HackThisSite Stego Mission 13 writeup
For this solution, we need to understand how a file signature works. First, open the file in a hex editor such as HxD; the image will look something like this.
The first two bytes, 42 4D in hex, declare that it is a BMP file. Every file format has a signature value that declares whether the file is a ZIP, a PNG, a BMP and so on. Here we can see it's a BMP file because its first bytes are 42 4D. Next, look at the following 8 bytes. They declare the file size as a hexadecimal value. The tricky part is that we have to read the bytes backwards, so 76 37 00 00 00 00 00 00 becomes 00 00 00 00 00 00 37 76. Converting that value to decimal gives the original size.
So the size the file declares is 14198 bytes. But when we open the file's properties, we see that its size on disk is much larger than that. So some extra strings or null bytes have been added to this file, working as a cover-up and hiding the password. When we dig deeper into the file we see a string like this, “I thought what I’d do was, I’d pretend I was one of those deaf-mutes”, followed by some null bytes and then ending with “I thought what I’d do was, I’d pretend I was one of those deaf-mutes” again.
This may be what is bulking up the file size and working as a cover. Now we have to use the hex editor to remove every block that begins and ends with the string and has null bytes in between, like the one I marked in blue in the picture above. Don't delete all the null bytes in the file. Null bytes are important for an image file to work. After removing all of the blocks and saving the file, the picture will become clear and you will get the flag.
So now you might ask why I talked about signatures and worked out the file size when I could have just told you to open the file in a hex editor and delete the strings followed by the null bytes. And boom! You would have gotten the flag. Normally we are used to running the file command in Linux to check the actual file format. But how does the computer understand it? It reads the signature to determine the file type. The main point is not to always depend on automation tools like Steghide or Stegoveritas. Sometimes people put a cover on a file by adding random strings followed by null bytes. We won't be able to identify them unless we know how a file signature works.
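The size check and string hunt described above can be scripted. The Python below is an added example, not part of the original writeup: it reads the 4-byte little-endian size field at offset 2 of the BMP header (the four reserved bytes after it are zero in the dump above, so reading all 8 bytes gives the same number) and lists long printable runs with the null bytes that follow them. The function names, the placeholder marker string and the sample image are constructed for illustration and are not the mission file.

```python
import re
import struct

MARKER = b"CONSTRUCTED-COVER-STRING"  # placeholder, not the mission's text

def bmp_declared_size(data: bytes) -> int:
    """Size the header claims: uint32, little-endian, at offset 2."""
    if len(data) < 14 or data[:2] != b"BM":  # 42 4D signature
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", data, 2)[0]

def find_text_runs(data: bytes, min_len: int = 16):
    """Return (offset, text, nulls_after) for long printable-ASCII runs."""
    runs = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        tail = data[m.end():]
        nulls = len(tail) - len(tail.lstrip(b"\x00"))  # null padding after run
        runs.append((m.start(), m.group().decode("ascii"), nulls))
    return runs

def audit(data: bytes) -> dict:
    """Compare declared vs. actual size and list embedded text runs."""
    declared = bmp_declared_size(data)
    return {"declared": declared, "actual": len(data),
            "excess": len(data) - declared,
            "text_runs": find_text_runs(data)}

def build_sample() -> bytes:
    """Constructed 69x68 24-bit BMP (14198 bytes) with a cover blob spliced in."""
    file_hdr = struct.pack("<2sIHHI", b"BM", 14198, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 69, 68, 1, 24, 0, 14144, 0, 0, 0, 0)
    pixels = b"\x00\xff" * 7072  # non-printable filler standing in for pixels
    cover = MARKER + b"\x00" * 64 + MARKER
    return file_hdr + info_hdr + pixels[:7000] + cover + pixels[7000:]

if __name__ == "__main__":
    report = audit(build_sample())
    print(f"declared={report['declared']} actual={report['actual']} "
          f"excess={report['excess']}")
    for off, text, nulls in report["text_runs"]:
        print(f"0x{off:06x}: {text!r} followed by {nulls} null byte(s)")
```

A non-zero excess together with a repeated text run is the cue to inspect those offsets in the hex editor; real pixel data can occasionally contain short printable runs, which is why the minimum run length is adjustable.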