Hyperion Gray Steganography Challenge Write-up

Hello reader!

I’m Spieler from the Philippines and this is my first challenge writeup.

I recently participated in a Twitter challenge hosted by Hyperion Gray, a company I was following on my personal Twitter account and one that really piqued my interest. They are a team of very cool people backed by DARPA to conduct research and build awesome stuff using open source stacks!

Anyway, onto the write-up!

Beginning of the Challenge

The challenge started with the following tweet:

Source: https://twitter.com/HyperionGray/status/1096497142334664706

Accessing the link to imgur.com resulted in this image:

Source: https://imgur.com/a/J3qISxU

Since tools such as binwalk, exiftool, file, foremost, stegdetect and unzip did not give any relevant information about the image (which is information in itself: those were not the right tools to use on it), I decided to open the image in Stegsolve by Caesum and saw the following URL to GitHub:

Hidden GitHub Repository: https://github.com/5C4R48Security/HGStegoChallenge

It was relatively simple to reach this point through the command line (especially since I used Kali Linux):

mkdir /root/Documents/HyperionGray; cd /root/Documents/HyperionGray
wget https://i.imgur.com/3QrJhIA.jpg
wget http://www.caesum.com/handbook/Stegsolve.jar
# Open 3QrJhIA.jpg in Stegsolve
# Browse through the various color planes of the image
java -jar Stegsolve.jar
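As an added illustration (not part of the original write-up, and not Stegsolve's own code), the following Python shows what Stegsolve's plane browser does: it isolates one bit of one colour channel for every pixel and renders the result as black and white. The 8x8 image is constructed in code, with a pattern written into the red LSB that the full-colour view would not reveal.

```python
# Constructed cover: an 8x8 RGB image held as a flat list of (r, g, b) tuples.
WIDTH, HEIGHT = 8, 8
RED, GREEN, BLUE = 0, 1, 2

def make_sample():
    """Smooth grey ramp whose red LSB carries a '+' shape; to the eye it matches the clean ramp."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = 100 + 2 * (x + y)                 # even values: every LSB starts at 0
            hidden = 1 if (x == 3 or y == 3) else 0  # the pattern hidden in the red LSB
            pixels.append((base | hidden, base, base))
    return pixels

def bit_plane(pixels, channel, bit):
    """Extract bit number `bit` (0 = LSB) of one channel for every pixel, as rows of 0/1.
    Stegsolve renders exactly this (1 white, 0 black) for each plane you step through."""
    return [[(pixels[y * WIDTH + x][channel] >> bit) & 1 for x in range(WIDTH)]
            for y in range(HEIGHT)]

def render(plane):
    """ASCII view of a plane: '#' for set bits, '.' for clear bits."""
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)

def max_neighbour_delta(pixels, channel):
    """Largest change of one channel between horizontal neighbours; small means a smooth ramp."""
    return max(abs(pixels[y * WIDTH + x + 1][channel] - pixels[y * WIDTH + x][channel])
               for y in range(HEIGHT) for x in range(WIDTH - 1))

if __name__ == "__main__":
    img = make_sample()
    print("red channel changes by at most", max_neighbour_delta(img, RED), "between neighbours")
    print(render(bit_plane(img, RED, 0)))    # the '+' appears only in this plane
    print()
    print(render(bit_plane(img, GREEN, 0)))  # untouched channel: all '.'
```

Stepping through the higher planes of the same image shows only the ramp, which is why the hidden URL in the challenge image was visible in one plane and absent from the others.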

After finding the hidden URL:

git clone https://github.com/5C4R48Security/HGStegoChallenge; cd HGStegoChallenge

The GitHub Repository contains one file to lead challengers astray and two important files to complete the challenge:

Source: https://github.com/5C4R48Security/HGStegoChallenge

The file to lead challengers astray (ast..ley?): README.md

README.md contained the following line of text:

Arire tbaan tvir lbh hc Arire tbaan yrg lbh qbja Arire tbaan eha nebhaq naq qrfreg lbh Arire tbaan znxr lbh pel Arire tbaan fnl tbbqolr Arire tbaan gryy n yvr naq uheg lbh

Since it looks like the output of a well-known substitution cipher (ROT13), I ran it through CyberChef by GCHQ and immediately found out that this … is indeed a Rickroll:

Never gonna give you up Never gonna let you down Never gonna run around and desert you Never gonna make you cry Never gonna say goodbye Never gonna tell a lie and hurt you

At this point, it was sort of a mind game:

  • The message clearly said that “The following isn’t relevant”
  • It really is irrelevant
  • MaYbE I sHoUlD bELieVe tHeM
  • There is another text file called “NothingToSeeHere.txt”
  • It really seems that there is nothing to see
  • MaYbE I sHoUlD bELieVe tHeM
  • … Or should I?
My Brain: MaYbE I sHoUlD bELieVe tHeM

Of course, I believed them for a while, but then decided to look again :P

The file containing the flag: secretmap.jpg

Running binwalk on secretmap.jpg allowed me to extract 4 other files:

Contents of secretmap.jpg

Extracted files:
1. 53cr3t5/.DS_Store
2. 53cr3t5/hglogosteg.jpg
3. __MACOSX/53cr3t5/._.DS_Store
4. __MACOSX/53cr3t5/._hglogosteg.jpg
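Added example (not from the write-up and not binwalk's code): a small Python carver for the structure binwalk found in secretmap.jpg, a ZIP archive appended after the JPEG end-of-image marker. The JPEG bytes and the member contents are constructed placeholders; only the member names follow the real extraction.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"          # start of image
JPEG_EOI = b"\xff\xd9"          # end of image: bytes after this are not picture data
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def build_sample() -> bytes:
    """Constructed stand-in for secretmap.jpg: a JPEG-like blob with a ZIP glued onto its end."""
    jpeg = (JPEG_SOI
            + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 segment
            + b"\x00" * 32 + JPEG_EOI)                                          # stand-in for scan data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Same member layout as the real extraction; contents are placeholders.
        zf.writestr("53cr3t5/.DS_Store", b"placeholder DS_Store")
        zf.writestr("53cr3t5/hglogosteg.jpg", JPEG_SOI + b"\x00" * 8 + JPEG_EOI)
        zf.writestr("__MACOSX/53cr3t5/._.DS_Store", b"placeholder AppleDouble")
        zf.writestr("__MACOSX/53cr3t5/._hglogosteg.jpg", b"placeholder AppleDouble")
    return jpeg + buf.getvalue()

def carve_zip(data: bytes):
    """Return (offset, {member: bytes}) for a ZIP that follows the JPEG EOI marker, or (-1, {})."""
    if not data.startswith(JPEG_SOI):
        return -1, {}
    eoi = data.find(JPEG_EOI, len(JPEG_SOI))
    if eoi == -1:
        return -1, {}
    # Caveat: an EXIF thumbnail is itself a JPEG with its own EOI, so a robust carver walks the
    # segment headers instead of trusting the first FF D9; for an appended archive this suffices.
    start = data.find(ZIP_LOCAL_HEADER, eoi + len(JPEG_EOI))
    if start == -1:
        return -1, {}
    # Slicing at the local header keeps the central directory offsets valid for a plain append.
    with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
        members = {name: zf.read(name) for name in zf.namelist()}
    return start, members

if __name__ == "__main__":
    blob = build_sample()
    offset, members = carve_zip(blob)
    print(f"ZIP found at offset {offset}, {len(members)} members:")
    for name in members:
        print("  ", name)
```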

Although I was immediately interested in hglogosteg.jpg, I decided to check the contents of the other files first to see what information they contained.

Contents of the 3 other extracted files

1. 53cr3t5/.DS_Store
Since .DS_Store is a file that contains folder-specific metadata, it is likely that the folder 53cr3t5 used to contain the following files:
- hglogosteg.jpg
- hyperiongraylogo.jpg

2. __MACOSX/53cr3t5/._.DS_Store
This file did not contain much information.

3. __MACOSX/53cr3t5/._hglogosteg.jpg
Found two links:
- https://futureboy.us/stegano/encode.pl
- https://futureboy.us/stegano/encinput.html

The first link did not show much information but the second link suggested that steghide was used.

Source: https://futureboy.us/stegano/encinput.html

My attempts to use the decoder or steghide on hglogosteg.jpg without a password failed; if steghide was the intended tool for this file, I would need the password.

The file containing the password: NothingToSeeHere.txt

I went back and decided to check the other file:

Contents of NothingToSeeHere.txt

At first glance, the text really does look like nonsense jumbled together. But having encountered something similar before, I thought of “Unicode Steganography” and checked my notes for the tool I had used on a different challenge. It did produce some output (gibberish), so I knew I might be onto something:

Source: https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder

I decided to gather and read more by doing a quick Google search for “Unicode Steganography Decoder”, which led me to the following link: http://zderadicka.eu/hiding-secret-message-in-unicode-text/

Google search with terms: "Unicode Steganography Decoder"

Reading through the article, one line in particular caught my eye, as it looked very similar to the text in “NothingToSeeHere.txt”. There’s definitely something to see here! :D

Source: http://zderadicka.eu/hiding-secret-message-in-unicode-text/

I did another Google search, this time with the terms “Homoglyph Steganography”, and fortunately found the link that would lead me to the password:

Google search with terms: "Homoglyph Steganography"

This wonderful link is what led me to the password:

Source: http://holloway.co.nz/steg/

Password: st3g0iz1337
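Added example (my own toy scheme, not the exact encoding used by the holloway.co.nz or zderadicka.eu tools): a homoglyph stego encoder and decoder in Python, together with the check a defender would run over a file like NothingToSeeHere.txt, which flags Cyrillic lookalikes sitting inside otherwise Latin text. The cover sentence, the lookalike table and the one-bit-per-letter rule are all constructed.

```python
import unicodedata

# Constructed table: one Cyrillic lookalike per Latin letter (a small subset of Unicode confusables).
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440",
              "x": "\u0445", "y": "\u0443", "i": "\u0456", "s": "\u0455", "j": "\u0458"}
LOOKALIKE_TO_ASCII = {v: k for k, v in HOMOGLYPHS.items()}

# Constructed cover text; only lowercase letters present in HOMOGLYPHS can carry a bit.
COVER = "There is nothing to see here, just a plain note in the repository. " * 4

def to_bits(payload: str):
    for byte in payload.encode("utf-8"):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def encode(cover: str, payload: str) -> str:
    """Toy scheme: a carrier letter stays ASCII for a 0 bit or becomes its Cyrillic twin for a 1 bit.
    A NUL byte terminates the payload so the decoder knows where to stop."""
    bits = list(to_bits(payload + "\0"))
    out, pos = [], 0
    for ch in cover:
        if ch in HOMOGLYPHS and pos < len(bits):
            out.append(HOMOGLYPHS[ch] if bits[pos] else ch)
            pos += 1
        else:
            out.append(ch)
    if pos < len(bits):
        raise ValueError(f"cover offers {pos} carrier letters, payload needs {len(bits)}")
    return "".join(out)

def decode(stego: str) -> str:
    """Read one bit per carrier letter and rebuild bytes until the NUL terminator."""
    bits = [0 if ch in HOMOGLYPHS else 1
            for ch in stego if ch in HOMOGLYPHS or ch in LOOKALIKE_TO_ASCII]
    data = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = int("".join(map(str, bits[i:i + 8])), 2)
        if byte == 0:
            break
        data.append(byte)
    return data.decode("utf-8", errors="replace")

def suspicious_chars(text: str):
    """Defender's check: non-ASCII characters that render like Latin letters, with their Unicode names.
    NFKC normalisation does not fold Cyrillic to Latin, so mixed scripts in one word is the signal."""
    return [(i, ch, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in LOOKALIKE_TO_ASCII]

if __name__ == "__main__":
    stego = encode(COVER, "st3g0iz1337")
    print(len(suspicious_chars(stego)), "lookalike characters flagged in text that looks unchanged")
    print("recovered:", decode(stego))
```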

Getting the Flag & Hashes

Since the steg file and password were found, the flag can be obtained:

steghide extract -sf hglogosteg.jpg -p st3g0iz1337
cat steganopayload28871.txt
Flag is: <hgst4g0>

I could verify that the flag was indeed correct by checking that it produced the same hash submitted by the first two challengers on Twitter. I resorted to using an online tool to check and verify.

Source: https://passwordsgenerator.net/sha1-hash-generator/

I later found the right method for generating a SHA1 hash via command line from this link:

Source: https://albertech.blogspot.com/2011/08/generate-sha1-hash-from-command-line-in.html

Conclusions & Lessons Learned

It was a fun challenge! I really enjoyed it!

The solution seems so simple but in reality, one needs to spend a lot of time and effort to understand and reach it.

Some blunders I made that cost me a good couple of hours:

  1. Trying to get the hidden message from hglogosteg.jpg without a password

    • I had encountered a different challenge where I was given 2 jpg files (the original and the modified file) and had to take the difference of the two (resulting in another jpg containing the hidden message) and open it in another tool to retrieve the base64 encoded flag. I spent a lot of time trying to do the same thing with this challenge
    • I compared hglogosteg.jpg with hyperiongraylogo.jpg found in this commit to generate a new image which I thought should contain the flag: https://github.com/5C4R48Security/HGStegoChallenge/commit/4dcd1efef668e10eea2e80d5b95a7520662ffe6d
  2. Not actually trying to understand the given information / hints

    • Failing to realize the possibility that encryption was used on the embedded data for this challenge
    • Installing and trying multiple steganography tools HOPING they would work, without understanding why they would or would not work on the steg file, given the information I had
    • I only realized after some time that the links found in __MACOSX/53cr3t5/._hglogosteg.jpg were actually hints pertaining to the use of steghide
  3. Ideas can come from unexpected places

    • I did not realize the possibility that the embedded message was encrypted and that steghide can and does encrypt the message until I saw the description for gosteg in GitHub:
      • “Image steganography with AES encryption”
    • I would not have thought of gosteg had I not noticed that the line in 53cr3t5/.DS_Store resembled a command:
      gosteg hglogosteg.jpg hyperiongraylogo.jpg