This stego challenge was pretty fun. It took me a bit of time to figure out the last parts, but I definitely learned a little bit more about how to attack challenges like these! Let’s get into it.
The only file provided was a PNG with three characters (Figure 1). The first thing to check, of course, is the image metadata. I pulled up fotoforensics.com, uploaded the image and pulled up the image metadata info (Figure 2). Conveniently, there was a tag called ‘Hint’, which linked to yet another PNG over on imgur. I pulled that image down and repeated the process above, but nothing else was revealed.
It was at this point my eyes glazed over and I got sucked into a maelstrom of steganography and digital forensics tools for a short while. Honestly, I wasn’t too sure which direction I should go. I eventually put two and two together: could it be as simple as doing a file diff between the two images? I researched diffing binary files and finally settled on compare, which is: “The compare program is a member of the ImageMagick(1) suite of tools. Use it to mathematically and visually annotate the difference between an image and its reconstruction.”
This sounded promising! I looked up how to diff two images and magically, a third image was the result (Figure 3)!
compare stego100.png hint.png -compose src diff.png
QR Code, sweet. I uploaded it to zxing (Figure 4), where I was then able to grab the flag!
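The image diff step above, as an added example that is not part of the original write-up: a pixel-wise comparison of a cover image and a modified copy, rendered as a black-and-white mask. The rasters, the pattern and the one-bit blue-channel change are constructed sample data and an assumption for illustration; the challenge's actual encoding is not stated on the page.

```python
# Added example: pixel-wise diff of a cover image and its modified copy.
# Rasters are lists of rows of (R, G, B) tuples; all sample data is constructed.

def diff_mask(a, b, tolerance=0):
    """1 where any channel differs by more than `tolerance`, else 0."""
    if len(a) != len(b) or any(len(ra) != len(rb) for ra, rb in zip(a, b)):
        raise ValueError("images must have identical dimensions")
    return [[int(any(abs(x - y) > tolerance for x, y in zip(pa, pb)))
             for pa, pb in zip(ra, rb)]
            for ra, rb in zip(a, b)]

def bounding_box(mask):
    """(left, top, right, bottom) of the changed region, or None if identical."""
    hits = [(x, y) for y, row in enumerate(mask) for x, v in enumerate(row) if v]
    if not hits:
        return None
    xs, ys = zip(*hits)
    return min(xs), min(ys), max(xs), max(ys)

def to_pbm(mask):
    """Plain PBM (P1) text: changed pixels are black, everything else white."""
    rows = [" ".join(map(str, row)) for row in mask]
    return "P1\n%d %d\n%s\n" % (len(mask[0]), len(mask), "\n".join(rows))

# Constructed sample: a 6x6 gradient "cover" and a copy whose blue channel
# is nudged by 1 wherever PATTERN is set (a change invisible to the eye).
PATTERN = ["000000",
           "011110",
           "010010",
           "010010",
           "011110",
           "000000"]
COVER = [[(40 * x, 40 * y, 100) for x in range(6)] for y in range(6)]
MODIFIED = [[(r, g, b ^ int(PATTERN[y][x])) for x, (r, g, b) in enumerate(row)]
            for y, row in enumerate(COVER)]

if __name__ == "__main__":
    mask = diff_mask(COVER, MODIFIED)
    print("changed region:", bounding_box(mask))
    print(to_pbm(mask))
```

Saving the printed PBM text to a file gives an image most viewers can open. Raising `tolerance` suppresses small differences such as recompression noise, at the cost of also hiding one-bit changes like the one in this sample.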