Open in app

Sign in

Write

Sign in

N1GHTMAR3
3 min readJan 27, 2021

HackThisSite Stego Mission 13 writeup

For this solution, we need to understand how the signature of a file works. First, we need to open the file in a hex editor like HxD, and it will show something like this when we will open the image in hex editor.

The first two bytes In HEX 42 4D declares that it is a BMP file. All file contains their signature value that declares if it is zip or PNG or BMP etc. In here we can see it’s a BMP file as its values are 42 4D. Then we will look for the next 8 bytes. This declares the file size in hexadecimal value. But the tricky part is we have to count it backwards. So 76 37 00 00 00 00 00 00 it will become 00 00 00 00 00 00 37 76. When we convert the value in Decimal we will see the original value.

So the actual value of the file is 14198 bytes. But when we will go to the properties we will see the actual value of the file much more than that. So there is some extra strings or null byte added on this file that is working as a cover-up and hiding the password. So when we dig deeper into that file we see some strings like this “I thought what I’d do was, I’d pretend I was one of those deaf-mutes” and there is some null byte after it and then ending with “I thought what I’d do was, I’d pretend I was one of those deaf-mutes” this again.

So this may be the reason that is bulking the file size and working as a cover. Now we have to remove all the beginning and ending of the string followed by the null bytes like I marked blue in the above picture using the hex editor. Don’t delete all the null bytes of the file. Null bytes are important for an image file to work. After removing all of them the and saving it the picture will become clear and you will get the flag.

So now you guys might ask why did I talk about signature and counted file size where I could have just told you to open the file in a hex editor and delete the strings followed by the null bytes. And boom! You guys would have gotten the flag. Normally we are used to using file command in Linux to check the actual file format. But how does computer understand it? They actually read the signature to determine what is the file type. The main point is not to always depend on automation tools like Steghide or Stegoveritas etc. Sometimes people can use covers on a file by adding random strings followed by null bytes. We won’t be able to identify them unless we know how a file signature works.

N1GHTMAR3

Written by N1GHTMAR3

86 Followers

Hey. It’s me. Orin. I am a medical student but doing Bug Bounty for fun

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams