Our spies found this image. They think something is hidden in it… what could it be?

imaged.zip

Solution

Quite a huge PNG we got for this stego challenge!

After several failed attempts, including

  • image palette randomization
  • multiple variations of LSB
  • overlapping image partitions

we hopelessly executed strings on the image, being able to recover the first part of the flag -_-.

0 $ strings imaged.png | head -n 6
IHDR
9447
0PLTE
H40t
0l(t
{Ste

Notice 9447 and {Ste. Simple things are always the best.

The flag is encoded in the CRC fields of the PNG chunks. The following script is able to retrieve it by accessing the four-byte CRC blocks found in the image.

#!/usr/bin/python

import sys
from struct import unpack

def main():
	with open(sys.argv[1], 'rb') as f:
		png = f.read()
		flag = ''
		# skip png signature at the begninning
		i = 8
		while True:
			# data len + chunk type + data + crc
			i += 8 + unpack('>I', png[i:i+4])[0] + 4
			flag += png[i-4:i]
			if flag.endswith('}'):
				break
		print(flag)

if __name__ ==  '__main__':
	main()

There you go

0 $ python decrc.py imaged.png
9447{Steg0_redunDaNcy_CHeck}