Hacking OWASP’s Juice Shop Pt. 43: Steganography

Challenge: 

Name: Steganography

Description: Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)

Difficulty: 4 star

Category: Security Through Obscurity

Expanded Description: https://pwning.owasp-juice.shop/part2/security-through-obscurity.html

Tools used:

OpenStego, StegHide, exiftool

Resources used:

None.

Methodology: 

Steganography both fascinates and confuses me. The idea of hiding data in plain sight with only a trivial chance of it being detected is something I like for some reason. That it’s not just limited to photos, but also video and audio is just icing on the cake. I remember distinctly solving the “Milkshake” stego challenge on hackthebox.eu and being dumbfounded at how borderline-impossible that would be for a casual audiophile to discover. Naturally, then, this was a challenge I had been looking forward to for a while. I even had an idea of where to start.

Nothing useful available here! ( 
der@ju e-sh.op)

This review, “Nothing useful available here!”, has always bugged me. Assuming this was related to this specific challenge, I opted to download all of these images and dig through them. As they can’t be save directly, you must inspect the page, find the image file locations, and download them manually.

- GIMP 
File 
[I] (imported)-2.O (RG B color 8-bit gamma integer, G I M P bu ilt-in sRG B, I layer) 400x300 
Edit Select View Image Layer Colors Tools Filters Windows Help 
1. 
2. Hardness 050 (51 51) 
Basic, 
Current layer only 
Delete cropped pixels 
Allmv g rcwing 
Expand from center 
Fixed Aspect ratio v 
400:300 a D 
Position: 
Mode 
10.0 
Normal v 
100.0 
v 
100% 
v l.jpg (1.1 MB)

Looking through the files with GIMP, nothing really jumped out at me. I tried StegoHide as well, but without a passphrase there was no way to extract potentially hidden data from any of the files. One thing jumped out at me, though. All but one of the image files was in .jpg format, with one outlier in .png.

Yea no-star-inserted 
title="" style=" backg round-image: 
repeat: no- repeat; event' 
ng-star-inserted 
title="" style=" backg round- image: 
repeat: no- repeat; 
rig-star-inserted 
title="" style=" backg round- image: 
repeat: no- repeat; 
no-star-inserted 
left-side right-side slide-out-right " 
url( 
•assets/public/ images/carousel/l 
left-side right-side slide-out- right " 
url( 
•assets/public/ images/carouseI/2. 
left-side right-side slide-out-right " 
url( 
•assets/public/ images/carouseI/3. 
ngconn 
ngconn 
ngconn 
selected slide-in-left" ngcontent c126="' 
urI( "assets/ public/ images/carouseI/4. jpg" )mround-posit: 
no- repeat; " > c/a> event 
title="" 
title="" style=" backg round- image: 
repeat: no- repeat; •event 
ng-star-inserted 
left-side right-side slide-out-right" 
ngcont' 
round- image: url •assets/pubIic/irnages/carouseI/5. png"Lr01 
event 
ng-star-inserted 
left-side right-side slide-out- right" 
•assets/public/ images/carouseI/6. jpg" 
url(
Outliers deserve attention.

Since I knew that StegoHide wasn’t the right tool, I opened OpenStego and attempted to find hidden data in the .png file.

File 
Digit 
Help 
Data Hiding 
Hide Data 
Open Stego 
Extract hidden data 
Input Stego File 
/home/Colby/Pictures/5.png 
Output Folder for Message File 
Success 
Message file successfully extracted from the Cover file: J7RbRp1D5XDM5LlNxOTdgeFX_o.png 
Embed Watermark 
Verify Watermark

Success! Here’s the image hidden in the PNG file:

Now just submit the Customer Feedback form with the character’s name in the Comment section and you’re done!

Customer Feedback 
• Author — 
Comment 
I'm Pickle Rick! 
O Max. 160 characters 
Rating 
CAPTCHA: 
-10 
What is 
4-7*2 ? 
Submit
You successfully solved a challenge: Steganography (Rat out a notorious character 
hiding in plain sight in the shop. (Mention the exact name of the character)) 
x

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s