Access Granted

Steganography [450pts]

Description:

Agent,

Do you recall the C2 group exfiltrating data we were tracking last year? Well, as it turns out, we’ve managed to corroborate their activities with APT-47 nicknamed ‘The Engineers’. Their operations span across a wide range of industries, including disrupting SCADA systems and stealing corporate data.

Recently, they’ve been leaking unreleased tracks from various media groups. A Canadian firm, which suffered a fresh leak, has requested us to take a look. Over the past few days, our analysts have combed through network data trying to identify which computers or servers may have been compromised and used.

In order to bypass detection from IDS/DLP signatures, we think they’re somehow extracting these tracks by hiding them in existing music videos so it blends in with usual traffic. We’ve attached a video that we believe is going to one of their IP addresses. Can you take a look?


We are given an mp4 file that is 46MB. Looking at the file in a hex editor, we see a password at the bottom of the file that we will need later:

password{guitarmass}

I couldn’t find anything interesting in this mp4 by the usual means. binwalk reported a MySQL index file, a JPEG and a PNG, but the challenge creator confirmed these were false positives. So, looking up video steganography techniques, I found one option that the challenge creator had indicated was a rare technique: TCSteg

Paper: https://dl.acm.org/doi/pdf/10.1145/2978178.2978181?download=true

It turns out that TCSteg works by embedding a hidden volume inside an mp4 file. To try this out, I looked for tools that can open hidden volumes. One option was TrueCrypt, but it was discontinued around 2014, so the other option was its maintained successor: VeraCrypt.

Using VeraCrypt, we mount the file as a volume with the password we found: guitarmass

Looking at the mounted A: drive, we see an image displaying our flag:

Cheap Facades

Steganography [400pts]

Description: We’ve found a JPEG, but it doesn’t seem to open in any of our editors. Can you see what’s going on?

We are given a flag.jpg that won’t open in any photo viewer. Looking at it in a hex editor, we see some strange things.

The file has a JFIF marker in its header (as a JPEG would), but also IHDR and IDAT chunks (which belong to PNGs). It seems that the header is broken and the file is not really a JPEG but a PNG; there is even an IEND chunk at the very end of the file.

The next step is to replace the broken header with a valid PNG header. Valid PNG headers look like this:

After replacing the broken header with a valid PNG header, we run pngcheck, only to find that the image has invalid dimensions of 0x0. This is the same problem as in Dimensionless Loading (https://elnath.io/2020/06/09/dimensionless-loading/) and requires the same fix.

I used the same Python script as I did for Dimensionless Loading:

After letting it run, the dimensions turned out to be 420 x 69.

Dimensionless Loading

Steganography [250pts]

Description: This PNG looks to be valid, but when we open it up nothing loads. Any ideas?

We are given an image that will not open. Running pngcheck, we see that the image has invalid dimensions of 0x0. Viewing it in a hex editor, the bytes where the width and height should be are all zero.

Intuitively we would want to fill in some dimensions, but doing so on its own will no longer match the stored CRC values and the image stays broken. The intended solution is to work back from the CRC value to a valid dimension, but I ended up brute-forcing it anyway.

I wrote a small Python script to brute-force the dimensions: for each candidate pair it writes a new image and runs pngcheck to see whether the result is valid:

After letting it run for a while, the valid dimensions came out as 1378 x 363:
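The IHDR repair used in Cheap Facades and Dimensionless Loading, as an added example rather than the writeup’s own script: instead of writing a candidate file and running pngcheck for every width/height pair, it recomputes the IHDR CRC-32 (which covers the chunk type and data) for each pair until it matches the CRC stored in the file, i.e. the "work back from the CRC" route mentioned above, and also restores the PNG signature over a JFIF-style header. The `max_side` search bound, the 8-bit RGBA defaults in `build_ihdr` and the constructed sample file are assumptions, not values from the challenge files.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte signature every valid PNG starts with

def build_ihdr(width, height, bit_depth=8, color_type=6):
    """Build a complete IHDR chunk: length, type, 13 data bytes, CRC-32."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data)  # the CRC covers type + data, not the length
    return struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)

def fix_signature(png_bytes):
    """Cheap Facades: overwrite a wrong leading header (the JFIF one) with the PNG signature."""
    return PNG_SIGNATURE + png_bytes[8:]

def recover_dimensions(png_bytes, max_side=2000):
    """Dimensionless Loading: find the width/height pair whose IHDR CRC equals the stored one.
    Only the 8 dimension bytes are varied; max_side is an assumed search bound (None if no match).
    """
    if png_bytes[:8] != PNG_SIGNATURE:
        raise ValueError("missing PNG signature; run fix_signature first")
    if png_bytes[8:16] != b"\x00\x00\x00\x0dIHDR":
        raise ValueError("first chunk is not a well-formed IHDR")
    tail = png_bytes[24:29]  # bit depth, colour type, compression, filter, interlace
    stored_crc = struct.unpack(">I", png_bytes[29:33])[0]
    for width in range(1, max_side + 1):
        # CRC-32 can be continued, so "IHDR" + width is hashed once per outer loop.
        prefix = zlib.crc32(b"IHDR" + struct.pack(">I", width))
        for height in range(1, max_side + 1):
            if zlib.crc32(struct.pack(">I", height) + tail, prefix) == stored_crc:
                return width, height
    return None

def patch_dimensions(png_bytes, width, height):
    """Rewrite the IHDR width/height in place; the stored CRC is left as it is."""
    return png_bytes[:16] + struct.pack(">II", width, height) + png_bytes[24:]

def repair_png(png_bytes, max_side=2000):
    """Both fixes in order: restore the signature, then recover and patch the dimensions."""
    fixed = fix_signature(png_bytes)
    dims = recover_dimensions(fixed, max_side)
    if dims is None:
        raise ValueError("no width/height up to max_side matches the IHDR CRC")
    return patch_dimensions(fixed, *dims), dims

if __name__ == "__main__":
    # Constructed sample: an IHDR for 420 x 69 with zeroed dimensions behind JFIF-like bytes.
    good = PNG_SIGNATURE + build_ihdr(420, 69)
    broken = b"\xff\xd8\xff\xe0\x00\x10JF" + good[8:16] + bytes(8) + good[24:]
    print(repair_png(broken, max_side=500)[1])  # (420, 69)
```

On a real file, read it with `open(path, "rb").read()`, pass it to `repair_png`, and write the returned bytes out before running pngcheck once to confirm.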

Cut Short

Steganography [200pts]

Description: This image refuses to open in anything, which is a bit odd. Open it for the flag!

We are given a .png image that does not open in anything we try. Looking at the image in a hex editor, we see a major flaw:

The IEND chunk is supposed to be the very last chunk of a valid PNG, yet here one appears before the end of the file. Replacing this block with 0’s allows us to view our flag:

A Musical Mix-up

Steganography [200pts]

Description: One of our guys found a strange midi file lying around on our servers. We think there might be some hidden data in it. See if you can help us out!

We are given a MIDI file (challenge.mid) that plays a simple sequential tune. When we convert it to text using an online MIDI-to-text tool, we see some interesting values:

http://flashmusicgames.com/midi/mid2txt.php

The numbers on the right look especially interesting. I suspected they were ASCII decimal values, and it turns out that they do spell out the flag:

114 97 99 116 102 123 102 53 48 99 49 51 116 121 95 108 51 118 101 108 95 53 116 51 103 33 125

Flag: ractf{f50c13ty_l3vel_5t3g!}