Not Art
由于是隐写题,我们知道有部分信息隐藏在图片中,我们采用最基本的工具来分析它。
steghide & foremost:
root@kali:~/桌面/HTB/Stego# steghide info not_art.png
steghide: the file format of the file "not_art.png" is not supported.
root@kali:~/桌面/HTB/Stego# foremost -i not_art.png
Processing: not_art.png
|*|
并没有如何信息可利用,接下来进一步探索:
root@kali:~/桌面/HTB/Stego# strings not_art.png
IHDR
JIDATx
O2~tt
kNB(
B([W
3"qV
!.'!
Bf-#
eG=1w
&=1{Rl4
-Tg~
+,:
k22s
(;-A
3fM!
Ljb&
=bNB(
B([O}-;
>;m];
9eNB(
IEND
root@kali:~/桌面/HTB/Stego# exiftool not_art.png
ExifTool Version Number : 12.36
File Name : not_art.png
Directory : .
File Size : 2.1 KiB
File Modification Date/Time : 2018:06:21 01:04:13+08:00
File Access Date/Time : 2022:02:07 22:43:16+08:00
File Inode Change Date/Time : 2022:02:07 22:43:16+08:00
File Permissions : -rw-------
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 300
Image Height : 300
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Image Size : 300x300
Megapixels : 0.090
root@kali:~/桌面/HTB/Stego# zsteg -a not_art.png
b1,r,lsb,xy .. file: , OEM-ID "\003\377", Bytes/sector 3840, sectors/cluster 252, sectors 65280 (volumes <=32 MB), Media descriptor 0xff, sectors/FAT 240, sectors/track 0, FAT (12 bit by descriptor)
b2,b,lsb,xy .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b2,b,msb,xy .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b6,r,lsb,xy .. file: AIX core file fulldump
b1,rgb,lsb,xy,prime .. text: "lHR&I"Z$"
b1,rgb,msb,xy,prime .. text: "D&IlIK"i"I)6"
b3,r,lsb,xy,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
b4,g,lsb,xy,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,g,msb,xy,prime .. file: Common Data Format (Version 2.5 or earlier) data
b5,g,lsb,xy,prime .. file: AIX core file
b8,b,lsb,xy,prime .. file: Matlab v4 mat-file (little endian) \300\300\377\377\377\300\300\300\300, numeric, rows 3233857728, columns 3233808384, imaginary
b1,g,msb,yx .. file: dBase III DBT, next free block index 1072693248, block length 64512, 1st item "\001"
b2,b,lsb,yx .. file: Matlab v4 mat-file (little endian) \377\377\360, numeric, rows 251658240, columns 65535, imaginary
b2,b,msb,yx .. file: Matlab v4 mat-file (little endian) \377\377\017, numeric, rows 4026531840, columns 65535, imaginary
b5,b,lsb,yx .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377, numeric, rows 0, columns 0
b5,b,msb,yx .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377, numeric, rows 0, columns 0
b6,r,lsb,yx .. file: AIX core file fulldump
b6,g,lsb,yx .. file: Matlab v4 mat-file (little endian) \377\377\360, numeric, rows 0, columns 0, imaginary
b6,g,msb,yx .. file: Matlab v4 mat-file (little endian) \377\377\017, numeric, rows 0, columns 0, imaginary
b7,b,lsb,yx .. file: Matlab v4 mat-file (little endian) @\201\002\004\010\020?\377\377\377\377\377\377\377\377, numeric, rows 0, columns 0
b8,b,lsb,yx .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b1,rgb,msb,yx,prime .. file: TeX font metric data
b2,r,msb,yx,prime .. file: DOS 2.0-3.2 backed up file \017\003
b3,r,lsb,yx,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
b4,r,msb,yx,prime .. file: , Bytes/sector 3840, root entries 15, Media descriptor 0xff, sectors/FAT 255, sectors/track 0, heads 15, FAT (12 bit by descriptor)
b8,b,lsb,yx,prime .. file: Matlab v4 mat-file (little endian) \300\300\377\377, numeric, rows 0, columns 4294951104, imaginary
b3,r,lsb,XY .. file: AIX core file
b3,g,lsb,XY .. file: AIX core file
b4,r,lsb,XY .. file: Matlab v4 mat-file (little endian) , numeric, rows 4294967040, columns 65535
b6,b,lsb,XY .. file: AIX core file fulldump
b3,b,lsb,XY,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz, stereo + center
b4,r,lsb,XY,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,r,msb,XY,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,g,lsb,XY,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,g,msb,XY,prime .. file: Common Data Format (Version 2.5 or earlier) data
b8,g,lsb,XY,prime .. file: Matlab v4 mat-file (little endian) \300\300\377\377, numeric, rows 4294967295, columns 0, imaginary
b3,r,lsb,YX .. file: AIX core file
b6,g,lsb,YX .. file: Matlab v4 mat-file (little endian) \377\377\360, numeric, rows 0, columns 0, imaginary
b6,g,msb,YX .. file: Matlab v4 mat-file (little endian) \377\377\017, numeric, rows 0, columns 0, imaginary
b6,b,lsb,YX .. file: AIX core file fulldump
b7,g,lsb,YX .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377\377\340@\201\002\004\010\020 @\377\377\377\377\377\377\377\377\376\004\010\020 @\201\002\004, numeric, rows 0, columns 0
b7,g,msb,YX .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377\377\007\002\201@ \020\010\004\002\377\377\377\377\377\377\377\377\177 \020\010\004\002\201@ , numeric, rows 0, columns 0
b8,g,lsb,YX .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b8,g,msb,YX .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b1,rgb,msb,YX,prime .. text: "-!%&6l2\t%"
b3,b,lsb,YX,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
b4,r,lsb,YX,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,r,msb,YX,prime .. file: Common Data Format (Version 2.5 or earlier) data
b6,g,lsb,YX,prime .. file: Matlab v4 mat-file (little endian) \377\374\017\300, numeric, rows 4043243520, columns 3238002432
b6,g,msb,YX,prime .. file: Matlab v4 mat-file (little endian) \377?\360\003, numeric, rows 268369920, columns 67108608
b2,r,lsb,Xy .. file: AIX core file
b4,bgr,msb,Xy .. file: MPEG ADTS, AAC, v4 Main, 48 kHz, surround + side
b6,g,lsb,Xy .. file: AIX core file fulldump
b6,b,lsb,Xy .. file: AIX core file fulldump
b6,bgr,lsb,Xy .. file: MPEG ADTS, AAC, v4 Main, surround + side
b7,bgr,lsb,Xy .. file: MPEG ADTS, layer II, v1, 48 kHz, Monaural
b1,bgr,lsb,Xy,prime .. text: "I"Ki$q%)"
b3,g,lsb,Xy,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
b3,b,lsb,Xy,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
b4,r,lsb,Xy,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,r,msb,Xy,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,g,lsb,Xy,prime .. file: , Bytes/sector 3840, sectors/cluster 255, reserved sectors 4095, FATs 255, root entries 240, sectors 61455 (volumes <=32 MB), Media descriptor 0xff, sectors/FAT 65535, sectors/track 65535, hidden sectors 4042326015, sectors 4278255360 (volumes > 32 MB), dos < 4.0 BootSector (0), FAT (12 bit by descriptor)
b4,bgr,msb,Xy,prime .. file: MPEG ADTS, AAC, v4 Main, 48 kHz, surround + side
b6,r,lsb,Xy,prime .. file: AIX core file
b6,bgr,lsb,Xy,prime .. file: MPEG ADTS, AAC, v4 Main, surround + side
b7,bgr,lsb,Xy,prime .. file: MPEG ADTS, layer II, v1, 48 kHz, Monaural
b4,bgr,msb,yX .. file: MPEG ADTS, AAC, v4 Main, 48 kHz, surround + side
b5,r,lsb,yX .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377, numeric, rows 0, columns 0
b5,r,msb,yX .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377, numeric, rows 0, columns 0
b6,g,lsb,yX .. file: AIX core file fulldump
b6,b,lsb,yX .. file: AIX core file fulldump
b6,bgr,lsb,yX .. file: MPEG ADTS, AAC, v4 Main, surround + side
b7,r,lsb,yX .. file: Matlab v4 mat-file (little endian) @\201\002\004\010\020?\377\377\377\377\377\377\377\377, numeric, rows 0, columns 0
b7,bgr,lsb,yX .. file: MPEG ADTS, layer II, v1, 48 kHz, Monaural
b8,r,lsb,yX .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b1,bgr,lsb,yX,prime .. <wbStego size=24795, data="\x99"II$-\xB7\x01&%"..., even=false, enc="wbStego 2.x/3.x", mix=true, controlbyte="\xD8">
b3,g,lsb,yX,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz, stereo + center
b3,b,lsb,yX,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz, stereo + center
b4,g,lsb,yX,prime .. file: , Bytes/sector 3840, sectors/cluster 255, reserved sectors 240, root entries 61455, sectors 61455 (volumes <=32 MB), Media descriptor 0xff, sectors/FAT 255, sectors/track 0, heads 15, hidden sectors 4026593295, sectors 4278190080 (volumes > 32 MB), physical drive 0xf0, dos < 4.0 BootSector (0), FAT (12 bit by descriptor)
b4,bgr,msb,yX,prime .. file: MPEG ADTS, AAC, v4 Main, 48 kHz, surround + side
b5,r,lsb,yX,prime .. file: Matlab v4 mat-file (little endian) \377\300, numeric, rows 4030660608, columns 0, imaginary
b5,r,msb,yX,prime .. file: Matlab v4 mat-file (little endian) \377\003, numeric, rows 268173312, columns 0, imaginary
b6,r,lsb,yX,prime .. file: Matlab v4 mat-file (little endian) \377\374, numeric, rows 251658240, columns 255
b6,r,msb,yX,prime .. file: Matlab v4 mat-file (little endian) \377?, numeric, rows 4026531840, columns 255
b6,bgr,lsb,yX,prime .. file: MPEG ADTS, AAC, v4 Main, surround + side
b7,bgr,lsb,yX,prime .. file: MPEG ADTS, layer II, v1, 48 kHz, Monaural
b2,g,lsb,xY .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377, numeric, rows 4294967040, columns 65535, imaginary
b2,g,msb,xY .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377, numeric, rows 4294967040, columns 65535, imaginary
b3,r,lsb,xY .. file: Matlab v4 mat-file (little endian) \377\377\360, numeric, rows 0, columns 0
b3,r,msb,xY .. file: Matlab v4 mat-file (little endian) \377\377\017, numeric, rows 0, columns 0
b3,b,lsb,xY .. file: AIX core file fulldump
b6,g,lsb,xY .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377\377\377\377\377\377, numeric, rows 0, columns 0, imaginary
b6,g,msb,xY .. file: Matlab v4 mat-file (little endian) \377\377\377\377\377\377\377\377\377\377, numeric, rows 0, columns 0, imaginary
b7,r,lsb,xY .. file: Matlab v4 mat-file (little endian) @\201\002\004\010\020, numeric, rows 0, columns 0
b8,r,lsb,xY .. file: Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
b1,r,lsb,xY,prime .. file: raw G3 (Group 3) FAX, byte-padded
b6,r,lsb,xY,prime .. file: Matlab v4 mat-file (little endian) \377\374, numeric, rows 0, columns 1056964608, imaginary
b6,r,msb,xY,prime .. file: Matlab v4 mat-file (little endian) \377?, numeric, rows 0, columns 4227858432, imaginary
b2,r,lsb,Yx .. file: AIX core file
b6,g,lsb,Yx .. file: Matlab v4 mat-file (little endian) \377\377\360, numeric, rows 0, columns 0, imaginary
b6,g,msb,Yx .. file: Matlab v4 mat-file (little endian) \377\377\017, numeric, rows 0, columns 0, imaginary
b6,b,lsb,Yx .. file: AIX core file fulldump
b3,b,lsb,Yx,prime .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
b4,r,lsb,Yx,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,r,msb,Yx,prime .. file: Common Data Format (Version 2.5 or earlier) data
b4,g,lsb,Yx,prime .. file: Matlab v4 mat-file (little endian) \360\377\377\017\377, numeric, rows 255, columns 16715520, imaginary
b6,r,lsb,Yx,prime .. file: AIX core file
[!] possible image block size is 10x10, downscaling may be necessary
似乎都没有什么有效的信息
解法
从图片上我们可以看出这是一个特别的形状,是一个螺形的图像,也许可以通过转换rgb到ascii码,从而得到一些有效的信息。
我们提取每个颜色块的rgb,使用python中的PIL模块。
[(255, 192, 0), (0, 255, 192), (192, 255, 0), (255, 255, 192), (255, 0, 0), ... ]
可以看出只有三种选择,分别是0, 192, 255。 所以实际上我们看到的可能是base 3编码的数据
我们可以将0,192, 255替换成0, 1, 2。 这样我们就得到一组base3数据。我们可以将base 3数据转换成base 10的数据。
base 3实则就是基数为3的数字,转化成base 10规则如下
例如:
210(base 3) = 0*3^0 + 1*3^1 + 2*3^2 = 0 + 3 + 18 = 21(base 10)
021(base 3) = 1*3^0 + 2*3^1 + 0*3^2 = 1 + 6 + 0 = 7(base 10)
120(base 3) = 15(base 10)
221(base 3) = 25(base 10)
或者使用在线工具: www.unitconversion.org/numbers/bas…
其中的base 10数字可以转化为字母a-z,也就是a就是1,b就是2
21(base 10) = u
7(base 10) = g
15(base 10) = o
25(base 10) = r
根据特征和积累,"ugo"其实就是"HTB"通过ROT13编码而来,因此我们需要将所有的字母进行一次ROT13编码。
htbleftcurlybracketuppercaseiunderscorelowercasetuppercaseolowercaseluppercasedunderscorelowercaseyuppercaseolowercaseuunderscoreuppercasetlowercasehuppercasealowercasetunderscoreuppercasetlowercasehuppercaseilowercasesunderscoreuppercasewlowercaseauppercasesunderscorelowercasenuppercaseolowercasetunderscoreuppercasealowercaseruppercasetunderscorelowercasenuppercaseolowercaserunderscoreuppercaseplowercaseiuppercaseelowercasetexclamationmarkexclamationmarkrightcurlybracketeof
最后我们就得到了一串明文数据,在通过键盘名称替换成相应的符号(例如underscore为_,leftcurlybracket为{等等),即可得到最终的flag。
完整代码
from PIL import Image
img_name = 'not_art.png'
try:
img = Image.open(img_name) # Return an Image object
except:
print ('Put not_art.png file on this directory')
exit(1)
pixels = img.load()
processed_rgb = []
rgb_decoded = []
first = 0
last = 29
while first*10+5 < 135: #Just follow the lines of the image each 10 pixels (blocks)
for i in range(first, last+1):
processed_rgb.append(pixels[i*10+5,first*10+5])
for i in range(first+1, last+1):
processed_rgb.append(pixels[last*10+5,i*10+5])
for i in reversed(range(first, last)):
processed_rgb.append(pixels[i*10+5,last*10+5])
for i in reversed(range(first+2, last)):
processed_rgb.append(pixels[first*10+5,i*10+5])
processed_rgb.append(pixels[(first+1)*10+5,(first+2)*10+5])
first += 2
last -= 2
processed_rgb.append(pixels[145,145])
processed_rgb.append(pixels[155,145])
processed_rgb.append(pixels[155,155])
for i in range(len(processed_rgb)):
temp = 0
for j in range(3): # Conversion to base 3
if processed_rgb[i][j] == 192:
temp += 1*(3**(2-j))
if processed_rgb[i][j] == 255:
temp += 2*(3**(2-j))
rgb_decoded.append(chr(97+((temp+12)%26))) # ROT+13 decode + ascii decode
message = "".join(rgb_decoded)
message = message.replace("underscore", "_")
message = message.replace("leftcurlybracket", "{")
message = message.replace("rightcurlybracket", "}")
message = message.replace("exclamationmark", "!")
message = message.replace("lowercase", "")
while message.find("uppercase") != -1:
array = list(message)
array[message.find("uppercase") + 9] = array[message.find("uppercase") + 9].upper()
message = "".join(array)
message = message.replace("uppercase", "", 1)
message = message.replace("htb", "HTB").replace("eof", "")
print(message)
