"token keyword\">import</span> struct\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">toggle_rmb</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"1\"</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> b<span class=\"token operator\">-</span><span class=\"token number\">1</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> b<span class=\"token operator\">+</span><span class=\"token number\">1</span>\n\n<span class=\"token comment\"># Init flag binary</span>\nflag_binary <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"_rUFTyqG_400x400.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f_file<span class=\"token punctuation\">:</span>\n    flag <span class=\"token operator\">=</span> f_file<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> f <span class=\"token keyword\">in</span> flag<span class=\"token punctuation\">:</span>\n        flag_binary <span class=\"token operator\">+=</span> <span class=\"token string\">\"{:08b}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># print(flag_binary)</span>\n\n<span class=\"token comment\"># Load image</span>\nimage <span class=\"token operator\">=</span> Image<span class=\"token punctuation\">.</span><span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.png\"</span><span class=\"token punctuation\">)</span>\npixel <span class=\"token operator\">=</span> image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Get size</span>\nimg_width <span class=\"token operator\">=</span> image<span class=\"token punctuation\">.</span>width\nimg_height <span class=\"token operator\">=</span> image<span class=\"token punctuation\">.</span>height\n\n<span class=\"token comment\"># PUT last bit for each RGB</span>\np <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>img_width<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> j <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>img_height<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        r <span class=\"token operator\">=</span> pixel<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n        g <span class=\"token operator\">=</span> pixel<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n        b <span class=\"token operator\">=</span> pixel<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span>\n\n        <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> <span class=\"token punctuation\">(</span>flag_binary<span class=\"token punctuation\">[</span>p<span class=\"token operator\">%</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>flag_binary<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            r <span class=\"token operator\">=</span> toggle_rmb<span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span>\n        p <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> <span class=\"token punctuation\">(</span>flag_binary<span class=\"token punctuation\">[</span>p<span class=\"token operator\">%</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>flag_binary<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>g<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            g <span class=\"token operator\">=</span> toggle_rmb<span class=\"token punctuation\">(</span>g<span class=\"token punctuation\">)</span>\n        p <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> <span class=\"token punctuation\">(</span>flag_binary<span class=\"token punctuation\">[</span>p<span class=\"token operator\">%</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>flag_binary<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            b <span class=\"token operator\">=</span> toggle_rmb<span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span>    \n        p <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        image<span class=\"token punctuation\">.</span>putpixel<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">,</span>g<span class=\"token punctuation\">,</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nimage<span class=\"token punctuation\">.</span>save<span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.png\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>As a solution that does not use Stegsolve, the following Solver is the intended approach.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> PIL <span class=\"token keyword\">import</span> Image\n<span class=\"token keyword\">import</span> re\n<span class=\"token keyword\">import</span> struct\n\n<span class=\"token comment\"># Load image</span>\nimage <span class=\"token operator\">=</span> Image<span class=\"token punctuation\">.</span><span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"./flag.png\"</span><span class=\"token punctuation\">)</span>\npixel <span class=\"token operator\">=</span> image<span class=\"token punctuation\">.</span>load<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Get size</span>\nimg_width <span class=\"token operator\">=</span> image<span class=\"token punctuation\">.</span>width\nimg_height <span class=\"token operator\">=</span> image<span class=\"token punctuation\">.</span>height\n\n<span class=\"token comment\"># Enumerate pixel RGB bytes</span>\nresult <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>img_width<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> j <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>img_height<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        result <span class=\"token operator\">+=</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>pixel<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> \n        result <span class=\"token operator\">+=</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>pixel<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> \n        result <span class=\"token operator\">+=</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">(</span>pixel<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n\nresult_txt <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    tmp <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0b\"</span><span class=\"token operator\">+</span>result<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span>i <span class=\"token operator\">+</span> <span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n    result_txt <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>tmp<span class=\"token punctuation\">)</span>\n\npattern <span class=\"token operator\">=</span> <span class=\"token string\">r'.*?(HimitsukichiCTF{.+?}).*?'</span>\nresult <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span><span class=\"token keyword\">match</span><span class=\"token punctuation\">(</span>pattern<span class=\"token punctuation\">,</span> result_txt<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">if</span> result<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">.</span>group<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This yields the flag <code class=\"language-text\">HimitsukichiCTF{I_know_you_can_not_notice_for_this_image_is_already_tampered_by_me}</code>.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I implemented LSB Steganography — a straightforward technique that is nonetheless rarely seen in entry-level CTFs.</p>","fields":{"slug":"/himitsukichi-ctf-forensic-obilivious-en","tagSlugs":["/tag/himitsukichi-ctf-en/","/tag/ctf-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2022-10-05","description":"Writeup for Himitsukichi CTF","tags":["HimitsukichiCTF (en)","CTF (en)","Forensic (en)","English"],"title":"Himitsukichi CTF Forensic Oblivious","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/himitsukichi-ctf-forensic-obilivious-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}