Senseless Behaviour
Unpacking the archive gives a WAV file:
root@kali:~/桌面/HTB/Stego# file meow.wav
meow.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
file reports an ordinary 16-bit stereo PCM WAV. strings turns up nothing useful either; filtering for runs longer than 20 characters only returns audio sample bytes that happen to be printable:
root@kali:~/桌面/HTB/Stego# strings meow.wav | awk 'length($0)>20'
35/*o7Q5p:p7=<,2]<5(d:]
(A$"2P'M<P._@t0Q@B/=A
#"A=)J>O+J6~)o-'$O'L!h!
d+) e-z"(/&$R1V&'4u'k6
'*( :h:66\1T4,&cC9*~?
1*3S7u4(9B5#8x4A3@1H(
>s8aBB9wDf8gC>42@o28;
AP:cBG2I:[:]=[;"<%Aq9$I
#o;;%W@a"YAb V?G"B=R#
1|-.32/752/:60+{4^'p3
4l"[8Q$%:X&39>')4M%2.4#
P^V_L~S29rD`AyR1?JM40D?
. 8&)s36$Q,F)`+#6W27?
0pCD/YCS,8Bi)\BJ'qCF&
"s#~(T!p, ^*:" (c$D'#
C~'C?4&_CN*?ET)oCx"7J
:u1.={. <(*!<H&;<^!,<
6k5w6y8I3]:70S9X..7g.
binwalk extraction yields nothing useful either. The MySQL MISAM hits are the false positives binwalk routinely reports on high-entropy data such as raw audio samples, not real embedded files:
root@kali:~/桌面/HTB/Stego# binwalk -e meow.wav
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
12897995 0xC4CECB MySQL MISAM compressed data file Version 3
20226912 0x134A360 MySQL MISAM index file Version 3
26753717 0x1983AB5 MySQL MISAM compressed data file Version 2
36745260 0x230B02C MySQL MISAM compressed data file Version 11
Next, open the file in Audacity and look at it.
Still nothing there.
So try steghide:
root@kali:~/桌面/HTB/Stego# steghide info meow.wav
"meow.wav":
format: wave audio, PCM encoding
capacity: 1.1 MB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
It asks for a passphrase, so brute-force it against a wordlist. Two options:
apt-get install stegcracker (slow)
github.com/RickdeJager… (faster)
stegcracker file
or
stegseek file /usr/share/wordlists/rockyou.txt
root@kali:~/桌面/HTB/Stego# stegseek meow.wav /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "skittles"
[i] Original filename: "youfoundme".
[i] Extracting to "meow.wav.out".
This recovers the passphrase "skittles" and the embedded file youfoundme, written to meow.wav.out.
Analysing that file the same way shows it is base64-encoded; decoding it gives a long run of characters from 0-9 and a-f:
root@kali:~/桌面/HTB/Stego# cat meow.wav.out | base64 -d | head -10
89504e470d0a1a0a0000000d49484452000002be0000018b080600000021
d891f60000200049444154789cecddf9539b77b6effb9c5de7ee3a677777
3ab1e324763c308398e741f380f4e8d12c8410420c1642800019638c4166
329e312618134c6ce2398eedcc43cfbbf7bea7ead6adbaffd5fbfef0480f
12e0a9ed74a7cf3e3fac128304b2a0f04b4b9fef5a6f5d585a65fee255c6
130bc44fce309eb8c0d8a9b3c48ecd101b9da5a7ef24c19e517cc1017cc1
01424747880e9d227e728ef1c439e6cfac30bf708df9f955666757484c5f
6532718589a94526a616199fbcc2e8c94b8c8e5f646ce23263534b8c9f5e
2671668d854b3759597fcceaa74f58fdf409cb9f7ccef2da2356d61fb372
e349f2f2292b379eb2baf165b2be61edd36fe5da7cf07bee3ff977ee3ffd
The pattern is obvious: no character is higher than f, so this is a hex dump rather than a number. Decode the hex back to raw bytes and look at the beginning:
root@kali:~/桌面/HTB/Stego# cat meow.wav.out | base64 -d | xxd -r -p | head -10
�PNG
▒
IHDR�!� IDATx����S�w����]��:gww:��$v<0���A�����,�B
B�c�Af2�1&▒Ll�9���Cϻ����������H���t��>?�����KK��Zo]XZe��U�
�O�0���ة�Ď����$��Q|�|�BGG��"~r���9�Ϭ0�p���UfgWHL_e2q���E&������K��_dl�2cSK��^&qf��K7YY���OX�� ˟|���#V��r�I��)+7����e��a��o��|�{�?�w�?�+����g��-��}��������������p��?s�����m��A���淙u�n}��_�>�J���/���S�
The decoded bytes start with the PNG signature (89 50 4E 47 0D 0A 1A 0A, visible as 89504e470d0a1a0a at the top of the hex), so write them straight out as a PNG:
root@kali:~/桌面/HTB/Stego# cat meow.wav.out | base64 -d | xxd -r -p > youfoundme.png
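The two decoding layers in the last three commands (base64, then hex) can be peeled mechanically instead of by eye. The following Python is an added example and not part of the original write-up: it strips base64 and hex layers in turn and stops as soon as the bytes begin with a known file signature. The magic table, the function names and the decoding order are my choices (hex is tested before base64 because a hex string is also valid base64 alphabet), and the embedded sample is constructed here, a PNG signature plus IHDR chunk header encoded hex-then-base64 to mirror meow.wav.out, rather than the challenge's real output.

```python
import base64
import binascii
import re

# Magic-byte table for file types a stego challenge commonly hides.
# The PNG entry is the one this write-up hits (89 50 4E 47 0D 0A 1A 0A).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"PK\x03\x04": "zip",
    b"RIFF": "riff (wav/avi)",
    b"%PDF": "pdf",
}

B64_RE = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")
HEX_RE = re.compile(rb"\A[0-9a-fA-F]+\Z")


def identify(data):
    """Return the label whose magic prefix matches data, or None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def peel(data, max_layers=5):
    """Strip text encodings (base64, hex) until a known magic appears.

    Returns (layers, payload): layers lists the encodings removed, outermost
    first; payload is the decoded bytes. Stops when a magic matches or when
    the data no longer looks like a supported encoding. Hex is tried first:
    every hex string is also valid base64 alphabet, but a base64 string made
    only of 0-9a-f is vanishingly unlikely for a real payload.
    """
    layers = []
    for _ in range(max_layers):
        if identify(data) is not None:
            break
        stripped = b"".join(data.split())  # tolerate line breaks / trailing \n
        if HEX_RE.match(stripped) and len(stripped) % 2 == 0:
            data = binascii.unhexlify(stripped)
            layers.append("hex")
        elif B64_RE.match(stripped) and len(stripped) % 4 == 0:
            data = base64.b64decode(stripped, validate=True)
            layers.append("base64")
        else:
            break
    return layers, data


# Constructed sample (not the challenge file): PNG signature + IHDR chunk
# header, hex-encoded and then base64-encoded like meow.wav.out.
SAMPLE_PAYLOAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
SAMPLE = base64.b64encode(binascii.hexlify(SAMPLE_PAYLOAD)) + b"\n"


def demo():
    """Peel the constructed sample; returns (layers, type label, payload)."""
    layers, payload = peel(SAMPLE)
    return layers, identify(payload), payload


if __name__ == "__main__":
    import sys

    # Usage: python peel.py meow.wav.out  -> writes meow.wav.out.bin
    with open(sys.argv[1], "rb") as f:
        found_layers, found_payload = peel(f.read())
    print("layers:", found_layers, "type:", identify(found_payload))
    with open(sys.argv[1] + ".bin", "wb") as f:
        f.write(found_payload)
```

On the sample, peel() reports ["base64", "hex"] and identify() returns "png", which is exactly the chain the shell pipeline above performs by hand; on real input, check the reported type before trusting the output file, since a layer that is neither hex nor base64 (for example rot13 or a custom alphabet) simply stops the loop.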
Run the same checks on the PNG: binwalk finds nothing of note and strings gives nothing either.
Load it into Stegsolve and step through the bit planes: Red plane 0 contains braille.
Decode it with a braille decoder such as www.dcode.fr/braille-alp…
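What Stegsolve shows as "Red plane 0" is just bit 0 of the red channel of every pixel, rendered as black and white. The following Python is an added example and not the author's code: it extracts a chosen bit plane from a flat list of (r, g, b) tuples and renders it as ASCII, so the hidden pattern becomes visible even though the cover pixels differ only in their least significant bit. The 5x5 cover image is constructed here for the demo; the Pillow loader for real files is an assumption (Pillow is not in the standard library) and is only imported when called, so the demo itself runs with stdlib alone.

```python
# Constructed hidden pattern (not the challenge's braille): an "H" glyph.
PATTERN = [
    "#...#",
    "#...#",
    "#####",
    "#...#",
    "#...#",
]


def bit_plane(pixels, width, height, channel, bit):
    """Return one bit of one colour channel for every pixel, as rows of 0/1.

    pixels is a flat row-major list of (r, g, b) tuples, the layout that
    Pillow's Image.getdata() returns for an RGB image. channel: 0=R, 1=G,
    2=B. bit: 0 is the least significant bit (Stegsolve's "plane 0").
    """
    plane = []
    for y in range(height):
        row = []
        for x in range(width):
            value = pixels[y * width + x][channel]
            row.append((value >> bit) & 1)
        plane.append(row)
    return plane


def render(plane, on="#", off="."):
    """ASCII rendering of a plane, one character per pixel."""
    return "\n".join("".join(on if b else off for b in row) for row in plane)


def all_planes(pixels, width, height):
    """Yield (channel, bit, plane) for all 24 channel/bit combinations, the
    same set of views one steps through in Stegsolve."""
    for channel in range(3):
        for bit in range(8):
            yield channel, bit, bit_plane(pixels, width, height, channel, bit)


def build_sample():
    """Constructed cover image: red is 200 or 201 depending on the hidden
    bit, so the image looks uniform but red plane 0 carries PATTERN."""
    width, height = len(PATTERN[0]), len(PATTERN)
    pixels = []
    for y in range(height):
        for x in range(width):
            hidden = 1 if PATTERN[y][x] == "#" else 0
            pixels.append(((200 & ~1) | hidden, 120, 30))
    return pixels, width, height


def load_rgb(path):
    """Load a real image's pixels with Pillow (assumed installed)."""
    from PIL import Image  # assumption: third-party dependency

    img = Image.open(path).convert("RGB")
    return list(img.getdata()), img.width, img.height


def demo():
    """Render red plane 0 (hidden data) and red plane 7 (uniform MSB)."""
    pixels, w, h = build_sample()
    red0 = render(bit_plane(pixels, w, h, 0, 0))
    red7 = render(bit_plane(pixels, w, h, 0, 7))
    return red0, red7


if __name__ == "__main__":
    import sys

    # Usage: python planes.py youfoundme.png  -> prints every plane
    if len(sys.argv) > 1:
        px, w, h = load_rgb(sys.argv[1])
    else:
        px, w, h = build_sample()
    for channel, bit, plane in all_planes(px, w, h):
        print("channel %d bit %d" % (channel, bit))
        print(render(plane))
        print()
```

Plane 0 of any channel is where LSB-style embedding lands, which is why it is the first view worth checking; a plane that carries data looks structured (glyphs, text, a QR pattern) while untouched low planes of a natural image look like noise and high planes look like a posterised copy of the picture.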