Notes on CTF image steganography

Methods for separating files hidden inside CTF images

Foreword

You can first open the file in a tool such as WinHex to check whether it really is an image by looking at its header information; a JPEG, for example, has a characteristic application data block marked FF E0 right after the start marker. Alternatively, run binwalk directly on the image to see whether anything else is hiding inside it.

binwalk separation

 Command: binwalk -e <image path>

foremost separation

  Command: foremost <image path>       # creates an output folder in the image's directory; the separated files are written there.

dd separation

  Command: dd if=<image to split>.jpg of=<extracted image>.jpg skip=<offset> bs=1

How to find the flag hidden in an image

First we need to analyze the image. The tool used here is binwalk; to learn more about it, see the article "Binwalk: a backdoor (firmware) analysis tool" as well as the overview and usage introduction on the official Kali site.

Here we use it in its simplest form: give binwalk the path and file name of the file (firmware or, as here, an image) to analyze:
binwalk carter.jpg
Once binwalk has revealed the hidden information, the next step is to separate out the other JPEG. Several methods are discussed below:

(1) Separating with the dd command (Linux/Unix)

We can use the dd command to separate the hidden file:
dd if=carter.jpg of=carter-1.jpg skip=140147 bs=1
See the detailed description of the dd command for reference. Here if specifies the input file, of specifies the output file, skip specifies how many blocks to skip from the start of the input file before copying begins (140147 here), and bs sets the size of each block read to 1 byte.
Finally we obtain carter-1.jpg, the second picture:
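As an added example (not part of the original post), here is a small Python script that does the two steps above in one place: it scans a file for known magic numbers the way binwalk does, and then carves the data at a chosen offset the way dd if=... of=... skip=N bs=1 does. The signature table, the sample bytes and the function names are my own constructions; the real binwalk uses a much larger signature database.

```python
"""Mini binwalk + dd: find embedded file signatures and carve at an offset.
Added example; the signature table and sample data are constructed here."""

# Subset of magic numbers binwalk would report (constructed for this example)
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image data",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF8": "GIF image data",
    b"PK\x03\x04": "Zip archive data (local file header)",
    b"Rar!\x1a\x07": "RAR archive data",
}


def scan_signatures(data: bytes):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(data: bytes, skip: int, bs: int = 1, count=None) -> bytes:
    """Python equivalent of `dd if=IN of=OUT skip=SKIP bs=BS [count=COUNT]`:
    skip SKIP blocks of BS bytes, then copy COUNT blocks (or to the end)."""
    start = skip * bs
    if count is None:
        return data[start:]
    return data[start:start + count * bs]


def print_report(data: bytes) -> None:
    """Print hits in binwalk's DECIMAL / HEXADECIMAL / DESCRIPTION layout."""
    print(f"{'DECIMAL':<12}{'HEXADECIMAL':<14}DESCRIPTION")
    for off, desc in scan_signatures(data):
        print(f"{off:<12}{'0x%X' % off:<14}{desc}")


# Constructed sample standing in for carter.jpg: two minimal JPEG-like blobs
# glued together (no real image data, only markers and padding).
FIRST_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
HIDDEN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 8 + b"\xff\xd9"
SAMPLE = FIRST_JPEG + HIDDEN_JPEG
HIDDEN_OFFSET = len(FIRST_JPEG)  # 33 here; this is the value dd's skip= receives


if __name__ == "__main__":
    print_report(SAMPLE)
    # Same as: dd if=carter.jpg of=carter-1.jpg skip=33 bs=1
    with open("carter-1.jpg", "wb") as out:
        out.write(carve(SAMPLE, skip=HIDDEN_OFFSET, bs=1))
```

The offset binwalk prints is in bytes, which is why the post uses bs=1: with a larger block size, skip would have to be divided accordingly (skip=1 bs=33 reaches the same byte in the sample above).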

(2) Using the separation tool foremost

foremost is a command-line tool that recovers files based on their headers, footers and internal data structures. On Windows it can be downloaded; on Linux it can be installed
with the following command:
apt-get install foremost
After installing foremost you can view the usage help with foremost -h. The simplest command to separate a file is:
foremost carter.jpg
When this command is run, foremost automatically generates an output directory containing the separated files:

(3) Analyzing the file with a hex editor

There are many hex editors: on Windows, WinHex and UltraEdit are the more useful ones, and on Linux there is hexeditor, among others. Here we use WinHex as the example for manual separation. Before separating, we need a little knowledge of the JPEG file format: the first 2 bytes of a JPEG file are the start-of-image marker SOI (start of image), FF D8; the following 2 bytes are the JFIF application data block APP0 (JFIF application segment), FF E0; and the last 2 bytes of the image file are the end-of-image marker EOI (end of image), FF D9. For more details, see the article on JPEG file format analysis.
Open the image in WinHex, press the Alt+G shortcut and enter the offset 22373 to jump to the start block of the other JPEG; the start block FF D8 can be seen at that position.

• and the end block of that image, FF D9

• Use the shortcut keys to select the block: Alt+1 on the FF of the start block, Alt+2 on the D9 of the end block, then right-click -> Edit -> Copy Block -> Into New File, and save with the corresponding extension, e.g. new.jpg

• Other
There is also a special case: a hide.zip containing the hidden file is prepared beforehand, a JPEG image such as example.jpg is taken, and the command copy /b example.jpg + hide.zip output.jpg generates a new file output.jpg. The principle is that the copy command joins the two files in binary mode. The end of a normal JPEG file is marked by FF D9, and image viewers ignore any content after that end marker, so the appended hide.zip does not affect the normal display of the image. (Reference: AppLeU0's steganography summary)
For this special case we can simply rename the .jpg file with a .zip suffix (other formats such as rar archives are handled similarly) and see the files hidden in the hide.zip archive.
For example, when we get a file wh3r3_is_f14g.jpg:

• When we open the file with WinHex, we find that the last block of wh3r3_is_f14g.jpg is not the JPEG end marker FF D9 but the end marker of a zip file.

• We rename the file directly to wh3r3_is_f14g.zip and open it to get flag.txt.

• Finally, open flag.txt to get the flag.
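The hex-editor section above locates an image by its SOI FF D8 and EOI FF D9, and the "Other" section and the wh3r3_is_f14g.jpg walkthrough rely on data being appended after the EOI. As an added example, not from the original post, the Python script below does the same work programmatically: it walks the JPEG segment chain to find where the first image really ends (rather than searching for the last FF D9 in the file, which would miss an appended second JPEG), classifies whatever follows (another JPEG, a zip, a RAR), repeats the quick "do the last two bytes read FF D9?" check, and reads an appended zip without renaming the file, since Python's zipfile locates the central directory from the end of the file. The sample JPEG and zip are constructed inside the script, and the function names are my own.

```python
"""Find the true end of a JPEG and inspect data appended after its EOI.
Added example; the sample image and archive below are constructed."""
import io
import zipfile

EOI, SOS = 0xD9, 0xDA


def jpeg_end_offset(data: bytes, start: int = 0) -> int:
    """Walk the marker segments of the JPEG beginning at `start` and return the
    offset just past its EOI (FF D9)."""
    if data[start:start + 2] != b"\xff\xd8":
        raise ValueError("no SOI (FF D8) at offset %d" % start)
    pos = start + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded scan data follows; skip until a real marker appears.
            # FF 00 is a stuffed byte and FF D0..D7 are restart markers, not ends.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("EOI (FF D9) not found")


def identify_trailer(trailer: bytes) -> str:
    """Classify bytes found after the image's EOI by their magic number."""
    if not trailer:
        return "none"
    if trailer.startswith(b"PK\x03\x04"):
        return "zip"
    if trailer.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if trailer.startswith(b"Rar!\x1a\x07"):
        return "rar"
    return "unknown"


def split_image(data: bytes):
    """Return (end_of_first_image, kind_of_trailer, trailer_bytes)."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    return end, identify_trailer(tail), tail


def ends_with_eoi(data: bytes) -> bool:
    """The quick check from the wh3r3_is_f14g.jpg walkthrough: do the last two
    bytes of the file still read FF D9? If not, something was appended."""
    return data[-2:] == b"\xff\xd9"


def read_appended_zip(data: bytes, name: str) -> bytes:
    """Read one member of a zip glued after a JPEG (copy /b img.jpg + hide.zip).
    zipfile finds the end-of-central-directory record from the file's end, so
    the JPEG prefix is tolerated and no rename to .zip is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample() -> bytes:
    """Construct a minimal JPEG (SOI, APP0, SOS with stuffed/restart bytes, EOI)
    followed by an in-memory zip holding flag.txt."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains FF 00 and RST0 decoys
    jpeg = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    return jpeg + buf.getvalue()


SAMPLE = build_sample()
JPEG_LENGTH = 40  # 2 SOI + 18 APP0 + 10 SOS + 8 scan + 2 EOI

if __name__ == "__main__":
    end, kind, tail = split_image(SAMPLE)
    print("image ends at offset", end, "; trailer:", kind, "(%d bytes)" % len(tail))
    print("file ends with FF D9:", ends_with_eoi(SAMPLE))
    if kind == "zip":
        print(read_appended_zip(SAMPLE, "flag.txt").decode())
```

The segment walk is the important part: a scan segment (FF DA) carries no length for its entropy-coded data, so the only way to find the image's own FF D9 is to skip stuffed FF 00 bytes and FF D0..D7 restart markers until a genuine marker appears, which is exactly what a hex editor user does by eye when jumping from the SOI to the EOI.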

Source: blog.csdn.net/qq_43721475/article/details/104088919